the international legal regime on states’ interaction …
TRANSCRIPT
THE INTERNATIONAL LEGAL REGIME ON STATES’
INTERACTION IN CYBER SPACE
BY
VICTOR ONYEKACHUKWU OJEAH
LAW 1106382
FACULTY OF LAW
UNIVERSITY OF BENIN
BENIN CITY
JULY, 2016.
ii
THE INTERNATIONAL LEGAL REGIME ON STATES’
INTERACTION IN CYBER SPACE
BY
VICTOR ONYEKACHUKWU OJEAH
LAW 1106382
A LONG ESSAY WRITTEN AND SUBMITTED TO THE FACULTY OF
LAW, IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR
THE AWARD OF THE DEGREE OF BACHELOR OF LAWS (LL.B) OF
THE UNIVERSITY OF BENIN, BENIN CITY.
JULY, 2016.
iii
CERTIFICATION
I, Victor Onyekachukwu Ojeah, with Mat. No.: LAW1106382, do herby certify that apart
from the references which have been made to other persons’ work which have been
acknowledged, the entire work is the product of my personal research and that the project has
neither in whole nor in part, been presented for another degree elsewhere.
__________________________ __________________
VICTOR ONYEKACHUKWU OJEAH DATE
(STUDENT)
iv
APPROVAL
We certify that this project was written and completed by Victor Onyekachukwu Ojeah with
Mat. No.: LAW1106382, in partial fulfillment of the requirements for the award of the
bachelor of laws (LL.B) degree.
_________________________ ___________________
DR.G.L UMORU DATE
(PROJECT SUPERVISOR)
_________________________ ___________________
DR. A.O. EWERE DATE
(PROJECT CO-ORDINATOR)
_________________________ ___________________
PROF. N. A. INEGBEDION, Ph.D DATE
(DEAN, FACULTY OF LAW)
v
DEDICATION
This work is dedicated to my parents Mr. & Mrs. Michael Ojeah, who are my spot-on
inspiration for success.
vi
ACKNOWLEDGMENT
I have a few persons to thank for their various roles in my life. Putting this work together is
only a partial fulfilment of something that began some four years ago. These people have
stood out in facilitating this half a decade pursuit for me.
I start by pouring my adoration to my beloved mummy and daddy. Their support, belief, care
and overt affection for me marvels me, sometimes I wonder, how can a mortal love me this
much? I cannot fully appreciate them without pausing for a moment to celebrate their maker,
my God; Jesus Christ. Thank you for you hear me always, and give prompt responses. Always!
During my sojourn in this University, I have had the advantage of relating with different
people on different platforms. Can I say a big thank you to every person I have worked with
on a team for national, regional and international competitions. I sincerely appreciate my
friend, brother and team mate Tami Koroye, I thank Divine Atsegbua “my sklon sklo”, ‘Mr.
Success’ and Nonso Anyasi, my brother, for going through the Jessup 2016 experience with
me (being my very last competition in the University). I also appreciate all officers of the Jural
court from 2015 to 2016. I am moved to mention Aziengbe J, for being a remarkable ‘brother’.
Someone I can always call on, my best friend; Rehoboth Juwah, thanks for being a standby
and a true friend, I love you, you are indeed the best! My kid brother Joshua Ojeah deserves
mention also, I just love you with all my heart, thanks for always being there for me. To
Stephen and Helen (Tikech) Ojeah my elder ones, when I remember you are family, I smile
in most profound satisfaction, I am favoured to have you. For leadership skills and endurance,
I have the leadership structure of Christian Fellowship International to thank for initiating that
in me.
I cannot escape irrationality if I don’t address the true purpose of this segment. International
law is for me, more than a flair, in coming up with the idea behind this project, I am expectedly
indebted to the International Law Students’ Association (ILSA) for fanning the embers of my
vii
love for this area of law. I am particularly beholden to the 2016 Jessup for arousing in me, the
teething and contemporary issue of the activities of States in cyberspace. Most of the materials
and texts used in this project were those supplied by ILSA for the Jessup 2016 competition,
to the entire team at Washington, Merci Beacoup! Importantly also, I am heavily in the debt
of Katharina Ziolkowski, Marco Roscini and Michael N. Schmitt. Their books have not only
inspired this work, but has also massively contributed to it. May I add that some lecturers
deserve particular and palpable mention for their indelible roles in my life? To Dr. Godwin L.
Umoru, my project supervisor, I am ceaselessly grateful for your fatherly caution, your
accommodation, skill and expertise in legal research, all these put together have inspired me
to work harder. I am appreciably indebted to Dr. Gabriel Arishe, my father, thank you for your
love in all of its various shades. Dr. Mobolaji Ezekiel, your motherly role and affection for me
inspires me to be better, thank you. Barr Alero Fenemigho and Barr Keseme Odudu, my
coaches inter alia, I am grateful for your concern and support for me. I am also in due of the
Adeloye family for accepting and outfitting me even without really knowing me. Aunty B and
Uncle D, I love you, “golly”!
A few of my friends deserve appreciation in clear mention; Ikoli Blessing, George Oneze Jnr,
Nosa Garrick, Raymond Ijeomah, Precious Kunu, Nosakhare Okungaye, Joy Nicholas, Mercy
Oluwafemi, Joy Jindu, Harrison Enoghayin, Chiamaka Nwokedi, Nkechukwu Otike-Odibi,
Jones Ogan, Edosomwan Ann, Eyituoyo Sakpa, Collins Arikor, Heritage Imoyera,
BeccaRoy… Oops! I love you all.
For printing and putting this work together in a fathomable state, I am obligated to Joy, thank
you!
viii
TABLE OF CONTENT
Title page - - - - - - - - - ii
Certification - - - - - - - - - iii
Approval - - - - - - - - - iv
Dedication - - - - - - - - - v
Acknowledgement - - - - - - - - vi
Table of Content - - - - - - - viii
Table of Cases - - - - - - - - xi
Table of Statutes - - - - - - - - xii
Table of Treaties and other International Instruments - - - xiv
Table of Abbreviation - - - - - - - xvi
Abstract - - - - - - - - - xviii
CHAPTER ONE : General Introduction
1.0 Introduction - - - - - - - 1
1.1 Definition of Cyberspace Operations - - - - - 2
1.1.1 Distinction between Cyberspace and Outer Space - - - 4
1.1.2 Terms Frequently Associated with Cyber Operations - - 6
1.2 Historical Background of Cyberspace - - - 11
1.3 Technical Methods, Techniques and Tools in
Cyberspace Operations - - - - - - 12
1.4 Effects of Cyber Operations - - - - - 23
Conclusion - - - - - - - 26
CHAPTER TWO: Applicability of General Principles of International
Law to Cyberspace
2.0 Introduction - - - - - - - 27
2.1 Nature of the General Principles of International Law - - 28
2.2 Source and Content of the General Principles of
International Law - - - - - - - 30
2.3 Relationship to Practice, Opinio Iuris and Consent
of States - - - - - - - - 37
2.4 Higher ‘Normative Value’ - - - - - - 40
2.5 Relationship to the Concept of Fundamental Rights and
Duties of States - - - - - - - 43
2.6 Instrument of Progressive Law Development - - - 46
ix
Conclusion - - - - - - - - 48
CHAPTER THREE: Rights and Obligation of States in Cyber Space:
Specific Applicable Laws and General
Principles of International Law
3.0 Introduction - - - - - - - - 50
3.1 Sovereign Equality of States and Corollary Principles - - - 51
3.1.1 Self-Preservation - - - - - - - 53
3.1.2 Territorial Sovereignty and Jurisdiction - - - - 58
3.1.3 Non-intervention in Domestic Affairs - - - - - 60
3.1.4 Duty Not to Harm Rights of Other States (Principle of Prevention,
Precaution and ‘Due Diligence’) - - - - - 62
3.1.5 Principle of Good Neighbourliness and sic utere tuo - - - 68
3.2 International Telecommunications Law and the Regulations of Cyber Space 70
3.3 Space Law and Cyber Activities - - - - - - 72
3.4 International Economic Law in the Cyber Arena - - - 73
3.5 Maintenance of international peace and security - - - - 80
3.5.1. Refrain from Threat or Use of Force in International Relations - 81
3.5.2. Peaceful Settlement of Disputes - - - - - 83
3.6 Cooperation and solidarity - - - - - - 84
Conclusion - - - - - - - - 87
CHAPTER FOUR: Proving State Responsibility for Cyber Operations
4.0 Introduction: State responsibility for cyber operations - - - 89
4.1 The International Law of Evidence - - - - - 93
4.2 Burden of Proof and Cyber Operations - - - - - 97
4.3 Standard of Proof and Cyber Operations - - - - - 103
4.4 Methods of Proof and Cyber Operations - - - - - 107
4.4.1 Documentary Evidence - - - - - - - 108
4.4.2 Official Statements - - - - - - - 113
4.4.3 Witness Testimony - - - - - - - 113
4.4.4 Enquiry and Experts - - - - - - - 114
4.4.5 Digital Evidence - - - - - - - 115
x
4.5 Presumptions and inferences in the cyber context - - - 116
4.6 Inadmissible evidence - - - - - - - 118
Conclusion - - - - - - - - 120
CHAPTER FIVE
5.1 Summary - - - - - - - - 122
5.2 Findings - - - - - - - - 124
5.3 Recommendations - - - - - - - 129
xi
TABLE OF CASES
Applicability of the Obligation to Arbitrate under Section 21 of the United Nations
Headquarters Agreement of 26 June 1947, Advisory Opinion (1988) ICJ Rep 12
Application of the Convention on the Prevention and Punishment of the Crime of Genocide
(Bosn. & Herz. v. Serb. & Montenegro), Judgment, 2007 I.C.J Rep 43
Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment,
2005 I.C.J Rep 168
Asylum Case (Colombia v. Perú), Judgment, 1950 I.C.J Rep 266
Avena and Other Mexican Nationals (Mex. v. U.S.), Judgment, 2004 I.C.J Rep 12
Barcelona Traction, Light and Power Company, Limited. (Belg. v. Spain), 1964 I.C.J Rep
6
Case Concerning Delimitation of the Maritime Boundary in the Gulf of Maine Area,
Judgment (1984) ICJ Rep 246
Case Concerning Land and Maritime Boundary between Cameroon and Nigeria Case
(Preliminary Objections), Judgement (1998) ICJ Rep 275
Case Concerning Right of Passage over Indian Territory Case, Preliminary Objections,
(1957) ICJ Rep 125
Case Concerning the Factory at Chorzów, Merits (1928) PCIJ Rep Ser A, No 17
Case Concerning the Frontier Dispute, Judgement (1986) ICJ Rep 554
Case Concerning the Temple of Preah Vihear, Merits (1962) ICJ Rep 6
Certain Norwegian Loans (Fr. v. Nor.), Judgment, 1957 I.C.J Rep 9
Electricity Company of Sofia and Bulgaria, Order (1939) PCIJ Rep Ser A/B, No 79
Greco-Bulgarian ‘Communities’, Advisory Opinion (1930) PCIJ Rep Ser B, No 17
LaGrand Case, Judgement, (2001) lCJ Rep 466
Land, Island and Maritime Frontier Dispute (El Salvador/Honduras.: Nicaragua.
intervening), Judgment, 1992 I.C.J. Rep 351
Legal Consequences for States of the Continued Presence of South Africa in Namibia
(South West Africa) Advisory Opinion (1971) ICJ Rep 16
Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion (1996) International
Court of Justice Rep 226
Mavrommatis Palestine Concessions, Judgement (1924) PCIJ Rep Ser A, No 2
xii
Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U. S.), Judgment,
1986 I.C.J Rep 14
Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J Rep 161
Pulp Mills on the River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J Rep 14
Reservations to the Convention on the Prevention and Punishment of the Crime of
Genocide, Advisory Opinion (1951) ICJ Rep 15
Rights of Nationals of the United States of America in Morocco (Fr. v. U.S.), Judgment
1952 I.C.J Rep 176
South-West Africa – Voting Procedure, Advisory Opinion (1955) ICJ Rep 67
Sovereignty over Pulau Ligitan & Pulau Sipadan (Indon./Malay.), Judgment, , (Dec. 17
2002) I.C.J. Rep 69
S.S. ‘Lotus’, Merits (1927) PCIJ Rep Ser A, No 7, 18ff
Territorial and Maritime Dispute between Nicaragua and Honduras in the Caribbean Sea
(Nicar. v. Hond.), Judgment, 2007 I.C.J. Rep 659
The Corfu Channel Case, Merits, (1949) ICJ Rep 4
United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J
Rep 3
Western Sahara, Advisory Opinion (1975) ICJ Rep 12
Whaling in the Antarctic (Aust. v. Japan: N.Z. intervening), Judgment, 2014 I.C.J Rep 148
xiii
TABLE OF STATUTES
Cybercrime Prevention and Prohibition Act 2015
xiv
TABLE OF TREATIES AND OTHER INTERNATIONAL INSTRUMENTS
Additional Protocol I to the Geneva Conventions 1977
Agreement Relating to the International Telecommunications Satellite Organization,
“Intelsat,” 1971.
American Declaration of Rights and Duties of Nations 1916.
Constitution of the International Telecommunications Union, Dec. 22, 1992
Convention of the International Maritime Satellite Organization London 1976
Convention on Cybercrime, (Budapest Treaty), 2001.
Creation of a Global Culture of Cybersecurity and Taking Stock of National Efforts to
Protect Critical Information Infrastructures, G.A. Res. 64/211, U.N. Doc. No.
A/RES/64/211 (July 21, 2016).
Declaration of American Principles of the Eights International Conference of American
States of 1938.
Declaration on Principles of International Law concerning Friendly Relations and Co-
operation among States in accordance with the Charter of the United Nations UNGA Res
2625 (XXV) (24 October 1970)
Developments in the field of information and telecommunications in the context of
international security UNGA Res 53/70 (4 December 1998)
Global Culture of Cybersecurity and the Protection of Critical Informational
Infrastructures, G.A. Res. 58/199, U.N. Doc. No. A/RES/58/199 (July 21, 2016).
I.C.J. Rules of Court, Acts & Docs. 1978.
Montevideo Convention on Rights and Duties of States (inter-American) 1933.
Statute of the International Court of Justice
The Charter of the Organization of African Unity 1963
The Charter of the Organization of American States of 1948
The Constitutive Act of the African Union 2000
The Final Act of the Conference on Security and Cooperation in Europe (1 August 1975)
(Helsinki Declaration)
Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer
Space, Including the Moon and Other Celestial Bodies (Outer Space Treaty) 1967.
United Nations Charter 1945
U.N.G.A Res 178 (II) (21 November 1947)
xv
U.N.G.A Res 375 (IV) (6 December 1949)
U.N.G.A Res 46/62 (9 December 1991)
U.N.G.A Res 37/10 (15 November 1982)
U.N.G.A. Res. 66/24, 2011
United Nations Millennium Declaration U.N.G.A Res 55/2 (8 September 2000)
xvi
TABLE OF ABBREVIATION
Am. J. Int’l L - American Journal of International Law
AMU I.L.R - American University International Law Review
Alb - Albania
ART. - Article
Aust. - Australia
Belg. - Belgium
Berkeley J. Int’l L - Berkeley Journal of International Law
C.E.C.C - The Council of Europe’s Convention on Cybercrime
C.D.M.A - Cyber Defence Management Authority
D.D.O.S - Distributed Denial of Services
D.R.C - Democratic Republic of Congo
E.J.I.L - European Journal of International Law
ENIISA - The European Union Agency for Network and
Information Security
E.P.I.L - Encyclopedia of Public International Law
E.U - European Union
Fordham Int’l L.J. - Fordham Journal of International Law
G.L.S - German Law Journal
Harv. J.L - Harvard Journal of Law
Hond. - Honduras
ICJ Rep - International Court of Justice Report
I.L.C - International Law Commission
I.L.R - International Law Report
I.L.S - International Law Studies
Indon. - Indonesia
INMARSAT - Convention of the International Maritime Satellite Organisation
INTELSAT - Agreement Relating to the International
Telecommunications Satellite Organization
I.T.U - International Telecommunications Union
Jap - Japan
Malay. - Malaysia
MPEPIL - Max Planck Encyclopedia of Public International Law
xvii
NATO - North Atlantic Treaty Organisation
Nicar. - Nicaragua
N.Y. TIMES - New York Times
N.S.A - National Security Agency
N.Z. - New Zealand
O.A.S - Organization of American States
O.A.U - Organisation of African Unity
OSINT - Open Source Intelligence
PCIJ Rep Ser - Permanent Court of International Justice Report Series
SCOOR - Shanghai Cooperation Organisation
S.L.R - Stanford Law Review
U.K. - United Kingdom
U.N - United Nations
U.N.G.A - United Nations General Assembly
U.N RES - United Nations Resolution
U.N.S.C - United Nations Security Council
U.N.S.C.O.R - United Nations Security Council Ordinary Resolution
U.S - United States
U.S.S.R. - Union Soviet States Republic
Virginia J. Int’l L - Virginia Journal of International Law
VOL - Volume
WTO - World Trade Organisation
xviii
ABSTRACT
At a time of growing global interconnectivity and increasing dependence of man on
information and communication technology, State action without the use of cyberspace is
almost unimaginable. States through their institutions operate both as providers of information
and services on the internet and as internet users. But even beyond these operations, States
depend on available and reliable information and communication technology infrastructures.
Security, the functioning of vital institutions, economic and scientific progress, the organisation
of social and healthcare systems, as well as the prosperity and wellbeing of the population
cannot be provided without the use of cyberspace. Cyber threats that materialise in the loss of
confidentiality, integrity or availability of information and communication technology can
have an impact on the stability of States, and in extreme cases, threatening their existence. In
order to minimise such risks, technical precautions certainly need to be taken; however,
technical measures alone will not suffice: a solid and reliable legal framework for State
activities in cyberspace is essential.
The aim of this thesis is not only to propose such a framework by identifying existing prerequisites
and offering diverse interpretations, but also to point out and address unsettled issues. One premise
is certain: cyberspace cannot be deemed a legal lacuna. In this space, too, the rules of public
international law must and does apply. For only then can the significance of the internet as a
platform for economic and social development, as well as a contributor to understanding
between States, truly unfold. However, the creation of a legal framework for cyberspace is not
a task that any State could tackle alone. Due to the global nature of cyberspace, a global effort
is needed to find answers to questions about which rules apply to users and providers operating
in cyberspace, or how access to the internet and cross-border data flow should be regulated.
The international community has not yet come very far in determining a common regulatory
regime for cyberspace. The starting point for such deliberations must be norms of international
xix
law as applicable outside the digital world. Once the application of such norms in cyberspace
has been clarified and the basis for an appropriate legal regime thereby established, the question
of the need for new regulation will arise. Various approaches to and interpretations of
international law need to be aligned in order to progressively develop a common understanding
of the legal regime for cyberspace.
In general, before a certain situation can be assessed from a legal point of view, the facts of the
case must be scrutinized. Therefore, before describing the rights and obligations of States in
cyberspace under international law, the first chapter of this project offers an overview of the
technological possibilities and explains, inter alia, the functioning of internet communications,
the methods, tools and techniques of cyber operations. The second chapter addresses the
question of the operation and applicability of international law in cyber space and further
answers questions that have intrigued cyber scholars over the decades. The third chapter will
investigate some of the specific applicable rules of international law to cyber space and show
how they apply. The fourth chapter then proceeds to address questions bordering on the method
of proof and evidence in cyber operations under international law, and the issue of state
responsibility in such situations of cyber operations. Finally, the fifth chapter provides
recommendations, conclusions and submissions in the light of the afore- raised issues.
1
CHAPTER ONE
1. INTRODUCTION
State actors’ activities in cyberspace do not focus solely on information technology (IT)
security and cyber defence scenarios. Bodies of different State entities have found cyberspace
to be a new domain of engagement within the scope of public authority activity. State
authorities such as the police, the intelligence services and the military nowadays routinely
operate in cyberspace to fulfil their duties: active forensics on suspicious systems as well as
intelligence or even military peace time operations in cyberspace have become a reality. These
activities, summarised under the term ‘cyber operations’, have one thing in common: breaking
into foreign IT systems to extract or modify data, to change the system configuration1 or to
take down the entire system. To put it another way, it is about hacking. The possibility of
hacking/cyber operations will be explained by reference to the methods of a cyber-operation,
which will be explained in seven subsequent stages. For each stage, tools and techniques are
introduced with a focus on State actors’ use, and these are distinguished from malicious actors.
The crux of this chapter will examine three main concerns in understanding the nature, scope
and gamut of cyber operations with respect to State activities. The first section gives a general
definition and exposition of cyber operations as a concept and its attendant terminologies and
further offers a brief history about cyberspace and operations in cyberspace. The second section
further defines specific terms, techniques, tools and methods involved and utilised in the cyber
domain and which are commonly associated with cyber operators, and finally, the chapter shall
address the effects of cyber operations which would be followed by a fitting conclusion.
1 A change of the system configuration may include the deletion of files and/or services as well as blocking or
taking down the entire system.
2
1.1 Definition of Cyberspace Operations
In order to fully appreciate the definition of cyberspace operations, it is pertinent to
disambiguate the terms cyber operations and cyberspace. As a precursor, cyber operations are
the activities that occur in cyberspace, which can be said to be a domain that permits such
activities. To start with, on the one hand, the term “cyber operation” or, synonymously,
“computer network operation” (CNO) refers to the reduction of information to electronic
format and the actual movement of that information between physical elements of cyber
infrastructure.2 Cyber operations can be categorized as “computer network attack”, “computer
network exploitation” and “computer network defence”.3 While computer network attacks
(CNA) comprise all cyber operations aiming “to disrupt, deny, degrade, or destroy information
resident in computers and computer networks, or the computers and networks themselves”,4
computer network exploitation (CNE) refers to “enabling operations and intelligence collection
to gather data from target or adversary automated information systems or networks”.5
Computer network defence (CND), in turn, refers to “actions taken to protect, monitor, analyse,
detect, and respond to unauthorized activity within… information systems and computer
networks” or, in short, the prevention of CNA and CNE through intelligence,
counterintelligence, law enforcement and military capabilities.6 This terminology, which is
specific to operations conducted in cyberspace, must be carefully distinguished from existing
technical terms of international law such as, for example, “force”,7 “armed attack”8 and
“attack”. 9
2 Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual), (Michael N. Schmitt et al.
Cambridge University Press, (2013). 258. 3 US Department of Defence, The National Military Strategy for Cyberspace Operations, 2006, GL-1. 4 Ibid. 5 Ibid. 6 Ibid. 7 UN Charter, art. 2(4). 8 Ibid, art. 51. 9 Additional Protocol I to the Geneva Conventions, art. 49(1).
3
On the other hand, several definitions has been accorded to the term; “cyberspace”. First
cyberspace has been defined as “the notional environment in which communication over the
computer networks occurs”.10 According to Chip Morningstar and F. Randall Farmer,
“cyberspace is defined more by the social interactions involved rather than its technical
implementation”.11 Cyberspace is considered by the principal governments to be the fifth
domain of warfare such as space, land, sea and air, and due to this reason, principal countries
are mass investing in the development of new cyber capabilities to protect it. This is the position
of the U.S. Government on the cyberspace. William J. Lynn, U.S. Deputy Secretary of Defense,
states that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new
domain in warfare . . . which has become just as critical to military operations as land, sea, air,
and space.”12 Unfortunately, however, there is no consensus on what “cyberspace” is, let alone
what are the implications of State interactions in cyberspace. In an attempt to clarify the
situation, another author suggests that cyberspace is a time-dependent set of interconnected
information systems and the human users that interact with these systems. In all of these
definitions, one golden thread runs through, which is the fact that cyberspace has to do with
the functioning of computers and the internet. It follows then, for the purpose of this project,
that cyberspace operations could be conceptualized as the activities which a State may engage
in on the internet via computers which may or may not affect other States.
10 http://www.oxforddictionaries.com/us/definition/american_english/cyberspace. (May 3, 2016). 11 Morningstar, Chip and F. Randall Farmer. The lessons of Lucasfilm Habitat. The MIT Press, 2003. pp 664-667
Print. 12 U.S department of defence Journal, 2013, p 106.
4
1.1.1 Distinction between “Cyberspace” and “Outer Space”
The debate between the terms “cyberspace” and “outer space”, has been a heated one. Some
scholars have used this two terms interchangeably,13 while others have vehemently opposed.14
The conundrum lies in the answer to the puzzle; whether cyberspace and outer space are indeed
synonymous concepts, or is there any distinction. In truth however, the two concepts are indeed
similar in some respects, for example, with respect to their “global commons character”. In
both cases the international community has acknowledged that these environments in some
way belong to humanity and are beyond national appropriation. In the case of outer space, this
‘global commons’ status is explicitly set out in the foundational Outer Space Treaty of 1967.
Article I of that treaty stipulates that the use of outer space ‘shall be carried out for the benefit
and in the interests of all countries … and shall be the province of all mankind’. Article II
reinforces this concept of global ownership by specifying that outer space, including the moon
and other celestial bodies, is ‘not subject to national appropriation by claim of sovereignty, by
means of use or occupation, or by any other means’.15 With respect to cyberspace, this ‘global
commons’ status is not as explicitly or legally set out as is the case with outer space, but a
similar vision animates the pronouncements of States. The most authoritative of these
Statements to date were those agreed to by consensus at the UN-mandated World Summit on
the Information Society (WSIS), which was held in two stages in Geneva and Tunis in 2003
and 2005 respectively. The Declaration of Principles adopted by WSIS described ‘a people-
13 See Frank H. Easterbrook, Cyberspace and the Law of the Horse, 1996 U. Chi. Legal F. p 207; Richard A.
Epstein, Cyber trespass, 70 U. Chi. L. Rev. pp 73, 82–84 (2003); Timothy S. Wu, Note, Cyberspace
Sovereignty?—The Internet and the International System, 10 Harv. J.L. & Tech. pp 647, 662–665 (1997); Eugene
Volokh, Freedom of Speech, Cyberspace, Harassment Law, and the Clinton Administration, Law & Contemp.
Probs. Winter/Spring 2000, at pp 299, 302–03, in Peacetime Regime for State Activities in Cyberspace,
Kaatharina Ziolkowski, 122. 14 Foundational writings include Michel Foucault, Of Other Spaces; Diacritics Spring (1986), p 22, Henri
Lefebvre, The Production of Space (Donald Nicholson-Smith trans., Blackwell 1991) p 79 and Kevin
Hetherington, The Badlands of Modernity: Heterotopia and Social Ordering pp 20–38 (1997). 15 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including
the Moon and Other Celestial Bodies (Outer Space Treaty), 10 October 1967, United Nations, Accessed at:
<http://www.nti.org/media/pdfs/aptospc.pdf?_=1316555222&_=1316555222.> (May 3, 2016).
5
centred, inclusive and development-oriented Information Society, where everyone can create,
access, utilize and share information and knowledge …’16
Despite this similarity which only roots to the perception of States with respect to these two
concepts, nothing else remotely links these two terms as otherwise synonymous. With respect
to their distinction however, the first and most obvious is that outer space is a natural
environment whereas cyberspace is a human-made one17. Outer space is a vast, timeless
domain in which humankind is only gradually projecting itself. Cyberspace, while equally vast
at one level, has been developed in the timeframe of a generation and its nature is purely within
human control.
A second major difference between the two spaces might be described as the ‘threshold of
entry’ to them. To enter and use outer space requires sophisticated and costly assets and
capabilities, usually possessed by a small number of States and a few multinational companies.
Cyberspace, by contrast, can be explored by anyone with a personal computer or mobile device.
The basic equipment is relatively cheap and users are numbered in the billions.
A third difference between the realms is that outer space activity is still dominated by State
actors although there is a recent trend towards privatisation of some services. Currently there
are only ten spacefaring nations possessing an independent orbital launch capacity.18 In
contrast, the infrastructure of cyberspace is largely owned and operated by the private sector
and civil society.
Finally, if one is to look at the attitude of States holistically, one would find that there is a
difference in the manner in which the two realms have been treated to date under international
16 First Phase of the World Summit on the Information Society, Declaration of Principles, Building the
Information Society: A Global Challenge in the New Millennium, WSIS-03/GENEVA/DOC/4-E (12 December
2003), para. 1, http://www.itu.int/dms_pub/itu-s/md/03/wsis/doc/S03-WSIS-DOC-0004!!PDF-E.pdf. 17 Anna-Maria Osula & Henry roigas (eds.) International Cyber Norms: Legal, Policy and Industry Perspective,
NATO CCD Publications, Tallim, 2016. Accessed at:
<https://ccdcoe.org/sites/default/files/multimedia/pdf/InternationalCyberNorms_Ch8.pdf (June 14 2016) 18 https://en.m.wikipedia.org/wiki/Timeline_of_first_orbital_launches_by_country/cite_note-ACT-1; Soviet
Union (1957), United States (1958), France (1965), Japan (1970), China (1970), United Kingdom (1971), India
(1980), Israel (1988), Iran (2009), North Korea (2012). (May 3, 2016).
6
law, this is demonstrated for example in the fact that outer space has benefited from an early
foundational treaty that defined its character. Although this treaty is now 48 years old and many
States believe that the legal regime it created for outer space needs to be reinforced,19 it
nonetheless provides an authoritative reference point. No similar treaty has yet been devised to
define cyberspace and efforts to formalise cooperation via international legal instruments such
as the 2001 Budapest Convention on Cyber Crime have not as yet met with widespread support
amongst States.20 From the following disquisition, one point is clear; the intangibility of
cyberspace betrays its acclaimed semblance with outer space. Both realms are real, but greatly
distinguished. Amongst other things, is the outstanding distinction that while one is man-made,
the other is a creation of nature.
1.1.2 Terms Frequently Associated with Cyber Operations
1. Cyberspace
Cyberspace is said to be coined by William Gibson, who described the term as “a consensual
hallucination-lines of light ranged in the nonspace of the mind, clusters and constellation of
data. Like city lights, receding”21. Cyberspace has also been defined as the domain that is
characterized by the use of electronics and the electromagnetic spectrum to store, modify and
exchange data via network systems and associated physical infrastructures.22
19 See notably the resolution on the ‘Prevention of an Arms Race in Outer Space’ which is annually adopted by
the UN General Assembly with near universal support and which in reference to the legal regime for outer space
States that ‘there is a need to consolidate and reinforce that regime and enhance its effectiveness …’: United
Nations, General Assembly resolution 69/31, Prevention of an Arms Race in Outer Space, A/RES/69/31 (11
December 2014), http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/69/31. (May 3, 2016). 20 The Convention developed by the Council of Europe has only been ratified or acceded to by 47 States of which
only eight are non-member States of the Council of Europe, see Convention on Cybercrime, Budapest, 23
November 2001, Council of Europe Treaty Series, No. 185,
http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_e
n.pdf. (May 3, 2016). 21 William Gibson, “Father of Cyberspace” by Scott Thill; Wired; March 17, 1948, p 12. 22 Ibid.
7
2. Computer Network Attack (C.N.A)
This is a category of "fires" employed for offensive purposes in which actions are taken
through the use of computer networks to disrupt, deny, degrade, manipulate or destroy
information resident in the target information system or computer networks or the
systems/networks themselves. The ultimate intended effect is not necessarily on the target
system itself, but may support a larger effort, such as information operations or counter-
terrorism.23
3. Computer Network Exploitation (CNE)
This is a process which enables the operations and intelligence collection capabilities to be
conducted through the use of computer networks to gather data about target or adversary
automated information systems or networks24.
4. Countermeasures
It is some form of military science that, by the employment of devices and/or techniques, has
as its objective the impairment of the operational effectiveness of undesirable or adversarial
activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of
sensitive or classified information or information systems. There are two types of
countermeasures, namely:
(i) Defensive Countermeasures: Include actions to identify the source of hostile cyber activities,
protection/mitigation at the boundary, hunting within networks, passive and active intelligence
(including law enforcement) employed to detect cyber threats; and/or actions to temporarily
isolate a system engaged in hostile cyber activities.
(ii) Offensive Countermeasures: This might include electronic jamming or other negation
measures intended to disrupt an adversary's cyber capabilities during employment.25
23Note: the term "fires" means the use of weapon systems to create specific lethal or nonlethal effects on a target
Accessed at: http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary. 24 Ibid, * See also computer network attack. 25 http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary.
8
5. Cyber-Attack
A hostile acts using computer or related networks or systems, and intended same to disrupt
and/or destroy an adversary's critical cyber systems, assets, or functions. The intended effects
of cyber-attack are not necessarily limited to the targeted computer systems or data themselves-
for instance, attacks on computer systems which are intended to degrade or destroy
infrastructure of C2 capability.26
6. Cyber Incident
A cyber incident is likely to cause, or is causing, harm to critical functions and services across
the public and private sectors by impairing the confidentiality, integrity, or availability of
electronic information, information systems, services, or networks; and/or threaten public
safety, undermine public confidence, have a negative effect on the national economy, or
diminish the security posture of the Nation.27
7. Cyber Operational Preparation of the Environment (C-OPE)
Non-intelligence enabling functions within cyberspace conducted to plan and prepare for
potential follow-on military operations. C-OPE include but is not limited to identifying data,
system/network configurations, or physical structures connected to or associated with the
network or system for the purpose of determining system vulnerabilities; and actions taken to
assure future access and/or control of the system, network, or data during anticipated hostilities.
C-OPE replaces CNE or CNA when used specifically as an enabling function for another
military operation.28
8. Cyber-Security
All organizational actions required to ensure freedom from danger and risk to the security of
information in all its forms (electronic, physical), and the security of the systems and networks
26 Ibid. 27 Ibid. 28 http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary.
9
where information is stored, accessed, processed, and transmitted, including precautions taken
to guard against crime, attack, sabotage, espionage, accidents, and failures. Cyber-security risks
may include those that damage stakeholder trust and confidence, affect customer retention and
growth, violate customer and partner identity and privacy protections, disrupt the ability or
conduct or fulfill business transactions, adversely affect health and cause loss of life, and
adversely affect the operations of national critical infrastructures.29
9. Cyberspace Superiority
The degree of dominance in cyberspace by one force that permits the secure, reliable conduct
of operations of that force, and its related land, air, sea, and space forces at a given time and
sphere of operations without prohibitive interference by an adversary.30
10. Cyber Warfare (CW)
An armed conflict conducted in whole or part by cyber means. Military operations conducted
to deny an opposing force the effective use of cyberspace systems and weapons in a conflict.
It includes cyber-attack, cyber defense, and cyber enabling actions.31
11. Defensive Counter-Cyber (DCC)
All defensive countermeasures designed to detect, identify, intercept, and destroy or negate
harmful activities attempting to penetrate or attack through cyberspace. DCC missions are
designed to preserve friendly network integrity, availability, and security, and protect friendly
cyber capabilities from attack, intrusion, or other malicious activity by pro-actively seeking,
intercepting, and neutralizing adversarial cyber means which present such threats. DCC
operations may include: military deception via honeypots and other operations; actions to
adversely affect adversary and/or intermediary systems engaged in a hostile act/imminent
29 Ibid. 30 Ibid. 31 Ibid.
10
hostile act; and redirection, deactivation, or removal of malware engaged in a hostile
act/imminent hostile act.32
12. Hostile Act
This refers to force or other means used directly to attach the US, US forces, or other designated
persons or property, to include critical cyber assets, systems or functions. It also includes force
or other means to preclude or impede the mission and/or duties of US forces, including the
recovery of US personnel or vital US Government property network operations.33
13. Mitigation (US CERT CONOPS, NRF)
These are solutions that contain or resolve risks through analysis of threat activity and
vulnerability data which provide timely and accurate responses to prevent attacks, reduce
vulnerabilities and fix systems.34
14. Network Operations (Net Ops)
This can be defined as activities conducted to operate and defend the DOD's Global information
Grid.35
15. Offensive Cyberspace Operations (OCO)
Activities that, through the use of cyberspace, actively gather information from computers,
information systems, or networks, or manipulate, disrupt, deny, degrade, or destroy targeted
computers, information systems, or networks. This definition includes Cyber Operational
Preparation of the Environment (C-OPE), Offensive Counter-Cyber (OCC), cyber-attack, and
related electronic attack and space control negation.36
1.2 Historical Background of Cyberspace
32 Accessed at: < https://en.m.wikipedia.org/wiki/cyberspace_definitions?-e_pi_7%page_ID> 33 Ibid. 34 Ibid. 35 Ibid. 36 http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary.
11
During the Cold War, the United States needed a system that is beyond destruction in the
event of a nuclear attack in order to send and receive intelligence. The computers were
linked in a network and not in a straight line to achieve the connection. So although it
may seem like a new innovation, the net has actually been around for over forty (40) years
and began at first as a university experiment in military communications. At first, each
computer was physically linked by cable to the next computer, but this approach has
obvious limitations, which led to the development of networks utilizing the telephone
system. So people then decided that nuclear attack or not the computer network was a
benefit to all and that they could use it to communicate with one other. Some university
students started using the network to do their homework together. More people started to
demand access, although initially the users were only from the university and government
sectors. But more and more people could see the potential of computer networks and
various community groups developed networks separate from the official networks for
the use of their local communities.
The internet today is a collection of all the various users and various local, regional and
national networks and it is an ever expanding network of people, computers and
information coming together in ways the Pentagon never dreamed of forty years ago. So
what began as an exercise in military paranoia has become a method of global
communication.
The term “Cyberspace” first appeared in fiction in 1980’s in the work of cyberpunk
science fiction author William Gibson, in his 1982 Short story “Burning Chrome” and
later in his 1984 novel “Neuromancer.”37 Gibson’s fantasy of a world of connected
computers has moved into a present reality in the form of the internet. In cyberspace,
37 William Gibson (1984). Neuromancer. New York: Ace Books. p. 69. ISBN 0-441-56956-0.
12
people are met electronically, without a face or a body.38. The reality of the above
disquisition is that cyber operations began at the inception of cyberspace. In other words,
people began to interact in cyberspace the moment it was incepted. Because it began with
a group of students, it follows that States only began to interact in cyberspace as a body
component a few years on. The history of cyberspace is the story of the internet, and once
the internet begun, the possibility of trans-continental communication, interaction and
operations was birthed.
1.3 Technical Methods, Techniques and Tools in Cyberspace Operations
A concise point of commencement is to identify the answers to the questions of how States
conduct cyber operations and with what tools. Most of the activities constituting cyber
operations, have one thing in common: breaking into foreign Information Technology systems
to extract or modify data, to change the system configuration39 or to take down the entire
system. To put it another way, it is about hacking. Hackers hack; this is more or less commonly
known, but does that mean that State cyber operations are conducted by hackers? No less
important is the question of why is hacking possible- which is key to understanding methods
of cyber operations. This will be explained by reference to an abstract model for cyber
operations which will be introduced in this chapter. Based on this model, the methods of a
cyber operation will be explained in seven subsequent stages. For each stage, tools and
techniques are introduced with a focus on State actors’ use, and these are distinguished from
malicious actors.
38 <http://www.google.com/a brief history of cyberspace>. 39 A change of the system configuration may include the deletion of files and/or services as well as blocking or
taking down the entire system, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 85.
13
1 Hacking – Mise-En-Scène (Staging the Operation)
How does hacking work? Unfortunately, this question cannot be answered within one or two
simple sentences. It is essential to know how hacking works in order to defend against threats
effectively, and for a State to make use of suitable tools and techniques within the parameters
of law. In order to understand how hacking works, it is first of all essential to understand why
hacking works at all – and the answer this time is simple: it works, because the hacked systems’
security is (or was) too weak. Again, this is easy to explain since there is not much secrecy
around the fact that there is nothing like hundred percent (100%) security in Information
Technology. A strategy to hack a system can be derived from knowing that hacking is about
getting information about a target system in cyberspace, finding clever ways to exploit its
vulnerabilities, making use of its misconfigurations or taking profit from its users. This
intrusion into systems, which basically describes the process of hacking, is referred to as a
cyber-attack. NATO defines cyber-attacks as ‘actions taken through the use of computer
networks to disrupt, deny, degrade, or destroy information resident in computers and computer
networks, or the computers and networks themselves,40and most scientific and legal definitions
define cyber-attacks in this or a similar way. Before any cyber-attacks against a target can be
launched, the first two steps of reconnaissance and weaponisation, need to be carefully
considered since they prepare the grounds for the success of any cyber operation, the following
sections will explore each phases in detail.
2 Reconnaissance – Get Information about Your Target
As in any operation, cyber operations need to be planned based on relevant and reliable41
Information about the operation’s targets. This implies the need to gather information about
the target in the best possible manner to be able to derive a solid situational picture, on which
40 NATO Standardization Agency, NATO Glossary of Terms and Definitions (AAP-6) at 2-C-12, 2012. 41 The integrity, authenticity and correctness of the information need to be assured. (May 5, 2016).
14
basis different courses of action can be assessed. It also requires reliable information about the
status of one’s own capabilities and available resources. The process of collecting this
information is called footprinting: collection of information available from open sources or
provided by services is known as passive footprinting, while active footprinting refers to one’s
own actions within the cyber operation to obtain missing information, and is analogous to
battlefield reconnaissance. The most convenient way to gather the required information is open
source intelligence (OSINT). Using OSINT for reconnaissance purposes must therefore be seen
as a very important first step which should not only be considered in the operation’s planning
stage, but also in any subsequent stage of the cyber operation as soon as new information is
derived which updates the situational picture, and which might influence decision making and
the action of current operations.42 Very often, further information can be found by simply
accessing the target’s offered services43, or by using social media. Social networks have been
identified as another primary source of information in the process of intelligence gathering.
If the target is a network, the network connections within that target must also be explored.
This is achieved by tracerouting: step by step, possible routes from the own systems to the
target are tested, and a fine-grain network picture is derived. During the entire cyber operation,
all this information must be updated regularly since owners of targets can be assumed to use
modern techniques to strengthen their systems’ resilience. This is especially important if such
changes are monitored in very short time intervals, otherwise successful weaponisation – as
described in the following section – is almost impossible.
3 Weaponise – Prepare to Break the Shields
Intruders need to be equipped and trained to be able to engage in cyberspace. Once a target has
been identified in cyberspace, a cyber situational picture has been derived and a network
42 OSINT tools and resources see: R. Hock. (2013 September 13). Internet Tools and Resources for Open Source
Intelligence 54. 43 Such a service is, e.g., a hosted web-site
15
fingerprint has been made, the most challenging part of the mission preparation is to find
suitable cyber means to take effect on the target. Such means of cyber activities in this context
are all I.T hardware and software items as well as other systems capable of taking effect in
cyberspace, such as computer programs or malicious software and are all generally known as
cyber tools. A cyber tool can be a cyber weapon specially designed to break into foreign
systems and perform malicious actions, or it can be a regular tool which is used within cyber
operations as well as for regular system operations or maintenance. The penetrator of a cyber
tool is called an ‘exploit’. Exploits are very clever pieces of software that use vulnerabilities,
so the more a system is hardened, the more difficult it is to crack the virtual bunker. But it is
possible.
Finally, weaponisation is an iterative process since updated information from the situational
picture may highlight a need to change or modify the cyber tool of choice. Without appropriate
cyber tools, access to systems can only be achieved by taking advantage of misconfigurations
or user mistakes. If a target system is not properly protected and cyber tools are not needed at
all, intruders can start to manipulate the target system directly. Otherwise, once a cyber tool
has been tested successfully,44 the delivery of the tool to the target system needs to be planned.45
4 Delivery – Get the Tools to the Target
The delivery phase of a cyber operation describes the transfer of a cyber tool to the target
system. Depending on the nature of the cyber tools, different approaches to delivery can be
chosen. Again, State actors are more limited since they should ensure that intended
manipulations only affect the target system and no side effects occur, whereas malicious
hackers will not care too much, and may even use third party systems as proxies to launch their
cyber-attacks. In case of user mistakes or misconfigurations, the delivery of the payload can be
44 A test is not always possible and reasonable, thus not all targets can be emulated to test the cyber tool. 45 The requirements of the cyber tool delivery can have influence on the tools’ development.
16
very simple: it may be that, due to missing or incorrect access control modifications on the
target system, delivery is possible without any further action by the intruder and a payload can
just be uploaded and installed. If user credentials at non-administrator level are used, this may
not suffice to deliver the payload successfully to the target system. In that case, the available
user credentials with minor privileges can be used to gain access to the system and – after
successfully having logged on – to raise the privileges using other cyber tools made available
in the weaponisation phase. If no cyber tools are available at that stage, a step back to
reconnaissance might be required to evaluate the target system information accessible with the
user credentials used to log on, and to consider new techniques to escalate the privileges. The
most difficult and highly sophisticated form of delivery is the delivery by a service exploit. If
the users of a target system do not ‘help’ the intruder to install the payload on their system,
vulnerable services running on the target system can be used to get the payload in.
5 Exploitation – Hijacking the Control Flow
Hackers like to see themselves as very smart programmers, and there is good justification for
that. When user credentials cannot be used to get administrator or system level access to a
target system, clever ways of deviating target systems from their regular program control flow
into payload execution must be found during the weaponisation phase. It is essential to
understand why exploitation works and why it is at all possible to alter the control flow of a
program during its runtime.46
One of the most important requirements for exploitation is the physical ability to alter the
program control flow on the target system. This basically means that a program needs to be
executed in a computer’s random access memory (RAM). The easiest way to alter the program
control flow is to use so-called overflow techniques, for example buffer overflows. Buffers are
46 Software is usually executed in a process structure which is protected by the operating system against any
external modification. See, Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 102.
17
dedicated pieces of memory used to store user input data during program execution. If user
input is accepted during the execution of a subroutine within the program, it can be stored
within a data structure which is called a stack. This is very likely, as programmes usually
consist of a lot of subroutines that are reused by different parts of the program to keep the code
short. A stack is the dedicated piece of memory space assigned to each process of a computer,
and regulates subroutine calls. When a program calls a subroutine, it stores required parameters
on the stack to provide the subprogram with the data it needs to process. Since a subprogram
can be called from many different parts of the program, it needs to know the memory address
to return to after the subroutine has finished. This return address is stored on the stack as well
as data and buffers for inputs. Normally, all these items ‘pushed’ onto the stack have a
dedicated size, so after the subroutine has finished, the stack can be cleaned up again47. The
problem why exploitation of the stack worked quite well for a long time was that, unfortunately,
a number of software compliers48 did not check if the user inputs to the system really did fit
into the dedicated buffer space being reserved on the stack.
Thus, if a user created an input for the program that exceeded in size the dedicated buffer space,
the rest of the buffer was overwritten with the rest of the user input as well, including the
address to return to after the subroutine has finished. So by cleverly researching the exact length
of required user input and replacing the return address on the stack with a memory address
pointing to the payload placed on the target system, a program control flow can be altered
during runtime. These techniques are called overflows; they not only work on a process stack
but also on a process heap.49 So when the subroutine finishes after a successful overflow
47 Otherwise a process would run out of memory quite fast if all subroutine calls would just put things onto it. 48 A program that creates the executable binary containing the program code from a human readable programming
language. 49 A ‘process heap’ is a memory space additionally allocated to a process during program execution.
18
exploit, the program will return not to the position the subroutine was called from, but to the
new address specified in the submitted data.
6 Installation – Reside the Payload on the Target
Having successfully exploited a target system, or having gained access to the system due to
misconfigurations or user mistakes, the malicious actions intended to be carried out on the
target system may require the installation of additional software, unless the mission can be
carried out by functionality provided by the target system’s operating system or software that
is already installed. If the cyber operation is conducted to take the system down, software
installation is usually also not required. In most cases, the software to be installed on the target
system is a Remote Access Tool (RAT), which needs to be persistently available in the boot
process of the system and which opens a ‘backdoor’ allowing the intruder to take control. The
installation of such RAT software on a target system faces major challenges since:
• The users and administrators of the target systems should not recognise the RAT tool being
installed on their system, so the RAT must be invisible to them;
• The RAT tool must be installed persistently, which means it needs to be able to
survive a system re-boot; and
• The RAT tool must be resilient to patches and installations or de-installations of
software.
Hiding a RAT is the most important challenge. Once the RAT is detected, the administrators
of the target system knows that their system has been hacked and they can take actions to
remove the RAT. Removing a RAT from a stand-alone system is easy and is normally done by
a simple re-installation of the machine. Sometimes this is done by restoring it from a backup,
which bears the risk of the RAT surviving, if the backup has been made before the RAT was
detected but after its successful installation. Since good administrators will also check the
backups for traces of the RAT, this is not very likely. Removing a RAT from multiple machines
19
within a network might be more challenging since it is often not possible to shut down the
entire network. Trying to restore machine by machine only promises success if the vulnerability
the intruder used to exploit the system and install the RAT has been found and can be patched
successfully; otherwise, a restored system might simply be re-infected by other machines on
the network which have not yet been treated.
If a RAT has been placed successfully, and not been detected and removed, the target system
is controlled by the intruder and malicious actions of all kind can be conducted. RATs are often
sustained to maintain access for the intruder persistently. Having installed such a combination
on the target system, the intruder can control it and issue any desired command.
7 Command and Control – Remotely Control the Target System
If all required software needed for or intended to be used during the cyber operation has been
installed on the target system, the planned action needs to be prepared and started.
For this, means of command and control have to be foreseen based on which the intruder can
submit commands to the target system. They consist of a RAT being installed on the target
machine and a control unit being operated by the intruder, together with some means of
communication connecting the RAT with the control unit. Command and control are usually
implemented by means of network communication. At the network level, command and control
information can be embedded into packets of other network communication, for example in
packets containing simple requests for a service running on the target system. The installed
RAT will intercept this information from the incoming network packets and ‘interpret’ them,
i.e. extract the embedded information from the packets. Answers from the RAT will also be
encoded into protocol information in response packets sent from the service back to the
intruder; this technique is called tunnelling.
The RAT will analyse the content of the requests and extract the embedded command, as well
as embed answers in regular service responses. The services used for this purpose will process
20
the intruder’s requests as regular requests, not noticing that the only purpose of this
communication is the transport of commands for a RAT; therefore, discovery of covert
channels is very challenging and needs a lot of experience and sophisticated tools for statistical
analysis or tools with a built-in anomaly detection features. Apart from network
communication, offline command and control can be built into the cyber tool as well. Once
delivered and installed, the tool carries all required information to act on the target system. This
technique is especially used in logic bombs which are launched against a target and which do
not require any link back to the intruder once the cyber tool is engaged.
8 Act – The System is Yours
If intruders can successfully submit commands to the target, the list of possible actions is more
or less unlimited. Taking down a system is the most commonly known impact of a cyber-attack;
the effect is not very challenging for the target system operators since the intrusion is noticed
instantly and can usually be countered by restoring the system from a backup or by system re-
installation. Still, system downtime and the effort required to bring the system up again can be
inconvenient. The most challenging intrusions are modifications that compromise a system and
force operators of the target system to work intensely to figure out which modifications to data
or software have been made, and to distinguish valid data from invalid data. The biggest
challenge here is the reverse proportion of acting effort against reacting effort: simple
modifications can disorganise target systems entirely and make them useless to their rightful
owners. The following examples of disturbing actions which intruders have performed
illustrate the great variety of possible actions from which they can choose, once they have
successfully exploited the target system:
(i) Renaming files:
Big companies or organisations store their files on servers. A very vicious interference is to
rename files or exchange file names of existing documents, either randomly or following a
21
plan. The effect increases if the intruder does not initially do this with files that are currently
or recently used but focuses on older files, so the changes are not seen immediately. In that
case, the modifications might also be applied to the backup device, so when the attack is finally
recognised, restoring the backup does not solve the problem.
(ii) Changing file versions and dates:
In any office environment, documents usually have different versions. Substituting this
information or swapping new with old versions can entirely disorganise business processes
until the cyber-attack is detected.
(iii) Modifying tables and charts in files:
This effect takes the already introduced effects to a more fine-grain level: all modifications can
be done at file level as well. Inserting false data or modifying information in documents can
disturb business processes and such changes – if done at system level, so the modifications are
not reflected in the file system – are even more difficult to detect.
(iv) Deleting single files:
Instead of taking down an entire system, deleting single files can cause more confusion, though
the effect is not great if the system is backed up regularly.
(v) Inserting bogus files:
Instead of deleting information, adding some information is also likely to cause confusion,
especially if this information is well-prepared and fits into the context of the business processes
of the target systems. Such additional information can be, for example, new versions of existing
documents or entirely bogus documents introducing new processes or workflows. Malware
spreading techniques have been implemented this way, but since that promotes detection, such
techniques are no longer used.
(vi) Modifying user privileges:
22
Modifying user privileges is especially effective when granting more right to users than they
should have. They tend to misuse their new privileges or accidentally make use of them causing
damage to the system. Taking rights from users is not a very efficient technique since they will
complain; system administrators will help out and probably detect the intrusion at the same
time.
(vii) Changing passwords:
Password changes of target system user accounts, often referred to as famous intruders’
activities, are not very effective since they can easily be changed again by the system
administrators. The picture changes if all system administrator passwords are changed. In such
a case, as with system takedown, only restoring the system from a backup or a system re-
installation will help.
(viii) Uninstalling software:
Whereas during a cyber operation additional software might have been installed, uninstalling
software or applying bogus software patches can have reasonable effects on the target system,
especially if system security software is being compromised. Additionally, introducing
software failures in COTS software is very efficient if, for example, the undo function is also
disabled, and bogus functionality affects information when working with business data.
This list of possible actions and effects is of course incomplete and only demonstrates the
potential impact an intruder can have on a target system. If the target system is steering the
controls of a machine, for example, the impact may be worse. Successful intrusion into control
devices of machines have been seen already, and with the Stuxnet case50, scenarios of cyber
tools indirectly causing physical damage to critical infrastructures are no longer science fiction.
50 The European Union Agency for Network and Information Security (ENISA) published a Stuxnet Analysis –
see internet portal of ENISA. Available at:< http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis>.
23
After a successful penetration of the target system, the effects of the intrusion are only limited
by the technical capabilities of the targeted system. Whereas security researchers usually do
not modify anything on the target since they more or less aim to work out a proof of concept,
and State actors will act in accordance with their duties, malicious hackers will try to make a
profit.
1.4 Effects of Cyber Operations.
The examples of effects that cyber operations may cause illustrate the threatening technical
possibilities an information society is facing. The tools and techniques used to cause these
effects are available on the internet and can be used by any talented actor, regardless of the
particular intention or motivation. State actors’ cyber operations must be accepted as a
consequence of the emerging threat to which everyone is exposed, and technical evolution will
raise their importance. The effect of cyberspace operations could be positive or negative,
depending on the intent and purpose of its use. In analysing the effects of cyber operations by
States, two ends of the spectrum must be considered. On one end of the spectrum, is the
possibility that States could employ the use of cyberspace as a global network, where several
inter-continental interactions can be effected. Such operations could also suffice as a social
experience for individuals, where they can interact, exchange ideas, share information, provide
social support, conduct business, direct actions, create artistic media, play games, engage in
political discussions, and the list is endless.
On the other end of the spectrum is another use of cyberspace by States which has become
increasingly popular over the decades, and this is the use of cyberspace for offensive purposes.
It appears that States have taken the cyberspace as an alternative battleground to address rising
concerns amongst one another. Instead of the conventional warring, most States would rather
attack other States using cyber weapons and causing harm than actually confronting those other
States using kinetic or nuclear weapons. A typical example of this kind of cyber operation is
24
“Cyber-attack”. The definition of cyber-attack used here is actions in cyberspace whose
foreseeable results include damage or destruction of property, or death or injury to persons.51
To date, the best real-world example of a cyber-attack is “Stuxnet”,52 an operation reportedly
carried out by Israel and the US to slow Iran’s development of nuclear weapons. Reports of
Stuxnet estimate 1,000 Iranian centrifuges were damaged beyond repair when stealthy malware
caused machines to spin at certain high and low ranges. The result of the Stuxnet activity –
destruction of equipment – would make it a cyber-attack under the cyber spectrum proposed
here. Another obvious example would be a tragic accident that occurred in Russia in 2009.53
In that case, a damaged turbine at the Sayano-Shushenskaya hydroelectric power plant had
been shut down for maintenance. A computer operator at a control facility, located far from
the dam, seeking to correct for a loss in available power, brought the damaged turbine back on
line. The operator’s electronically delivered command for increased activity caused the
damaged turbine to spin out of control, killing 75 people and causing over $1 billion damage.
While the official investigation of the dam failure blamed poor management and technical
flaws, this tragedy demonstrates how wrongdoers might theoretically take control of a
computer system and cause horrific damage by manipulating it.
Finally, another effect malicious States’ operations may lead to is a phenomenon referred to as
“Cyber disruption”. Cyber disruption includes actions that interrupt the flow of information or
the function of information systems without causing physical damage or injury. Examples of
cyber disruptions include disturbing the ability of a government to communicate with its
population, as occurred in Estonia (2007)54 and Georgia (2008)55. In 2007 in Estonia, cyber
51 Ibid. 52 William J. Broad, John Markoff, & David E. Sanger, Israeli Test on Worm Called Crucial in Iran Nuclear
Delay, N.Y. TIMES, Jan. 15, 2011, Accessed at:
<http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet> (May 7, 2016). 53Available at: < https://en.wikipedia.org/.../2009_Sayano–Shushenskaya_power_station> (May 7, 2016). 54 "STUXNET Malware Targets SCADA Systems". Trend Micro. Jan 2012. 55 Cyber War Case study: Georgia 2008. David Hollis.
25
actions shut down the Government’s ability to communicate and froze the financial sector for
about a month. The motivation for the actions was the Estonian government’s decision to move
a memorial statue of a Soviet soldier in Tallinn to a less prominent location in the city. The
activities were coercive in that they were imposed against Estonia’s will and the Government
was not able to stop the effects. Estonia heavily relied on cyberspace for communications and
commerce, and experienced significant disruption of its communication and economic systems.
Furthermore, in 2008, cyber disruption of Georgian web and telecommunications began just as
Russia commenced military operations in the Republic of Georgia. The disruptive activities
prevented many government computer-based activities in the early days of the Russo-Georgian
conflict. Georgia’s civilian communications, financial systems and media were also degraded
by the cyber operations. And lastly, a lesser-known example of cyber disruption is the
GhostNet56 set of activities. GhostNet, was reportedly based in China, and affected government
systems around the world. It penetrated systems in Canada’s Finance Department and Treasury
Board so pervasively that the Government took the systems off-line for nearly a month. As the
Canadian action demonstrates, certain access or espionage activities may be so damaging to
the system’s trustworthiness or reliability, they can effectively render the system useless. This
is especially true in the case of systems vital to national security or welfare. One notorious
effect of this offensive cyber operations is that when unauthorized people gain deep or
persistent access to sensitive information, the situation effectively forces a government to
choose between shutting down a system or suffering exposure to unacceptable risk. Although
cyber disruption is factually distinguishable from actions that cause death and destruction, the
effects of both are largely the same. In both cases, the cyber operations inhibits one State from
56 Tracking GhostNet: Investigating a Cyber Espionage Network. Munk Centre for International Studies. May 9,
2016.
26
taking further or a particular action, either by destroying its cyber infrastructure or by effecting
a dislocation to its functionality.
Conclusion
In this chapter, we have considered holistically, the meaning, scope and gamut of cyberspace
operations. We have also considered some of the phraseologies commonly associated with
“cyberspace”. In progression, a cursory examination into the fons et origo of cyberspace
operations was provided. After pointing out the different roles of cyber actors and the
implications their roles have on the conduct of a cyber operations, the stages of such an
operation in cyberspace have been described. For each stage, common techniques used by the
different actors have been explained and examples of the most commonly used tools have been
given. Additionally, the effects caused by these tools and techniques have been discussed,
especially the possible actions following a successful target system penetration. This chapter
also demonstrated that a cyber operation is a very complex endeavour and requires not only
deep system knowledge at expert level, but also a certain portion of talent to be truly successful.
With respect to the essence of this project, this chapter has demonstrated a detailed explication
into the realm of the cyberspace. In this chapter, the intricacies surrounding cyberspace that
befuddle many legal professionals have been brought to the glare in plain terms. One thing is
obvious; cyberspace is a novel area in legal jurisprudence, as there is lacking, a direct and
fitting provision of the law that circumspectively regulates operations in cyberspace, otherwise
known as cyber operations. In the next chapter, we shall consider the possibility of the
applicability of the law, specifically international law in cyberspace.
27
CHAPTER TWO
APPLICABILITY OF GENERAL PRINCIPLES OF INTERNATIONAL LAW TO
CYBERSPACE
2.0. Introduction
This chapter describes general principles of international law as a source of international law
(pursuant to art 38(1) (c))57 and illustrates their application to cyberspace. For the purposes of
the present analysis, cyberspace is understood as a global, non-physical, conceptual space,
which includes physical and technical components i.e. the internet, the ‘global public memory’
contained on publicly accessible websites, as well as all entities and individuals connected to
the internet. Cyberspace has political, economic, social and cultural aspects going far beyond
the notion of a pure means of information transfer.
Some claim (inadequately, as the present chapter proves) that cyberspace is not or is only partly
regulated by law, as cyber-specific international customs are absent and contractual regulation
scarce. The classical international law approach to such a situation would be to invoke the basic
principle as stated in 1927 by the Permanent Court of International Justice (PCIJ) in the Lotus58
case: “based on the notion of sovereignty, in the absence of a legal prohibition, a State enjoys
freedom of action. However, the consequently competing freedoms of the coexisting sovereign
States are guided (and de-conflicted) by general principles of international law”. These
principles are most important in the cyber context, since they form the basis for a progressive
development of international law, enabling the international law system to respond to the
dynamic needs of an international society and especially to meet the fast growing technological
advances.
57 Article 38(1) (c), Statute of the International Court of Justice. 58 The Case of the S.S. ‘Lotus’, Merits (1927) PCIJ Rep Ser A, No 7, 18ff.
28
In the following, the nature, source and content of general principles of international law and
other corollary precepts will be described. These sections will be followed by some concluding
remarks.
2.1. Nature of the General Principles of International Law
The term ‘principles’ may refer to a meta-legal concept, generated within a philosophical or
ethical discourse, or to principles inherent in or developed from a particular body of law or law
in general.59 General principles of international law belong to the latter category, and must be
distinguished from the notion of ‘justice’ (or equity in the broad sense) and from ‘general
principles of moral law’, i.e., compelling or essential ethical principles endorsed in
international law (e.g., prohibition of genocide).60 On a conceptual level, though, the ethical
and legal meaning of the term ‘principles’ cannot be completely separated, as legal principles
are always to be deemed as expressions of overarching values.61 General principles of
international law reflect a genuine morality and the most basic values of the international
society as inherent in the international order and absolute principles relative to that existing
order.62 It should be mentioned that, because of this feature, general principles of international
law are partly criticised in academic writings as being a ‘gateway into the legal discourse for
natural law maxims’.63 As stated by one scholar, ‘general principles of law ... are arguably the
most important but certainly the least used and most confused source of law ...’64
The jurisprudence of the International Court of Justice (ICJ) does not bring clarity to the matter,
as hitherto the Court’s reference to general principles of international law has been
59 Rüdiger Wolfrum, ‘General International Law (Principles, Rules, and Standards)’ in idem (ed), The Max Planck.
Encyclopedia of Public International Law (Oxford University Press 2008, online edition [www.mpepil.com]) in
Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 136. 60 Brian D. Lepard, Customary International Law. A New Theory with Practical Implications (Cambridge
University Press 2010) 165. 61 Armin von Bogdandy, ‘General Principles of International Public Authority: Sketching a Research Field’
(2008) 9 German Law Journal 1909, 1912. 62 Lepard (n 3) 164. 63 Niels Petersen, ‘Customary Law without Custom? Rules, Principles, and the Role of State Practice in
International Norm Creation’ (2008) 23 American University International Law Review 275, 292. 64 Hicks (n 5) 7.
29
‘inconsistent and confused’.65 The academic controversy pertains in particular to whether
general principles of international law can be deemed a source of law of a normative character
or merely reflecting juridical maxims or legal ideas. In addition, there are disagreements over
whether they can present a source of obligations for States, whether they are a source of natural
law, and which relation they show with regard to that concept; whether they are enshrined in
Article 38(1) (c) of the Statute of the International Court of Justice of 1945 (ICJ Statute), or
are part of customary international law within the meaning of Article 38(1) (b) of the ICJ
Statute, even of a peremptory character, or whether they exist aside from the enumeration of
the aforementioned Article as an autonomous source of law; and whether they have a merely
persuasive authority of interpretative guidance or have the a nature of a quasi-constitutional
norm of the most importance.
Thus, it is surely not an exaggeration to assert that every aspect of general principles of
international law is disputed and unclear. Against this background, a thorough presentation of
diverse scholarly opinions on the specific aspects of controversy, as well as a clarification with
regard to the respective legal debate must be considered a task for a legal analysis of a major
extent and cannot be provided for within the limited scope of the present chapter. Therefore,
the following assessment can only offer a limited overview of the relevant court rulings and
opinions of legal commentators, and attempt to describe the source and content (2.2) as well as
its relationship to practice, opinion juris and consent of States (2.3), its Higher normative value
(2.4), its relationship to the concept of fundamental rights and duties of States (2.5) and finally
their feature as a vehicle of progressive law development (2.6).
65 ibid.
30
2.2 Source and Content of the General Principles of International Law
‘General principles of law recognized by civilized nations’ within the meaning of Article 38(1)
(c) of the ICJ Statute are a (subsidiary)66 source of international law which is derived, according
to the wording and as understood by the majority of scholars, from principles common to the
domestic law systems of all ‘civilised’67 countries, in so far as they are applicable to inter-State
relations.68 Some scholars assert that the provision (formerly Article 38 No. 3 of the Statute of
the Permanent Court of International Justice (PCIJ Statute) of 1920)69 also includes general
principles of international law, reflecting rather the international order of States than the
national law systems.70 They refer to the PCIJ Statute’s travaux préparatoires of 1920, which
show that the drafters had different views of the reference to ‘general principles of law’,
including the notion that the principles are to be understood in a broad way as ‘maxims of
law’.71 Furthermore, the drafting history shows that Article 38(c) (or as it was then, No. 3) was
a response to the need for the completeness72 of the law and the intention of the drafters was to
avoid a non liquet of the Court for lack of a positive rule (however, without giving the judges
the possibility to legislate or opening a gateway for natural law).73 In this spirit, it is asserted
that a modern interpretation of Article 38 is justified by the changes of the structure of the legal
order since 1920 with regard to the means of determination of international rules based on an
66 Alain Pellet, ‘Art. 38’ in Andreas Zimmermann et al (eds), The Statute of the International Court of Justice.
A Commentary (Oxford University Press 2006) MN 290. 67 The reference to ‘civilised’ nations was included in Article 38 of the Statute of the Permanent Court of Justice
(League of Nations) of 13 December 1920 (and was reproduced in the Statute of the International Court of Justice). 68 ‘The Uses of “General Principles” in the Development of International Law’ (1963) 57 American Journal of
International Law 279, 282, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski. 69 The provision was reproduced in the ICJ Statute without considerable discussion and with only minor alterations
(in the numbering of the paragraphs and subparagraphs, instead of alphabetic characters, and the addition of a few
words in the introductory phrase). cf Pellet (n 9) 42-45, in Peacetime Regime for State Activities in Cyberspace,
Kaatharina Ziolkowski. 70 Wolfrum, ‘General International Law’ (n 2) 28. 71 Cheng, General Principles of Law as Applied in International Courts and Tribunals (Cambridge University
Press 1953) 6-21, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski.. 72 In 1920, customary law was considered a slowly developing source of international law. Additionally, the
development of new rules of customary law was these days surrounded by scepticism, given the newly appeared
heterogeneity of the international community by the establishment of the Marxist-Leninist regime of USSR. 73 cf Bassiouni (n 3) 772ff, 779; Petersen (n 6) 307ff; Pellet (n 9) 245 (with further references to the drafting
history); Kolb (n 11) 30, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 138.
31
implicit consensus of States, which nowadays can be derived from more than the municipal
legal systems, e.g., also from binding decisions of international organisations.74 Finally, it is
noted that general principles as mentioned in the ICJ Statute and general principles of
international law cannot always be distinguished from each other.75 Others76 assert that the
reference to recognition by nations constitutes the distinguishing element between the
principles referred to by Article 38(1) (c) of the ICJ Statute and the general principles of
international law, of which only the latter derive from international law. Advocates of this
approach also invoke the legislative history, object and purpose of Article 38(1) (c) of the ICJ
Statute as a supporting argument.77 Their view is supported by the wording of Article 21(1) of
the Rome Statute of the International Criminal Court of 1998 (Rome Statute), which describes
as the law applicable by the Court, inter alia, ‘principles and rules of international law’ and
‘general principles of law derived by the court from national laws of legal systems of the
world’, thus explicitly distinguishing between the two forms of ‘general principles’. As the
Rome Statute hitherto has been signed by 139 States78, it can be asserted that the majority of
States, who are the primary subjects of international law, consider general principles of
international law as existing aside from the general principles derived from national law
systems, and consequently beside the enumeration of law sources in Article 38 of the ICJ
Statute.
This view is confirmed by the jurisprudence of the PCIJ and ICJ, which indicates the existence
of general principles of law, irrespective of their correspondence to principles pertaining to
74 17 Heintschel von Heinegg (n 10) § 16 MN 17, 23; Wolfrum, ‘Sources of International Law’ (n 2) 10; Pellet (n
9) 96, 88-95; Petersen (n 6) 308. 75 Wolfrum, ‘General International Law’ (n 2) 20. 76 eg Pellet (n 9) 86 and 252; Wolfrum, ‘General International Law’ (n 2) 7 and 20; cf Heintschel von Heinegg
(n 10) § 17 MN 1; Hicks (n 5) 3ff, 7, 35; Lepard (n 3) 163 and 166; Gaia (n 9) 32; JP Tammes, ‘The Legal System
as a Source of International Law’ (1953) 1 Netherlands ILR (4) 374, in Peacetime Regime for State Activities in
Cyberspace, Kaatharina Ziolkowski, 139. 77 Wolfrum, ‘General International Law’ (n 2) 28. 78 Information of the UN Treaty Collection as of 9 May 2013, <http://treaties.un.org/pages/ViewDetails.
aspx?src=TREATY&mtdsg_no=XVIII-10&chapter=18&lang=en>. (May 11, 2016).
32
municipal laws.79 The PCIJ, for example, referred to ‘principles of international law’,80 ‘an
elementary principle of international law’,81 ‘a principle of international law, and even a
general conception of law’,82 ‘general and essential principles’,83 ‘generally accepted principle
of international law’,84 and to a ‘principle universally accepted’.85 The ICJ, for example,
invoked ‘general and well recognized principles’,86 ‘rule(s) of law generally accepted’,87
‘general principles of international law’,88 ‘fundamental or cardinal principle of ... law’,89
‘fundamental principle of international law’,90 ‘well established principle of international
law’,91 and a ‘principle universally accepted’.92 In none of the cases was Article 38(1) (c) of
the ICJ Statute mentioned in the context. The question arises, upon which methodology the
existence of general principles of international law is recognised. In the Lotus case, the PCIJ
conducted ‘researches of all precedents, teachings and facts to which it had access and which
might possibly have revealed the existence of one of the principles of international law (…)’.93
In the Chorzów Factory case, the Court ascertained an ‘essential principle’, because it ‘has …
79 Cf Gaia (n 9) 32. 80 Lotus (n 1) 31. 81. Mavrommatis Palestine Concessions, Judgement (1924) PCIJ Rep Ser A, No 2, 12 (referring to the principle
that a State has a right to protect its subjects when injured by unlawful acts committed by another State), in
Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski,142. 82 Case Concerning the Factory at Chorzów, Merits (1928) PCIJ Rep Ser A, No 17, 29 (‘any breach of an
engagement involves an obligation to make reparation’). 83 ibid 47-48. 84 Greco-Bulgarian ‘Communities’, Advisory Opinion (1930) PCIJ Rep Ser B, No 17, 32 (‘in relations between
treaty parties treaty law prevails over municipal law’). 85 Electricity Company of Sofia and Bulgaria, Order (1939) PCIJ Rep Ser A/B, No 79, 199, in Peacetime Regime
for State Activities in Cyberspace, Kaatharina Ziolkowski, 142. 86 The Corfu Channel Case, Merits, (1949) ICJ Rep 4, para 22. 87 Case Concerning Right of Passage over Indian Territory Case, Preliminary Objections, (1957) ICJ Rep 125,
142. 88 Legal Consequences for States of the Continued Presence of South Africa in Namibia (South West Africa)
notwithstanding Security Council Resolution 276 (1970), Advisory Opinion (1971) ICJ Rep 16, para 94 (‘the
general principles of international law regulating termination of a treaty relationship on account of breach’). 89 Nicaragua (n 29) 190. 90 Applicability of the Obligation to Arbitrate under Section 21 of the United Nations Headquarters Agreement of
26 June 1947, Advisory Opinion (1988) ICJ Rep 12, para 57 (‘the fundamental principle of international law that
international law prevails over domestic law’). 91 Case Concerning Land and Maritime Boundary Between Cameroon and Nigeria Case (Preliminary
Objections), Judgement (1998) ICJ Rep 275, para 38 (‘the principle of good faith is a well-established principle
of international law’). 92 LaGrand Case, Judgement, (2001) lCJ Rep 466, para 103. 93 Chorzów Factory (n 25) 29
33
never been disputed in the course of the proceedings in the various cases concerning the
Chorzów factory’94and ‘seem (ed) to be established by international practice and in particular
by the decisions of arbitral tribunals’.95 In the Electricity Company of Sofia and Bulgaria case,
the PCIJ concluded the existence of a principle, because it was ‘universally accepted by
international tribunals and likewise laid down in many conventions’,96 without further
explanation. The assertion by the ICJ of a general principle of law was only rarely accompanied
by an adequate demonstration of its existence in international law.97 In the Nicaragua case, the
Court sought a ‘confirmation of the validity as customary international law of the principle of
the prohibition of the use of force’ by reference to Article 2(4) of the Charter of the United
Nations (UN Charter) and ‘the fact that it is frequently referred to in statements by State
representatives as being not only a principle of customary international law but also a
fundamental or cardinal principle of such law’.98 In the Western Sahara99 advisory opinion, the
ICJ referred as the basis for the principle of international law of self-determination of peoples
to the UN Charter, UN General Assembly (UNGA) resolutions and to its own prior decision.
Thus, it can be concluded that the jurisprudence of the international Courts did not develop any
methods of identifying general principles of international law. Unfortunately, to quote a
scholar, (scholarly writings on this question are few, and what writings exist are unclear.’100
The most accurate assertion might be the ambiguous proposal to identify general principles of
international law ‘by way of successive “accretions” (inductive) and “concretization”
(deductive) to which the principle leans itself’.101
94 Ibid. 95 Ibid. 96 Electricity Company of Sofia and Bulgaria (n 28) 199. 97 Gaia (n 9) 20. 98 Nicaragua (n 29) 190. 99 Western Sahara, Advisory Opinion (1975) ICJ Rep 12, para 54-65. 100 Bassiouni (n 3) 817, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 149. 101 cf Kolb (n 11) 10.
34
By whichever methodology, academic literature and the jurisprudence of the PCIJ and ICJ
indicate that general principles of international law can be derived from general
considerations102 (for example, ‘elementary considerations of humanity’, as seen in Corfu
Channel Case103), legal logic (mostly pertaining to procedural rules), legal relations in general
(for example, the principle of good faith),104 from international relations, or from a particular
treaty105 regime. Additionally, some scholars assert that general principles of international law
can be derived from the ‘conception of [a specific] legal system’106 (e.g., the UN) and may
emerge from ‘manifestations of international consensus expressed in [UN] General Assembly
and Security Council Resolutions’.107
PCIJ and ICJ identified several principles of either general significance (freedom of maritime
communications,108 damages109), of a contractual nature (pacta sunt servanda, good faith,
estoppel110), of procedural character (nemo judex in causa sua)111 and of relevance to specific
situations (self-determination of peoples,112 uti possidetis juris,113 ‘fundamental general
principles of humanitarian law’,114 ‘elementary considerations of humanity’115). Academic
writings assert, beside the above-mentioned principles, the existence of further general
principles of international law, such as consent, reciprocity unjust enrichment, finality of
102 Wolfrum, ‘Sources of International Law’ (n 2) 37. 103 Corfu Channel (n 29) 22. 104 Wolfrum, ‘Sources of International Law’ (n 2) 37. 105 Reservations to the Convention on the Prevention and Punishment of the Crime of Genocide, Advisory Opinion
(1951) ICJ Rep 15, 23. 106 cf Hermann Mosler, ‘General Principles of Law’ in Rudolf Bernhardt (ed), Encyclopedia of Public
International
Law (vol 2, Elsevier North Holland 1995) 511-27. 107 Bassiouni (n 3) 769, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 151. 108 Corfu Channel (n 29) 22, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 151. 109 Chorzów Factory (n 25) 29. 110 Case Concerning the Temple of Preah Vihear, Merits (1962) ICJ Rep 6, 31-32. 111 South-West Africa – Voting Procedure, Advisory Opinion (1955) ICJ Rep 67, 100 [separate opinion of Judge
Lauterpacht]. 112 Western Sahara (n 42) 54-65. 113 Case Concerning the Frontier Dispute, Judgement (1986) ICJ Rep 554, para 20. 114 Nicaragua (n 29) 218, 220, 225. 115 Corfu Channel (n 29) 22.
35
settlements, and proportionality.116 Additionally, based on the notion of general principles as
systematisation of existing norms of international law, the ‘principle of common heritage of
mankind’ (developed in the context of the law of the sea and applied to certain common spaces)
and the ‘principle of sustainable development’ (developed in the context of international
environmental law) are affirmed.117
With regard to general principles of international law as pertaining to international peace and
security, the international Courts did explicitly acknowledge the principles of State
sovereignty118 (and the corollary principle of ‘every State’s obligation not to allow knowingly
its territory to be used for acts contrary to the rights of other States’119), non-intervention,120
refraining from use of force in international relations,121 and peaceful settlement of disputes.122
Article 2 of the UN Charter enshrines these principles as legal obligations,123 i.e., the sovereign
equality of States (No. 1), non-intervention in matters within the domestic jurisdiction of States
(No. 7, although only stating a respective prohibition for the UN), refraining from (threat or)
use of force in international relations (No. 4), and peaceful settlement of disputes (No. 3).
Article 1 of the UN Charter, depicting the purposes of the organisation, refers to the
organisation’s goal of achieving international cooperation in solving international problems
(No. 3). All the above mentioned principles of the UN and, additionally, the duty of States to
cooperate are further elaborated upon in the UNGA Friendly Relations Declaration71 of
116 Ian Brownlie, International Law and the Use of Force by States (Oxford University Press 1963) 19. As stated
before, it is noted in the academic writings that some of the principles may not be distinguishable from the ‘general
principles of law recognized by civilized nations’ in the meaning of Article 38(1) (c) of the ICJ Statute. 117 Wolfrum, ‘General International Law’ (n 2) 8. 118 Nicaragua (n 29) 263 119 Corfu Channel (n 29) 22. 120 Nicaragua (n 29) 202, 204. 121 ibid 181. 122 ibid 290. 123 Andreas Paulus, ‘Article 2’ in Bruno Simma et al (ed), The Charter of the United Nations (3rd edn, vol 1,
Oxford University Press 2012) MN 8.
36
1970124 (widely accepted as a quasi-binding interpretation of the UN Charter),125 which
declares them to ‘constitute basic principles of international law’ (General Part, para. 3). These
‘basic principles’ were confirmed by the UNGA in its Millennium Declaration126 of 2000. At
the regional level, States participating in the Conference on Security and Cooperation in
Europe in 1975 adopted a Declaration on Principles Guiding Relations between Participating
States127 (part of the so-called Helsinki Declaration), which affirms, apart from other
principles, all the general principles of international law pertaining to international peace and
security as stated in the Friendly Relations Declaration.
Scholarly writings in general confirm these principles as having the nature of general principles
of international law, partly adding also into this category the principle of domestic jurisdiction
(corollary of State sovereignty).128 Thus, a common core of general principles of international
law, as pertaining to international peace and security, can be identified, even if the finding is
‘… based on nothing grander than their having passed what Thomas Franck calls the ‘but of
course test’ – a more or less unstable ‘common sense of the international community’ …’.129
In summary, general principles of international law as relevant to international peace and
security can be deemed as consisting of the principles of:
1. Sovereign equality of States, including the corollary principles of:
a. Self-preservation,
124 71 Declaration on Principles of International Law concerning Friendly Relations and Co-operation among
States in accordance with the Charter of the United Nations UNGA Res 2625 (XXV) (24 October 1970) annex
(adopted without vote). 125 Bardo Fassbender, ‘Article 2(1)’ in Simma (n 70) MN 31. 126 United Nations Millennium Declaration UNGA Res 55/2 (8 September 2000) para 4. 127 The Final Act of the Conference on Security and Cooperation in Europe (1 August 1975) (Helsinki Declaration)
(1978) 14 ILM 1292. 128 cf Crawford (n 11) 37 (naming the principles of equality of States and domestic jurisdiction); Kolb (n 11) 25ff
(naming the principles of ‘non-use of force, peaceful settlement of disputes […], etc.’); Heintschel von Heinegg
(n 10) § 16 MN 43 (naming the principle of equality and independence of States); Brownlie (n 63) 19, in Peacetime
Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 172. 129 International Law Commission (ILC), Fragmentation of International Law: Difficulties Arising from the
Diversification and Expansion of International Law (Report of the Study Group of the International Law
Commission, finalized by Martti Koskenniemi, UN Doc No A/CN.4/L.682, 13 April 2006) para 468.
37
b. Independence,
c. Jurisdiction over domestic matters,
d. Non-intervention in matters within the domestic jurisdiction of other States,
e. Duty not to harm the rights of other States,
2. Maintenance of international peace and security, including the principles of:
a. Refrain from (threat or) use of force in international relations,
b. Duty to peaceful settlement of disputes, and
3. Duty of international cooperation in solving international problems.
The significance and concretisation of these principles for cyberspace will be introduced in
detail, in the next chapter.
2.3 Relationship to Practice, Opinio Iuris and Consent of States
It is widely recognised within scholarly writings that the development or recognition of general
principles of international law either does not require proof of their existence, or exists
independently from the consent or will of the States. Based on the consensual approach to
international law (i.e., emphasising the importance of the will of the States, who are the primary
subjects creating international law), and on the presumption of general principles of
international law being part of international custom, some scholars assert that the existence of
the general principles is based on the States’ opinio iuris, which, however, does not require to
be evidenced.130 They affirm that there would be an agreement within the international
community that the general principles of international law have been so long and generally
accepted and are still believed to be desirable, so there would be no need for an evidence of
State practice for their recognition.131 This approach corresponds with the classical theory of
130 eg Heintschel von Heinegg (n 10) § 16 MN 43. 131 cf Heintschel von Heinegg (n 10) § 16 MN 43; Crawford (n 11) 37; Lepard (n 3) 166; Brownlie (n 63) 19.
38
international custom, which perceives State practice not as a normative requirement, but as a
means to proving the existence of consent (in the meaning of a tacit treaty).132 In the case of
general principles of international law, such a (tacit) consent or will of the States is
presumed.133 However, such presumed (tacit) consent or will of the States could also be deemed
irrelevant. The above-presented view is based on the notion that the existence of general
principles of international law is based on the opinio iuris of the States. It is noted within
scholarly writings that opinio iuris is an opinion, conviction, or belief referring to the legality
or illegality of a certain behaviour of a State, thus not depending on the will of the State.134 It
is rather based on a meta-legal notion or on general legal considerations that a certain State’s
conduct is just, fair or reasonable and, for that reason, required under law.135 Thus, opinio iuris
is based on a value judgement.136 General principles of international law, reflecting a genuine
morality and most basic values of the international society as inherent to the international order,
would consequently not depend on the (tacit) consent or will (evidenced by State practice) for
the proof of their existence.
Furthermore, it is asserted that general principles of international law exist independently of
the practice, consent or will of the States, because they form the ‘backbone’ of the international
law system.137 As the international law system is an accepted reality of the international
structure and order, and gives the States the platform to exercise their will, its very existence
does not need consent or expression of will by the States.138 This finding is confirmed by the
ICJ, which held in the Gulf of Maine case: ... customary international law ... in fact comprises
132 Petersen (n 6) 294ff, 300. 133 Martti Koskenniemi, ‘The Politics of International Law’ (1990) 1 European Journal of International Law (4)
4, 20-27 (claiming the binding character of general principles of international law and other non-consensual
general law because of a ‘subjective value of “justice”’), in Peacetime Regime for State Activities in Cyberspace,
Kaatharina Ziolkowski, 190. 134 Treves (n 90) 9. 135 Wolfrum, ‘Sources of International Law’ (n 2) 25. 136 Ibid. 137 ibid; Treves (n 90) 9; Hicks (n 5) 9. 138 cf Hicks (n 5) 9, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 192.
39
a limited set of norms for ensuring the co-existence and vital co-operation of the members of
the international community, together with a set of customary rules whose presence in the
opinio juris of States can be tested by induction based on the analysis of a sufficiently extensive
and convincing practice, and not by deduction from preconceived ideas.139
The Court thus distinguished within the customary law a category of ‘a limited set of norms
for ensuring the co-existence and vital co-operation’ of States deducted from ‘preconceived
ideas’, and not from practice, opinio iuris, consent or any other expression of the will of States.
Thus, the binding nature of general principles of international law is based either on the
assumption of a tacit consent or will of the subjects of international law, i.e., primarily
States, or on the notion that the general principles reflect universally accepted metalegal
principles (justice, equity and fairness).140 This statement reflects the dichotomy of the
consensual approach (recognising that international customary and contractual law is firmly
based on the States’ consent) and a rather natural law approach to international law. This legal
dichotomy, which, at first sight, appears to be of academic value only, is especially important
in the context of general principles of international law, as some of them, according to
jurisprudence of the ICJ and scholarly opinion, are derived from ‘preconceived ideas’ and
apply regardless of the States’ practice, opinio iuris, consent or any other expression of will.
This results in a most significant consequence: States cannot ‘opt-out’ from general principles
of law that are necessary for the ‘co-existence and vital co-operation’ within the international
community. It can be asserted that such principles are reflected by the general principles of
international law as pertaining to international peace and security as identified above (section
2.2). After a respective interpretation and concretisation with regard to the cyber realm, as will
139 Case Concerning Delimitation of the Maritime Boundary in the Gulf of Maine Area, Judgment (1984) ICJ Rep
246, para 111. 140 Wolfrum, ‘Sources of International Law’ (n 2) 3.
40
be provided infra, they ought to be observed by States regardless of their (other) practice,
opinio iuris, consent or any other expression of will.
2.4 Higher ‘Normative Value’
General principles of international law were described by scholars as ‘so fundamental ... that
no reasonable form of co-existence is possible without their being generally recognized as
valid’, as ‘manifestations of the universal legal conscience’, or as principles that constitute
unformulated reservoir of basic legal concepts ..., which form the irreducible essence of all
legal systems’.141 Not surprisingly, advocates of the constitutionalist approach to international
law attribute general principles that are essential for the existence of the present order structure
a quasi-constitutional role within the international law system.142 Such principles would be,
e.g., good faith, proportionality, restitution of unjust enrichment, self-determination of peoples,
non use of force, and peaceful settlement of disputes.143 The constitutionalist approach
distinguishes such ‘constitutional norms’ from other norms of international law and
pronounces a priority of values which shall reflect a hierarchy of norms.144 The respective
debates are characterised by controversy that can be related to diverging underlying
conceptions of the relationship between morality and international law.145
Independently from the constitutionalist approach, some authors also claim that certain
fundamental principles of international law would in theory present a superior source of law.146
This view is based on the notion that such basic principles would be applied for the purpose of
modifying and superseding conventional and customary rules, as the principles would, due to
141 Bassiouni (n 3) 771. 142 Kolb (n 11) 9, 25 and 36 (‘the law of general principles is constitutional law in the fullest sense of the word. It
is placed on the level of sources, of development of the law, of essential metabolistic functions within the legal
order.’). 143 ibid 25ff. 144 Venzke and von Bernstorff (n 83) 17. 145 Ibid. 146 Martti Koskenniemi, ‘Hierarchy in International Law: A Sketch’ (1997) 8 European Journal of International
Law 566, 577.
41
their general character and value-based content, present the standard for testing the conformity
of other norms with the existing legal basis.147 For the same reasons, they could not be
overridden by any other individual rule, however specific and enacted in formal fashion.148
A formal hierarchy between the sources of international law must be rejected.149 The informal
hierarchy in the techniques of legal reasoning (i.e., successive orders of consideration based on
ease of proof or on the approach to applicable law, proceeding from more specific to more
general norms) does not introduce a hierarchy of norms.150 Also the UN Charter, enshrining
some of general principles of international law (section 2.1), cannot be viewed as a constitution
or basic norm of international society at a higher normative level. The Charter is an
international treaty, which – according to its Article 103 – prevails only over contrasting
contractual obligations taken by a UN Member State.
Furthermore, it is asserted that a ‘heightened normativity’ of certain general principles of
international law could be derived from their character as peremptory norms (ius cogens) of
international customary law.151 The notion of ius cogens was first proposed by (natural law)
scholars in the 17th and 18th century and was adopted in the Vienna Convention on the Law of
Treaties (VCLT) of 1969.152 According to Article 53 of the VCLT, ius cogens is ‘... a norm
accepted and recognized by the international community of States as a whole as a norm from
which no derogation is permitted and which can be modified only by a subsequent norm of
general international law having the same character.’ Given that norms, which are ‘accepted
and recognized by the international community of States as a whole’ are based on the consent,
or at least acquiescence, of the world, the ius cogens concept is based on the consensual
147 Hicks (n 5) 29; Bassiouni (n 3) 787. 148 Koskenniemi (n 123) 577. 149 Pellet (n 9) 265 and 268. 150 Koskenniemi (n 123) 566-582; ILC (n 76) 463. 151 Crawford (n 11) 37. 152 Wolfrum, ‘Sources of International Law’ (n 2) 49; Jochen A Frowein, ‘Ius Cogens’ in MPEPIL (n 2) MN 3;
ILC (n 76) 361.
42
foundation and not on the notion of a gateway of meta-legal or general considerations (as
envisioned by the naturalists).153 Though, ius cogens also indicates a certain recognition of a
‘public order of the international community’ based on the consensus concerning fundamental
values which are not at the disposal of the subjects of that legal order.154 Despite this distinctive
nature, and in contrast to some assertions within scholarly writings,155 ius cogens is not a higher
category of formal sources of international law, but a particular quality of customary law
norms.156 This particular quality is not depicted by a hierarchical position, but by special
consequences of the breach of the norms, as stated in Responsibility of States for Internationally
Wrongful Acts157of the International Law
Commission (ILC) with regard to ‘serious breach (es) by a State of an obligation arising under
a peremptory norm of general international law’. Thus, it can be concluded, that, although there
is no hierarchy among the sources of law, there is a notion that ius cogens, because of its
fundamental content, is in one way or another intrinsically ‘superior’ to all other norms.158
Scholars are in disagreement as to what constitutes ius cogens and how a given rule, norm or
principle rises to that level.159 Significant State practice, which could supportthe identification
of specific peremptory norms, has not developed.160 Nonetheless, it is asserted that fundamental
general principles of international law have the character of ius cogens (and are even ‘merely
a semantic variation’161 of them).162 This is based on the understanding of fundamental
principles of international law as norms ‘whose perceived importance, based on certain values
and interests, rises to a level which is acknowledged to be superior, and thus capable of
153 Wolfrum, ‘Sources of International Law’ (n 2) 49. 154 Frowein (n 129) 3, 11. 155 Wolfrum, ‘Sources of International Law’ (n 2) 11; Cheng (n 14) 22. 156 Pellet (n 9) 279. 157 UNGA Res 56/83 (12 December 2001) annex. 158 Pellet (n 9) 280. 159 Bassiouni (n 3) 801ff. 160 Wolfrum, ‘Sources of International Law’ (n 2) 50. 161 Bassiouni (n 3) 780 162 ibid; Crawford (n 11) 37.
43
overriding another norm, rule, or principle in a given instance’.163 This view could be deemed
as confirmed by the ICJ, which stated in the Nicaragua case164 ‘that … the customary
international law flow(s) from a … fundamental principle outlawing the use of force in
international relations’, i.e., a prohibition which is widely acknowledged as a ius cogens norm.
Thus, fundamental principles of international law can be attributed a ‘higher normative value’
without introducing a formal hierarchy into the sources of international law – either because of
their quasi-constitutional role within the international law system, or as peremptory norms of
international custom. Taking either approach, there seems to be an understanding within the
academia and within the rulings of international Courts that the fundamental principles of
international law do have a non-derogative character. This, as mentioned above, results in the
finding that all States’ behaviour has to be guided by the general principles of international
law, and, whenever they also show a normative character in terms of a legal obligation, States
cannot ‘opt-out’ from fundamental principles of international law, i.e., those which are
essential for the and vital co-operation of the members of the international community’. This
finding is of significance for the principles as pertaining to international peace and security in
cyberspace, as they will show a ‘normative value’ higher than other obligations deriving from
international law.
2.5 Relationship to the Concept of Fundamental Rights and Duties of States
A different theoretical approach to the phenomenon of a ‘higher normative value’ of the
fundamental principles of international law is given by the concept of fundamental rights and
duties of States.
The doctrine emerged in the 17th century (coinciding with the Peace of Westphalia of 1648,
marking the beginning of modern international law) and is based on the independence (from
papacy and empire) and equal sovereignty of States (with regard to their exclusive dominion
163 Bassiouni (n 3) 805. 164 Nicaragua (n 29) 181, 188, 190 (refrain from the use of force in international relations).
44
of territorial jurisdiction).165 According to the concept, the existence of fundamental rights and
duties is inherent to the essence of a State.166 The specification of the nature of such
fundamental rights and duties is problematic, as pursuant to the doctrine, they would present a
quasi-constitutional basis, upon which all other international law norms are based.167
At the beginning of the 20th century (and especially on the American continents) several inter-
governmental conferences dealing with fundamental rights and duties of States were
conducted, resulting in respective political declarations.168 Additionally, diverse international
lawyers’ associations developed declarations of fundamental rights and duties of States.169
Also, several international treaties codifying States’ views on fundamental rights and duties
were concluded.170 In 1949, the ILC elaborated (upon request of the UNGA)171 a draft
Declaration on the Rights and Duties of States172 containing 14 articles, which was transmitted
by the UNGA to States for considerations on further action. However, already within the ILC
the draft was voted against (only) by the US and the USSR, and States never requested the
UNGA to take the issue up again.173 It should be mentioned that, according to the draft’s
preparatory work, the ILC considered Article 2 of the UN Charter as expressing fundamental
rights and duties of States.174 In the same line, the Friendly Relations Declaration could be
165 Sergio M Carbone and Lorenzo Schiano de Pepe, ‘States, Fundamental Rights and Duties’ in Peacetime
Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 201. 166 Carbone and Schiano de Pepe (n 142) 1 and 30. 167 Epping and Gloria (n 143) § 26 MN 2. 168 eg Declaration of American Principles of the Eights International Conference of American States of 1938. 169 eg American Institute of International Law in 1916 (Declaration of Rights and Duties of Nations); the
International Juridical Union in 1919 (Draft of a Declaration of Rights and Duties of Nations); the International
Commission of American Jurists in 1927 (Report Project II, States: Existence, Equality, Recognition); the Union
Juridique International/International Law Association in 1936, or the Inter-American Juridical Committee in 1942
(Reaffirmation of Fundamental Principles of International Law). 170 eg the ( Montevideo) Convention o n R ights a nd D uties o f S tates (inter-American) of 26 December 1933;
the Charter of the Organization of American States of 30 April 1948 (Chapter IV), or the Charter of the
Organization of African Unity of 25 May 1963 (Article III and V; abrogated in 2000 by the Constitutive Act of
the African Union). Article III of the OAU Charter (Principles) referred to sovereign equality, non-interference,
peaceful settlement of disputes; Article V (Rights and Duties of Member States) referred to equal ‘rights and
duties of Member States’. 171 UNGA Res 178 (II) (21 November 1947) para 3. 172 UNGA Res 375 (IV) (6 December 1949) annex. 173 Carbone and Schiano de Pepe (n 142) 14; Fassbender (n 72) 30. 174 ILC (n 76) 140.
45
seen at first sight as reflecting fundamental rights and duties of States.175 However, despite
mentioning ‘rights and duties of Member States under the (UN) Charter’ the declaration is
drafted in terms of ‘basic principles’ rather than of ‘rights and duties’.
Summarising the different treaties, declarations and drafts, the catalogue of the fundamental
rights and duties of States can be deemed to comprise:176
• Equal sovereignty,
• Independence,
• Jurisdiction,
• Non-intervention,
• Refrain from (threat or) use of force,
• Self-defence (also in the broader term of self-preservation),177
• Peaceful settlement of disputes,
• Mutual respect of the rights of all,
• Immunity of ambassadors,
• Pacta sunt servanda,
• Good faith,
• (Respect for human rights and fundamental freedoms).178
Scholars have asserted the fundamental rights and duties of States as forming part of general
principles of international law that aim at governing the friendly and peaceful coexistence and
cooperation of States, and have described them as being objective, independent of any
expression of willingness by States, particularly inalienable and absolute in nature.179 Indeed,
content-wise and with regard to the distinctive status claimed for the fundamental rights and
175 Epping and Gloria (n 143) § 26 MN 5. 176 The assessment is based on the texts of the aforementioned treaties and declarations, especially the draft
declaration prepared by the ILC for UNGA (n 149) as well as on scholarly writings. 177 Carbone and Schiano de Pepe (n 142) 28. 178 eg Article 6 of the ILC draft declaration (n 149). 179 Carbone and Schiano de Pepe (n 142) 30ff; Epping and Gloria (n 143) § 26 MN 3.
46
duties, they resemble the general principles of international law that are essential for the ‘co-
existence and vital co-operation of the members of the international community’.
The relevance of the doctrine of fundamental rights and duties of States can be judged as
minimised by the emergence of international law subjects other than States (i.e., international
organisations), by the increasingly complex (contractual) interaction and interdependence of
States in times of globalisation impairing their sovereignty, and perhaps also because of its
natural law ascendancy. However, the contents, i.e., the legal independence and equal
sovereignty as well as the principles deriving from this basic foundation, remain crucial to the
functioning of the international order.
Thus, despite the different doctrinal approach, the concept recognises the notion that some
basic principles form the very foundation of the international law order. Content-wise the
fundamental rights and duties of States resemble the principles identified within the scholarly
writings as ‘constitutional’, of ‘higher normativity’, and those essential for the ‘co-existence
and vital co-operation of the members of the international community’.
2.6 Instrument of Progressive Law Development
General principles of international law may serve different purposes. They are a normative
source of law, which governs situations not regulated by formulated norms.180
By introducing overarching considerations into international law, they also serve as a guideline
or framework for interpretation of conventional and customary international law.181 For the
same reason, they have the function of systematisation of law, in the meaning of amelioration
of the fragmentation of international law.182 However, the most important feature of general
principles of international law is their function as a basis for the progressive development of
international law.183 This feature is especially significant in the realm of international peace
180 Wolfrum, ‘Sources of International Law’ (n 2) 34ff. 181 ibid. 182 Wolfrum, ‘General International Law’ (n 2) 7 and 20. 183 ibid.
47
and security in the cyber context, as cyber specific customary law is absent and contractual
regulation scarce.
General principles of international law have the necessary degree of abstraction and
concreteness to be able to be dynamic yet filled with a certain legal meaning.184
Their generality and flexibility enables the principles to be the means of substantial,
progressive development of international law.185 Such development can occur by progressive
interpretation of international law guided by the principles, as there is (apart from relatively
few exceptions) no law-application without some law-creation.186 General principles of law
may also be the starting point for the evolution of a new rule of customary law and thus play
the middle role between lex lata and lex ferenda.187 Last but not least, general principles can
also serve per se as a basis for the development of new rights and obligations.188 Especially in
the absence of relevant international practice and of applicable specific rules, the recourse to
general principles of international law is the only option for not leaving a specific situation in
a legal lacuna. Considering the inherent limitations for the modifications of treaty law as well
as of customary international law, general principles of international law can be thus deemed
as ‘transformators’ of rising extra-positive (social, moral, etc.) needs of the international
community into international law by subsuming the new situation to a principle and by a
deduction or reception from the principle.189 This way, general principles of law play a
prominent role in legal dynamics, in the development of the law, in the adaptation of law to
new situations, and consequently in the filling of the lacunae.190 They prevent a static
application of archaic norms in a legal system which needs to respond to the dynamic needs of
184 Kolb (n 11) 9 185 ibid; Wolfrum, ‘Sources of International Law’ (n 2) 39. 186 Kolb (n 11) 7-9; Wolfrum, ‘Sources of International Law’ (n 2) 39. 187 Ibid. 188 Kolb (n 11) 30; Wolfrum, ‘Sources of International Law’ (n 2) 39. 189 Wolfrum, ‘General International Law’ (n 2) 60. 190 Kolb (n 11) 30.
48
the international society, especially to meet the needs of fast growing technological
advances.191
The development of international law by a modern interpretation of the general principles (or
creation of new sub-principles) will not occur in the abstract, but as a reaction to practical needs
and specific phenomena that calls for development. The ‘emergence’ of cyberspace and its
relevance for international peace and security justifies a reconsideration of that particular body
of law. Thus, the new phenomenon of cyberspace as a new common space for inter-State
relations, results in the need of a fundamental regulation as pertaining to the international peace
and security. In this regard, a modern interpretation of the respective general principles of
international law will support the progressive development of international law.
Conclusion
General principles of international law can be derived, inter alia, from general considerations,
legal logic, legal relations in general, international relations, or from a particular treaty regime.
Hitherto, neither international Courts nor scholars have developed a methodology for
identifying the principles. However, with regard to general principles of international law as
pertaining to international peace and security, international Courts and academia acknowledge
the existence of several principles based on sovereign equality of States, the duty to the
maintenance of international peace and security, and the duty to international cooperation in
solving international problems. These principles (and their sub-principles or corollary
principles) are endorsed in Article 1 and 2 of the UN Charter and confirmed by the UNGA
Friendly Relations Declaration, as well as, for example, the Helsinki Declaration. General
principles of international law may serve different purposes, of which the most significant is
the function as a basis for the progressive development of international law (either by filling a
legal lacuna or by progressive interpretation of existing international norms), responding to
191 Bassiouni (n 3) 777ff.
49
rising extrapositive needs of the international society, such as fast growing technical advances,
e.g., the ‘emergence’ of cyberspace as a common space for inter-State relations.
This chapter has in detail, discussed the general principles of international law as a concept and
its applicability in the novel area of cyberspace. Unequivocally, the chapter has demonstrated
that despite the imprecise delineation of what these principles are, in their remotest form, they
influence and have influenced the way States behave and act in interstate relations within other
spheres, and has shown how they now, can inferably regulate the conduct of States in the cyber
arena. In the next chapter, the applicable general principles shall be discussed as well as other
international legal regimes directly applicable to cyberspace.
50
CHAPTER THREE
RIGHTS AND OBLIGATION OF STATES IN CYBER SPACE: SPECIFIC
APPLICABLE LAWS AND GENERAL PRINCIPLES OF INTERNATIONAL LAW
3.0 Introduction
It is now widely recognised that the rules of international law also apply to cyberspace, ‘to be
ignored by the digitally distracted at their own peril’.192 Much ink has been spilt on topics
concerning cyber operations;193 but many questions of what rights and obligations States
possess in peace-time remain to be answered.
In the early days of the internet, controversy emerged over the question of whether cyberspace
should be covered by the usual rules of law, in particular international law, or whether a new
space had emerged which would not be subject to the traditional notions and rules of law.
Famously, in his ‘Declaration of the Independence of Cyberspace’ Barlow argued that
cyberspace should be left to its own inhabitants who would create the necessary self
regulation194 His main argument was that there was no single legitimate decision-maker for
cyberspace in international law.195 Others did not go as far, but still suggested that a special
internet law was required to ensure sufficient space for self-regulation of actors in the new
space that had emerged.196 Such ‘cyberspace autonomy’ was contested by those who thought
that a special legal regime for cyberspace was unnecessary.197 Easterbrook famously claimed
that establishing a specific discipline of cyber law made as little sense as to have a special ‘law
192 MJ Glennon, ‘The Road Ahead: Gaps, Leaks and Drips’ (2013) 89 International Law Studies 362, 377. 193 For example, on the notion of what constitutes an armed attack MC Waxman, ‘Self-defensive Force against
Cyber-attacks: Legal, Strategic and Political Dimensions’ (2013) 89 International Law Studies 109, 111, also the
Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual), Michael N. Schmitt et al.
Cambridge University Press, (2013). 194 JP Barlow, 'A Declaration of the Independence of Cyberspace' (1996) Electronic Frontier Foundation
<https://projects.eff.org/~barlow/Declaration-Final.html> 1 (May 14, 2016). 195 Ibid. 196 DR Johnson and D Post, ‘Law And Borders - The Rise of Law in Cyberspace’ (1995-1996) 48 Stanford Law
Review 1367. 197 J Kulesza, International Internet Law (Routledge, London 2012), 146.
51
of the horse’.198 As the present state of regulation of cyberspace illustrates, the conflict between
‘cyber-libertarians and cyber-legal-positivists’199 resulted in a victory of the latter, more
traditional approach. This approach suggested that cyberspace should be subject to the standard
rules of international law and national laws of the competent State. Consequently, cyberspace
did not emerge as a new dimension, but has continuously been subject to State practice acting
according to the traditional rules of international law.
In the following, the aforementioned general principles of international law as pertaining to
international peace and security namely; sovereign equality of States and its corollary
principles (3.1), other settled areas of international law (mostly embedded in treaties) bearing
relevance to regulations of cyberspace operations which are; International communications law
and the regulations of cyberspace (3.2), Space law and cyber activities (3.3), International
economic law in the cyber arena (3.4), and finally, implicit international law principles of States
derivable from state practice and essentially the U.N Charter, such as; maintenance of
international peace and security (3.5), and the duty to international cooperation in solving
international problems (3.6), as well as their corollary principles, will be presented.
3.1 Sovereign Equality of States and Corollary Principles
Sovereignty is the core notion of statehood and the axiomatic principle on which, in the words
of the International Court of Justice,200 ‘the whole of international law rests’.201 It can be
asserted that most, if not all principles of international law directly or indirectly rely on State
sovereignty.202 The principle is endorsed in Article 2(1) of the UN Charter in the form of an
198 FH Easterbrook, ‘Cyberspace and the Law of the Horse’ (1996) University of Chicago Legal Forum 207. 199 Murray, 499. 200 Nicaragua (n 29) 263. 201 Heintschel von Heinegg (n 10) § 16 MN 43, in Peacetime Regime for State Activities in Cyberspace, Katharina
Ziolkowski, 156. 202 Samantha Besson, ‘Sovereignty’ in MPEPIL (n 2) MN 2, ibid.
52
adjective (‘sovereign equality’) and ensures the juridical (not political, military, economic,
geographic, demographic or other) equality of States.203
The understanding of sovereignty has undergone changes since its formal establishment in the
Peace of Westphalia in 1648. Especially since 1945, its impact has been impaired by the
recognition of international organisations (approximately 7,000) as subjects of international
law and the acknowledgment of their decisions as a potential source of international law, by
globalisation, the growing interdependence of States, and subsequent extended cooperation in
fields which were formerly considered as domestic matters (approximately 50,000
international treaties are registered with the UN), by the recognition of rights of peoples (self-
determination) as well as of individuals before specific international Courts.204 Furthermore,
the notion of sovereignty is complemented by the understanding that States are obliged to
promote and safeguard common values and goals of the international community.205
This is especially true with regard to cyberspace. The internet developed into a global network
by a bottom-up, distributed effort of mainly private stakeholders. Cyberspace, including its
‘global public memory’, is mainly driven by the civil society. The Westphalian elements of
international order, i.e. of horizontal inter-State relations (emphasising the States as primary
subjects of international law), are complemented in cyberspace in an extensive way by aspects
of political, economic and social networks, characterised by vertical and diagonal linkages
between governments, (transnational) companies, peoples, societies and individuals. The
Internet Corporation for Assigned Names and Numbers (ICANN),206 the non-governmental
organisation (NGO) ‘governing’ the internet, can be deemed as reflecting this notion, as it takes
an internationalised and multi-stakeholder approach to its operation.
203 d’Argent and Susani (n 105) 11, ibid. 204 Besson (n 171) 3-55, 153, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 156. 205 Fassbender (n 173) 1095, ibid. 206 ICANN is a Californian (US) non-profit, public benefit corporation, which, in the framework of a Public Private
Partnership, acts on behalf of and reports to the US Department of Commerce.
53
Yet, although flexibly changing its nature, State sovereignty is still the foremost principle of
international law and shows several significant facets and corollary principles, which will be
presented in the following as applicable to cyberspace.
3.1.1. Self-Preservation
One of the corollary principles of equal sovereignty is a State’s right to self-preservation. In its
Nuclear Weapons207 advisory opinion, the International Court of Justice recognised ‘the
fundamental right of every State to survival, and thus its right to resort to self-defence, in
accordance with Article 51 of the U.N Charter, when its survival is at stake’. A right to self-
defence is given in situations of an ‘armed attack’ launched by another State (or possibly by
non-State actors), entitling the victim State to use defensive military force (Article 51 of the
UN Charter and corresponding international custom208). As cyberspace enables skilled and
knowledge-wise, super-empowered individuals to cause severe physical effects through
manipulations of computer systems that the functioning of highly developed post-industrial
States depends upon, the question arises whether non-State actors can trigger the right to self-
defence. There are considerable pros and cons for either approach, the demonstration of which
would exceed the scope of this chapter. In addition, the value of the so-called ‘safe haven’
theory,209 developed in the context of self-defence with regard to terrorists acting from the
territory of States unwilling or unable (‘failed States’) to impede activities of non-State actors
harmful to other States, should be considered in the context of State responsibility for malicious
cyber activities conducted by non-State actors otherwise qualifying as ‘armed attack’. In this
context, it would surely be beneficial to further discuss, e.g., the criteria of the terms ‘unable’
and ‘unwilling’ and the authority to determine their presence in a concrete case, as well as the
207 Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion (1996) International Court of Justice Rep
226, para 96. 208 Albrecht Randelzhofer and Georg Nolte, ‘Article 51’ in Simma (n 70) MN 10-12, in Peacetime Regime for
State Activities in Cyberspace, Katharina Ziolkowski, 157. 209 For an overview on the major lines of argumentation, see Schmitt (n 181) 602ff. 159.
54
nature of justifiable defence measures. An academic and political discourse on the
aforementioned matters can probably not be avoided in the future.
Furthermore, the ‘accumulation of events’ or ‘Nadelstichtaktik’ theory will surely need to be
considered within the cyber realm. The concept States that, in a situation of a series of incidents,
of which each one classifies as ‘use of armed force’ but does not show the necessary scale and
intensity qualifying it as an ‘armed attack’, the whole series of these occurrences would
cumulatively form the basis for the assessment of the immediacy, scope and intensity.
Advocates of this approach claim that a State facing a ‘hit and run’ tactic of another State would
have no other choice but to undertake military measures to counter it.210 In the past, the concept
was invoked by Israel (using the term Nadelstichtaktik)211 to justify the use of military force
against terrorist groups located on the sovereign territory of its neighbouring States.212
Furthermore, the US made use of the concept (‘accumulations of events theory’),213 e.g., to
justify the bombardment of specific sites in Sudan and Afghanistan on 20-21 August 1998 in
a letter to the UN Security Council (UNSC), stating:
“These attacks were carried out only after repeated efforts to convince the
Governments of the Sudan and the Taliban regime in Afghanistan to shut
these terrorist activities down and to cease their cooperation with Bin Ladin’s
organization. That organization has issued a series of blatant warnings that
‘strikes will continue from everywhere’ against American targets [… The
United States, therefore, had no choice but to use armed force to prevent these
attacks from continuing. In doing so, the United States has acted pursuant to
210 Dietrich Schindler and Kay Hailbronner, Die Grenzen des völkerrechtlichen Gewaltverbots ( Müller 1986) 211 The term is used, eg, by Yehuda Zvi Blum, ‘The Legality of State Response to Acts of Terrorism’ in Benjamin
Netanyahu (ed), Terrorism. How the West Can Win (Farrar, Straus and Giroux 1986) 133, 135. 212 Constantine Antonopoulos, The Unilateral Use of Force by States in International Law (A Sakkoulas 1997)
75. 213 Used first by the UNSC in 1953 during a meeting on military actions conducted by Israel against Libya,
UN/SCOR 8th year, 637th meeting, para 4.
55
the right of self-defence confirmed by Article 51 of the Charter of the United
Nations.”214
Along these lines, some U.S and United Kingdom (UK) scholars view terrorist activities
against the US as a continuous process.215 Consequently, these scholars affirm that, due to the
cumulative assessment of all terrorist activities, immediacy as well as a sufficient scope and
intensity of an ‘armed attack’ is given at any time. Interestingly, the UNSC, including the US
as a veto-power, clearly refused the rationale of the ‘accumulation of events theory’ by
condemning on several occasions (until the 1970s) military actions justified on the basis of that
theory (partly explicitly referring to such acts as ‘retaliation’).216 On the contrary, the
judgments of the International Court of Justice in the Nicaragua217 and Oil Platforms218 cases
indicate that the Court accepted the theory in general. However, the concept should be
approached with caution. In the cyber context, only malicious cyber activities qualifying as
‘use of armed force’, and which – upon reliable information – will be followed with the utmost
probability by other malicious cyber activities of the same quality, can be deemed as
cumulatively amounting to an ‘armed attack’.
Very likely, cases of preventive self-defence, i.e., in situations of an immediate ‘armed attack’,
when ‘... the necessity of self-defence is instant, overwhelming, leaving no choice of means,
and no moment for deliberation,’219 will stay theoretical. This is based on the fact that, despite
potential additional intelligence, the intended effect of malicious cyber activities will not be
214 UN Doc S/1998/780 (20 August 1998). 215 Christopher Greenwood, ‘International Law and the “War against Terrorism”’ (2002) 78 International Affairs
301, 312. 216 UNSC Res 101 (1953) (24 November 1953) part B para 1 and part A para 1 (Israel against Jordan); Res 111
(1956) (19 January 1956) preamble para 4, para 3 and 6 (Israel against Syria); Res 188 (1964) (9 April 1964)
para 1 and 3 (UK against Arabic Republic Yemen); Res 265 (1969) (1 April 1965) preamble para 4, para 3 (Israel
against Jordan). 217 Nicaragua (n 29) 146. 218 Oil Platforms (n 179) 64. 219 So-called ‘Webster formula’, phrased by the US State Secretary Webster in a letter to the British government
of 24 April 1837, on the occurrence of the destruction of the US ship ‘Caroline’; quoted by Brownlie (n 63) 43.
On the ‘Caroline Case’ see Christopher Greenwood, ‘Caroline, The’ in MPEPIL (n 2).
56
visible beforehand. Moreover, judged from today’s perspective, even in the case of discovery
of malicious codes in, for example, governmental computer networks, there still would be a
‘choice of means’ and a ‘moment for deliberation’. Malware can be isolated, penetrated
networks disconnected and IT security measures directed at the affected networks.
Additionally, the concept of ‘pre-emptive’ (anticipatory) self-defence was asserted by some
scholars, namely in the case of the implementation of the computer worm Stuxnet to Iranian
nuclear facilities 2008-2010.220 The concept of ‘pre-emptive’ self-defence, i.e., in cases of a
mere suspicion of future armed attacks primarily based on mistrust towards a State’s behaviour
in international relations, is to be strictly refused221 for several reasons, also regarding the
specific case of Stuxnet.222 Preventive measures against latent threats to international peace
and security are within the decision-making authority of the UNSC (Article 39, 41-42 of the
UN Charter).
It should be mentioned that the usual expectation of defence measures being conducted by a
State’s armed forces will probably not be met in the pure cyber context. Armed forces must
develop and maintain defensive cyber capabilities in order to be able to defend their own
networks (including the deployable components thereof), and thus to ensure their operability.
They should develop offensive cyber capabilities as an additional military capability,
enhancing the potential of precise, potentially non-lethal possibilities of interruption and
disruption without necessarily causing physical damage outside of the targeted computer
networks, i.e., to living beings or to objects. However, malicious cyber activities of a level
which could be deemed as an ‘armed attack’ against a State will probably target critical
infrastructure systems which, in technologically advanced States, are highly dependent on the
availability and integrity of information and communication systems (ICTs), and which are in
220 Michael N Schmitt (gen ed), Tallinn Manual on the International Law Applicable to Cyber Warfare
(Cambridge University Press 2013) Rule 13 para 13. 221 Greenwood (n 177) 47ff. 222 Ziolkowski (n 193) 143ff.
57
large part privately owned223. In the case of a cyber ‘armed attack’ in the meaning of Article
51 of the UN Charter, e.g., against the banking system as such or the energy generation and
distribution systems, only the internet service providers (ISPs) will notice irregular data streams
(through monitoring of their network traffic sensors collecting information about the ‘net flow’,
i.e., amount of routed data and their destination) and only the Computer Emergency Response
Teams (CERTs) of the respective private companies will notice infections by malicious
software (by monitoring of the intrusion detection/prevention systems conducting deep
package filtering or by indications of malfunctioning of the facility’s operations). At the same
time, only these ISPs and CERTs will be able to deter such ‘attacks’ on a ‘bit for bit’ basis, as
only they will have the possibility to block data streams or to undertake infection recovery
activities based on the knowledge of the specific architecture, operating systems and
adjustments the targeted complex computer systems show. Additionally, the defence against
the actual ‘armed attack’ conducted by cyber means will most probably require recourse to the
possibilities and capabilities of private cyber security companies or of companies which
developed the targeted, specific, industrial IT systems or software, and which can provide
‘patches’ for the vulnerabilities used by the aggressor for penetrating the system in question.
This will leave the actual conduct of the ‘bit for bit’ cyber defence measures to the industry,
i.e., to the civil society as opposed to armed forces. The armed forces and other governmental
entities can only support the industry in such endeavours, for example, by providing
intelligence or other forms of assistance (apart from conducting measures such as kinetic
defence to deter the armed attack). One of the consequences could be that, according to Article
51(3) of the Additional Protocol I of 1977 to the Geneva Conventions of 1949 (and respective
customary law), the acting ISP and CERT personnel could lose the protection civilians enjoy
against direct attack and become a legitimate military target (for the duration of actively
223 General Principles of International Law as Applicable in Cyberspace Katharina Ziolkowski, 161.
58
defending the attacked networks). The existence of a (paramilitary) Estonian Defence League’s
Cyber Unit, the Austrian plan to establish a ‘cyber militia’ or ‘voluntary cyber fire-brigades’,224
and respective considerations as currently addressed in Latvia reflect the endeavours of States
to link private cyber defence capabilities to the government.
Additionally, it can be asserted that the fundamental right of States to self-preservation also
entails the right to take protective measures in situations of necessity.225 Necessity is given
when essential interests of a State (or possibly of the international community as whole) are
facing grave and imminent peril.226 Under strict conditions, States may safeguard such interests
by taking protective measures (Article 25 of the ILC Draft Articles on Responsibility of States
for Internationally Wrongful Acts).
3.1.2 Territorial Sovereignty and Jurisdiction
Another principle corollary to equal sovereignty of States is the principle of territorial
sovereignty, including the principle of jurisdiction.227
The aspect of territorial sovereignty, i.e., the exercise of full and exclusive authority over a
territory, protects physical components of the internet (‘cyber infrastructure’) that are located
on a State’s territory or are otherwise under its exclusive jurisdiction.228 This includes any
technical and other physical components located on the land territory, in internal waters,
territorial sea, archipelagic waters, in national airspace or on platforms (e.g., vessels, aircraft
or satellites).229 The fact that the components of the internet are located on a State’s sovereign
224 ‘Österreich überlegt Aufstellung einer „Freiwilligen Cyberwehr“’ Der Standard (2012)
<http://derstandard.at/1339639277027/Oesterreich-ueberlegt-Aufstellung-einer-Freiwilligen-Cyberwehr>. (May
17, 2016). 225 Robin Geiß and Henning Lahmann ‘Freedom and Security in Cyberspace: Shifting the Focus away from
Military Responses towards Non-Forcible Countermeasures and Collective Threat-Prevention’, 97. 226 Ziolkowski (n 181) 285-331 on ‘necessity’ as a general principle of international law, which might exceed the
notion of Article 25 ILC Draft Articles on Responsibility of States for Internationally Wrongful Acts. 227 Benedikt Pirker, ‘Territorial Sovereignty and Integrity and the Challenges of Cyberspace’, 66. 228 Wolff Heintschel von Heinegg, ‘Legal Implications of Territorial Sovereignty in Cyberspace’ in Christian
Czosseck, Rain Ottis, and Katharina Ziolkowski (eds), Proceedings of the 4th International Conference on
Cyber Conflict (NATO CCD COE Publication 2012) 7, 10 and 13. 229 ibid 11.
59
territory but form, at the same time, part of the global internet, does not indicate a waiver of
the exercise of such territorial jurisdiction.230 On the contrary, a State cannot claim territorial
sovereignty (or right to appropriation) with regard to the internet as a whole (that is, a global
resource) or to cyberspace (that is, a common space).231 Due to the global nature of the internet
and cyberspace, this finding is not impaired by the fact that the internet is ‘governed’ by
ICANN, which acts on behalf of and reports to the US Department of Commerce.
Territorial sovereignty is violated by any acts causing physical effects on another State’s
territory.232 However, as indicated by the US,233 who declared that it considered its (territorial)
sovereignty as violated by ‘disruption of networks and systems’, i.e., including intrusions
without (directly or indirectly) showing a physical effect, it could be argued that physical
damage is irrelevant in the cyber context.234 Indeed, due to the enormous negative effects
malicious cyber activities can have on the national security of another State, which can be,
although not of physical nature, though well ‘perceptible’ (e.g., disruption of a State’s – digital
– stock exchange system), it can be claimed that such effects could violate the victim State’s
sovereignty.
The principle of jurisdiction describes the power of a State to define and to enforce rights and
duties, and to control the conduct of natural and juridical persons (primarily on its own
territory).235 A State exercises its jurisdiction by establishing rules (legislative jurisdiction),
procedures for identifying breaches of the rules and the precise consequences thereof (judicial
jurisdiction), and by forcibly imposing consequences (enforcement jurisdiction).236
230 Heintschel von Heinegg (n 200) 14. 231 ibid 9. 232 ibid 11ff, 16; Lawrence T Greenberg, Seymour E Goodman and Kevin J Soo Hoo, Information Warfare and
International Law (US National Defence University 1998) 24. 233 The President of the United States of America, International Strategy for Cyberspace. Prosperity, Security,
and Openness in a Networked World (May 2011) 4 [call-out-box, ‘Defence Objective’]. 234 Similarly, in the context of territorial sovereignty Heintschel von Heinegg (n 200) 11ff, in Peacetime Regime
for State Activities in Cyberspace, Katharina Ziolkowski, 160. 235 Bernard H. Oxman, ‘Jurisdiction of States’ in MPEPIL (n 2) MN 3. 236 ibid.
60
The general access to the internet (or digitalised access to information) can be deemed as
protected by the universal human right to seek, receive and impart information through any
media (Article 19(1) of the International Covenant on Civil and Political Rights of 1966,
Article 10(1) of the European Convention on Human Rights of 1950). However, a State may
regulate internet activities of its own (nationality principle) and foreign (territoriality principle)
nationals in its territory (or those conducted on foreign territory but showing effects on its own
territory),237 e.g., with regard to contents of uploads or downloads, including questions of what
is deemed offensive in terms of morality, security and stability.238
The principle of jurisdiction would certainly be violated by law enforcement activities239
(i.e., exercise of authority) conducted by foreign agencies in networks and computers located
on a State’s territory and outside of a cooperation framework or otherwise without a prior
consent of the territorial State (e.g., online search). Especially with regard to cyber-crime law
enforcement, the exercise of jurisdiction of States may overlap due to the competing territorial,
personal and effects based facets of jurisdiction, additionally complicated by the mobility of
users and technological advances such as cloud-based computing. These aspects call for
intensified cooperation measures in cyber-crime law enforcement.
3.1.3 Non-intervention in Domestic Affairs
A further principle deriving from the sovereign equality of States is the principle of non-
intervention in the internal or foreign affairs of another State.240 It is endorsed in regional
conventions (e.g., Articles 16-19 of the Charter of the Organisation of American States, Article
3 (2) of the Charter of the Organization of African Unity), reflected in political declarations
237 Ibid 32. 238 ibid 31. 239 Oxman (n 207) 47. 240 Terry D Gill, ‘Non-Intervention in the Cyber Context’ and Chris Demchak, ‘Economic and Political Coercion
and a Rising Cyber Westphalia’, 76, in Peacetime Regime for State Activities in Cyberspace, Katharina
Ziolkowski, 162.
61
(e.g., Principle VI of the Helsinki Final Act of 1975)241, in UNGA resolutions,242 and is
endorsed in Article 2(7) of the UN Charter (with regard to UN organs). The principle is
confirmed by the International Court of Justice as a rule of international custom.243 An illegal
intervention occurs when a State interferes with the internal or external affairs of another State
considered by the latter as ‘internal’ or ‘domestic’ (domaine réservé), in order to coerce the
other into certain behaviour.244
In general terms, it can be asserted that domaine réservé describes areas not regulated by
international norms or not being of some common interest or value.245 Due to globalisation, the
integration of States in international organisations, the growing interdependence and
subsequent cooperation of States, and especially the myriad of conventional law, very few
matters can nowadays be regarded as remaining within the limits of purely ‘domestic
jurisdiction’.246 One of the matters which are still recognised as domaine réservé, although
significantly internationalised by human rights law, is the jurisdiction over, and the regulation
and treatment of own and foreign nationals.247 So far, the deliberations as presented above
apply (section 3.1.2).
The internet communication as such (as opposed to national intranets) cannot be deemed as an
internal affair of a State, as international telecommunications are regulated by international law
(Articles 33-48 of the Constitution of the International Telecommunication Union (ITU
Constitution), e.g., with regard to denial or restriction of internet connectivity). Additionally,
241 n.74, ibid. 242 Friendly Relations Declaration (n 71) Principle 1; Declaration on the Inadmissibility of Intervention in
the Domestic Affairs of States and the Protection of their Independence and Sovereignty UNGA Res 2131
(XX) (21 December 1965) para 2; Declaration on the Inadmissibility of Intervention and Interference in the
Internal Affairs of States UNGA Res 36/103 (9 December 1981) para 2, Principle I(b) and II(a); Declaration
on the Enhancement of the Effectiveness of the Principle of Refraining from the Threat or Use of Force in
International Relations UNGA Res 42/22 (18 November 1987) annex para 8. 243 Corfu Channel (n 29) 35; Nicaragua (n 29) 202. 244 Nicaragua (n 29) 202ff; Philip Kunig, ‘Intervention, Prohibition of’ in MPEPIL (n 2) MN 1. 245 Kunig (n 216) 3, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, (General
Principles of International Law as Applicable in Cyberspace) 164. 246 Fassbender (n 72) 70, ibid. 247 Ziegler (n 217) 5.
62
due to the nature of the internet as a globally shared resource and to the – in general – worldwide
spread of malicious software, aspects of national cyber security, i.e., questions of the
establishment of cyber security measures of a strategic, political, legal, administrative,
organisational and technical nature, including the establishment of a national CERT, must be
deemed as of internationalised interest or value, and thus outside of the realm of purely internal
affairs.
In order to violate the non-intervention principle, ‘coercion’, as opposed to perfectly legal
(political, economic, etc.) influence, must be employed.248 The meaning of the term is
unclear.249 Scholars assert that illegal coercion implies massive influence, inducing the affected
State to adopt a decision with regard to its policy or practice which it would not envision as a
free and sovereign State.250 The Friendly Relations Declaration (Principle 3) describes armed
intervention, obtaining subordination of the exercise of a State’s sovereign rights, and actions
directed towards the violent overthrow of a regime of another State, as violating the non-
intervention principle. This results in the notion that ‘coercion’ occurs only in drastic cases of
overwhelming (direct or indirect) force being put upon a State’s free and sovereign decision-
making process.
Thus, it is not probable that, for example, online law enforcement activities of foreign agencies
(see section 3.1.2) would be considered by the affected State as meeting the threshold of impact
as required by the notion of ‘coercion’. The question of access to the internet or demands for
the establishment of a national cyber security framework can surely not be deemed as violating
the non-intervention principle, as such matters cannot be categorised as purely internal affairs
of a State.
3.1.4. Duty Not To Harm Rights of Other States (Principle of Prevention, Precaution and ‘Due
Diligence’).
248 Discussion at Kunig (n 216) 5ff. 249 ibid. The Friendly Relations Declaration also preserves a vague wording in this regard, see Keller (n 72) 20ff. 250 Kunig (n 216) 22-27; Beyerlin (n 217) 809.
63
Another principle aiming to de-conflict equal sovereignties of States is the duty not to harm
the rights of other States and consequently, as confirmed by the International Court of
Justice,251 not to let its own sovereign territory be used for activities causing damage to persons
or objects protected by the sovereignty of another State (see also Article 1(2) of the UN Charter,
endorsing a ‘principle of equal rights’).252 The principle is closely related to the principle of
good neighbourliness and the supporting maxim (or normative rule) sic utere tuo ut alienum
non laedas (use your own property so as not to harm that of another), which are discussed infra
(section 3.1.5) in more detail.
The no-harm principle includes the obligation of States to take preventive measures in concrete
cases of risk of harm to other States’ rights, of which the State in question has knowledge or
presumptive knowledge.253 Such an obligation can be derived from the logic of the no-harm
obligation, and can be deemed as confirmed by the International Court of Justice in the
Hostages254 case (referring to preventive duties deriving from conventional and customary
diplomatic law), and in the Nuclear Weapons255 advisory opinion. It is endorsed in a multitude
of treaties concerning environmental protection, nuclear accidents, space objects, international
watercourses, management of hazardous waste, and prevention of marine pollution.256 An
obligation to prevention is further enshrined in Article 3 of the ILC Draft Articles on Prevention
of Transboundary Harm from Hazardous Activities257 of 2001, which States: ‘The State ... shall
take all appropriate measures to prevent significant transboundary harm (to the environment,
persons or property) or at any event to minimize the risk thereof.’
251 Corfu Channel (n 29) 22. 252 Heintschel von Heinegg (n 200) 7ff, 16. 253 Epping and Gloria (n 143) & 26 MN 16. 254 Hostages (n 93) 68. 255 Nuclear Weapons (n 176) 29. 256 ILC, Draft Articles on Prevention of Transboundary Harm from Hazardous Activities, with commentaries
(2001) UN Doc A/56/10, General commentary, para 3 <http://untreaty.un.org/ilc/texts/instruments/english/
commentaries/9_7_2001.pdf>; references at Philippe Sands, Principles of International Environmental Law
(2nd edn, Cambridge University Press 2003) 246ff. (May 15, 2016). 257 supra n 228.
64
According to the draft articles, such measures comprise, for example:
• risk assessment (Article 7),
• notification and information in cases of risk of causing significant transboundary harm
(Article 8), and
• consultation on preventive measures (Article 9).
These procedural duties are nowadays widely recognised as being part of international law,
either in the form of international custom or of general principles of international law.258 As
Article 1 of the aforementioned draft indicates, these obligations might refer only to risk of
harm of physical nature. However, it could be argued that non-physical, though well
perceptible, damage is relevant in the cyber context (section 3.1.2).
Furthermore, it can be attested that States are also obliged to take (general) precautionary
measures with regard to potential cyber threats posing a significant risk of damage of a
transboundary nature. The precautionary principle forms the basis of the legal regimes
governing the high seas (The United Nations Agreement for the Implementation of the
Provisions of the United Nations Convention on the Law of the Sea of 10 December 1982
relating to the Conservation and Management of Straddling Fish Stocks and Highly Migratory
Fish Stocks of 1995) and Antarctica (Protocol on Environmental Protection to the Antarctic
Treaty of 1991). Additionally, it is enshrined in several international treaties on environmental
protection,259 and is pronounced as either evolving260 or already existing261 customary rule of
international environmental law.
As described above, it is certified by international Courts and by scholarly writings that general
principles of international law can, inter alia, be identified by deduction from the legal logic
258 Günther Handl, ‘Transboundary Impact’ in Daniel Bodansky, Jutta Brunnée and Ellen Hey (eds), The
Oxford Handbook of International Environmental Law (Oxford University Press 2007) 531, 541. 259 Discussion and references at Sands (n 228) 266-279. 260 ibid 279. 261 Ulrich Beyerlin and Jenny Grote Stoutenburg, ‘Environment, International Protection’ in MPEPIL (n 2) MN
24.
65
and from specific legal regimes or treaty regimes (see section 2.1). Once the existence of a
general principle of international law is established in such a manner, and showing openness
for concretisation in other circumstances, it can be applied to other situations or areas.262 Such
a technique does not present an analogy263 (i.e., creation of new rules in cases of legal lacuna,
by treating similar cases the same way legally) in stricto sensu.264 It should be mentioned that,
due to the fact that the internet is another global resource beside the natural environment, and
cyberspace is another common space beside the high seas and Antarctica, and that the area is
sparsely regulated (especially the ITU rules on international telecommunications do not entail
cyber security regulations), an analogy would, in theory, seem not to be far-reaching. A
common feature and overarching principle of the above-mentioned treaty regimes for globally
shared resources and common spaces is the obligation to take precautionary measures. Such a
principle is open for concretisation in other situations, and can subsequently be applied to the
internet as another globally shared resource, and to cyberspace as another common space.265
Taking another conceptual approach, it was proposed in diplomatic circles (and is claimed by
the US266 to be an ‘emerging norm’) to introduce a principle of ‘due diligence’267 of States (by
a broad interpretation of the no-harm rule) with regard to malicious cyber activities of non-
State actors originating from the States’ territories and harming rights of other States. Given
that all States acknowledge the relevance of malicious cyber activities for national and
international peace and security, as shown by the multitude of respective UNGA resolutions,268
262 Heintschel von Heinegg (n 10) & 19 MN 7. 263 The use of a legal rule in an analogous way (per analogiam) means the application of a rule which covers a
particular case to another case which is similar to the first but itself not regulated by the rule. Ibid; MPEPIL (n 2)
MN 1. 264 Heintschel von Heinegg (n 10) & 19 MN 6ff, in Peacetime Regime for State Activities in Cyberspace,
Katharina Ziolkowski, (General Principles of International Law as Applicable in Cyberspace) 167. 265 The application of principles of environmental law to the internet/cyberspace was first proposed by Torsten
Stein and Thilo Marauhn, ‘Völkerrechtliche Aspekte von Informationsoperationen’ (2000) 60 Zeitschrift für
ausländisches öffentliches Recht und Völkerrecht 1, 21. 266 The President of the United States of America (n 205) 10. 267 Robin Geiß and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus away from
Military Responses towards Non-Forcible Countermeasures and Collective Threat-Prevention’, 77. 268 Developments in the field of information and telecommunications in the context of international security
66
including the establishment of all in all six GGEs269 on diverse cyber challenges, and by the
adoption of Organisation for Economic Co-operation and Development (OECD) Guidelines
for the Security of Information Systems270 of 1992, it can be held that, assuming the thus
confirmed common interest of States in cyber security, the duty to prevention could exceed
concrete cases and be interpreted in general terms of ‘due diligence’ (similar to the
‘precautionary principle’ as a general principle of international law applicable in to the internet
and to cyberspace). Some scholarly writings assert that cyber security ‘due diligence’ is already
part of international custom.271 The concrete features of preventive and precautionary (or the
proposed ‘due diligence’) measures would stay within the discretion of the States.
However, the prevention principle obliges States to undertake a risk assessment and to inform,
notify, and consult other States in concrete cases of risk of significant transboundary harm.
This preconditions the ability of a State to notice irregular data streams or malicious software
as such. This results, as a minimum, in the obligation of States to ensure (1) that the national
UNGA Res 53/70 (4 December 1998), 54/49 (1 December 1999), 55/28 (20 November 2000), 56/19 (29
November 2001), 57/53 (22 November 2002), 58/32 (8 December 2003), 59/61 (3 December 2004), 60/45 (8
December 2005), 61/54 (6 December 2006), 62/17 (5 December 2007), 63/37 (2 December 2008), 64/25 (2
December 2009), 65/41 (8 December 2010), 66/24 (2 December 2011), 67/27 (3 December 2012);
Creation of a global culture of cybersecurity, UNGA Res 57/239 (20 December 2002) (proposing nine elements
for creating a global culture of cybersecurity, annex), Creation of a global culture of cybersecurity and the
protection of critical information infrastructures, UNGA Res 58/199 (23 December 2003) (proposing eleven
elements for protecting critical information infrastructures, annex), and Creation of a global culture of
cybersecurity and taking stock of national efforts to protect critical information infrastructures, UNGA Res
64/211 (21 December 2009) (proposing ‘voluntary self-assessment tool for national efforts to protect critical
information infrastructure’ of 18 points, annex);
see also UNGA Res 55/63 (4 December 2000) and 56/121 (19 December 2001) (combating the criminal misuse
of information technologies), 57/239 (20 December 2002) (creation of a global culture of cybersecurity)
and 58/199 (23 December 2003) (creation of a global culture of cybersecurity and the protection of critical
information infrastructures), 64/211 (21 December 2009) (creation of a global culture of cybersecurity and
taking stock of national efforts to protect critical information infrastructures), 55/63 (22 January 2001) and
56/121 (23 January 2002) (combating the criminal misuse of information technologies), and UNGA Res
63/195 (18 December 2008), 64/179 (18 December 2009), and 65/232 (21 December 2011) (strengthening the
United Nations Crime Prevention and Criminal Justice Programme, in particular, its technical cooperation
capacity). The Third Committee deferred considerations on the subject on the criminal misuse of information
technologies, pending work of the Commission on Crime Prevention and Criminal Justice, UNGA Res 56/121
(23 January 2002, para 3), in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski,
(General Principles of International Law as Applicable in Cyberspace) 168. 269 For details see Katharina Ziolkowski, ‘Confidence Building Measures for Cyberspace’, 168. 270 The guidelines call for cooperation of States (Principle 6) in the area of ‘comprehensive protection’ of
information systems (Principle 4), and stipulate an imperative of deliberation in the use of information systems
(Principle 3), OECD Doc OCDE/GD (92)190. 271 Heintschel von Heinegg (n 200) 18.
67
ISPs install network sensors collecting information on ‘net flow’, i.e., amount of routed data
and their destination (allowing the detection of, e.g., ‘DDoS attacks’), (2) that national tier 1
ISPs install intrusion detection/prevention systems at their ‘gates’ of international data
transmission and conduct deep package filtering (allowing recognition of malicious software),
and (3) that an obligatory reporting system to a governmental entity (e.g., a national or
governmental CERT) with regard to significant cyber incidents is in place. Furthermore, the
conduct of the above-described measures, the procedural obligations of notification,
information and consultation, as well as the general management of the prevention of malicious
cyber activities potentially harming other States’ rights, require the establishment of a
framework of strategic, political, legal, administrative, organisational and technical nature.
Additionally, the preventive principle would also oblige a State to establish investigative cyber
capabilities (allowing the identification of the source of the malicious cyber activities) either
within a CERT, the police, or other security forces, depending on the division of responsibilities
and authorisations pertaining to respective national laws (either existing or to be endorsed), as
well as the organisational and legal framework allowing the prevention or discontinuation of
concrete malicious cyber activities originating on the State’s territory and potentially harming
the rights of other States.
The precautionary principle (as well as the proposed ‘due diligence’ principle) includes the
duty to undertake all appropriate regulatory and other measures at an early stage, and well
before the (concrete) risk of harm occurs.272 This would involve the implementation of
strategic, political, organisational, administrative, legal and technical measures (including the
above-mentioned measures) aimed at general prevention of the misuse of the possibilities that
cyberspace offers for respective malicious activities by non-State actors, i.e., the establishment
272 Sands (n 228) 246ff.
68
of a national cyber security framework273. Such an obligation would apply only with regard to
cyber activities possibly violating the rights of other States, thus inflicting severe damage (even
if of a non-physical nature), i.e., with regard to cyber threats which can be deemed as clearly
affecting other States’ national security.274 The specification of which malicious cyber
activities would clearly affect the national security of States must be left to future State practice.
It can be only assumed that, due to the interests of States, espionage activities would not fall
under this category.275 Nonetheless, the acknowledgement of the precautionary principle (or
‘due diligence’) for cyberspace entails the obligation to set up a national cyber security
framework with regard to respective cyber threats (including these going beyond causing
possible physical harm).
It should be mentioned that, as stated above (section 3.1.3), demands for the establishment of
a national cyber security framework (including the technical aspects thereof) cannot be deemed
as a forbidden intervention in domestic affairs, as, due to the global nature of cyberspace and
the internet, questions of cyber security do not fall under the category of purely internal matters.
3.1.5 Principle of Good Neighbourliness and sic utere tuo
Furthermore, balancing the competing sovereign rights of States, the principle of good
neighbourliness has a relevance to cyberspace. The principle needs to be distinguished from
the ‘international law of neighbourliness’ governing the relations of neighbouring States only
in the frontier zones of their territories.276 The principle of good neighbourliness is endorsed in
a legally binding manner in the preamble of the UN Charter (whereas Article 74 refers to
‘general principle of good-neighbourliness ...’ as a binding aim for policies with regard to
273 On national cyber security framework see Alexander Klimburg (ed), National Cyber Security Framework
Manual (NATO CCD COE Publication 2012). 274 Similarly: Heintschel von Heinegg (n 200) 16 (excluding cyber espionage and other ‘mere intrusions into
foreign computers or networks’). 275 Ibid, though based on other deliberations. On espionage see Katharina Ziolkowski, ‘Peacetime Cyber
Espionage
– New Tendencies in Public International Law’. 276 Laurence Boisson de Chazounes and Danio Campanelli, ‘Neighbour States’ in MPEPIL (n 2) MN 6-8.
69
colonies).277 Moreover, the principle is endorsed as a legal obligation in international
environmental law (especially referring to the use of trans-border resources such as rivers).278
The principle mutually limits the sovereign exercise of activities potentially affecting
neighbours in an intolerable manner, and is confirmed by the maxim (or normative rule) of sic
utere tuo ut alienum non laedas (use your own property so as not to harm the one of another).279
From the principle of good neighbourliness derive the obligations:280
• not to use or permit to use the territory in a manner as to cause damage to the territory
of neighbouring States (see also section 3.1.4),
• to adopt any necessary – preventive and precautionary – measures in order to avoid or
reduce damage beyond the own territory,
• to inform, notify, consult neighbours on any situation likely to cause damage beyond
own territory,
• to tolerate activities otherwise not prohibited under international law so long as the
consequences do not exceed an acceptable threshold of gravity (specified on a case-to-
case basis).
As the principle of good neighbourliness had already been introduced to other types of vicinity
than frontier regions (e.g., to contiguous and exclusive economic zones on the high seas or to
‘regions’),281 a further extension to cyberspace seems justified due to its global nature, to the
speed and density of the internet connections and to its importance for inter-State relations of
political, economic and other nature; aspects creating as a whole a modern form of ‘vicinity’.
This view can be deemed as confirmed by the UNGA, which recognised already in 1991 that
‘great changes of political, economic and social nature, as well as the scientific and
277 Ulrich Fastenrath, ‘Article 74’ in Simma (n 70) MN 2. 278 ibid 2; Boisson de Chazounes and Campanelli (n 249) 18-20. 279 Boisson de Chazounes and Campanelli (n 249) 10. 280 Ibid, (n 249) 11. 281 Ibid, 12.
70
technological advances that have taken place in the word and led to unprecedented
interdependence of nations, have given new dimensions to good-neighbourliness ...’, and
emphasised that all States shall act as good neighbours ‘whether or not they are contiguous’.282
However, the above-mentioned obligations deriving from the principle of good
neighbourliness refer to physical damage only, a finding which can be considered as confirmed
by Article 1 of the aforementioned ILC Draft Articles on Prevention of Transboundary Harm
from Hazardous Activities. As stated above, it could be suggested that the aspect of physical
damage is irrelevant in the cyber context (section 3.1.2). Due to the enormous negative effects
malicious cyber activities can have on the national security of another State it can be claimed
that also harm of non-physical nature, though relevant to national security of another State, is
governed by the principle of good neighbourliness.
This finding, comparable to the obligations deriving from the precautionary principle or from
a potential ‘due diligence’ principle (section 3.1.4), invokes the obligations of States to take
preventive and precautionary measures (i.e., enhancing national cyber security) with regard to
respective cyber threats, as well as obligations to inform, notify, and consult in concrete cases
of risk of significant transboundary harm.
3.2 International Telecommunications Law and the Regulations of Cyberspace
Cyber-operations that involve international wire or radio frequency communications may be
subject to telecommunications law. Modern international telecommunications law is regulated
by the International Telecommunications Union, the leading U.N. agency that establishes
multinational standards for information and communication technology.283 The Union’s goal,
as stated in its founding International Telecommunication Convention and International
Telecommunication Constitution, is “the preservation of peace and the social and economic
282 UNGA Res 46/62 (9 December 1991) preamble, para 3 and operative section, para 2. 283 Charles H. Kennedy & M. Veronica Pastor, An Introduction to International Telecommunications Law 30-33
(1996).
71
development of all countries ... by means of efficient telecommunications services.”284 The
International Telecommunications Union enacts rules known as Administrative Regulations,
which are treaties that bind all member parties; Radio Regulations, which also bind all parties;
as well as non-binding Telecommunications Standards.285 The Union mainly regulates the use
of radio and telecommunication technologies in order to distribute them to member States in
an efficient and equitable manner-for example, through developing methods of assigning rights
to radio spectrums.286
International Telecommunication regulations also apply to cyber-operations that make use of
electromagnetic spectrum or international telecommunications networks. For instance,
broadcasting stations from one nation may not interfere with broadcasts of other States’
services on their authorized frequencies.287 Member States may cut off any non-state “private
telecommunications that may appear dangerous to the security of the State or contrary to its
laws, to public order or to decency”288 or suspend international telecommunication services
“either generally or only for certain relations and/or for certain kinds of correspondence,
outgoing, incoming or in transit, provided that it immediately notifies such action to each of
the other Member States through the Secretary-General.”289 Member States also must regulate
against “harmful interference”290 that “endangers the functioning of a radio navigation service
or of other safety services or seriously degrades, obstructs or repeatedly interrupts a radio
communication service”291 and pursue all possible measures to ensure the secrecy of
284 Constitution of the International Telecommunications Union, pmbl., Dec. 22, 1992, http:// itu. int/net/ about/
basic-texts/index.aspx; International Telecommunications Convention pmbl., U.N. Doc. 26559, Nov. 6, 1982
[hereinafter ITU Constitution]. 285 KENNEDY& PASTOR, supra note 204, at 33. 286 More information about the agency’s work is available at Committed to Connecting the
World, INT’L COMM. UNION, http://www.itu.int/en/pages/default.aspx. (May 15, 2016). 287 ITU Constitution, supra note 205, art. 45. 288 Ibid, art. 34. 289 Ibid, art. 35. 290 Ibid, art. 6. 291 Ibid, annex.
72
international correspondence, unless such secrecy would contravene their domestic laws or
international conventions.292
3.3 Space Law and Cyber Activities.
Cyberspace operations could implicate space law given that computer operated satellites are
integral to international telecommunications and military operations. Multiple scholars have
proposed that treaties on outer space, the moon, and damage caused by space objects, as well
as satellite regulations, could be used to regulate cyber operations.293 The 1967 Outer Space
Treaty provides for the free exploration of space but also prohibits the use of space for
particular destructive purposes.294 It stipulates that:
States Parties to the Treaty undertake not to place in orbit around the
Earth any objects carrying nuclear weapons or any other kinds of
weapons of mass destruction, install such weapons on celestial bodies,
or station such weapons in outer space in any other manner.
The Outer Space Treaty expressly permits certain military uses of space, such as earth-orbit
military reconnaissance satellites, remote-sensing satellites, military global-positioning
systems, and space-based aspects of an antiballistic missile system.295Because cyber-attacks
will rarely be classified as causing mass destruction, it is unlikely that cyber-attacks could be
properly characterized as prohibited by the treaty.296 Satellite regulations offer another
potential avenue for cyberspace operations regulation. The Agreement Relating to the 1971
International Telecommunications Satellite Organization (Telecommunications Satellite
292 Ibid, art. 37. 293 Aldrich, supra note 203, at 20-24. 294 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including
the Moon and Other Celestial Bodies, Jan. 27, 1967, 18 U.S.T. 2410, 610 U.N.T.S. 205. 295 Shackelford, supra note 203, at 219. 296 Celestial bodies refer only to “natural bodies, such as the moon, asteroids, and planets, not to man-made
satellites,” the main means in outer space by which cyber-warfare could be conducted. See also Aldrich, supra
note 203, at 20.
73
Organization)297 and the Convention of the 1979 International Maritime Satellite Organization
(Maritime Satellite Organization)298 contain “peaceful purpose” provisions applicable to
classes of satellites similar to the Outer Space Treaty. The regulations created by these
organizations might appear to be more applicable, given that satellites are likely to have a role
in cyber-attacks, for example.
3.4 International Economic Law in the Cyber Arena.
Cyber security activities, both defensive and offensive, may raise issues under international
economic law. There are two main questions. Firstly, what types of possible cyber operations
might violate particular provisions of international economic law, including trade, investment,
and intellectual property law? And secondly, to what extent are the rules of international
economic law qualified by national security exceptions that may allow defensive or offensive
cyber operations that would otherwise violate the rules? Since most international economic law
is in the form of treaty, the first question is largely one of treaty review and analysis. Since
most potentially relevant exceptions are explicitly incorporated in treaty, the second question
also involves analysis of national security or other potentially applicable exceptions. There is
also the possibility that the customary international law necessity exception may be relevant in
connection with international economic law obligations, either by way of interpretation or by
way of application, or both.
It is useful to begin by describing the types of cyber operations with which this heading is
concerned. The focus is on offensive and defensive cyber operations: cyber-attack and cyber
defence. ‘By “cyberattack,” we usually mean a software program transmitted over digital
networks and installed covertly on a target machine to disrupt data or services or destroy
297 Agreement Relating to the International Telecommunications Satellite Organization, “Intelsat,” Aug. 20, 1971,
23 U.S.T. 3813 [hereinafter Telecommunications Satellite Agreement]. 298 Convention of the International Maritime Satellite Organization London, Sept. 3, 1976, 31 U.S.T. 1,
[hereinafter INMARSAT].
74
machinery. The stuxnet virus is a good example of this type of cyber-attack. Cyber-attack is
less diverse than cyber defence, and there is only a limited body of international economic law
that may be applicable. Most international economic law was established for a purpose quite
separate from deterring cyber-attack. In addition to transmission over digital networks, it is
possible that cyber-attack can take place through the use of software delivered physically.
Cyber defence includes measures designed to repel cyber-attack, and raises a broader range of
international economic law rules; for our purposes, defensive measures in the form of counter-
attack using cyber operations can be covered under ‘cyber-attack.’ It is important that cyber-
attack can be transmitted across borders either through networks, through equipment, or by
human activity accessing networks or equipment in situ.299
Defensive measures raise international economic law issues when they block or restrict these
types of transmission. Generally speaking, these measures only raise international legal issues
when they are carried out by governments, or when they are carried out by private persons
where the government has an international legal duty to prevent the private person from taking
the action at issue.300
Below, we discuss the international economic law that is potentially applicable to these
offensive and defensive cyber operations.
1. WTO Law
As of March 2013, the World Trade Organization (WTO) had 159 Member States. The WTO
treaty contains requirements for States to reduce barriers to access to their markets for goods
(the General Agreement on Tariffs and Trade or GATT) and, to a limited extent, services (the
General Agreement on Trade in Services or GATS). The obligations under GATT with respect
to product standards and technical regulations are elaborated further in the Agreement on
299 Peacetime Regime for State Activities in Cyberspace International Law, International Relations and Diplomacy
Katharina Ziolkowski (ed.) 373. 300 Ibid.
75
Technical Barriers to Trade (TBT). The WTO also includes the Agreement on Trade-Related
Aspects of Intellectual Property Rights (TRIPS). Finally, the WTO includes a plurilateral
Agreement on Government Procurement (GPA), amended as of 30 March 2012, to which 14
members, plus the 28 European Union (EU) members, adhere.301
This section will outline the WTO law restrictions contained in the GATT, TBT, GATS, and
GPA. Nothing in the GATT, TBT, GATS, or GPA imposes any prohibitions or requirements
that would limit cyber-attack as defined above. They focus more on restraining national
protectionism against imports than on the safety or other qualities of exports. So, the synopsis
below focuses on defensive cyber operations. In particular, I focus on limitations on imports
of goods or services from other WTO members. Treaty-based international economic law, such
as the WTO, provides no rights to non-members.
It is not certain whether software would be treated as a good or as a service under WTO law.302
Different States take different positions on this issue, and the treatment depends in part on
whether the software is incorporated into a physical medium or piece of equipment.
In the following subsections, I discuss very briefly, WTO law rules that discipline national
barriers to trade in goods or services, or that discipline government procurement for countries
party to the GPA. Subsequently, I in summary, address the security exceptions and general
exceptions contained in each of these agreements, which might apply to relax these disciplines.
A. Trade in Goods
Article 2(4) of the TBT Agreement provides as follows:
301 While the amendment has not entered into force at the time of writing, I focus on the language of the
amendment because it is highly likely to be the operative law in the future. The Protocol will enter into force for
those Parties to the 1994 GPA that have deposited their respective instruments of acceptance of this Protocol, on
the 30th day following such deposit by two thirds of the Parties to the 1994 GPA. The parties to the GPA are
Armenia, Canada, the European Union (with respect to its 27 Member States), Hong Kong-China, Iceland, Israel,
Japan, Korea, Liechtenstein, the Netherlands (with respect to Aruba), Norway, Singapore, Switzerland,
Chinese Taipei, and the United States. 302 For an analysis, Althaf Marsoof, A Case for Sui Generis Treatment of Software Under the WTO Regime,
20 Int’l J. L. & Info. Tech. 291 (2012).
76
Where technical regulations are required and relevant international standards exist
or their completion is imminent, Members shall use them, or the relevant parts of
them, as a basis for their technical regulations except when such international
standards or relevant parts would be an ineffective or inappropriate means for the
fulfilment of the legitimate objectives pursued, for instance because of fundamental
climatic or geographical factors or fundamental technological problems.
Thus, international standards such as the network security provisions of ISO/IEC 27001,303 to
the extent that they constitute a ‘relevant international standard’ in relation to a proposed or
existing national measure, are required to be used as a basis for the national measure, except
as specified in Article 2(4). This imposes some limitation on the flexibility available to States
to impose restrictions on importation of goods for cyber security purposes. However, the
limitation would not seem to restrict the ability of a State to set a higher standard in order to
achieve its nationally-determined ‘appropriate level of protection.’
B. Trade in Services
In order to maintain cyber security, States may decide to regulate the provision of
telecommunications, data processing, or other services. GATS is in part a ‘positive list’
agreement, meaning that some of its most significant disciplines only apply to the extent that a
State has listed on its schedule of commitments the relevant service sector, in the relevant mode
of international trade in services, such as ‘cross-border provision’ or ‘commercial presence,’
and has not specified an applicable exception in its schedule of commitments.
The disciplines that are dependent on scheduling are ‘national treatment,’ which is similar to
the rule of national treatment non-discrimination in the GATT, and ‘market access,’ which is
303 ISO/IEC 27033 Information technology – Security techniques – Network security (parts 1-3 published, parts
4-6 DRAFT), available at <http://www.iso27001security.com/html/27033.html>. (May 18, 2016).
77
specifically defined to prohibit several specific types of quantitative or other similar restrictions
on trade in services.
The national treatment obligation under Article XVII of GATS requires each member to
‘accord to services and service suppliers of any other Member, in respect of all measures
affecting the supply of services, treatment no less favourable than that it accords to its own like
services and service suppliers.’ Therefore, it would be required for cyber security regulation to
be applied in an even-handed way to foreign services and service suppliers, and in relation to
domestic services and service suppliers. If foreign services or service suppliers, as a class,
presented enhanced cyber security risks, it is not necessarily a violation of national treatment
to treat them differently in a way that is responsive to the enhanced risk.
The market access obligation under Article XVI of GATS, while expressly limiting the ability
of States to impose quantitative and certain other narrowly specified types of restrictions, has
been interpreted by the WTO Appellate Body to apply to restrictions that might ordinarily be
understood as qualitative. In the US-Gambling case, the Appellate Body found that restrictions
on cross-border internet gambling services violated this restriction.304 So it is possible that
cyber security restrictions applied to services might similarly be found to violate this
restriction.
C. Government Procurement
Importantly, as noted above, the GPA is a plurilateral trade agreement, and such agreements
do not create either obligations or rights for the members that have not accepted them. The
GPA applies to procurement for governmental purposes of both goods and services, and it is a
positive list agreement, meaning that its obligations are dependent on scheduling of the covered
products, services, and government entities.
304 WTO, 2005, Appellate Body Report, United States – Measures Affecting the Cross‑Border Supply of Gambling
and Betting Services, WT/DS285/AB/R, adopted 20 April 2005.
78
In addition, a procuring entity is required under Article VIII to limit conditions for participation
to those that are essential to ensure that the supplier has the legal and financial capacities and
the commercial and technical abilities to undertake the relevant procurement. This obligation
may make it difficult to impose cyber security conditions for participation.
States subject to these obligations would want to be sure to include cyber security parameters
as part of the technical requirements relating to their procurement. Finally, Article X of the
GPA States that ‘a procuring entity shall not prepare, adopt or apply any technical specification
or prescribe a conformity assessment procedure with the purpose or the effect of creating
unnecessary obstacles to international trade.’ Under this requirement, technical specifications
and conformity assessment intended to achieve cyber security goals must be the least-
restrictive alternative to achieve the goal.
D. Security Exceptions
Article XXI of GATT, Article XIV of GATS, and Article III of the GPA provide security
exceptions. Interestingly, these exceptions have different scopes of application. To the extent
that these exceptions may apply, they would excuse measures that violate the provisions
discussed above. Of course, the exceptions only become relevant if there is a violation.
GATT.
Article XXI of GATT provides that nothing in the GATT ‘shall be construed ... to prevent any
contracting party from taking any action which it considers necessary for the protection of its
essential security interests ...; (ii) relating to the traffic in arms, ammunition and implements of
war and to such traffic in other goods and materials as is carried on directly or indirectly for
the purpose of supplying a military establishment; or (iii) taken in time of war or other
emergency in international relations ....’
79
GATS
Article XIV bis of GATS provides in relevant part that nothing in the GATS ‘shall be construed
... to prevent any Member from taking any action which it considers necessary for the protection
of its essential security interests: (i) relating to the supply of services as carried out directly or
indirectly for the purpose of provisioning a military establishment; ... or (iii) taken in time of
war or other emergency in international relations ....’
GPA
Article III of the GPA provides that ‘nothing in this Agreement shall be construed to prevent
any party from taking any action ... that it considers necessary for the protection of its essential
security interests relating to the procurement of arms, ammunition or war materials, or to
procurement indispensable for national security or for national defence purposes.’
Curiously, while the TBT Agreement contains a provision providing that members shall not
be required to furnish any information, the disclosure of which they consider contrary to their
national security interests, it does not address the security issues addressed in the language of
the other agreements excerpted above.
E. General Exceptions
In a pattern similar to that observed with respect to the security exception, each of the GATT,
GATS, and GPA Agreements contains a general exception that may be applicable to cyber
security defence operations. The TBT Agreement contains no explicit general exception.
Article XX of GATT has been the basis for significant litigation in the WTO, and there has
also been some litigation over the exceptional provision of GATS, Article XIV. The language
of these exceptions is quite similar, and can be expected to be interpreted similarly.
Accordingly, Article XX of GATT provides in relevant part as follows:
Subject to the requirement that such measures are not applied in a manner which
would constitute a means of arbitrary or unjustifiable discrimination between
80
countries where the same conditions prevail, or a disguised restriction on
international trade, nothing in this Agreement shall be construed to prevent the
adoption or enforcement by any contracting party of measures: ... (b) necessary to
protect human, animal or plant life or health ...
Could restrictions on imports of goods (or services under the similar language of Article XIV
of GATS) be necessary to protect human life or health? This provision is definitely not self-
judging, but it is easy to see many cyber security defensive measures as ‘necessary to protect
human life.’ In clause (a) of the similar provision of GATS, there is a reference to measures
‘necessary to protect public order.’ Many cyber security defensive measures may come under
this clause also. The word ‘necessary’ in this context has been interpreted extensively. In some
cases, the Appellate Body has explicitly interpreted this provision as requiring a balancing
approach. In others, it has appeared to back away from a full balancing approach by permitting
the member to choose its ‘level of protection’ and then validating the national measure if this
level cannot be reached through a less trade-restrictive means.
In sum, the general exception contained in Article III:2 of the GPA essentially tracks the
provisions of Article XX of GATT discussed above. Therefore, for procurement covered by
the GPA, States may derogate from their GPA obligations in order to effect measures necessary
to protect human life or health, and so forth.
3.5. Maintenance of International Peace and Security
Maintenance of international peace and security is the paramount purpose of the UN, enshrined
in Article 1(1) of its Charter.305 According to a systematic interpretation of the Charter, as well
as according to the UNGA Friendly Relations Declaration and the Proclamation of the
International Year of Peace306 of 1985, peace is not understood negatively, as an absence of
305 d’Argent and Susani (n 105) p 4. 306 UNGA Res 40/3 (24 October 1985).
81
(declared) war or of any other international armed conflict, but has become
‘multidimensional’,307 requiring a series of active actions, taken collectively by States and
peoples, reaching, inter alia, from the removal of various threats to peace and security to the
development of confidence building measures.308 The general principles of international law
corollary to this aim are the duty to refrain from threat or use of force in international relations
and the closely related duty to peaceful settlement of international disputes, both being the
foremost means of prevention of (declared) war or of any other international armed conflict.309
This two principles shall be discussed below in synopsis:
3.5.1. Refrain from Threat or Use of Force in International Relations
The prohibition of threat or use of force in international relations constitutes one of the
cornerstones of the international legal order.310 The principle is endorsed in Article 2(4) of the
UN Charter and is (in its core) widely considered as a peremptory norm of international
custom.311 According to the systematic, historical and teleological interpretation of the UN
Charter, as well as pursuant to the jurisprudence of the International Court of Justice and
scholarly writings, the term ‘force’ is to be understood as ‘armed force’.312 The term ‘use of
armed force’, however, is not limited to the employment of military weaponry in the common
sense of the term.313 The International Court of Justice attested over 25 years ago in its
Nicaragua314 judgement the possibility of an ‘indirect’ or non-military use of armed force (e.g.,
by arming and training insurgents) and scholarly writings describe, for example, spreading fire
over the border or flooding another State’s territory as violating the prohibition of ‘use of armed
force’.
307 d’Argent and Susani (n 105) 25. 308 ibid 7; Rüdiger Wolfrum, ‘Article 1’ in Simma (n 70) MN 9ff. Katharina Ziolkowski, ‘Confidence Building
Measures for Cyberspace’, 144. 309 Albrecht Randelzhofer and Oliver Dörr, ‘Article 2(4)’ in Simma (n 70) MN 2. 310 ibid 1; Oliver Dörr, ‘Use of Force, Prohibition of’ in MPEPIL (n 2) 1. 311 Randelzhofer and Dörr (n 260) 64-68; Dörr (n 261) 1, 10, 32; Wolfrum, ‘General International Law’ (n 2) 45. 312 Dörr (n 261) 11; 313 Randelzhofer and Dörr (n 260) 21. 314 Nicaragua (n 29) 228.
82
In order to specify the meaning of ‘use of armed force’ conducted by means of the internet or
other ICT systems, an effects-based approach inherent to public international law is appropriate
(ruling out other possible approaches, e.g., focusing on the target of the malicious activities,
the intent of the malevolent actor, or the categorisation of the means used).315 Hereby, a
comparison of the effects indirectly caused or intended by malicious cyber activities with the
effects usually caused or intended by conventional, biological or chemical weapons (BC
weapons) is necessary.316 According to the traditional understanding, ‘use of armed force’
requires the employment of kinetic weaponry, i.e., of a tool designed to cause kinetic effects
of a physical nature on a body or on an object. The transfer of data and its delay or interruption,
as well as the manipulation, suppression or deletion of data cannot be deemed to cause
(directly) kinetic effects in the common meaning of the term. In contrast, some similarities
between malicious cyber activities and BC weapons can be conceived. The use of BC weapons
does not cause destruction in the conventional sense, as these weapons do not release kinetic
energy.317 The employment of BC weapons is considered as a form of ‘use of armed force’
because they can cause death or injury to living things.318 Thus, in the case of BC weapons, the
term ‘weapon’ is defined with reference to their effects rather than their method, which
perfectly corresponds with the effects-based approach inherent to public international law.
Consequently, the majority of scholars rightly insist on an effects-based interpretation of the
term of ‘use of armed force’ in the cyber context.319
Therefore, it can be assumed that malicious cyber activities can be considered ‘use of armed
force’ in the meaning of Article 2(4) of the UN Charter if they – indirectly – result in:320
315 Randelzhofer and Dörr (n 260) 22. 316 Randelzhofer and Nolte (n 177) 43. 317 Jason Barkham, ‘Information Warfare and International Law on the Use of Force’ (2001) 34 New York
University Journal of International Law and Politics 57, 72. 318 Katharina Ziolkowski, ‘Computer Network Operations and the Law of Armed Conflict, 86. 319 Michael N Schmitt, ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a
Normative Framework’ (1999) 37 Columbia Journal of Transnational Law (3) 885, 913 and 919. 320 Conflict’ (2010) 49 Military Law and the Law of War Review 47, 69-75.
83
• Death or physical injury to living beings and/or the destruction of property,321
• Massive, medium to long-term disruption of critical infrastructure systems of a State (if in its
effect equal to the physical destruction of the respective systems).322
State practice and opinio iuris, apart from a political declaration of the U.S323 to respond to
‘hostile acts in cyberspace’ with self-defence measures, is hitherto not detectable. Although
States in general prefer to maintain a strategic ambiguity with regard to questions related to use
of force, thus leaving the debate to academia, it would certainly support predictability and thus
stability in international relations, if they shared their views on this aspect.
3.5.2. Peaceful Settlement of Disputes
The legal obligation to peaceful settlement of international disputes is endorsed in Article 2(3)
of the UN Charter, specified by the UNGA in its Friendly Relations Declaration as well as in
the Manila Declaration on the Peaceful Settlement of International Disputes324 of 1982, and
recognised by the International Court of Justice as a ‘principle of customary international
law.’325
The principle limits the notion of sovereignty and correlates to the principle of the prohibition
of threat or use of force in international relations, recognising that unsettled disputes can lead
to eruptive disturbances within the international community.326 The pacific means of dispute
resolution consist of diplomatic-political measures (e.g. negotiation, inquiry, mediation,
conciliation) and legal measures (arbitration and litigation)327 With regard to the means of
peaceful settlement of international disputes, States have a wide-ranging discretion, although
the UN Charter contains some proposals in its Chapter VI concerning disputes endangering
321 Randelzhofer and Nolte (n 177) 43. 322 Ibid. 323 The President of the United States of America (n 205) 12ff. and 14. 324 UNGA Res 37/10 (15 November 1982). 325 Nicaragua (n 29) 290. 326 Tomuschat (n 286) 2. 327 Anne Peters, ‘International Dispute Settlement: A Network of Cooperational Duties’ (2003) 14 European
Journal of International Law (1) 1, 4.
84
international peace and security (including investigative powers of the UNSC and the
possibility to bring a dispute to the attention of the UNGA or the UNSC).328
A violation of the principle can only be affirmed if a party to an international dispute constantly
refuses to even attempt to reach a settlement.329
Thus, in cases of a concrete international dispute with regard to the cyber realm, on whichever
aspect and of whatever intensity or possible consequences, the respective States have a legal
obligation to attempt to seek a peaceful solution, but nothing more. In this sense, the obligation
of peaceful settlement of disputes is a variation of the duty to cooperation.
3.6. Cooperation and Solidarity
The duty of States of cooperation has a normative character whenever it is endorsed in
international treaties establishing and governing international organisations.330 The existence
of a general duty to cooperate and its legal character is disputed among scholars.331 However,
there are convincing indications for the normative character of a general duty to cooperate,
when considering the interdependence of States in times of globalisation, the enormous number
of intergovernmental organisations (approximately 7,000), the myriad of international treaty
obligations governing almost all aspects of international relations (over 50,000 treaties are
registered at the UN), and the endorsement of the duty of cooperation in the almost universal
UN Charter. This finding is supported by the emergence of an intensified form of cooperation
through ‘trans-governmental networks’, i.e., direct interaction of specialised domestic officials
328 Tomuschat ibid. 329 Ibid 25. 330 Rüdiger Wolfrum, ‘Co-operation, International Law of’ in MPEPIL (n 2) MN (n 1) 5. 331 Jost Delbrück, ‘The International Obligation to Cooperate – An Empty Shell or a Hard Law Principle of
International Law? – A Critical Look at a Much Debated Paradigm of Modern International Law’ in Holger P
Hestermeyer et al (eds), Coexistence, Cooperation and Solidarity. Liber Amicorum Rüdiger Wolfrum (vol 1, Brill
2011) 3, 3-16.
85
in informal or formal modes, which is conditioned by the ‘information age’ and augmenting
the traditional inter-State cooperation.332
The UN Charter sets as one of the purposes of the organisation (and indirectly as an obligation
of its Member States) ‘to take effective collective measures’ to maintain international peace
and security (Article 1(1)) and ‘to achieve international cooperation in solving international
problems of an economic, social, cultural, or humanitarian character ...’(Article 1(3)). The
Friendly Relations Declaration emphasises the development of cooperation among States as
‘of the greatest importance for the maintenance of international peace and security’ (preamble,
para. 5). Principle 4 of the declaration (The duty of States to co-operate with one another in
accordance with the Charter) States:
... States shall co-operate with other States in the maintenance of international
peace and security .... States shall conduct their international relations in the
economic, social, cultural, technical and trade fields .... States should
cooperate ... in the field of science and technology ....
Thus, given the universality of the UN and the importance of the Declaration, nearly all States
have a conventional obligation to cooperate, also in the realm of cyberspace, as far as it supports
the maintenance of international peace and security.
The term ‘cooperation’ is not defined by an international treaty or in another multilateral
document. However, based on an analysis of the Friendly Relations Declaration, cooperation
can be perceived as the voluntary and proactive joint action of two or more States which serves
a specific objective.333 Consequently, the duty to cooperate can be described as ‘the obligation
to enter into such co-ordinated action as to achieve a specific goal’,334 which can be effectively
332 Kal Raustiala, ‘The Architecture of International Cooperation: Trans-governmental Networks and the Future
of International Law’ (2002) 43 Virginia Journal of International Law (1) 1, 3ff and 10ff; in Peacetime Regime,
Katharina Ziolkowski, 176.
333 Peters (n 290) 2. 334 Ibid.
86
undertaken by the States working together or when the interests of the international community
require a joint action.335
Although the notion of ‘cooperation’ remains vague, the concept of solidarity indicates that
cooperation in the cyber realm should show a heightened intensity. The concept of solidarity,
to which some scholars336 attribute emerging normativity (because of references in UNGA
resolutions and endorsement as a legal obligation in several international treaties),337 supports
the interpretation of international law. Solidarity can be understood as an intensified form of
cooperation for fostering common interests and shared values.338 The recognition of the
concept of solidarity for the arena of the internet and cyberspace is justified on the grounds that
the internet presents another global resource and cyberspace another common space, which
certainly is in the common interest of the international community. Additionally, it seems
reasonable that an intensified interdependence in the field of global communications (leading
to an international community united in solidarity)339 would result in the need for an intensified
cooperation.
Due to the global nature of the internet and cyberspace, the integrity of these ‘ecosystems’ and
the reduction of cyber threats as relevant to national and international security can be deemed
as of common interest of the international community and can only be effectively conducted
by the joint efforts of all States. Therefore, States have a legal obligation to cooperate in this
regard. Additionally, based on the notion of the internet as global resource and of cyberspace
335 Ibid. 336 304 Holger P Hestermeyer, ‘Reality or Aspiration? – Solidarity in International Environmental and World
Trade Law’ in idem (n 298) 45, 48ff; Abdul G Koroma, ‘Solidarity: Evidence of an Emerging International Legal
Principle’ in Hestermeyer (n 298) 103, 103-130; R St John McDonald, ‘Solidarity in the Practice and Discourse
of Public International Law’ in (1996) 8 Pace International Law Review 259, 301. 337 eg Article 3(b) of the United Nations Convention to Combat Desertification in Those Countries Experiencing
Serious Drought and/or Desertification, Particularly in Africa of 17 June 1994, Article 3(a) of The Constitutive
Act of the African Union of 11 July 2000 (before: Article II(1)(a) of the OAU Charter of 25 May 1963); UN
Millennium Declaration (n 73) 6; for further references see Hestermeyer (n 304) 50. 338 Wolfrum (n 295) 3. 339 Ahmed Mahiou, ‘Interdependence’ in MPEPIL (n 2) MN 17.
87
as common space, the cooperation should show a ‘heightened’ intensity. However, States have
a wide discretion as to how to fulfil the legal obligation to cooperate in the cyber realm.
Conclusion
Sovereignty, although strongly affected by interdependence, globalisation, and the emergence
of international organisations, among others (which is especially true for cyberspace,
introducing vertical and diagonal relations between all stakeholders), is the core of the notion
of statehood and an axiomatic principle upon which international law is based. The afore-
discussed obligations and rights of States can be deemed as deriving from the equal sovereignty
of States, and from principles respectively de-conflicting the competing sovereign rights within
the international community. From the above disquisition, we have shown that based on legal
logic, no State can claim sovereignty over the global resource that is; the internet or the
common space of cyberspace. A State may regulate, within the boundaries of its own territory,
internet activities (also with regard to contents) of its own or foreign nationals, if these are
conducted on its territory or show effects on its own territory. Also, based on the principle of
territorial sovereignty, there is a duty not to harm other States’ rights, by the principle of good
neighbourliness and by the sic utere tuo principle, a State is forbidden to cause physical effects
to technical components of the internet located on the territory of another State or to cause
other effects relevant to the national security of the affected State. These and many more were
discussed in emphasising the rights and obligations of States in cyberspace. More so, specific
fields of international law were highlighted to show the applicability of international law in
regulating the activities of cyberspace operators.
Finally, due to their nature as the foundation of the international law system, it is widely
recognised within scholarly writings that such general principles of international law pertaining
to international peace and security, as presented above, are essential for the ‘co-existence and
88
vital co-operation of the members of the international community’, and thus exist irrespective
of the States’ (other) practice, opinio iuris, consent or any other expression of will.
89
CHAPTER FOUR
PROVING STATE RESPONSIBILITY FOR CYBERSPACE OPERATIONS
4.0 Introduction: State responsibility for cyber operations
Evidentiary problems in inter-state litigation, particularly in relation to the attribution of certain
unlawful conduct, are not peculiar to cyber operations.340 Well before the cyber age, the
International Court of Justice (ICJ) in the Nicaragua v. United States judgment conceded that
“the problem is . . . not . . . the legal process of imputing the act to a particular State . . . but the
prior process of tracing material proof of the identity of the perpetrator.”341 As the United States
declared in the views on information security that it submitted to the U.N. Secretary-General,
“the ambiguities of cyberspace simply reflect the challenges . . . that already exists in many
contexts.”342 It is undeniable, however, that these challenges are particularly evident in the
cyber context, where identifying who is behind a cyber operation presents significant technical
problems.343 One needs only look at the three most famous cases of cyber-attacks against States
allegedly launched by other States to realize how thorny the problem of evidence in relation to
cyber operations is.344 It has been claimed, in particular, that the Russian Federation was behind
both the 2007 Distributed Denial of Service (DDoS) attacks against Estonia and the 2008
cyber-attacks against Georgia.345 These allegations were based on the following facts. In the
Estonian case, the hackers claimed to be Russian, the tools to hack and deface were contained
340Tallin Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013)
[hereinafter TALLINN MANUAL], in Evidentiary Issues in International Disputes Related to State Responsibility
for Cyber Operations, Marco Roscini, p. 234. 341 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U. S.), Judgment, 1986 I.C.J. 14, para.
57 (June 27). 342 U.N. Secretary-General, Developments in the Field of Information and Telecommunications in the
Context of International Security: Rep. of the Secretary-General, 18, U.N. Doc. A/66/152 (July 15, 2011)
[hereinafter Developments in the Field of Information and Telecommunications]. 343 Fireeye, Digital Bread Crumbs: Seven Clues to Identifying Who’s Behind Advanced Cyber-Attacks 4 (2014),
available at < https://www.fireeye.com/resources/pdfs/digital-breadcrumbs. pdf> (describing the technical
difficulty in pinning down the source of a cyber-attack given that “cyber criminals are experts at misdirection”
even in the non-State actor context). (May 19, 2016). 344 The three most famous cases of cyber-attacks are the Distributed Denial of Services (DDoS) attacks against
Estonia in 2007, the cyber-attacks against Georgia in 2008, and the Stuxnet attacks against Iran discovered in
2012. 345 Ian Traynor, Russia Accused of Unleashing Cyberwar to Disable Estonia, THE GUARDIAN, May
16, 2007, <http://www.theguardian.com/world/2007/may/17/topstories3.russia>. (May 19, 2016).
90
in Russian websites and chatrooms, and the attacks peaked on May 9 (the day Russia celebrates
victory in Europe Day in the Second World War).346 Furthermore, although the botnets
included computers based in several countries, it seems that at least certain attacks originated
from Russian IP addresses, including those of State institutions.347 According to the Estonian
Defense Minister, the attacks were “unusually well coordinated and required resources
unavailable to common people.”348 The DDoS attacks also took place against the backdrop of
the removal of a Russian war memorial from Tallinn’s city center.349 Finally, Russia did not
cooperate with Estonia in tracking down those responsible, and the Russian Supreme
Procurature rejected a request for bilateral investigation under the Mutual Legal Assistance
Treaty between the two countries.350 The cyber-attacks against Georgia started immediately
before and continued throughout the armed conflict between the Caucasian State and the
Russian Federation in August 2008.351 It seems that the Russian hacker community was
involved in the cyber-attacks and that coordination “took place mainly in the Russian language”
and in Russian or Russian-related fora.352 As in the Estonian case, some commentators claimed
that the level of coordination and preparation suggested governmental support for the cyber-
attacks.353 Finally, IP addresses belonging to Russian state-operated companies were used to
launch the DDoS attacks. Russia again denied any responsibility.354
346 COMM. ON OFFENSIVE INFO. WARFARE, NAT’L RESEARCH COUNCIL, TECHNOLOGY, POLICY,
LAW, AND ETHICS REGARDING U.S. ACQUISITION AND USE OF CYBERATTACK CAPABILITIES
173 box 3.4 (William A. Owens, Kenneth W. Dam & Herbert S. Lin eds., 2009), in Marco Roscini, 235. 347 Ibid. 348 Ibid, (quoting Jaak Aaviksoo, Minister of Defense of Estonia, Strategic Impact of Cyber-attacks, Address
before the Royal College of Defence Studies, available at www.irl.ee/en/articles/strategic-impactof-cyber-attacks. 349 U.S. Acquisition and Use of Cyberattack Capabilities. P.11. 350 Scott J. Shackelford, From Nuclear War to Net War: Analogizing Cyber-attacks in International Law, 27
BERKELEY J. INT’L L. 192, 208 (2009), in in Marco Roscini,235. 351 John Markoff, Before the Gunfire, Cyberattacks, N.Y. TIMES, Aug. 13, 2008,
http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0 (May 19, 2016). 352 Eneken Tikk Et Al., Coop. Cyber Def. Ctr. Of Excellence, International Cyber Incidents: Legal Considerations
75 (2010), available at http://www.ccdcoe.org/publications/books/ legalconsiderations.pdf 353 Ibid. 354 Ibid.
91
The third case of alleged inter-state cyber operation, and possibly the most famous of the three,
is that of Stuxnet. In 2012, an article published in The New York Times revealed that the United
States, with Israel’s support, had been engaging in a cyber campaign against Iran, code named
“Olympic Games,” to disrupt the Islamic Republic’s nuclear program.355 Stuxnet, in particular,
was allegedly designed to affect the gas centrifuges at the Natanz uranium enrichment
facility.356 The Stuxnet incident was the first known use of malicious software designed to
produce material damage by attacking the Supervisory Control and Data Acquisition (SCADA)
system of a critical national infrastructure.357 Unlike other malware, the worm did not limit
itself to self-replication, but also contained a weaponized payload designed to give instructions
to other programs.358 The allegations against the United States and Israel were based on
journalistic “interviews . . . with current and former American, European and Israeli officials”
and other experts, whose names are not known.359 In a recent interview, the former U.S.
National Security Agency (NSA) contractor Edward Snowden also claimed that the NSA and
Israel were behind Stuxnet.360 Symantec’s researchers suggested that Stuxnet’s code included
references to the 1979 date of execution of a prominent Jewish Iranian businessman.361 Other
circumstantial evidence includes the fact that the worm primarily hit Iran and was specifically
targeted at the Natanz nuclear facility, as the worm would activate itself only when it found the
355 David E. Sanger, Obama Order Sped Up Wave of Cyberattacks Against Iran, N.Y. TIMES, June 1, 2012,
<http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-againstiran.
html?pagewanted=all&_r=1&>. (May 19, 2016). 356 William J. Broad, John Markoff, & David E. Sanger, Israeli Test on Worm Called Crucial in Iran Nuclear
Delay, N.Y. TIMES, Jan. 15, 2011, <http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.
html?pagewanted=all>. (May 19, 2016). 357 Dominic Storey, Stuxnet–The First Worm of Many for SCADA?, IT RESELLER (Dec. 2, 2010),
<http://www.itrportal.com/articles/2010/12/02/6262-stuxnet-the-first-worm-of-many-for>; (May 19, 2016). 358 Jeremy Richmond, Note, Evolving Battlefields: Does Stuxnet Demonstrate a Need for Modifications to the
Law of Armed Conflict? 35 FORDHAM INT’L L.J. 842, 849–50 (2012). 359 Sanger, supra. 360 Edward Snowden Interview: The NSA and Its Willing Helpers, SPIEGEL ONLINE (July 8, 2013),
<http://www.spiegel.de/international/world/interview-with-whistleblower-edward-snowden-on-globalspying-
a-910006.html>. (May 19,2016). 361 Nicolas Falliere, Liam O. Murchu & Eric Chien, Symantec, W32.Stuxnet Dossier, Version 1.4, at 18 (2011),
available at http://www.symantec.com/content/en/us/enterprise/media/security_response/
whitepapers/w32_stuxnet_dossier.pdf.
92
Siemens software used in that facility,362 and the implication that the attack required resources
normally unavailable to individual hackers, which is supported by evidence of the high
sophistication of the attack, the use of several zero-day hacks, and the insider knowledge of the
attacked system.363 Israeli and U.S. officials have neither denied nor confirmed involvement in
the operation: In response to a question about the attack on Iran, President Obama’s chief
strategist for combating weapons of mass destruction, Gary Samore, sardonically pointed out,
“I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its
allies are doing everything we can to make it more complicated.”364
Apart from the above well-known cyber-attacks, allegations of state involvement have also
been made in relation to other cyber operations, including cyber exploitation activities. The
U.S. Department of Defense’s 2013 Report to Congress, for instance, claims that some of the
2012 cyber intrusions into U.S. government computers “appear to be attributable directly to
the Chinese government and military,” although it is not entirely clear on what grounds.365
In spite of the obvious crucial importance of evidentiary issues, works on interstate cyber
operations, both above and below the level of use of force, have so far focused on whether such
operations are consistent with primary norms of international law and on the remedies available
to the victim State under the jus ad bellum and the law of state responsibility. Thus, studies of
these operations have almost entirely neglected a discussion of the evidence the victim State
needs to produce to demonstrate, either before a judicial body or elsewhere, that an unlawful
cyber operation has been conducted against it and that the attack is attributable to another
State.366 The first edition of the Tallinn Manual on the International Law Applicable to Cyber
362 Barzashka, supra. 363 Rid, supra. 364 Broad, Markoff & Sanger, supra. 365 U.S. Dep’t Of Def., Annual Report to Congress: Military and Security Developments Involving the People’s
Republic of China 2013, at 36 (2013), available at http://www.defense.gov/pubs/ 2013_china_report_final.pdf. 366 generally Robin Geiß & Henning Lahmann, Freedom and Security in Cyberspace: Shifting the Focus away
from Military Responses Towards Non-Forcible Countermeasures and Collective Threat- Prevention, in
Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy
621 (Katharina Ziolkowski Ed., 2013) [hereinafter Peacetime Regime for State Activities in Cyberspace].
93
Warfare also does not discuss in depth evidentiary issues in the cyber context: The only
references to evidence are contained in Rules 7 and 8.367 The present chapter aims to fill this
gap. It will start with a brief account of the international law of evidence and will then discuss
who has the burden of proof in relation to claims seeking remedies (including reparation) for
damage caused by cyber operations. It will then analyze the standard of proof required in the
cyber context. Finally, the possible methods of proof will be examined, distinguishing between
those that are admissible and those that are inadmissible. The present chapter only deals with
international disputes between States and will not discuss evidentiary issues in relation to cyber
crime before domestic courts. It also does not look at evidence before international criminal
tribunals, as the focus is on state responsibility for cyber operations and not on the criminal
responsibility of individuals.368
4.1 The International Law of Evidence
“Evidence” is “information . . . with the view of establishing or disproving alleged facts.”369 It
is different from proof in that “‘proof” is the result or effect of evidence, while ‘evidence’ is
the medium or means by which a fact is proved or disproved.”370 Evidence is normally required
to provide proof of both the objective (be it an act or omission) and subjective elements of an
internationally wrongful act, i.e., its attribution to a State.371 In the Nicaragua case, the ICJ
clearly explained the distinction between the objective and subjective elements from an
evidentiary perspective:
One of the Court’s chief difficulties in the present case has been the
determination of the facts relevant to the dispute. . . . Sometimes there is no
question, in the sense that it does not appear to be disputed, that an act was
done, but there are conflicting reports, or a lack of evidence, as to who did it
367 TALLINN MANUAL r. 7–8. 368 The statutes and rules of international criminal tribunals provide for specific evidentiary rules. Rüdiger
Wolfrum, International Courts and Tribunals, Evidence, in 5 THE MAX PLANCK ENCYCLOPEDIA OF
PUBLIC INTERNATIONAL LAW 552, 567–69 (Rüdiger Wolfrum ed., 2012), in Marco Roscini, 238. 369 Ibid. 370 31A C.J.S. Evidence 8 (1964), in Marco Roscini, 239. 371 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U. S.), Judgment, 1986 I.C.J. 14, para.
57 (June 27) (noting the difficulty of imputing acts to particular States).
94
. . . The occurrence of the act itself may however have been shrouded in
secrecy. In the latter case, the Court has had to endeavour first to establish
what actually happened, before entering on the next stage of considering
whether the act (if proven) was imputable to the State to which it has been
attributed.372
The Court’s observations were made against the backdrop of the secrecy that
surrounded the U.S. and Nicaraguan covert operations in Central America,373 which
is also a quintessential characteristic of cyber operations.374 In this context too, then,
it is likely that evidence will be required both to establish the material elements of
the wrongful act and to establish its attribution.375 It is still unclear, for instance, not
only who is responsible for Stuxnet, but also whether the worm caused any damage
and, if so, to what extent.376 This last question is essential in order to establish
whether the cyber operation amounted to a use of force and, more importantly,
whether it was an armed attack entitling the victim State to self-defense.377 As to
establishing the subjective element of the internationally wrongful act, what is
peculiar to cyber operations is that in fact three levels of evidence are needed to
attribute a cyber operation to a State: First, the computer(s) or server(s) from which
the operations originate must be located; second, the individual behind the operation
needs to be identified; and third, it needs to be proved that the individual acted on
behalf of a
State so that his or her conduct is attributable to it.378
This leads us to an important specification: The standard of proof must be distinguished from
the rules of attribution. The former is “the quantum of evidence necessary to substantiate the
372 Nicar. v. U.S., Judgment, 1986 I.C.J. para. 57. 373 Ibid. 374 Marco Roscini, 38. 375 Ibid, at 239. 376 Barzashka, supra, at 48 (noting that no one has admitted to the Stuxnet attack and that the “evidence of the
worm’s impact . . . is circumstantial and inconclusive”). 377 Marco Roscini, at 45–63, 70–77 (describing the meaning of “use of force” and when and how a State can use
self-defense). 378 See generally Marco Roscini,. at 98–103.
95
factual claims made by the parties.”379 The latter, on the other hand, determine the level of
connection that must exist between an individual or group of individuals and a State for the
conduct of the individuals to be attributed to the State at the international level.380 The rules of
attribution for the purposes of state responsibility have been codified in Part One of the Articles
on the Responsibility of States for Internationally Wrongful Acts adopted by the
International Law Commission (ILC), as well as having been articulated in the case law of the
International Court of Justice.381 Evidence according to the applicable standard must be
provided to demonstrate that the attribution test has been satisfied: In Nicaragua, for instance,
the ICJ had to assess whether there was sufficient evidence that the United States had exercised
“effective control” over the contras so that it could be held responsible for their violations of
international humanitarian law.382
The standard of proof should also be distinguished from the burden of proof. The latter does
not determine how much evidence, and of what type, is necessary to prove the alleged facts,
but merely identifies the litigant that must provide that evidence.383 In other words, the burden
of proof is “the obligation on a party to show that they have sufficient evidence on an issue to
raise it in a case.”384 The burden of proof includes not only the “burden of persuasion,”385 but
also the “burden of production,” which is the burden to produce the relevant evidence before a
court.386
379 James A. Green, Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice, 58
INT’L & COMP. L.Q. 163, 165 (2009). 380 Marco Roscini, at 34–40. 381 Draft Articles on Responsibilities of States for Internationally Wrongful Acts, with Commentaries, Rep. of the
Int’l Law Comm’n, 53d Sess., Apr. 23–June 1, July 2–Aug. 10, 2001, pt. 1, U.N. Doc. A/56/10 (2001). For case
law development, see, e.g., Application of the Convention on the Prevention and Punishment of the Crime of
Genocide (Bosn. & Herz. v. Serb. & Montenegro), Judgment, 2007 I.C.J. 43, paras. 392–93 (Feb. 26); Military
and Paramilitary Activities in and Against Nicaragua (Nicar. V. U.S.), Judgment, 1986 I.C.J. 14, paras. 110, 393
(June 27), in Marco Roscini, 240. 382 Nicar. v. U.S., Judgment, 1986 I.C.J. para. 115. 383 Anna Riddell & Brendan Plant, Evidence before the International Court of Justice 81 (2009). 384 Ibid. 385 Ibid. 386 Markus Benzing, Evidentiary Issues, in THE STATUTE OF THE INTERNATIONAL COURT OF JUSTICE:
A COMMENTARY 1234, 1245 (Andreas Zimmermann et al., eds., 2012) [hereinafter THE STATUTE OF THE
INTERNATIONAL COURT OF JUSTICE: A COMMENTARY].
96
The political or judicial relevance of evidence may relate to the different phases of the same
international dispute. For instance, the State invoking the right of self-defense against an armed
attack by another State will normally try to justify the exercise of this right first before the
international community and public opinion by providing evidence of the occurrence (or
imminent occurrence) of the armed attack and of its attribution to the target State.387 If, as in
the Nicaragua case, a State subsequently brings the case before an international court which
has jurisdiction over the case, the evidence will have to be assessed by that court in order to
establish international responsibility and its consequences, and in particular whether the
requirements for the exercise of self-defence were met.388
Investigations of cyber attacks among States are complicated by the absence of a uniform body
of rules on the production of evidence in international law.389 There is no treaty provision that
regulates evidentiary issues in non-judicial contexts, and it is doubtful that international law
has developed customary rules in that sense.390 As to the production of evidence in inter-state
litigation, non-criminal international courts normally determine their own standards in each
case, which may considerably differ according to the nature of the court or the case under
examination.391 As it is not possible to identify uniform evidentiary rules applicable in all cases
and before all international courts, this article will focus on proceedings before the ICJ. This is
because the ICJ is the main U.N. judicial organ that deals, if the involved States have consented
to its jurisdiction, with claims of state responsibility arising from the violation of any primary
387 Mary Ellen O’Connell, Lawful Self-Defense to Terrorism, 63 U. PITT. L. REV. 889, 895 (2002) [hereinafter
O’Connell, Lawful Self-Defense] 388 See, e.g., Ruth Teitelbaum, Recent Fact-Finding Developments at the International Court of Justice, 6 L. &
PRAC. INT’L CTS. & TRIBUNALS 119, 151 (2007), in Marco Roscini, 242. 389 Mary Ellen O’Connell, Evidence of Terror, 7 J. CONFLICT & SECURITY L. 19, 21 (2002) [hereinafter
O’Connell, Evidence of Terror]. 390 Ibid. 391 Daniel Joyce, Fact-Finding and Evidence at the International Court of Justice: Systemic Crisis, Change or
More of the Same? 18 FINNISH Y.B. INT’L L. 283, 286 (2007).
97
norm of international law.392 The overall purpose is to establish whether rules on evidence may
be identified that would apply to claims in inter-state judicial proceedings seeking remedies for
damage caused by cyber operations. It should be noted, however, that the conclusions reached
with regard to the ICJ only apply to it and could not automatically be extended to other
international courts.
Rules on the production of evidence before the ICJ are contained in the ICJ Statute, the Rules
of Court (adopted in 1978), and Practice Directions for use by States appearing before the Court
(first adopted in 2001 and subsequently amended).393 In the following sections, the relevant
rules on evidentiary issues contained in those documents, as well as those elaborated by the
Court in its jurisprudence, will be applied to allegations related to cyber operations.
4.2 Burden of Proof and Cyber Operations
The burden of proof identifies the litigant that has the onus of meeting the standard of proof by
providing the necessary evidence.394 Once the burden has been discharged according to the
appropriate standard, the burden shifts to the other litigant, who has to prove the contrary.395
Normally, the party that relies upon a certain fact is required to prove it (the principle onus
probandi incumbit actori, derived from Roman law).396 This general principle of law, invoked
consistently by the ICJ and other international courts and tribunals,397 “applies to the assertions
of fact both by the Applicant and the Respondent.”398 The party bearing the burden of proof,
392 See, e.g., H. Vern Clemons, Comment, The Ethos of the International Court of Justice is Dependent Upon the
Statutory Authority Attributed to its Rhetoric: A Metadiscourse, 20 FORDHAM INT’L L.J. 1479, 1486, 1490–91
(1997) (detailing modes of jurisdiction by the ICJ over States), in Marco Roscini, 242. 393 Rules of Court, arts. 38–89, 1978 I.C.J. Acts & Docs. 6; Statute of the International Court of Justice arts. 39–
64, June 26, 1945, 33 U.N.T.S. 933; I.C.J. Practice Directions of the International Court of Justice, Practice
Direction IX, 2007 Acts & Docs. 163. 394 Green, supra, in Marco Roscini, at 165. 395 Roger B. Dworkin, Easy Cases, Bad Law, and Burdens of Proof, 25 VAND. L. REV. 1151,
1159 (1972) (“No one seems to have trouble understanding that the burden of producing evidence on one issue
may shift from party to party as the case progresses.”). 396 Pulp Mills on the River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J. 14, para. 162 (Apr. 20) 397 Teitelbaum, supra. 398 Arg. v. Uru., 2010 I.C.J. para. 162.
98
therefore, is not necessarily the applicant (i.e., the State that has brought the application before
the tribunal) but is rather the party “who . . . raised an issue,”399 regardless of its procedural
position.400 For instance, the party (applicant or respondent) that relies on an exception,
including self-defense, has the burden of proving the facts that are the basis for the exception.401
It should also be recalled that the distinction between applicant and respondent may not always
be clear in inter-state litigation, especially when the case is brought before an international
court by special agreement between the parties.402
The onus probandi incumbit actori principle is subject to three main limitations. First, facts
that are not disputed or that are agreed upon by the parties do not need to be proven.403 Second,
the Court has relieved a party from the burden of providing evidence of facts that are
“notorious” or “of public knowledge.”404 In Nicaragua, for instance, the Court found that
“since there was no secrecy about the holding of the manoeuvres, the Court considers that it
may treat the matter as one of public knowledge, and as such, sufficiently established.”405 As
has been noted, “the notion of common or public knowledge has, over the years, expanded,
given the wide availability of information on current events in the press and on the internet.”406
Companies like McAfee, Symantec, Mandiant, and Project Grey Goose, as well as think tanks
like NATO’s Cooperative Cyber Defence Centre of Excellence (CCD COE), have also
399 RIDDELL & PLANT, supra. 400 According to Shabtai Rosenne, “the tendency of the Court is to separate the different issues arising in a case,
treating each one separately, applying the rule actori incumbit probatio, requiring the party that advances a
particular contention to establish it in fact and in law. The result is that each State putting forward a claim is under
the general duty to establish its case, without there being any implication that such State is ‘plaintiff’ or ‘applicant’
in the sense in which internal litigation uses those terms.” SHABTAI ROSENNE, THE LAW AND PRACTICE
OF THE INTERNATIONAL COURT, 1920–2005, at 1200–01 (4th ed. 2006), in Marco Roscini, 243. 401 Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 161, para. 57 (Nov. 6) 402 Andrés Aguilar Mawdsley, Evidence Before the International Court of Justice, in ESSAYS IN HONOUR OF
WANG TIEYA 533, 538 (Ronald St. John Macdonald ed., 1994). 403 Wolfrum, supra. 404 See, e.g., Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J.
14, para. 92 (June 27) (accepting a newspaper report as evidence of notoriety). Judicial notice has been frequently
invoked by international criminal tribunals. Teitelbaum, supra note 65, at 144–45. 405 Nicar. v. U.S., Judgment, 1986 I.C.J. para. 92.
406 RIDDELL & PLANT, supra note 53, at 142–43.
99
published reports on cyber incidents.407 These reports essentially contain technical analysis of
cyber incidents and, with the possible exception of those of the CCD COE, do not normally
investigate attribution for legal purposes of those incidents in any depth (if at all).408 The fact
that cyber incidents have received extensive press coverage, as in the case of Stuxnet, may also
contribute to the public knowledge character of certain facts. In Nicaragua, however, the ICJ
warned that “widespread reports of a fact may prove on closer examination to derive from a
single source, and such reports, however numerous, will in such case have no greater value as
evidence than the original source.”409 The ICJ has also held that the “massive body of
information” available to the Court, including newspapers, radio and television reports, may
be useful only when it is “wholly consistent and concordant as to the main facts and
circumstances of the case.”410
Third, the onus probandi incumbit actori principle only applies to facts, as opposed to the law,
which does not need to be proven (jura novit curia).411 It should be noted, however, that, in
inter-state litigation, municipal law is a fact that must be proven by the parties invoking it.412
Furthermore, the ICJ has often distinguished between treaty law and customary international
law, holding that the existence and scope of customary rules—especially those of a regional
character—must be proven by the parties because one of their two elements, state practice, is
factual.413 A party invoking national legislation or the existence of a general or cyber-specific
custom in its favour, therefore, will bear the burden of producing relevant evidence before the
Court. Certain authors have suggested that shifting the burden of proof “from the investigator
407 TIKK ET AL., supra note 14; MANDIANT, 2014 THREAT REPORT [hereinafter MANDIANT,
THREAT REPORT], available at http://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf. 408 See generally TIKK ET AL., supra note 14; MANDIANT, THREAT REPORT, supra note 84. 409 Nicar. v. U.S., Judgment, 1986 I.C.J. para. 63. 410 United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 3, para. 13 (May
24). 411 Wolfrum, supra. 412 Ibid at 557. 413 Asylum Case (Colom. v. Perú), Judgment, 1950 I.C.J. 266, 276–77 (Nov. 20); Rights of Nationals of the United
States of America in Morocco (Fr. v. U.S.), Judgment 1952 I.C.J. 176, 200 (Aug. 27).
100
and accuser to the nation in which the attack software was launched” could solve the problems
of identification and attribution in the cyber context.414 In such an approach, international law
would require the State where the attack originated to prove that it neither carried out the
operation nor negligently allowed others to misuse its infrastructure, as opposed to requiring
the accuser to prove the contrary. Similarly, it has been argued that “the fact that a harmful
cyber incident is conducted via the information infrastructure subject to a nation’s control is
prima facie evidence that the nation knows of the use and is responsible for the cyber
incident.”415 This, however, is not correct. First, mere knowledge does not automatically entail
direct attribution, but rather merely a potential violation of the due diligence duty not to allow
hostile acts from one’s territory.416 What is more, the views arguing for a reversal of the burden
of proof are at odds with the jurisprudence constante of the ICJ.417 In the Corfu Channel case,
the Court famously found that the exclusive control exercised by a State over its territory
“neither involves prima facie responsibility nor shifts the burden of proof” in relation to
unlawful acts perpetrated therein.418 The Court, however, conceded that difficulties in
discharging the burden of proof in such cases may allow “a more liberal recourse to inferences
of fact and circumstantial evidence.”419 This point will be further explored below in Section
4.6.420 In Armed Activities (Dem. Rep. Congo v. Uganda), the ICJ also did not shift the burden
of proving that Zaire had been in a position to stop the armed groups’ actions originating from
its border regions, as claimed by Uganda in its counter-claim, from Uganda to the Democratic
Republic of the Congo (DRC), and therefore found that it could not “conclude that the absence
414 Richard A. Clarke & Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do
about it 249 (2010), in Marco Roscini, 245. 415 Daniel J. Ryan, Maeve Dion, Eneken Tikk & Julie J. C. H. Ryan, International Cyberlaw: A Normative
Approach, 42 GEO. J. INT’L L. 1161, 1185 (2011). 416 See Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 18 (Apr. 9) (“It cannot be concluded from the mere
fact of the control exercised by a State over its territory and waters that that State necessarily knew, or ought to
have known, of any unlawful act perpetrated therein . . . .”). 417 Ibid (stating that control by a State over its borders does not shift the burden of proof to the accused State). 418 Ibid. 419 Ibid. 420 See infra, section 4.6.
101
of action by Zaire’s Government against the rebel groups in the border area is tantamount to
‘tolerating’ or ‘acquiescing’ in their activities.”421
If one applies these findings in the cyber context, the fact that a State has exclusive “territorial”
control of the cyber infrastructure from which the cyber operation originates does not per se
shift the burden of proof, and it is therefore still up to the claimant to demonstrate that the
territorial State is responsible for the cyber operation or that it failed to comply with its due
diligence duty of vigilance, and not to the territorial State to demonstrate the contrary.422
Even beyond the principle of territorial control, the fact that relevant evidence is in the hands
of the other party does not per se shift the burden of proof. In the Avena case, the ICJ held that
it could not accept that, because such information may have been in part in the hands of Mexico,
it was for Mexico to produce such information. It was for the United States to seek such
information, with sufficient specificity, and to demonstrate both that this was done and that the
Mexican authorities declined or failed to respond to such specific requests. . . The Court
accordingly concludes that the United States has not met its burden of proof in its attempt to
show that persons of Mexican nationality were also United States nationals.423
The fact that cyber operations were conducted in the context of an armed conflict, as was the
case of those against Georgia in 2008,424 also does not affect the normal application of the
burden of proof.425 In Nicaragua, the ICJ recalled the Corfu Channel and Tehran Hostages
judgments and found that “a situation of armed conflict is not the only one in which evidence
of fact may be difficult to come by, and the Court has in the past recognized and made
421 Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. 168,
para. 301 (Dec. 19). 422 David J. Betz & Tim Stevens, Analogical Reasoning and Cyber Security, 44 SECURITY DIALOGUE 147,
151 (2013), in Marco Roscini, 246. 423 Avena and Other Mexican Nationals (Mex. v. U.S.), Judgment, 2004 I.C.J. 12, para. 57 (Mar. 31.). 424 Markoff, supra. 425 See generally Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986
I.C.J. 14 (June 27).
102
allowance for this . . .”426 Even in such circumstances, therefore, “it is the litigant seeking to
establish a fact who bears the burden of proving it . . .”427 In the El Salvador/Honduras case,
the Court stated that it:
Fully appreciates the difficulties experienced by El Salvador in collecting its
evidence caused by the interference with governmental action resulting from
acts of violence. It cannot however apply a presumption that evidence which is
unavailable would, if produced, have supported a particular party’s case; still
less a presumption of the existence of evidence which has not been produced.428
The application of the onus probandi incumbit actori principle is also not affected by the
possible asymmetry in the position of the litigants in discharging the burden of proof due to the
fact that one has acted covertly (as is virtually always the case of cyber operations).429 As Judge
Owada points out in his Separate Opinion attached to the Oil Platforms judgment, however,
the Court should “take a more proactive stance on the issue of evidence and that of fact-finding”
in such cases in order to ensure that the rules of evidence are applied in a “fair and equitable
manner” to both parties.430
Finally, it has been argued that a reversal of the burden of proof may derive from an application
of the precautionary principle based on international environmental law in cyberspace.431 The
precautionary principle entails “the duty to undertake all appropriate regulatory and other
measures at an early stage, and well before the (concrete) risk of harm occurs.”432 On this view,
426 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1984 I.C.J. 392, para.
101 (Nov. 26). 427 Ibid. 428 Land, Island and Maritime Frontier Dispute (El Sal./Hond.: Nicar. intervening), Judgment, 1992
I.C.J. 351, para. 63 (Sept. 11). 429 Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 306, para. 46 (Nov. 6); (separate opinion of Judge Owada). 430 Ibid para 47. 431 See Thilo Marauhn, Customary Rules of International Environmental Law – Can They Provide Guidance for
Developing a Peacetime Regime for Cyberspace?, in PEACETIME REGIME FOR STATE ACTIVITIES IN
CYBERSPACE, supra, at 475 (describing the precautionary approach’s relationship to international
environmental law). 432 Katharina Ziolkowski, General Principles of International Law as Applicable in Cyberspace, in PEACETIME
REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra note 34, at 169.
103
States would have an obligation to implement measures to prevent the possible misuse of their
cyber infrastructure, in particular by establishing a national cyber security framework.433
Regardless of whether the precautionary principle, with its uncertain normativity, extends to
cyberspace,434 it still would not lead to a reversal of the burden of proof from the claimant to
the State from which a cyber operation originates. In the Pulp Mills case, the ICJ concluded
that “while a precautionary approach may be relevant in the interpretation and application of
the provisions of the Statute [of the River Uruguay], it does not follow that it operates as a
reversal of the burden of proof.”435 The Court, however, did not specify whether the
precautionary principle might result in at least a lowering of the standard of proof.436
In light of the above discussion, it can be concluded that it is unlikely that the ICJ would accept
that there is a reversal of the burden of proof in the cyber context. As has been correctly argued,
“suggesting a reversal of the burden of proof could easily lead to wrong and even absurd results
given the possibility of routing cyber operations through numerous countries, and to the
denouncing of wholly uninvolved and innocent States.”437 In the case of the 2007 DDoS
campaign against Estonia, for instance, the botnets included computers located not only in
Russia, but also in the United States, Europe, Canada, Brazil, Vietnam and other countries.438
Difficulties in discharging the burden of proof, which are particularly significant in the context
under examination, may, however, result in an alleviation of the standard of proof required to
demonstrate a particular fact. It is to this aspect that the analysis now turns.
4.3 Standard of Proof and Cyber Operations
It is well known that, while in civil law systems there are no specific standards of proof that
judges have to apply because they are authorized to evaluate the evidence produced according
433 Ibid. 434 See Marauhn, supra at 475–76 (asserting doubt that the precautionary principle applies to cyberspace). 435 Pulp Mills on the River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J. 14, para. 164 (Apr. 20). 436 Ibid. 437 Geiß & Lahmann, supra, at 628. 438 U.S. ACQUISITION AND USE OF CYBERATTACK CAPABILITIES, supra, at 173.
104
to their personal convictions on a case-by-case basis, common law jurisdictions employ a rigid
classification of standards.439 From the most to the least stringent, these include: beyond
reasonable doubt (i.e., indisputable evidence, a standard used in criminal trials), clear and
convincing (or compelling) evidence (i.e., more than probable but short of indisputable), and
the preponderance of evidence or balance of probabilities (i.e., more likely than not or
reasonably probable, a standard normally used in civil proceedings).440 A fourth standard is
that of prima facie evidence-a standard that merely requires indicative proof of the correctness
of the contention made.441
The Statute of the ICJ and the Rules of Court neither require specific standards of proof nor
indicate what methods of proof the Court will consider as being probative in order to meet a
certain standard.442 The ICJ has to date avoided clearly indicating the standards of proof
expected from the litigants during the proceedings.443 It has normally referred to the judgments,
but at that point it is of course too late for the parties to take it into account in pleading their
cases.444
There is no agreement on what standard of proof the ICJ should expect from the parties in the
cases before it.445 If, because of their nature, international criminal courts use the beyond
reasonable doubt standard in their proceedings,446 the most appropriate analogy for inter-state
439 Marko Milanović, State Responsibility for Genocide, 17 EUR. J. INT’L L. 553, 594 (2006), in Marco Roscini,
248. 440 . Mary Ellen O’Connell, Rules of Evidence for the Use of Force in International Law’s New Era, 100 AM.
SOC’_Y INT’L L. PROC. 44, 45 (2006) [hereinafter O’Connell, Rules of Evidence]. 441 Green, supra, at 166. 442 See generally Statute of the International Court of Justice, June 26, 1945, 33 U.N.T.S. 933; Rules of Court,
1978 I.C.J. Acts & Docs. 6. 443 That approach has been criticized by judges from common law countries. See, e.g., Oil Platforms (Iran v. U.S.),
2003 I.C.J. 270, paras. 42–44 (Nov. 6) (separate opinion of Judge Buergenthal) (stating that the Court failed to
explain a standard of proof); Oil Platforms (Iran v. U.S.), 2003 I.C.J. 225, paras. 30–39 (Nov. 6) (separate opinion
of Judge Higgins) (criticizing the Court for not stating a standard of proof), in Marco Roscini, 248. 444 See Teitelbaum, supra, at 124 (“The Court’s determination of the standard of proof may be said to be made on
an ad hoc basis, and is only revealed at the end of the process when the Court delivers its judgment.”). 445 H.E. Judge Rosalyn Higgins, President, Int’l Court of Justice, Speech to the Sixth Committee of the General
Assembly 4 (Nov. 2, 2007). 446 Wolfrum, supra, at 569.
105
litigation is not with criminal trials, but with certain types of civil litigation.447 In his Dissenting
Opinion in the Corfu Channel case, Judge Krylov suggested that “one cannot condemn a State
on the basis of probabilities. To establish international responsibility, one must have clear and
indisputable facts.”448 Wolfrum has argued that, while the jurisdiction of an international court
over a case should be established beyond reasonable doubt, the ICJ has generally applied a
standard comparable to that of preponderance of evidence used in domestic civil proceedings
when deciding disputes involving state responsibility.449 Others have maintained that such a
standard only applies to cases not concerning attribution of international wrongful acts, such
as border delimitations, and that when international responsibility is at stake, the standard is
stricter and requires clear and convincing evidence.450
It is therefore difficult, and perhaps undesirable,451 to identify a uniform standard of proof
generally applicable in inter-state litigation or even a predominant one: the Court “tends to look
at issues as they arise.”452 This case-by-case approach, however, does not exclude that a
standard of proof may be identified having regard to the primary rules in dispute, i.e., “the
substantive rules of international law through . . . which the Court will reach its decision.”453
Indeed, when the allegation is the same, it seems logical that the evidentiary standard should
also be the same.454
Views held by some U.S pontificate that the standard of proof for cyber operations should be
low because it is very difficult to reach the clear and convincing standard in the cyber
447 Waxman, supra, at 59. 448 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 72 (Apr. 9) (dissenting opinion of Judge Krylov). 449 Wolfrum, supra, at 566. 450 RIDDELL & PLANT, supra, at 133. 451 Green, supra, at 167. 452 Sir Arthur Watts, Burden of Proof, and Evidence before the ECJ, in Improving WTO Dispute Settlement
Procedures: Issues and Lessons from the Practice of Other International Courts and Tribunals 289, 294 (Friedl
Weiss ed., 2000), in Marco Roscini, 250. 453 ROSENNE, supra, at 1043. 454 Green, supra, at 169–71.
106
context.455 However, the views mentioned above are also far from being unanimously held,
even within the U.S. government: The Air Force Doctrine for Cyberspace Operations, for
instance, States that attribution of cyber operations should be established with “sufficient
confidence and verifiability.”456 A report prepared by Italy’s Parliamentary Committee on the
Security of the Republic goes further and requires it to be demonstrated “in modo
inequivocabile” (unequivocally) that an armed attack by cyber means originated from a State
and was undertaken on the instruction of governmental bodies.457 The document also suggests
that attribution to a State requires “«prove» informatiche inconfutabili” (“irrefutable digital
evidence”), which, the Report concedes, is a standard that is very difficult to meet.458 Germany
also highlighted the danger of a lack of “reliable attribution” of malicious cyber activities in
creating opportunities for “false flag attacks,” misunderstandings, and miscalculations.459 In
relation to the DDoS attacks against Estonia, a U.K. House of Lords document lamented that
“the analysis of today is really very elusive, not conclusive and it would still be very difficult
to act on it.”460 Finally, the AIV/CAVV Report, which has been endorsed by the Dutch
government,461 requires “reliable intelligence . . . before a military response can be made to a
cyber attack” and “sufficient certainty regarding the identity of the author of the attack.”462 In
its response to the Report, the Dutch government argued that self-defense can be exercised
455 See generally; Developments in the Field of Information and Telecommunications, supra note 3, at 17;
Advance questions for Lieutenant General Keith Alexander for Commander, USA Nominee for Commander,
U.S. Cyber Command, S. Comm. Armed Servs. 12 (Apr. 15, 2010)
<https://epic.org/privacy/nsa/Alexander_04-15-10.pdf > (Lieutenant General Keith Alexander argued that
“some level of mitigating action” can be taken against cyber attacks even when we are not certain who is
responsible). 456 U.S. Air Force, Cyberspace Operations: Air Force Doctrine Document 3-12, at 10 (2010). 457 Comitato Parlamentare per la Sicurezza Della Repubblica, Relazione Sulle Possibili Implicazioni E Minacce
per la Sicurezza Nazionale Derivanti Dall’utilizzo Dello Spazio Cibernetico 26 (2010), available at
<http://www.parlamento.it/documenti/repository/commissioni/bicamerali/COMITATO%20SICUREZZA/Doc_
XXXIV_n_4.pdf>. 458 Ibid. 459 Letter from the Permanent Mission of the Fed. Republic of Ger. to the United Nations addressed to the Office
for Disarmament Affairs, Note No. 516/2012 (Nov. 5, 2012). 460 European Union Committee, Protecting Europe against Large-Scale Cyberattacks, 2009–2010, H.L. 68, at 42. 461 Michael N. Schmitt, The Law of Cyber Warfare: Quo Vadis? 25 STAN. L. & POL’Y REV. 269, 280 n.40
(2014). 462 Advisory Council on Int’l Affairs & Advisory Comm. on Issues of Pub. Int’l Law, Cyber Warfare 22 (2011).
107
against cyber attacks “only if the origin of the attack and the identity of those responsible are
sufficiently certain.”463
All in all, clear and convincing evidence seems the appropriate standard not only for claims of
self-defense against traditional armed attacks, but also for those against cyber operations: a
prima facie or preponderance of evidence standard might lead to specious claims and false or
erroneous attribution, while a beyond reasonable doubt standard would be unrealistic. In the
Norwegian Loans case, Judge Lauterpacht emphasized that “the degree of burden of proof . . .
adduced ought not to be so stringent as to render the proof unduly exacting.”464 As explained
by Michael Schmitt, a clear and convincing standard “obliges a state to act reasonably, that is,
in a fashion consistent with the normal state practice in same or similar circumstances.
Reasonable States neither respond precipitously on the basis of sketchy indications of who has
attacked them nor sit back passively until they have gathered unassailable evidence.”465
4.4. Methods of Proof and Cyber Operations
What type of evidence may be relied on in order to meet the required standard of proof and
establish that a cyber operation has occurred, has produced damage, and is attributable to a
certain State or non-state actor? The production of evidence before the ICJ is regulated by
Articles 48 to 52 of its Statute and by the Rules of Court. There is, however, no list of the
methods of proof available to parties before the Court nor any indication of their different
probative weight.466 Article 48 of the ICJ Statute provides only that “the Court shall . . . make
all arrangements connected with the taking of evidence,”467 while Article 58 of the Rules of
Court confirms that “the method of handling the evidence and of examining any witnesses and
463 GOV’T OF THE NETH., supra note 154, at 5. 464 Certain Norwegian Loans (Fr. v. Nor.), Judgment, 1957 I.C.J. 9, 39 (July 6) (separate opinion of Judge Sir
Hersch Lauterpacht). 465 Schmitt’s exact verbiage calls for a “clear and compelling” standard. Michael N. Schmitt, Cyber Operations
and the Jus Ad Bellum Revisited, 56 VILL. L. REV 569, 595 (2011). 466 Compare Statute of the International Court of Justice arts. 48–52, June 26, 1945, 33 U.N.T.S. 933, and Rules
of Court, arts. 57, 58, 62–64, 71, 1978 I.C.J. Acts & Docs. 6 (together demonstrating that there are no methods of
proof for dealing with the production of evidence before the ICJ). 467 Statute of the International Court of Justice art. 48, June 26, 1945, 33 U.N.T.S. 933.
108
experts . . . shall be settled by the Court after the views of the parties have been ascertained in
accordance with Article 31 of these Rules.”468
As a leading commentator has observed, “the International Court of Justice has construed the
absence of restrictive rules in its Statute to mean that a party may generally produce any
evidence as a matter of right, so long as it is produced within the time limits fixed by the
Court.”469 Although it is primarily the parties’ responsibility to produce the evidence necessary
to prove the facts alleged, the Court may also order the production of documents, call experts
and witnesses, conduct site visits, and request relevant information from international
organizations.470 In Nicaragua, for instance, the Court found that it was “not bound to confine
its consideration to the material formally submitted to it by the parties.”471 In that judgment,
the ICJ also emphasized the principle of free assessment of evidence, stating that “within the
limits of its Statute and Rules, [the Court] has freedom in estimating the value of the various
elements of evidence . . . .”472
In the next pages, methods of proof that may be relevant in relation to cyber operations will be
examined.
A. Documentary Evidence
Although there is no formal hierarchy between different sources, the ICJ has taken a civil law
court approach and has normally given primacy to written documents over oral evidence.473
Documentary evidence includes “all information submitted by the parties in support of the
468 Rules of the Court, art. 58, 2007 I.C.J. Acts & Docs. 91. 469 Durward V. Sandifer, Evidence before International Tribunals 184 (rev. ed. 1975). 470 Statute of the International Court of Justice arts. 49, 50, June 26, 1945, 33 U.N.T.S. 933; Rules of Court, arts.
62, 66, 67, 69, 1978 I.C.J. Acts & Docs. 6. 471 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para.
30 (June 27). 472 Nicar. v. U.S., 1986 I.C.J. para. 60. See also Armed Activities on the Territory of the Congo (Dem. Rep. Congo
v. Uganda), Judgment, 2005 I.C.J. 168, para. 59 (Dec. 19). 473 Aguilar Mawdsley, supra, at 543.
109
contentions contained in the pleadings other than expert and witness testimony.”474 According
to Shabtai Rosenne, documentary evidence can be classified in four categories:
published treaties included in one of the recognized international or national
collections of treaty texts; official records of international organizations and
of national parliaments; published and unpublished diplomatic
correspondence, and communiqués and other miscellaneous materials,
including books, maps, plans, charts, accounts, archival material,
photographs, films, legal opinions and opinions of experts, etc.; and
affidavits and declarations.475
Official state documents, such as national legislation, cyber doctrines, manuals, strategies,
directives and rules of engagement, may become relevant in establishing state responsibility
for cyber operations.476 In Nicaragua, for instance, the responsibility of the United States for
encouraging violations of international humanitarian law was established on the basis of the
publication of a manual on psychological operations.477 According to the Court, “the
publication and dissemination of a manual in fact containing the advice quoted above must . .
. be regarded as an encouragement, which was likely to be effective, to commit acts contrary
to general principles of international humanitarian law reflected in treaties.”478 Not all state
documents, however, have the same probative value: in Democratic Republic of the Congo v.
Uganda, the Court dismissed the relevance of certain internal military intelligence documents
because they were unsigned, unauthenticated, or lacked explanation of how the information
was obtained.479
474 Wolfrum, supra, at 558. 475 ROSENNE, supra, at 1246. 476 Mark D. Young, National Cyber Doctrine: The Missing Link in the Application of American Cyber Power, J.
NAT’L SECURITY L. & POL’Y 173, 175–76 (2010). 477 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para.
113 (June 27). 478 Ibid. para. 256. 479 Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 C.J. 168, paras.
125, 127–28, 133–34, 137 (Dec. 19).
110
Documents of international organizations may also be presented as evidence.480 Overall, the
Court has given particular credit to U.N. reports, Security Council resolutions, and other
official U.N. documents.481 In Bosnian Genocide, the ICJ stated that the probative value of
reports from official or independent bodies “depends, among other things, on (1) the source of
the item of evidence (for instance, partisan or neutral), (2) the process by which it has been
generated (for instance an anonymous press report or the product of a careful court or court-
like process), and (3) the quality of the character of the item (such as statements against interest,
and agreed or uncontested facts).”482 Several documents of international organizations address
cyber issues.483
The Court has also relied on fact-finding from commissions and other courts.484 In Dem. Rep.
Congo v. Uganda, the Court considered the Report of the Porter Commission, observing that
neither party had challenged its credibility.485 Furthermore, the Court accepted that “evidence
[included in the Report] obtained by examination of persons directly involved, and who were
subsequently cross-examined by judges skilled in examination and experienced in assessing
large amounts of factual information, some of it of a technical nature, merits special
attention.”486 For these reasons, facts alleged by the parties that found confirmation in the
Report were considered clearly and convincingly proved.487 There are, however, no examples
of reports by judicial commissions in relation to cyber operations.488 One can at best recall the
2009 Report of the Independent Fact-Finding Mission on the Conflict in Georgia established
480 See RIDDELL & PLANT, supra, at 85–87. 481 Teitelbaum, supra, at 146. 482 Bosn. & Herz. v. Serb. & Montenegro, 2007 I.C.J. para. 227 483 E.g., G.A. Res. 66/24, at 2, U.N. Doc. A/RES/66/24 (Dec 13, 2011) (expressing concern over “international
information security”). 484 Teitelbaum, supra, at 152. 485 Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), 2005 I.C.J. 168, para. 60 (Dec.
19). 486 Dem. Rep. Congo v. Uganda, 2005 I.C.J. para. 61. 487 Teitelbaum, supra, at 153. 488 See generally Major Arie J. Schaap, Cyber Warfare Operations: Development and Use under International
Law, 64 A.F. L. REV. 121, 121–73 (2009).
111
by the Council of the European Union,489 which briefly addressed the cyber operations against
Georgia.490 The Report, however is not of great probative weight, as it did not reach any
conclusion on those operations’ attribution or legality, simply noting that “[i]f these attacks
were directed by a government or governments, it is likely that this form of warfare was used
for the first time in an inter-state armed conflict.”491 Even if not of use to establish attribution,
however, the Report could be relied on to establish that the cyber operations against Georgia
did in fact occur.492
Documents produced by NGOs and think tanks may also play an evidentiary role, albeit a
limited one. In relation to cyber operations, the CCD COE has prepared reports containing
technical and legal discussion of the Estonia, Georgia and Iran cases, as well as of other cyber
incidents.493 Information security companies like Symantec, McAfee, and Mandiant also
regularly compile detailed technical reports on cyber threats and specific incidents.230 In
general, however, reports from NGOs and other non-governmental bodies have been
considered by the ICJ as having less probative value than publications of States and
international organizations and have been used in a corroborative role only.494 In Democratic
Republic of the Congo v. Uganda, for instance, the ICJ considered a report by International
Crisis Group not to constitute “reliable evidence.”495 Similarly, in Oil Platforms the Court did
not find publications such as Lloyd’s Maritime Information Service, the General Council of
British Shipping or Jane’s Intelligence Review to be authoritative public sources, as it had no
489 INDEP. INT’L FACT-FINDING MISSION ON THE CONFLICT IN GEOR., REPORT 2 (2009),
http://rt.com/files/politics/georgia-started-ossetian-war/iiffmcg-volume-ii.pdf. 490 Ibid, at 217–19. 491 Ibid at 219. 492 Ibid. 493 The CCD COE is a think tank based in Tallinn, Estonia that was created after the 2008 DDoS attacks against
the Baltic state. 494 RIDDELL & PLANT, supra, at 249. 495 Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. 168,
para. 129 (Dec. 19).
112
“indication of what was the original source, or sources, or evidence on which the public sources
relied.”496
As far as press reports and media evidence are concerned, one may recall, in the cyber context,
the above-mentioned New York Times articles attributing Stuxnet to the United States and
Israel.497 The ICJ, however, has been very reluctant to accept press reports as evidence and has
treated them “with great caution.”498 Press reports that rely only on one source, rely on an
interested source, or give no account of their sources have therefore been treated as having no
probative value.499 In Nicaragua, the Court held that, even when they meet “high standards of
objectivity,” it would regard the reports in press articles and extracts from books presented by
the parties “not as evidence capable of proving facts, but as material which can nevertheless
contribute, in some circumstances, to corroborating the existence of a fact, i.e., as illustrative
material additional to other sources of evidence.”500 This was dependent on the sources being
“wholly consistent and concordant as to the main facts and circumstances of the case.”501
Apart from this, press reports may contribute, together with other sources, to demonstrate
public knowledge of facts of which the Court may take judicial notice, thus relieving a party
from having to discharge the burden of proof with regard to those facts.502
As already mentioned, in Nicaragua the ICJ noted that “widespread reports of a fact may prove
on closer examination to derive from a single source, and such reports, however numerous, will
in such case have no greater value as evidence than the original source.”503
B. Official Statements
496 Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 161, para. 60 (Nov. 6). 497 RIDDELL & PLANT, (text accompanying notes 18-21). 498 . Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para.
62 (June 27). 499 Dem. Rep. Congo v. Uganda, 2005 I.C.J. para. 68. 500 Nicar. v. U.S., 1986 I.C.J. para. 62. 501 Dem. Rep. Congo v. Uganda, 2005 I.C.J. para. 68 (citing United States Diplomatic and Consular
Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 3, para. 13 (May 24) 502 Nicar. v. U.S., 1986 I.C.J. para. 63. 503 Ibid.
113
Statements made by official authorities outside the context of the judicial proceedings may play
an important evidentiary role. In the Tehran Hostages case, for instance, the ICJ recalled that
it had “a massive body of information from various sources concerning the facts and
circumstances of the present case, including numerous official statements of both Iranian and
United States authorities.”504
Statements “emanating from high-ranking official political figures, sometimes indeed of the
highest rank, are of particular probative value when they acknowledge facts or conduct
unfavourable to the State represented by the person who made them.”505 However, all depends
on how those statements were made public: “evidently, [the Court] cannot treat them as having
the same value irrespective of whether the text is to be found in an official national or
international publication, or in a book or newspaper.”506 In other words, statements that can be
directly attributed to a state are of more probative value.
C. Witness Testimony
Witnesses may be called to provide direct oral evidence by the Court and by the litigants: The
latter case is conditioned upon the absence of objections by the other litigant or the recognition
by the Court that the evidence is likely to be relevant.507 The Court may also put questions to
the witnesses and experts called by the parties.508 In Corfu Channel, for instance, naval officers
were called to testify by the United Kingdom about the damage suffered by the Royal Navy
ships and the nature and origin of the mines. Albania also called witnesses to testify to the
absence of mines in the Channel.509 Nicaragua called five witnesses to testify in the Nicaragua
case.510
504 United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 3, para. 13 (May
24). 505 Nicar. v. U.S., 1986 I.C.J. para. 64. 506 Ibid, para 65. 507 Rules of Court, arts. 62(2), 63, 1978 I.C.J. Acts & Docs. 6. 508 Rules of Court, art. 65, 1978 I.C.J. Acts & Docs. 6. 509 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 7–8, 10 & 11 (Apr. 9). 510 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para.
13 (June 27).
114
It is worth recalling that the Court has also accepted witness evidence given in written form
and attached to the written pleadings, but it has treated it “with caution”511 and has generally
considered it of a probative value inferior to that of direct oral witness testimony.512
D. Enquiry and Experts
According to Article 50 of the ICJ Statute, “the Court may, at any time, entrust any individual,
body, bureau, commission, or other organization that it may select, with the task of carrying
out an enquiry or giving an expert opinion.”513 Enquiries have never been commissioned by
the Court, which has rather relied on fact-finding reports from other sources.514 Experts may
be necessary in cases of a highly technical nature or that involve expertise not possessed by the
judges. It is likely, therefore, that the Court will appoint experts in cases involving cyber
technologies. The Court, however, would not be bound by their report. The parties may also
call experts.515 In the Whaling in the Antarctic case, therefore, the experts called by both
Australia and Japan gave evidence as expert witnesses and were cross-examined,516 and the
Court relied heavily on their statements to conclude that the special permits granted by Japan
for the killing, taking, and treatment of whales had not been granted “for purposes of scientific
research.”517
E. Digital Evidence
Digital forensics “deals with identifying, storing, analyzing, and reporting computer finds, in
order to present valid digital evidence that can be submitted in civil or criminal proceedings.”518
511 Territorial and Maritime Dispute between Nicaragua and Honduras in the Caribbean Sea (Nicar. v. Hond.),
Judgment, 2007 I.C.J. 659, para. 244 (Oct. 8). 512 RIDDELL & PLANT, supra, at 280–8. 513 Statute of the International Court of Justice art. 50, June 26, 1945, 33 U.N.T.S. 933. 514 Benzing, supra, at 1259. 515 Rules of Court, art. 63, 1978 I.C.J. Acts & Docs. 6. 516 Whaling in the Antarctic (Aust. v. Japan: N.Z. intervening), Judgment, 2014 I.C.J. 148, paras. 20–21 (Mar.
31). 517 Ibid, para. 227. 518 PRESIDENCY OF THE COUNCIL OF MINISTERS, NATIONAL STRATEGIC FRAMEWORK FOR
CYBERSPACE SECURITY 42 (2013), available at http://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/
uploads/2014/02/italian-national-strategic-framework-for-cyberspace-security.pdf.
115
It includes the seizure, forensic imaging, and analysis of digital media, and the production of a
report on the evidence so collected.519 It seems that most countries “do not make a legal
distinction between electronic evidence and physical evidence. While approaches vary, many
countries consider this good practice, as it ensures fair admissibility alongside all other types
of evidence.”520 Of course, not only do data have to be collected, but they also need to be
interpreted, and the parties may disagree on their interpretation.
For several reasons, however, digital evidence on its own is unlikely to play a decisive role in
establishing state responsibility for cyber operations. First, digital evidence is “volatile, has a
short life span, and is frequently located in foreign countries.”521 Second, the collection of
digital evidence can be very time consuming and requires the cooperation of the relevant
internet service providers, which may be difficult to obtain when the attack originates from
other States.522 Third, although digital evidence may lead to the identification of the computer
or computer system from which the cyber operation originates, it does not necessarily identify
the individual(s) responsible for the cyber operation (as the computer may have been hijacked,
or the IP spoofed).523 In any case, such digital evidence will say nothing about whether the
conduct of those individuals can be attributed to a State under the law of state responsibility.
4.5. Presumptions and Inferences in the Cyber Context
As Judge ad hoc Franck emphasized in Sovereignty over Pulau Ligitan and Pulau Sipadan,
“presumptions are necessary and well-established aspects both of common and civil law and
cannot but be a part of the fabric of public international law.”524 Previously, in his dissenting
opinion in Corfu Channel, Judge Azevedo had argued that “it would be going too far for an
519 Jay P. Kesan & Carol M. Hayes, Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace, 25
HARV. J.L. & TECH. 429, 482 (2012). 520 U.N. Office on Drugs and Crime, Comprehensive Study on Cybercrime: Draft, 25 February 2013. 521 Fred Schreier, On Cyberwarfare 65 (DCAF Horizon 2015, Working Paper No. 7, 2012). 522 Ibid, at 46. 523 Ibid, at 65. 524 Sovereignty over Pulau Ligitan & Pulau Sipadan (Indon./Malay.), Judgment, 2002 I.C.J. 691, para. 44 (Dec.
17) (dissenting opinion of Judge ad hoc Franck).
116
international court to insist on direct and visual evidence and to refuse to admit, after reflection,
a reasonable amount of human presumptions with a view to reaching that state of moral, human
certainty with which, despite the risk of occasional errors, a court of justice must be content.”525
Although the difference is often blurred in inter-state litigation, presumptions may be
prescribed by law (legal presumptions, or presumptions of law), or be reasoning tools used by
the judges (presumptions of fact, or inferences).526 In other words, “presumptions of law derive
their force from law, while presumptions of fact derive their force from logic.”527 In
international law, presumptions of law can derive from treaties, international customs, and
general principles of law.528 According to Judge Owada in his dissenting opinion in the
Whaling in the Antarctic case, for instance, good faith on the part of a contracting State in
performing its obligations under a treaty “has necessarily to be presumed…although the
presumption is subject to rebuttal”.529
Inferences, or presumptions of fact, are closely linked to circumstantial evidence.530 In the
Corfu Channel case, Judge Padawi Pasha defined circumstantial evidence as “facts which,
while not supplying immediate proof of the charge, yet make the charge problable with the
assistance of reasoning.”531 The ICJ, however, “has demonstrated an increasing resistance to
the drawing of inferences from secondary evidence.”532 Only inferences to protect state
sovereignty are normally drawn by the Court, while others are treated with great caution. The
525 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 90–91 (Apr. 9) (dissenting opinion of
Judge Azevedo). 526 C.F. Amerasinghe, Presumptions and Inferences in Evidence in International Litigation, 3 L. & PRAC. INT’L
CTS. & TRIBUNALS 395, 395 (2004) 527 . Thomas M. Franck & Peter Prows, The Role of Presumptions in International Tribunals, 4 L. & PRAC. INT’L
CTS. & TRIBUNALS 197, 203 (2005) 528 Mojtaba Kazazi, Burden of Proof and Related Issues: a Study on Evidence before International Tribunals 245
(1996). 529 Whaling in the Antarctic (Austl. v. Japan: N.Z. intervening), Judgment, 2014 I.C.J. 148, para. 21 & 42 (Mar.
31) (dissenting opinion of Judge Owada). 530 Barcelona Traction, Light and Power Company, Limited. (Belg. v. Spain), 1964 I.C.J. 6, 80 (July 24) 531 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 59 (Apr. 9) (dissenting opinion of Judge Pasha). 532 Teitelbaum, supra, at 157.
117
ICJ has drawn inferences in situations such as exclusive control of territory and non-production
of documents.533 As to the first, it has been argued that the State from which the cyber operation
originates has presumptive knowledge of such operation. U.S. officials have claimed, for
instance, that, with the control that the Iranian government exercises over the internet, it is
“hard to imagine” that cyber attacks originating from Iran against U.S. oil, gas, and electricity
companies could be conducted without governmental knowledge, even in the absence of direct
proof of state involvement.534 The Mandiant Report also traced the cyber intrusions into U.S.
computers back to Chinese IP addresses.535 As has been seen, however, in the Corfu Channel
case the ICJ held that “it cannot be concluded from the mere fact of the control exercised by a
State over its territory . . . that that State necessarily knew, or ought to have known, of any
unlawful act perpetrated therein . . . .”536 Only if there are other indications of state involvement
may territorial control contribute to establish knowledge. In Oil Platforms, the ICJ also refused
to accept the US argument that the territorial control exercised by Iran over the area from which
the missile against the Sea Isle City had been fired was sufficient to demonstrate Iran’s
responsibility.537 These conclusions have been transposed in the cyber context538. If control of
cyber infrastructure is not on its own sufficient to prove knowledge of the cyber operations
originating therefrom, much less direct attribution, it may however have “a bearing upon the
methods of proof available to establish the knowledge of that State as to such events.”539 In
particular by reason of this exclusive control [within its frontiers], the other State, the victim
533 Waxman, supra, at 66. 534 Nicole Perlroth & David E. Sanger, New Computer Attacks Traced to Iran, Officials Say, N.Y. TIMES, May
24, 2013, http://www.nytimes.com/2013/05/25/world/middleeast/new-computer-attacks-comefrom-iran-
officials-say.html?_r=0. (May 23, 2016). 535 MANDIANT, APT 1, supra, at 4. 536 Corfu Channel (U.K. v. Alb.), Judgment, Merits, 1949 I.C.J. 4, 18 (Apr. 9). 537 Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 161, para. 61 (Nov. 6). 538 TALLINN MANUAL r. 7 & 8 (which is to the effect that neither the fact that a cyber operation originates
from a State’s governmental cyber infrastructure nor that it has been routed through the cyber infrastructure
located in a State are sufficient evidence for attributing the operation to those States, although it may be “an
indication that the State in question is associated with the operation). 539 U.K. v. Alb., 1949 I.C.J. at 18.
118
of a breach of international law, is often unable to furnish direct proof of facts giving rise to
responsibility. Such a State should be allowed a more liberal recourse to inferences of fact and
circumstantial evidence. This indirect evidence is admitted in all systems of law, and its use is
recognized by international decisions.540
According to the Court, then, inferences become particularly valuable, and assume a probative
value higher than normal, when a litigant is unable to provide direct proof of facts because the
evidence is under the exclusive territorial control of the other litigant. Such indirect evidence
“must be regarded as of special weight when it is based on a series of facts linked together and
leading logically to a single conclusion.”541
4.6. Inadmissible Evidence
There are no express rules on the admissibility of evidence in the ICJ Statute. Therefore, “the
general practice of the Court has been to admit contested documents and testimony, subject to
the reservation that the Court will itself be the judge of the weight to be accorded to it.”542
Evidence may, however, be declared inadmissible because it has been produced too late or not
in the prescribed form.543 Another example of inadmissible evidence is provided by the
decision of the Permanent Court of International Justice in the Factory at Chorzów case, where
the ICJ’s predecessor held that it “cannot take account of declarations, admissions or proposals
which the Parties may have made in the course of direct negotiations when . . . the negotiations
in question have not . . . led to an agreement between the parties.”544
Is evidence obtained through a violation of international law also inadmissible? Traditional
espionage and cyber exploitation, used in support of traceback technical tools, may be a helpful
540 Ibid. 541 Ibid. 542 Keith Highet, Evidence, the Court, and the Nicaragua Case, 81 AM. J. INT’L L. 1, 13 (1987). 543 Statute of the International Court of Justice art. 52, June 26, 1945, 33 U.N.T.S. 933. 544 Factory at Chorzów (Ger. v. Pol.), Claim for Indemnity, 1927 P.C.I.J. (ser. A) No. 9, at 19.
119
instrument to establish proof of state responsibility for cyber operations.545 It is doubtful
whether the above activities constitute internationally wrongful acts, although one
commentator has argued, for instance, that cyber espionage may be a violation of the
sovereignty of the targeted State whenever it entails an unauthorized intrusion into cyber
infrastructure located in another State (be it governmental or private).546
Assuming, arguendo, that espionage and cyber exploitation are, at least in certain instances,
internationally wrongful acts, what is the probative value of the evidence so collected? There
is no express rule in the Statute of the ICJ providing that evidence obtained through a violation
of international law is inadmissible.547 It is also not a general principle of law, as it seems to be
a rule essentially confined to the U.S. criminal system.548 In the Corfu Channel case, the ICJ
did not dismiss evidence illegally obtained by the United Kingdom in Operation Retail; on the
contrary, it relied on it in order to determine the place of the accident and the nature of the
mines. What the Court found was not that the evidence had been illegally obtained, but that the
purpose of gathering evidence did not exclude the illegality of certain conduct.549 In general,
The approach of the Court is to discourage self-help in the getting of evidence
involving internationally illicit acts, not by seeking to impose any bar on the
employment of evidence so collected, but by making it clear that such illicit
activity is not necessary, since secondary evidence will be received and
treated as convincing in appropriate circumstances.550
In a cyber context, this means that while litigants are not entitled to access direct evidence that
is located in another State’s computers or networks without authorization to submit it in the
545 Nicholas Tsagourias, Cyber Attacks, Self-Defence and the Problem of Attribution, 17 J. CONFLICT & SEC.
L. 229, 234 (2012). 546 Wolff Heintschel von Heinegg, Territorial Sovereignty and Neutrality in Cyberspace, 89 INT’L L. STUD.
123, 129 (2013). 547 RIDDELL & PLANT, at 158, in Marco Roscini, 271. 548 Hugh Thirlway, Dilemma or Chimera?—Admissibility of Illegally Obtained Evidence in International
Adjudication, 78 AM. J. INT’L L. 622, 627–28 (1984). 549 U.K. v. Alb., 1949 I.C.J. at 34–35. 550 Thirlway, supra, at 641.
120
proceedings, that evidence’s existence allows the court to give more weight to circumstantial
evidence.
Conclusion
Flowing from the above disquisition, it can be drawn from the application to cyber operations
of the ICJ’s rules and case law on evidence that the burden of proof does not shift in the cyber
context and continues to rest on the party that alleges a certain fact. Whilst it is uncertain that
a uniform standard of proof applicable to all cases involving international responsibility for
cyber operations can be identified, it appears that claims of self-defense against cyber
operations, like those against kinetic attacks, must be proved with clear and convincing
evidence. Also, we established that the Court may take ‘formal note’ of the refusal of a party
to present classified cyber documents, but it has so far refrained from drawing negative
inferences from the non-production of documents. In any case, any such negative inferences
could not contradict factual conclusions based on consistent evidence produced by the parties.
What is more? The Court gives more probative weight to official documents of States and
international organizations such as the United Nations. NGO reports and press articles on cyber
incidents are only secondary sources of evidence that may be useful to corroborate other
sources or to establish the public knowledge of certain facts, providing they are sufficiently
rigorous and only when they are “wholly consistent and concordant as to the main facts and
circumstances of the case.”551
The drawing of inferences is approached by the ICJ with great caution. When there are
objective difficulties for a litigant to discharge the burden of proof because the direct evidence
lies within the exclusive territorial control of the other litigant, including its cyber
infrastructure, a more liberal recourse to inferences of fact is admissible providing that they
leave no room for reasonable doubt. It has been argued, however, that evidence obtained
551 United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), 1980 I.C.J. 64, para. 13 (May 24).
121
through a jus cogens violation for instance, torture, should be deemed inadmissible. However,
we have sought to show from this chapter that even if a litigant obtains evidence illegally, e.g.,
through an unauthorized intrusion into the computer systems of another State, the evidence so
obtained may be taken into account by the Court, although the purpose of collecting evidence
does not exclude the illegality of the conduct.552
552 Corfu Channel case supra, p.35.
122
CHAPTER FIVE
Summary
In this work we have examined the nature and scope of cyber operations with respect to State
activities. The first chapter affords a general definition and exposition of cyber operations as a
concept, by outlining such things as the difference between cyberspace and outer space, the
various terminologies associated with cyber operations such as; Computer Network Attacks,
Cyber disruption, Cyber incidence, Cyber Hostility, Cyber counter measures, and so on. The
chapter also offers a brief history of cyberspace and operations in cyberspace. Under that
chapter, we further elucidated on specific techniques, tools and methods (such as hacking,
reconnaissance, weaponisation and so on), involved and utilised in the cyber domain which are
commonly associated with cyber operators. Finally, the chapter addressed the effects of cyber
operations. Sometimes the effects may be positive, other times, negative depending on the
intent and purpose of use. Chapters two and three generally introduce and establish the
governability of cyberspace by international law. Chapter two emphasises that international
law can apply to cyberspace operations through the general principles of law recognised by
civilised nations as provided in the ICJ Statute. We discussed the nature, scope and content of
the general principles and showed why they apply. Certainly, the flexibility of international
law made such application entirely possible. We highlighted these principles and in chapter
three, discussed how they actually applied substantively. In chapter three, we attacked the
regulation of cyber operations from two angles. The first angle being general principles of law
recognised by civilised nations namely; Sovereign equality of States, maintenance of
international peace and security and the duty of international cooperation in solving
international problems, the second angle being branch areas of international law exercising
their own international regulations include; international economic law, space law and
international telecommunications law. The regimes spell out the rights and duties of States in
123
the cybersphere, and also the consequences of a breach of the rules. Finally, in chapter four we
dealt with the international rules of evidence and the question of State responsibility. We
demonstrated that evidence could either be direct or circumstantial, so long as it leads to a
single and clear logical conclusion. While the burden of proof remains on the applicant and
could shift depending on who is at the moment asserting, the standard of proof is the clear and
convincing standard as far as State responsibility is concerned. Certain evidence do weigh more
than the other, documentary evidence still remains one of the most potent means of proving
responsibility. Evidence may be admissible even if it was illegally obtained, according to the
ICJ, the means of procurement does not affect the quality of the evidence.
The concluding thought of this work explicates that cyber space is not law free, as in other
spheres, there are wrongs and rights, duties as well as obligations, and importantly liability in
the event of misfeasance.
124
Findings
Once upon a time we lived in a world where the internet was only but an invention of wonder,
a tool in which global interconnectivity was seen as efficiently and speedily realized. A world
in which wars were fought by brave soldiers who faced each other in furious combat in a way
that today we would find it hard to recognize as valid. However, in the last decade, the way in
which the states approach the concept of war has changed profoundly. The massive
introduction of the technology component in our daily lives has meant that cyber operations in
general are the main politically motivated activities undertaken by many governments. As
lucidly identified from the foregone chapters, when the cyberspace by means of some cyber
tools are employed by governments or state sponsored individuals to unlawfully interfere in
the computer systems or internal matters of other states through a disruption of their computer
systems, we have a situation of cyber warfare. Common examples of cyber warfare, could
include cyber espionage and cyber attack. And once these are proved, the State involved will
be internationally responsible subject to evidentiary considerations.
The crux of the first chapter examined three main concerns. First, in understanding the nature,
scope and gamut of cyber operations with respect to State activities, we looked at the definition
of cyberspace operations, its distinction from other realms of human interaction, its history,
effects, and fundamentally, terms which we have seen to run through the entire scope of this
discourse and even beyond. From the first chapter, one point is essentially glaring, the fact that
cyberspace is beyond what most people think of it, it is a different world of its own and bears
distinctive features. The first chapter introduced the reader to the conceptualisation of
cyberspace, further analysis reveals that a multifarious outline of activities can be carried out
in this sphere, by all means, it tranverses the traditional and regular known incidences on the
internet like “cyber crime” for example. Over the last half decade, activities on and connected
to the internet have diametrically snowballed to include other possibilities such as cyber
125
warfare, cyber espionage, cyber attacks, cyber disruption, cyber counter measures, cyber
incidence and so on. Most of the activities constituting cyber operations, have one thing in
common: breaking into foreign Information Technology systems to extract or modify data, to
change the system configuration or to take down the entire system. It is this concern that has
essentially birthed this project. In carrying out these cyber operations many actors conduct
themselves in a manner reflective of legal indiscretion. The question then remains whether the
law, in the remotest possibility can regulate or even actually regulates these actors and their
activities.
It is in response to this poser that the second chapter finds realization. In the second chapter,
we examined the notion of general principles of international law, we have shown by exposition
that indeed cyberspace cannot possibly be unregulated. The idea promulgated by a few that
cyberspace is too novel for regulation by international law rings hollow in the light of the daring
decision of the International Court of Justice in the Lotus case.553 General principles of
international law may serve different purposes, of which the most significant is the function as
a basis for the progressive development of international law (either by filling a legal lacuna or
by progressive interpretation of existing international norms), responding to rising
extrapositive needs of the international society, such as fast growing technical advances, e.g.,
the ‘emergence’ of cyberspace as a common space for inter-State relations. By so doing,
international law gainsays the postulates of those who claim cyberspace is unregulated. This
chapter forms the basic foundation of the core of this work, the idea that cyber operators and
their activities is not without the bounds of legal thinking. The third chapter concretises in
polished fashion the laws that can be seen to apply to regulate cyberspace.
In the third chapter, we enumerated several principles of international law and even specific
subject areas dealing directly with cyberspace. For example, we have described how the general
553 S.S. ‘Lotus’, Merits (1927) PCIJ No 7.
126
principles of international law introduced in the second chapter could apply to deconflict the
competing interests of States in the cyber arena. We also established that International
Telecommunication Laws may be used to address cyber operations that make use of
electromagnetic spectrum or international telecommunications networks. For instance,
broadcasting stations from one nation may not interfere with broadcasts of other states’ services
on their authorized frequencies. We demonstrated how international transactions concluded on
the internet may be regulated by International Economic Rules and the extent to which the rules
of International Economic Law may allow defensive or offensive cyber operations that would
otherwise violate the rules. The nub of this chapter emphasizes the objective of this project
from the beginning. Some have claimed that cyberspace is not or is only partly regulated by
law, as a cyber-specific international custom is absent and contractual regulation scarce. The
inadequacy of this position has been made poignant by this work, we have brought to the glare
that even in the absence of a contractual regulation, States are still bound by the rules of
international law. As regards the contention of an absence of cyber-specific norm, again, the
facts point in the contrary and in favour of our position. For example Legal mechanisms have
been created by the United Nations,554 NATO,555 the Council of Europe,556 the Organization of
American States,557 and the Shanghai Cooperation Organization558 to directly regulate cyber
554 Global Culture of Cybersecurity and the Protection of Critical Informational Infrastructures, G.A. Res.
58/199, U.N. Doc. No. A/RES/58/199 (Jan. 30, 2004), and Creation of a Global Culture of Cybersecurity and
Taking Stock of National Efforts to Protect Critical Information Infrastructures, G.A. Res. 64/211, U.N. Doc.
No. A/RES/64/211 (Mar. 17, 2010). 555 North Atlantic Treaty, arts. 4, 5; see also NATO Agrees Common Approach to Cyber Defence, 97 (“The
competencies of the [Cyber Defence Management Authority] will fall exclusively on Article 4 of the North
Atlantic Treaty.”). 556 Cybercrime Convention, note 64, pmbl.; (“The Council of Europe’s Convention on Cybercrime . . . is the
first and only international treaty that deals explicitly with cybercrime.”). 557 Organization of American States, AG/RES. 2040 (XXXIV-O/04), at ch. IV, ¶ 8 (June 8, 2004), available at
<http://www.oas.org/juridico/english/ga04/agres_2040.htm.> also, Organization of American States, AG/RES.
2004 (XXXIV-O/04), at app. A, (June 8, 2004), available at
<http://www.oas.org/XXXIVGA/english/docs/approved_documents/adoption_strategy_combat_threats_cyberse
curity.htm.> 558 CONSULATE GEN. OF UZB. IN N.Y.C., YEKATERINBURG DECLARATION OF THE HEADS OF
THE MEMBER STATES OF THE SHANGHAI COOPERATION ORGANISATION, (July 9, 2009),
<http://www.uzbekconsulny.org/news/572/.>
127
operations. These organisations are a body of several States put together, and therefore can be
seen to reflect State practice, and ultimately evidence a custom of cyber norm amongst States.
Is cyberspace free from regulation? Clearly not!
How can a State be imputed with responsibility for distasteful cyber activities? What is the
quantum of evidence required to fix fault on a State? Are there parameters regulating the
obtainment of the said evidence, or are the windows of obtainment open? The fourth chapter
of this project work attempts a riposte to these questions. It is legal truism that suspicion can
never take the place of evidence. The question of evidence is an inherent matter in any
litigation. Proof of facts is a sine qua non for the establishment of any case. In cyber operation
issues however, matters of evidence appear rather wonky. First there is unsettlement as to the
standard of proof required to impute responsibility on States for wrongful cyber activities.
Although practice of international courts seem to suggest that the standard of evidence
implicating State responsibility should be clear and convincing. What is more? In obtaining
evidence, the International Court of Justice and even other Courts including municipal common
law systems seem to have embraced a lax view towards the legality or otherwise of evidence
so obtained. What is important to us however, is the fact that States can be responsible for
illegal cyberspace operations. And the ordinary rules of evidence in international law can apply
to fix fault on the State in question.
Laws governing States’ interaction are real, perhaps not conclusive, but to a large extent
sufficiently regulatory. A State cannot therefore, under the present although nascent
international law cyber regime, conduct itself in manners inconsistent with the general
principles of law and specific areas of legal jurisprudence applicable to cyberspace. Cyber
operations are diverse, cyber regulatory instruments abound, responsibility for proscribed
cyber activities are consistent. Cyberspace is no law free space.
128
Recommendations
We have already established in this project that international law can, should and does apply
to cyberspace. Cyber operations present a new and growing issue-one that current international
and domestic laws are not yet fully prepared to meet. The law of war offers a basis for
responding only to those cyber-attacks that amount to an armed attack or that take place in the
context of an ongoing armed conflict. Other existing international legal frameworks offer only
embryonic or piecemeal protection. Most domestic laws, though potentially powerful tools for
regulating cyber operations, have not yet addressed directly the challenges associated with
cyber operations such as cyber attacks and cyber espionage, and what remedies exist are in
many cases restricted by jurisdictional limits.
To begin to fill the gaps in existing law, we propose legal reform on two angles namely;
a) Domestic reforms; and
b) International reforms
a) Domestic Reforms
On our recommended domestic law reforms, it is important to recall that domestic criminal law
alone cannot regulate cyber operations because not all cyber operations are defined as cyber-
crimes. But many cyber operations such as cyber-attacks are also cyber crimes that fall within
the ambit of domestic criminal law. Unfortunately, only a small number of existing criminal
laws that might govern cyber-attacks explicitly provide for extraterritorial reach. To remedy
this limitation, legislators could amend domestic criminal statutes to give them extraterritorial
reach. If other states reciprocate by making their own criminal statutes pertaining to cyber-
attacks extraterritorial as well, this could greatly increase global enforcement. Indeed,
increased domestic enforcement through extraterritorial application will be much more
successful and legitimate if it takes place in concert with the creation of an international treaty
that establishes basic shared standards regarding cyber-attacks. Nigeria therefore should first,
129
add extraterritorial applicability to the recently enacted cyber crime Act 2015. Second, Nigeria
should utilize limited countermeasures, as appropriate, to combat cyber-attacks that do not rise
to the level of armed attacks under the law of war.
b) International Reforms
These domestic measures will address elements of the problem, but getting at the root of the
global cyber-attack challenge will require international solutions. While the development of
international norms is useful, it will not provide governments and private actors with the clarity
of a codified definition of cyber operations or written guidelines on how states should respond
to certain types of challenges. For this reason, we recommend that the international community
create a multilateral agreement with two central features. First, it must offer a shared definition
of cyber operations in its entirety including such commonly associated terms as cyber-crime,
cyber-attack, cyber-warfare and so on. Second, it should offer a framework for more robust
international cooperation in information sharing, evidence collection, and criminal prosecution
of those participating in cross-national offensive cyber operations. That framework should be
attentive to the challenges of over criminalization, maintaining room for individuals to use the
Internet and related technologies to engage in lawful dissent.
Furthermore, once States develop a shared definition of cyber operations terminologies, the
next step is more extensive cooperation among States on information sharing, evidence
collection, and criminal prosecution of those involved in malicious cyber operations. A useful
starting point for building such a treaty is the Council of Europe Convention on Cybercrime,
which provides for harmonized regulation of a wide range of cyber-crimes. This treaty remains
largely limited to Europe (though the United States has ratified the agreement) and it does not
address all cyber operations that a comprehensive agreement would ideally regulate.
Nonetheless, it provides a framework from which a more comprehensive agreement might
begin. Building on this framework, the new agreement should require parties to pass domestic
130
laws banning malicious cyber operations prohibited under the treaty, so as to harmonize laws
across states. The agreement could begin with information-sharing, layering on additional
mechanisms for fostering cooperation in identifying and stopping the sources of unlawful cyber
operations through criminal law enforcement agencies. International cooperation in
information sharing could be an extremely valuable complement to other regulation of cyber
operations. Member states could agree to share access to cyber-related information with other
member states. That information would not be available to non-members or to states that fail
to comply with the treaty’s core obligations. Offering privileged access to information to
member states in good standing would provide States with an incentive to participate in and
comply with the treaty regime. Such sharing of information will ultimately lead to ease in
tracing and tracking malicious State actors and their locations, and would also assist in
procuring direct evidence which would in turn facilitate the standard of clear and convincing
evidence.
Finally, cyber threats that materialise in the loss of confidentiality, integrity or availability of
information and communication technology can have an impact on the stability of States, and
in extreme cases threatening their existence. In order to minimise such risks, technical
precautions certainly need to be taken; however, technical measures alone will not suffice, if
clear cut standards of precaution are not incorporated in the treaty just proposed.
131
BIBLIOGRAPHY
Books
Alain P, 2006. “The Statute of the International Court of Justice. A Commentary” Oxford
University Press
Antonopoulos C, 1997. “The Unilateral Use of Force by States in International Law” (A.
Sakkoulas Press)
Anna M.O 2016. “International Cyber Norms: Legal, Policy and Industry Perspective”,
NATO CCD Publications, Tallinn
Brian D. L, 2010. “Customary International Law. A New Theory with Practical Implications”
Cambridge University Press.
Brownlie I, 1963, “International Law and the Use of Force by States” (Oxford University
Press)
Christopher Greenwood, 2002. “International Law and the “War against Terrorism” 78
International Affairs
David H, 2008. “Cyber War Case study: Georgia”.
Durward V. S, 1975. “Evidence before International Tribunals” (Rev.Ed).
European Union Committee, 2009. “Protecting Europe against Large-Scale Cyberattacks”.
Frank H. E, 1996. “Cyberspace and the Law of the Horse”, U. Chi. Legal F.
Henri. L, 1991. “The Production of Space” (Donald Nicholson-Smith trans) Blackwell Press.
James A. Green 2009. “Fluctuating Evidentiary Standards for Self-Defence in the International
Court of Justice”, INT’L & COMP. L.Q. 1.
Julie J. C, 1994. “Essays in Honour of Wang Tieya” (Ronald St. John Macdonald Ed.).
Kaatharina Z, 2013. “Peacetime Regime for State Activities in Cyberspace”, NATO CCD COE
Publication, Tallinn.
Kennedy C. H & Pastor V, 1996. “An Introduction to International Telecommunications Law”.
Kevin H, 1997. “The Badlands of Modernity: Heterotopia and Social Ordering”.
Koskenniemi M, 1997. “Hierarchy in International Law: A Sketch” 8 European Journal of
International Law.
Michael N. S, 2013. “Manual on the International Law Applicable to Cyber Warfare (Tallinn
Manual)”, Cambridge University Press.
132
Michel F, 1986. “Of Other Spaces; Diacritics Spring”.
Mojtaba K, 1996. “Burden of Proof and Related Issues: a Study on Evidence before
International Tribunals”.
Morningstar, Chip and Randall F, 2003. “The lessons of Lucasfilm Habitat”. The MIT Press.
Mosler H, 1995. “General Principles of Law” Encyclopedia of Public International Law (vol
2, Elsevier North Holland Press)
Rep. of the Int’l Law Comm’n, 53d Sess., 2001. “Draft Articles on Responsibilities of States
for Internationally Wrongful Acts, with Commentaries”, Apr. 23–June 1, July 2–Aug. 10, 2001,
pt. 1, U.N. Doc. A/56/10.
U.N. Office on Drugs and Crime, 25 February 2013. “Comprehensive Study on Cybercrime:
Draft”.
U.S. Air Force, 2010. “Cyberspace Operations: Air Force Doctrine Document” 3-12, at 10.
US Department of Defence, 2006. “The National Military Strategy for Cyberspace
Operations”.
William G, 1948. “Father of Cyberspace” by Scott Thill.
William G, 1984. “Neuromancer”. New York: Ace Books.
Wolfrum. R, 2008. “General International Law (Principles, Rules, and Standards)”, Oxford
University Press.
Articles/Journals/Conference Papers
Advisory Council on Int’l Affairs & Advisory Comm. on Issues of Pub. Int’l Law, “Cyber
Warfare” (2011).
Amerasinghe C.F., “Presumptions and Inferences in Evidence in International Litigation”, 3
L. & PRAC. INT’L CTS. & TRIBUNALS (2004)
Armin V. B, “General Principles of International Public Authority: Sketching a Research
Field”
German Law Journal 1909, 1912.
Barkham J, “Information Warfare and International Law on the Use of Force’’ 34 New York
University Journal of International Law and Politics (2001)
133
Benzing M, “Evidentiary Issues, in THE STATUTE OF THE INTERNATIONAL COURT OF
JUSTICE: A COMMENTARY”, 2011.
Daniel J, “Fact-Finding and Evidence at the International Court of Justice: Systemic Crisis,
Change or More of the Same?” FINNISH Y.B. INT’L L. (2007).
Daniel J. R, Maeve D, Eneken T & Ryan H., “International Cyberlaw: A Normative
Approach”, 42 GEO. J. INT’L L. (2011).
DR Johnson and Post D, “Law and Borders - The Rise of Law in Cyberspace” 48 Stanford
Law
Review (1995-1996)
Easterbrook F. H, “Cyberspace and the Law of the Horse” University of Chicago Legal Forum
(1996)
Ellen O. M “Lawful Self-Defense to Terrorism”, 63 U. PITT. L. REV. (2002)
Fred S, “On Cyberwarfare” 65 (DCAF Horizon 2015, Working Paper No. 7, 2012).
Glennon M. J, “The Road Ahead: Gaps, Leaks and Drips” 89 International Law Studies (2013)
Greenberg L. T, Goodman E. S and Soo Hoo K. J, “Information Warfare and International
Law” (US National Defence University 1998).
Gill T. D, “Non-Intervention in the Cyber Context” 2006.
H.E. Judge Rosalyn Higgins, President, Int’l Court of Justice, Speech to the Sixth Committee
of the General Assembly 4 (Nov. 2, 2007).
Hugh. T, “Dilemma or Chimera?—Admissibility of Illegally Obtained Evidence in
International Adjudication”, 78 AM. J. INT’L L. 622, 627–28 (1984).
International Law Commission (ILC), Fragmentation of International Law: Difficulties
Arising from the
Diversification and Expansion of International Law (Report of the Study Group of the
International Law
134
Commission, finalized by Martti Koskenniemi, UN Doc No A/CN.4/L.682, 13 April 2006)
Jay P. K & Carol M. H, “Mitigative Counterstriking: Self-Defense and Deterrence in
Cyberspace”, 25 HARV. J.L. & TECH. 429, 482 (2012).
Keith. H “Evidence, the Court, and the Nicaragua Case”, 81 AM. J. INT’L L. 1, 13 (1987).
Koskenniemi M, “The Politics of International Law” 1 European Journal of International Law
(1990)
Kulesza J, “International Internet Law” (Routledge, London Press 2012)
Letter from the Permanent Mission of the Fed. Republic of Ger. to the United Nations
addressed to the Office for Disarmament Affairs, Note No. 516/2012 (Nov. 5, 2012).
Major Arie J. S, “Cyber Warfare Operations: Development and Use under International Law”,
64 A.F. L. REV. 121, 121–73 (2009).
Mark D. Y, “National Cyber Doctrine: The Missing Link in the Application of American Cyber
Power”, J. Nat’l Security L. & Pol’y , (2010).
Marsoof A, “A Case for Sui Generis Treatment of Software under the WTO Regime”, 20 Int’l
J. L. & Info. Tech. 291 (2012).
NATO Standardization Agency, “NATO Glossary of Terms and Definitions” (AAP-6) at 2-
C-12, 2012.
Nicholas T, “Cyber Attacks, Self-Defence and the Problem of Attribution”, 17 J. CONFLICT
& SEC. L. (2012).
Niels. P, “Customary Law without Custom? Rules, Principles, and the Role of State Practice
in International Norm Creation” American University International Law Review 2008
Peters. A, “International Dispute Settlement: A Network of Cooperational Duties” 14
European Journal of International Law (2003)
Pirker B, “Territorial Sovereignty and Integrity and the Challenges of Cyberspace”, 2013.
135
Raustiala K, “The Architecture of International Cooperation: Trans-governmental Networks
and the Future of International Law” 43 Virginia Journal of International Law (2002)
Richmond. J, “Evolving Battlefields: Does Stuxnet Demonstrate a Need for Modifications to
the Law of Armed Conflict?” 35 FORDHAM INT’L L.J. (2012).
Riddell. A & Plant. B, “Evidence before the International Court of Justice” Chicago University
Law Journal, (2009).
Roger B. D, “Easy Cases, Bad Law, and Burdens of Proof”, 25 VAND. L. REV. (1972)
Schmitt M. N, “Computer Network Attack and the Use of Force in International Law:
Thoughts on a Normative Framework” 37 Columbia Journal of Transnational Law (1999)
Teitelbaum R, “Recent Fact-Finding Developments at the International Court of Justice”, 6 L.
& PRAC. INT’L CTS. & TRIBUNALS (2007).
Thomas M. F & Peter P, “The Role of Presumptions in International Tribunals”, 4 L. & PRAC.
INT’L CTS. & TRIBUNALS 197, 203 (2005)
U.N. Secretary-General, “Developments in the Field of Information and Telecommunications
in the
Context of International Security: Rep. of the Secretary-General”, 18, U.N. Doc. A/66/152
(July 15, 2011)
Wolff H. H “Territorial Sovereignty and Neutrality in Cyberspace”, 89 INT’L L. STUD.
(2013).
WTO, 2005, , United States – “Measures Affecting the Cross‑Border Supply of Gambling and
Betting Services”, Appellate Body Report WT/DS285/AB/R, adopted 20 April 2005.
Online Sources/Portable Display Formats
Barlow J. P, “A Declaration of the Independence of Cyberspace” (1996) Available online at;
<https://projects.eff.org/~barlow/Declaration-Final.html> Accessed on May 14, 2016.
136
Comitato Parlamentare per la Sicurezza Della Repubblica, Relazione Sulle Possibili
Implicazioni E Minacce per la Sicurezza Nazionale Derivanti Dall’utilizzo Dello Spazio
Cibernetico 26 (2010), Available online at;
<http://www.parlamento.it/documenti/repository/commissioni/bicamerali/COMITATO%20S
ICUREZZA/Doc_XXXIV_n_4.pdf>. Accessed on July 17, 2016.
Consulate Gen. of Uzb. In N.Y.C., Yekaterinburg Declaration of the Heads of the Member
States of the Shanghai Cooperation Organisation; Available online at;
<http://www.uzbekconsulny.org/news/572/.> Accessed on July, 21, 2016.
Cyberspace Terms, Available online at;
<http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary.> accessed on
May 7, 2016.
Definition of Cyber Terms, available online at;
< https://en.m.wikipedia.org/wiki/cyberspace_definitions?-e_pi_7%page_ID> accessed on
May 7, 2016.
Definition of Cyberspace; Available online at;
<http://www.oxforddictionaries.com/us/definition/american_english/cyberspace.> Accessed
on May 7, 2016.
Edward Snowden Interview: The NSA and Its Willing Helpers, Available online at;
<http://www.spiegel.de/international/world/interview-with-whistleblower-edward-snowden-
on globalspying-a-910006.html>. Accessed on May 19, 2016.
Falliere N, Liam O. M & Chien. E, Symantec, W32.Stuxnet Dossier, Version 1.4, (2011),
Available at;
<http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w
32_stuxnet_dossier.pdf.> Accessed on July 13, 2016.
137
Fireeye, Digital Bread Crumbs: Seven Clues to Identifying Who’s Behind Advanced Cyber-
Attacks 4 (2014), Available online at;
<https://www.fireeye.com/resources/pdfs/digital-breadcrumbs.pdf> Accessed on May 19,
2016.
First Phase of the World Summit on the Information Society, Declaration of Principles,
Building the Information Society: A Global Challenge in the New Millennium, WSIS-
03/GENEVA/DOC/4-E, Available online at;
<http://www.itu.int/dms_pub/itu-s/md/03/wsis/doc/S03-WSIS-DOC-0004!!PDF-E.pdf.>
Accessed on June 2, 2016.
History of Cyberspace, available online at:
<http://www.google.com/a brief history of cyberspace> Accessed on May 7, 2016.
INDEP. INT’L FACT-FINDING MISSION ON THE CONFLICT IN GEORGIA REPORT
Available at;<http://rt.com/files/politics/georgia-started-ossetian-war/iiffmcg-volume-ii.pdf.>
Accessed on July 18, 2016. Information of the UN Treaty Collection as of 9 May 2013. Available
at;<http://treaties.un.org/pages/ViewDetails.aspx?src=TREATY&mtdsg_no=XVIII10&chapter
=18&lang=e>. Accessed on May 11, 2016.
Information Technology – Security techniques – Network security (parts 1-3 published, parts 4-
6 DRAFT), Available at;
<http://www.iso27001security.com/html/27033.html>. Accessed on May 18, 2016.
ILC, Draft Articles on Prevention of Transboundary Harm from Hazardous Activities, with
commentaries (2001) UN Doc A/56/10, General commentary, Available online at;
<http://untreaty.un.org/ilc/texts/instruments/english/commentaries/9_7_2001.pdf> Accessed
on May 24, 2016.
Organization of American States, AG/RES. 2004 (XXXIV-O/04), at app. ; available at
<http://www.oas.org/XXXIVGA/english/docs/approved_documents/adoption_strategy_comb
138
at_threats_cybersecurity.htm>. Accessed on July 21, 2016.
Organization of American States, AG/RES. 2040 (XXXIV-O/04), at ch. IV; available at
<http://www.oas.org/juridico/english/ga04/agres_2040.htm.>. Accessed on July, 21, 2016.
Presidency of the Council of Ministers, National Strategic Framework for Cyberspace Security,
Available online at;
<http://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/uploads/2014/02/italian-national-
strategic-framework-for-cyberspace-security.pdf>. Accessed on July 18, 2016.
Storey. D, Stuxnet–The First Worm of Many for SCADA?; Available at;
<http://www.itrportal.com/articles/2010/12/02/6262-stuxnet-the-first-worm-of-many-for>;
Accesed on May 19, 2016.
"STUXNET Malware Targets SCADA Systems". Available at:
<https://en.wikipedia.org/.../2009_Sayano–Shushenskaya_power_station> Accessed on May
8, 2016.
The European Union Agency for Network and Information Security (ENISA) - Stuxnet
Analysis, Available at: < http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis>.
Accessed on May 8, 2016.
Tikk E Et Al., Coop. Cyber Def. Ctr. Of Excellence, International Cyber Incidents: Legal
Considerations (2010), Available online at;
< http://www.ccdcoe.org/publications/books/ legalconsiderations.pdf> Accessed on July, 6,
2016.
U.S. Dep’t of Def., Annual Report to Congress: Military and Security Developments Involving
the People’s Republic of China (2013), Available at;
<http://www.defense.gov/pubs/ 2013_china_report_final.pdf.> Accessed on July 13, 2016.
Newspapers/Magazines
139
Markoff J, “Before the Gunfire, Cyberattacks”, N.Y. TIMES, Aug. 13, 2008, Accessed on May
19, 2016.
Nicole P & Sanger D. E, “New Computer Attacks Traced to Iran, Officials Say”, N.Y. TIMES,
May 24, 2013. Accessed on June 19, 2016.
Sanger D. E, “Obama Order Sped Up Wave of Cyberattacks against Iran”, N.Y. TIMES, June
1, 2012. Accessed on May 19, 2016.
Traynor I, “Russia Accused of Unleashing Cyberwar to Disable Estonia”, THE GUARDIAN,
May
16, 2007, Accessed on May 19, 2016.
William J. Broad, John Markoff, & David E. Sanger, “Israeli Test on Worm Called Crucial in
Iran Nuclear Delay”, N.Y. TIMES, Jan. 15, 2011. Accessed on May 8, 2016.