The International Legal Regime on States’ Interaction in Cyber Space

THE INTERNATIONAL LEGAL REGIME ON STATES’ INTERACTION IN CYBER SPACE

VICTOR ONYEKACHUKWU OJEAH LAW 1106382

FACULTY OF LAW UNIVERSITY OF BENIN BENIN CITY

JULY, 2016. THE INTERNATIONAL LEGAL REGIME ON STATES’ INTERACTION IN CYBER SPACE

VICTOR ONYEKACHUKWU OJEAH LAW 1106382

A LONG ESSAY WRITTEN AND SUBMITTED TO THE FACULTY OF LAW, IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF THE DEGREE OF BACHELOR OF LAWS (LL.B) OF THE UNIVERSITY OF BENIN, BENIN CITY.

JULY, 2016.

CERTIFICATION

I, Victor Onyekachukwu Ojeah, with Mat. No.: LAW1106382, do herby certify that apart from the references which have been made to other persons’ work which have been acknowledged, the entire work is the product of my personal research and that the project has neither in whole nor in part, been presented for another degree elsewhere.

______VICTOR ONYEKACHUKWU OJEAH DATE (STUDENT)

iii

APPROVAL

We certify that this project was written and completed by Victor Onyekachukwu Ojeah with

Mat. No.: LAW1106382, in partial fulfillment of the requirements for the award of the bachelor of laws (LL.B) degree.

______DR.G.L UMORU DATE (PROJECT SUPERVISOR)

______DR. A.O. EWERE DATE (PROJECT CO-ORDINATOR)

______PROF. N. A. INEGBEDION, Ph.D DATE (DEAN, FACULTY OF LAW)

DEDICATION

This work is dedicated to my parents Mr. & Mrs. Michael Ojeah, who are my spot-on inspiration for success.

ACKNOWLEDGMENT

I have a few persons to thank for their various roles in my life. Putting this work together is only a partial fulfilment of something that began some four years ago. These people have stood out in facilitating this half a decade pursuit for me.

I start by pouring my adoration to my beloved mummy and daddy. Their support, belief, care and overt affection for me marvels me, sometimes I wonder, how can a mortal love me this much? I cannot fully appreciate them without pausing for a moment to celebrate their maker, my God; Jesus Christ. Thank you for you hear me always, and give prompt responses. Always!

During my sojourn in this University, I have had the advantage of relating with different people on different platforms. Can I say a big thank you to every person I have worked with on a team for national, regional and international competitions. I sincerely appreciate my friend, brother and team mate Tami Koroye, I thank Divine Atsegbua “my sklon sklo”, ‘Mr.

Success’ and Nonso Anyasi, my brother, for going through the Jessup 2016 experience with me (being my very last competition in the University). I also appreciate all officers of the Jural court from 2015 to 2016. I am moved to mention Aziengbe J, for being a remarkable ‘brother’.

Someone I can always call on, my best friend; Rehoboth Juwah, thanks for being a standby and a true friend, I love you, you are indeed the best! My kid brother Joshua Ojeah deserves mention also, I just love you with all my heart, thanks for always being there for me. To

Stephen and Helen (Tikech) Ojeah my elder ones, when I remember you are family, I smile in most profound satisfaction, I am favoured to have you. For leadership skills and endurance,

I have the leadership structure of Christian Fellowship International to thank for initiating that in me.

I cannot escape irrationality if I don’t address the true purpose of this segment. International law is for me, more than a flair, in coming up with the idea behind this project, I am expectedly indebted to the International Law Students’ Association (ILSA) for fanning the embers of my

vi love for this area of law. I am particularly beholden to the 2016 Jessup for arousing in me, the teething and contemporary issue of the activities of States in cyberspace. Most of the materials and texts used in this project were those supplied by ILSA for the Jessup 2016 competition, to the entire team at Washington, Merci Beacoup! Importantly also, I am heavily in the debt of Katharina Ziolkowski, Marco Roscini and Michael N. Schmitt. Their books have not only inspired this work, but has also massively contributed to it. May I add that some lecturers deserve particular and palpable mention for their indelible roles in my life? To Dr. Godwin L.

Umoru, my project supervisor, I am ceaselessly grateful for your fatherly caution, your accommodation, skill and expertise in legal research, all these put together have inspired me to work harder. I am appreciably indebted to Dr. Gabriel Arishe, my father, thank you for your love in all of its various shades. Dr. Mobolaji Ezekiel, your motherly role and affection for me inspires me to be better, thank you. Barr Alero Fenemigho and Barr Keseme Odudu, my coaches inter alia, I am grateful for your concern and support for me. I am also in due of the

Adeloye family for accepting and outfitting me even without really knowing me. Aunty B and

Uncle D, I love you, “golly”!

A few of my friends deserve appreciation in clear mention; Ikoli Blessing, George Oneze Jnr,

Nosa Garrick, Raymond Ijeomah, Precious Kunu, Nosakhare Okungaye, Joy Nicholas, Mercy

Oluwafemi, Joy Jindu, Harrison Enoghayin, Chiamaka Nwokedi, Nkechukwu Otike-Odibi,

Jones Ogan, Edosomwan Ann, Eyituoyo Sakpa, Collins Arikor, Heritage Imoyera,

BeccaRoy… Oops! I love you all.

For printing and putting this work together in a fathomable state, I am obligated to Joy, thank you!

vii

TABLE OF CONTENT Title page ------ii Certification ------iii Approval ------iv Dedication ------v Acknowledgement ------vi Table of Content ------viii Table of Cases ------xi Table of Statutes ------xii Table of Treaties and other International Instruments - - - xiv Table of Abbreviation ------xvi Abstract ------xviii CHAPTER ONE : General Introduction 1.0 Introduction ------1 1.1 Definition of Cyberspace Operations - - - - - 2 1.1.1 Distinction between Cyberspace and Outer Space - - - 4 1.1.2 Terms Frequently Associated with Cyber Operations - - 6 1.2 Historical Background of Cyberspace - - - 11 1.3 Technical Methods, Techniques and Tools in Cyberspace Operations ------12 1.4 Effects of Cyber Operations - - - - - 23 Conclusion ------26 CHAPTER TWO: Applicability of General Principles of International Law to Cyberspace 2.0 Introduction ------27 2.1 Nature of the General Principles of International Law - - 28 2.2 Source and Content of the General Principles of International Law ------30 2.3 Relationship to Practice, Opinio Iuris and Consent of States ------37 2.4 Higher ‘Normative Value’ ------40 2.5 Relationship to the Concept of Fundamental Rights and Duties of States ------43 2.6 Instrument of Progressive Law Development - - - 46

viii

Conclusion ------48 CHAPTER THREE: Rights and Obligation of States in Cyber Space: Specific Applicable Laws and General Principles of International Law 3.0 Introduction ------50 3.1 Sovereign Equality of States and Corollary Principles - - - 51 3.1.1 Self-Preservation ------53 3.1.2 Territorial Sovereignty and Jurisdiction - - - - 58 3.1.3 Non-intervention in Domestic Affairs - - - - - 60 3.1.4 Duty Not to Harm Rights of Other States (Principle of Prevention, Precaution and ‘Due Diligence’) - - - - - 62 3.1.5 Principle of Good Neighbourliness and sic utere tuo - - - 68 3.2 International Telecommunications Law and the Regulations of Cyber Space 70 3.3 Space Law and Cyber Activities ------72 3.4 International Economic Law in the Cyber Arena - - - 73 3.5 Maintenance of international peace and security - - - - 80 3.5.1. Refrain from Threat or Use of Force in International Relations - 81 3.5.2. Peaceful Settlement of Disputes - - - - - 83 3.6 Cooperation and solidarity ------84 Conclusion ------87 CHAPTER FOUR: Proving State Responsibility for Cyber Operations 4.0 Introduction: State responsibility for cyber operations - - - 89

4.1 The International Law of Evidence - - - - - 93

4.2 Burden of Proof and Cyber Operations - - - - - 97

4.3 Standard of Proof and Cyber Operations - - - - - 103

4.4 Methods of Proof and Cyber Operations - - - - - 107

4.4.1 Documentary Evidence ------108

4.4.2 Official Statements ------113

4.4.3 Witness Testimony ------113

4.4.4 Enquiry and Experts ------114

4.4.5 Digital Evidence ------115

4.5 Presumptions and inferences in the cyber context - - - 116

4.6 Inadmissible evidence ------118 Conclusion ------120 CHAPTER FIVE 5.1 Summary ------122 5.2 Findings ------124 5.3 Recommendations ------129

TABLE OF CASES

 Applicability of the Obligation to Arbitrate under Section 21 of the United Nations Headquarters Agreement of 26 June 1947, Advisory Opinion (1988) ICJ Rep 12  Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosn. & Herz. v. Serb. & Montenegro), Judgment, 2007 I.C.J Rep 43  Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J Rep 168  Asylum Case (Colombia v. Perú), Judgment, 1950 I.C.J Rep 266  Avena and Other Mexican Nationals (Mex. v. U.S.), Judgment, 2004 I.C.J Rep 12  Barcelona Traction, Light and Power Company, Limited. (Belg. v. Spain), 1964 I.C.J Rep 6  Case Concerning Delimitation of the Maritime Boundary in the Gulf of Maine Area, Judgment (1984) ICJ Rep 246  Case Concerning Land and Maritime Boundary between Cameroon and Nigeria Case (Preliminary Objections), Judgement (1998) ICJ Rep 275  Case Concerning Right of Passage over Indian Territory Case, Preliminary Objections, (1957) ICJ Rep 125  Case Concerning the Factory at Chorzów, Merits (1928) PCIJ Rep Ser A, No 17  Case Concerning the Frontier Dispute, Judgement (1986) ICJ Rep 554  Case Concerning the Temple of Preah Vihear, Merits (1962) ICJ Rep 6  Certain Norwegian Loans (Fr. v. Nor.), Judgment, 1957 I.C.J Rep 9  Electricity Company of Sofia and Bulgaria, Order (1939) PCIJ Rep Ser A/B, No 79  Greco-Bulgarian ‘Communities’, Advisory Opinion (1930) PCIJ Rep Ser B, No 17  LaGrand Case, Judgement, (2001) lCJ Rep 466  Land, Island and Maritime Frontier Dispute (El Salvador/Honduras.: Nicaragua. intervening), Judgment, 1992 I.C.J. Rep 351  Legal Consequences for States of the Continued Presence of South Africa in Namibia (South West Africa) Advisory Opinion (1971) ICJ Rep 16  Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion (1996) International Court of Justice Rep 226  Mavrommatis Palestine Concessions, Judgement (1924) PCIJ Rep Ser A, No 2

 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U. S.), Judgment, 1986 I.C.J Rep 14  Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J Rep 161  Pulp Mills on the River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J Rep 14  Reservations to the Convention on the Prevention and Punishment of the Crime of Genocide, Advisory Opinion (1951) ICJ Rep 15  Rights of Nationals of the United States of America in Morocco (Fr. v. U.S.), Judgment 1952 I.C.J Rep 176  South-West Africa – Voting Procedure, Advisory Opinion (1955) ICJ Rep 67  Sovereignty over Pulau Ligitan & Pulau Sipadan (Indon./Malay.), Judgment, , (Dec. 17 2002) I.C.J. Rep 69  S.S. ‘Lotus’, Merits (1927) PCIJ Rep Ser A, No 7, 18ff  Territorial and Maritime Dispute between Nicaragua and Honduras in the Caribbean Sea (Nicar. v. Hond.), Judgment, 2007 I.C.J. Rep 659  The Corfu Channel Case, Merits, (1949) ICJ Rep 4  United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J Rep 3  Western Sahara, Advisory Opinion (1975) ICJ Rep 12  Whaling in the Antarctic (Aust. v. Japan: N.Z. intervening), Judgment, 2014 I.C.J Rep 148

xii

TABLE OF STATUTES

Cybercrime Prevention and Prohibition Act 2015

xiii

TABLE OF TREATIES AND OTHER INTERNATIONAL INSTRUMENTS

 Additional Protocol I to the Geneva Conventions 1977  Agreement Relating to the International Telecommunications Satellite Organization, “Intelsat,” 1971.  American Declaration of Rights and Duties of Nations 1916.  Constitution of the International Telecommunications Union, Dec. 22, 1992  Convention of the International Maritime Satellite Organization London 1976  Convention on Cybercrime, (Budapest Treaty), 2001.  Creation of a Global Culture of Cybersecurity and Taking Stock of National Efforts to Protect Critical Information Infrastructures, G.A. Res. 64/211, U.N. Doc. No. A/RES/64/211 (July 21, 2016).  Declaration of American Principles of the Eights International Conference of American States of 1938.  Declaration on Principles of International Law concerning Friendly Relations and Co- operation among States in accordance with the Charter of the United Nations UNGA Res 2625 (XXV) (24 October 1970)  Developments in the field of information and telecommunications in the context of international security UNGA Res 53/70 (4 December 1998)  Global Culture of Cybersecurity and the Protection of Critical Informational Infrastructures, G.A. Res. 58/199, U.N. Doc. No. A/RES/58/199 (July 21, 2016).  I.C.J. Rules of Court, Acts & Docs. 1978.  Montevideo Convention on Rights and Duties of States (inter-American) 1933.  Statute of the International Court of Justice  The Charter of the Organization of African Unity 1963  The Charter of the Organization of American States of 1948  The Constitutive Act of the African Union 2000  The Final Act of the Conference on Security and Cooperation in Europe (1 August 1975) (Helsinki Declaration)  Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies (Outer Space Treaty) 1967.  United Nations Charter 1945  U.N.G.A Res 178 (II) (21 November 1947)

xiv

 U.N.G.A Res 375 (IV) (6 December 1949)  U.N.G.A Res 46/62 (9 December 1991)  U.N.G.A Res 37/10 (15 November 1982)  U.N.G.A. Res. 66/24, 2011  United Nations Millennium Declaration U.N.G.A Res 55/2 (8 September 2000)

TABLE OF ABBREVIATION

Am. J. Int’l L - American Journal of International Law AMU I.L.R - American University International Law Review Alb - Albania ART. - Article Aust. - Australia Belg. - Belgium Berkeley J. Int’l L - Berkeley Journal of International Law C.E.C.C - The Council of Europe’s Convention on Cybercrime C.D.M.A - Cyber Defence Management Authority D.D.O.S - Distributed Denial of Services D.R.C - Democratic Republic of Congo E.J.I.L - European Journal of International Law ENIISA - The European Union Agency for Network and Information Security E.P.I.L - Encyclopedia of Public International Law E.U - European Union Fordham Int’l L.J. - Fordham Journal of International Law G.L.S - German Law Journal Harv. J.L - Harvard Journal of Law Hond. - Honduras ICJ Rep - International Court of Justice Report I.L.C - International Law Commission I.L.R - International Law Report I.L.S - International Law Studies Indon. - Indonesia INMARSAT - Convention of the International Maritime Satellite Organisation INTELSAT - Agreement Relating to the International Telecommunications Satellite Organization I.T.U - International Telecommunications Union Jap - Japan Malay. - Malaysia MPEPIL - Max Planck Encyclopedia of Public International Law

xvi

NATO - North Atlantic Treaty Organisation Nicar. - Nicaragua N.Y. TIMES - New York Times N.S.A - National Security Agency N.Z. - New Zealand O.A.S - Organization of American States O.A.U - Organisation of African Unity OSINT - Open Source Intelligence PCIJ Rep Ser - Permanent Court of International Justice Report Series SCOOR - Shanghai Cooperation Organisation S.L.R - Stanford Law Review U.K. - United Kingdom U.N - United Nations U.N.G.A - United Nations General Assembly U.N RES - United Nations Resolution U.N.S.C - United Nations Security Council U.N.S.C.O.R - United Nations Security Council Ordinary Resolution U.S - United States U.S.S.R. - Union Soviet States Republic Virginia J. Int’l L - Virginia Journal of International Law VOL - Volume WTO - World Trade Organisation

xvii

ABSTRACT

At a time of growing global interconnectivity and increasing dependence of man on information and communication technology, State action without the use of cyberspace is almost unimaginable. States through their institutions operate both as providers of information and services on the internet and as internet users. But even beyond these operations, States depend on available and reliable information and communication technology infrastructures.

Security, the functioning of vital institutions, economic and scientific progress, the organisation of social and healthcare systems, as well as the prosperity and wellbeing of the population cannot be provided without the use of cyberspace. Cyber threats that materialise in the loss of confidentiality, integrity or availability of information and communication technology can have an impact on the stability of States, and in extreme cases, threatening their existence. In order to minimise such risks, technical precautions certainly need to be taken; however, technical measures alone will not suffice: a solid and reliable legal framework for State activities in cyberspace is essential.

The aim of this thesis is not only to propose such a framework by identifying existing prerequisites and offering diverse interpretations, but also to point out and address unsettled issues. One premise is certain: cyberspace cannot be deemed a legal lacuna. In this space, too, the rules of public international law must and does apply. For only then can the significance of the internet as a platform for economic and social development, as well as a contributor to understanding between States, truly unfold. However, the creation of a legal framework for cyberspace is not a task that any State could tackle alone. Due to the global nature of cyberspace, a global effort is needed to find answers to questions about which rules apply to users and providers operating in cyberspace, or how access to the internet and cross-border data flow should be regulated.

The international community has not yet come very far in determining a common regulatory regime for cyberspace. The starting point for such deliberations must be norms of international

xviii law as applicable outside the digital world. Once the application of such norms in cyberspace has been clarified and the basis for an appropriate legal regime thereby established, the question of the need for new regulation will arise. Various approaches to and interpretations of international law need to be aligned in order to progressively develop a common understanding of the legal regime for cyberspace.

In general, before a certain situation can be assessed from a legal point of view, the facts of the case must be scrutinized. Therefore, before describing the rights and obligations of States in cyberspace under international law, the first chapter of this project offers an overview of the technological possibilities and explains, inter alia, the functioning of internet communications, the methods, tools and techniques of cyber operations. The second chapter addresses the question of the operation and applicability of international law in cyber space and further answers questions that have intrigued cyber scholars over the decades. The third chapter will investigate some of the specific applicable rules of international law to cyber space and show how they apply. The fourth chapter then proceeds to address questions bordering on the method of proof and evidence in cyber operations under international law, and the issue of state responsibility in such situations of cyber operations. Finally, the fifth chapter provides recommendations, conclusions and submissions in the light of the afore- raised issues.

xix

CHAPTER ONE

1. INTRODUCTION

State actors’ activities in cyberspace do not focus solely on information technology (IT) security and cyber defence scenarios. Bodies of different State entities have found cyberspace to be a new domain of engagement within the scope of public authority activity. State authorities such as the police, the intelligence services and the military nowadays routinely operate in cyberspace to fulfil their duties: active forensics on suspicious systems as well as intelligence or even military peace time operations in cyberspace have become a reality. These activities, summarised under the term ‘cyber operations’, have one thing in common: breaking into foreign IT systems to extract or modify data, to change the system configuration1 or to take down the entire system. To put it another way, it is about hacking. The possibility of hacking/cyber operations will be explained by reference to the methods of a cyber-operation, which will be explained in seven subsequent stages. For each stage, tools and techniques are introduced with a focus on State actors’ use, and these are distinguished from malicious actors.

The crux of this chapter will examine three main concerns in understanding the nature, scope and gamut of cyber operations with respect to State activities. The first section gives a general definition and exposition of cyber operations as a concept and its attendant terminologies and further offers a brief history about cyberspace and operations in cyberspace. The second section further defines specific terms, techniques, tools and methods involved and utilised in the cyber domain and which are commonly associated with cyber operators, and finally, the chapter shall address the effects of cyber operations which would be followed by a fitting conclusion.

1 A change of the system configuration may include the deletion of files and/or services as well as blocking or taking down the entire system.

1.1 Definition of Cyberspace Operations

In order to fully appreciate the definition of cyberspace operations, it is pertinent to disambiguate the terms cyber operations and cyberspace. As a precursor, cyber operations are the activities that occur in cyberspace, which can be said to be a domain that permits such activities. To start with, on the one hand, the term “cyber operation” or, synonymously,

“computer network operation” (CNO) refers to the reduction of information to electronic format and the actual movement of that information between physical elements of cyber infrastructure.2 Cyber operations can be categorized as “computer network attack”, “computer network exploitation” and “computer network defence”.3 While computer network attacks

(CNA) comprise all cyber operations aiming “to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves”,4 computer network exploitation (CNE) refers to “enabling operations and intelligence collection to gather data from target or adversary automated information systems or networks”.5

Computer network defence (CND), in turn, refers to “actions taken to protect, monitor, analyse, detect, and respond to unauthorized activity within… information systems and computer networks” or, in short, the prevention of CNA and CNE through intelligence, counterintelligence, law enforcement and military capabilities.6 This terminology, which is specific to operations conducted in cyberspace, must be carefully distinguished from existing technical terms of international law such as, for example, “force”,7 “armed attack”8 and

“attack”. 9

2 Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual), (Michael N. Schmitt et al. Cambridge University Press, (2013). 258. 3 US Department of Defence, The National Military Strategy for Cyberspace Operations, 2006, GL-1. 4 Ibid. 5 Ibid. 6 Ibid. 7 UN Charter, art. 2(4). 8 Ibid, art. 51. 9 Additional Protocol I to the Geneva Conventions, art. 49(1).

On the other hand, several definitions has been accorded to the term; “cyberspace”. First cyberspace has been defined as “the notional environment in which communication over the computer networks occurs”.10 According to Chip Morningstar and F. Randall Farmer,

“cyberspace is defined more by the social interactions involved rather than its technical implementation”.11 Cyberspace is considered by the principal governments to be the fifth domain of warfare such as space, land, sea and air, and due to this reason, principal countries are mass investing in the development of new cyber capabilities to protect it. This is the position of the U.S. Government on the cyberspace. William J. Lynn, U.S. Deputy Secretary of Defense, states that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . which has become just as critical to military operations as land, sea, air, and space.”12 Unfortunately, however, there is no consensus on what “cyberspace” is, let alone what are the implications of State interactions in cyberspace. In an attempt to clarify the situation, another author suggests that cyberspace is a time-dependent set of interconnected information systems and the human users that interact with these systems. In all of these definitions, one golden thread runs through, which is the fact that cyberspace has to do with the functioning of computers and the internet. It follows then, for the purpose of this project, that cyberspace operations could be conceptualized as the activities which a State may engage in on the internet via computers which may or may not affect other States.

10 http://www.oxforddictionaries.com/us/definition/american_english/cyberspace. (May 3, 2016). 11 Morningstar, Chip and F. Randall Farmer. The lessons of Lucasfilm Habitat. The MIT Press, 2003. pp 664-667 Print. 12 U.S department of defence Journal, 2013, p 106.

1.1.1 Distinction between “Cyberspace” and “Outer Space”

The debate between the terms “cyberspace” and “outer space”, has been a heated one. Some scholars have used this two terms interchangeably,13 while others have vehemently opposed.14

The conundrum lies in the answer to the puzzle; whether cyberspace and outer space are indeed synonymous concepts, or is there any distinction. In truth however, the two concepts are indeed similar in some respects, for example, with respect to their “global commons character”. In both cases the international community has acknowledged that these environments in some way belong to humanity and are beyond national appropriation. In the case of outer space, this

‘global commons’ status is explicitly set out in the foundational Outer Space Treaty of 1967.

Article I of that treaty stipulates that the use of outer space ‘shall be carried out for the benefit and in the interests of all countries … and shall be the province of all mankind’. Article II reinforces this concept of global ownership by specifying that outer space, including the moon and other celestial bodies, is ‘not subject to national appropriation by claim of sovereignty, by means of use or occupation, or by any other means’.15 With respect to cyberspace, this ‘global commons’ status is not as explicitly or legally set out as is the case with outer space, but a similar vision animates the pronouncements of States. The most authoritative of these

Statements to date were those agreed to by consensus at the UN-mandated World Summit on the Information Society (WSIS), which was held in two stages in Geneva and Tunis in 2003 and 2005 respectively. The Declaration of Principles adopted by WSIS described ‘a people-

13 See Frank H. Easterbrook, Cyberspace and the Law of the Horse, 1996 U. Chi. Legal F. p 207; Richard A. Epstein, Cyber trespass, 70 U. Chi. L. Rev. pp 73, 82–84 (2003); Timothy S. Wu, Note, Cyberspace Sovereignty?—The Internet and the International System, 10 Harv. J.L. & Tech. pp 647, 662–665 (1997); Eugene Volokh, Freedom of Speech, Cyberspace, Harassment Law, and the Clinton Administration, Law & Contemp. Probs. Winter/Spring 2000, at pp 299, 302–03, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 122. 14 Foundational writings include Michel Foucault, Of Other Spaces; Diacritics Spring (1986), p 22, Henri Lefebvre, The Production of Space (Donald Nicholson-Smith trans., Blackwell 1991) p 79 and Kevin Hetherington, The Badlands of Modernity: Heterotopia and Social Ordering pp 20–38 (1997). 15 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies (Outer Space Treaty), 10 October 1967, United Nations, Accessed at: (May 3, 2016).

4 centred, inclusive and development-oriented Information Society, where everyone can create, access, utilize and share information and knowledge …’16

Despite this similarity which only roots to the perception of States with respect to these two concepts, nothing else remotely links these two terms as otherwise synonymous. With respect to their distinction however, the first and most obvious is that outer space is a natural environment whereas cyberspace is a human-made one17. Outer space is a vast, timeless domain in which humankind is only gradually projecting itself. Cyberspace, while equally vast at one level, has been developed in the timeframe of a generation and its nature is purely within human control.

A second major difference between the two spaces might be described as the ‘threshold of entry’ to them. To enter and use outer space requires sophisticated and costly assets and capabilities, usually possessed by a small number of States and a few multinational companies.

Cyberspace, by contrast, can be explored by anyone with a personal computer or mobile device.

The basic equipment is relatively cheap and users are numbered in the billions.

A third difference between the realms is that outer space activity is still dominated by State actors although there is a recent trend towards privatisation of some services. Currently there are only ten spacefaring nations possessing an independent orbital launch capacity.18 In contrast, the infrastructure of cyberspace is largely owned and operated by the private sector and civil society.

Finally, if one is to look at the attitude of States holistically, one would find that there is a difference in the manner in which the two realms have been treated to date under international

16 First Phase of the World Summit on the Information Society, Declaration of Principles, Building the Information Society: A Global Challenge in the New Millennium, WSIS-03/GENEVA/DOC/4-E (12 December 2003), para. 1, http://www.itu.int/dms_pub/itu-s/md/03/wsis/doc/S03-WSIS-DOC-0004!!PDF-E.pdf. 17 Anna-Maria Osula & Henry roigas (eds.) International Cyber Norms: Legal, Policy and Industry Perspective, NATO CCD Publications, Tallim, 2016. Accessed at:

law, this is demonstrated for example in the fact that outer space has benefited from an early

foundational treaty that defined its character. Although this treaty is now 48 years old and many

States believe that the legal regime it created for outer space needs to be reinforced,19 it

nonetheless provides an authoritative reference point. No similar treaty has yet been devised to

define cyberspace and efforts to formalise cooperation via international legal instruments such

as the 2001 Budapest Convention on Cyber Crime have not as yet met with widespread support

amongst States.20 From the following disquisition, one point is clear; the intangibility of

cyberspace betrays its acclaimed semblance with outer space. Both realms are real, but greatly

distinguished. Amongst other things, is the outstanding distinction that while one is man-made,

the other is a creation of nature.

1.1.2 Terms Frequently Associated with Cyber Operations 1. Cyberspace

Cyberspace is said to be coined by William Gibson, who described the term as “a consensual

hallucination-lines of light ranged in the nonspace of the mind, clusters and constellation of

data. Like city lights, receding”21. Cyberspace has also been defined as the domain that is

characterized by the use of electronics and the electromagnetic spectrum to store, modify and

exchange data via network systems and associated physical infrastructures.22

19 See notably the resolution on the ‘Prevention of an Arms Race in Outer Space’ which is annually adopted by the UN General Assembly with near universal support and which in reference to the legal regime for outer space States that ‘there is a need to consolidate and reinforce that regime and enhance its effectiveness …’: United Nations, General Assembly resolution 69/31, Prevention of an Arms Race in Outer Space, A/RES/69/31 (11 December 2014), http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/69/31. (May 3, 2016). 20 The Convention developed by the Council of Europe has only been ratified or acceded to by 47 States of which only eight are non-member States of the Council of Europe, see Convention on Cybercrime, Budapest, 23 November 2001, Council of Europe Treaty Series, No. 185, http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_e n.pdf. (May 3, 2016). 21 William Gibson, “Father of Cyberspace” by Scott Thill; Wired; March 17, 1948, p 12. 22 Ibid.

2. Computer Network Attack (C.N.A)

This is a category of "fires" employed for offensive purposes in which actions are taken

through the use of computer networks to disrupt, deny, degrade, manipulate or destroy

information resident in the target information system or computer networks or the

systems/networks themselves. The ultimate intended effect is not necessarily on the target

system itself, but may support a larger effort, such as information operations or counter-

terrorism.23

3. Computer Network Exploitation (CNE)

This is a process which enables the operations and intelligence collection capabilities to be

conducted through the use of computer networks to gather data about target or adversary

automated information systems or networks24.

4. Countermeasures

It is some form of military science that, by the employment of devices and/or techniques, has

as its objective the impairment of the operational effectiveness of undesirable or adversarial

activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of

sensitive or classified information or information systems. There are two types of

countermeasures, namely:

(i) Defensive Countermeasures: Include actions to identify the source of hostile cyber activities,

protection/mitigation at the boundary, hunting within networks, passive and active intelligence

(including law enforcement) employed to detect cyber threats; and/or actions to temporarily

isolate a system engaged in hostile cyber activities.

(ii) Offensive Countermeasures: This might include electronic jamming or other negation

measures intended to disrupt an adversary's cyber capabilities during employment.25

23Note: the term "fires" means the use of weapon systems to create specific lethal or nonlethal effects on a target Accessed at: http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary. 24 Ibid, * See also computer network attack. 25 http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary.

5. Cyber-Attack

A hostile acts using computer or related networks or systems, and intended same to disrupt

and/or destroy an adversary's critical cyber systems, assets, or functions. The intended effects

of cyber-attack are not necessarily limited to the targeted computer systems or data themselves-

for instance, attacks on computer systems which are intended to degrade or destroy

infrastructure of C2 capability.26

6. Cyber Incident

A cyber incident is likely to cause, or is causing, harm to critical functions and services across

the public and private sectors by impairing the confidentiality, integrity, or availability of

electronic information, information systems, services, or networks; and/or threaten public

safety, undermine public confidence, have a negative effect on the national economy, or

diminish the security posture of the Nation.27

7. Cyber Operational Preparation of the Environment (C-OPE)

Non-intelligence enabling functions within cyberspace conducted to plan and prepare for

potential follow-on military operations. C-OPE include but is not limited to identifying data,

system/network configurations, or physical structures connected to or associated with the

network or system for the purpose of determining system vulnerabilities; and actions taken to

assure future access and/or control of the system, network, or data during anticipated hostilities.

C-OPE replaces CNE or CNA when used specifically as an enabling function for another

military operation.28

8. Cyber-Security

All organizational actions required to ensure freedom from danger and risk to the security of

information in all its forms (electronic, physical), and the security of the systems and networks

26 Ibid. 27 Ibid. 28 http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary.

where information is stored, accessed, processed, and transmitted, including precautions taken

to guard against crime, attack, sabotage, espionage, accidents, and failures. Cyber-security risks

may include those that damage stakeholder trust and confidence, affect customer retention and

growth, violate customer and partner identity and privacy protections, disrupt the ability or

conduct or fulfill business transactions, adversely affect health and cause loss of life, and

adversely affect the operations of national critical infrastructures.29

9. Cyberspace Superiority

The degree of dominance in cyberspace by one force that permits the secure, reliable conduct

of operations of that force, and its related land, air, sea, and space forces at a given time and

sphere of operations without prohibitive interference by an adversary.30

10. Cyber Warfare (CW)

An armed conflict conducted in whole or part by cyber means. Military operations conducted

to deny an opposing force the effective use of cyberspace systems and weapons in a conflict.

It includes cyber-attack, cyber defense, and cyber enabling actions.31

11. Defensive Counter-Cyber (DCC)

All defensive countermeasures designed to detect, identify, intercept, and destroy or negate

harmful activities attempting to penetrate or attack through cyberspace. DCC missions are

designed to preserve friendly network integrity, availability, and security, and protect friendly

cyber capabilities from attack, intrusion, or other malicious activity by pro-actively seeking,

intercepting, and neutralizing adversarial cyber means which present such threats. DCC

operations may include: military deception via honeypots and other operations; actions to

adversely affect adversary and/or intermediary systems engaged in a hostile act/imminent

29 Ibid. 30 Ibid. 31 Ibid.

hostile act; and redirection, deactivation, or removal of malware engaged in a hostile

act/imminent hostile act.32

12. Hostile Act

This refers to force or other means used directly to attach the US, US forces, or other designated

persons or property, to include critical cyber assets, systems or functions. It also includes force

or other means to preclude or impede the mission and/or duties of US forces, including the

recovery of US personnel or vital US Government property network operations.33

13. Mitigation (US CERT CONOPS, NRF)

These are solutions that contain or resolve risks through analysis of threat activity and

vulnerability data which provide timely and accurate responses to prevent attacks, reduce

vulnerabilities and fix systems.34

14. Network Operations (Net Ops)

This can be defined as activities conducted to operate and defend the DOD's Global information

Grid.35

15. Offensive Cyberspace Operations (OCO)

Activities that, through the use of cyberspace, actively gather information from computers,

information systems, or networks, or manipulate, disrupt, deny, degrade, or destroy targeted

computers, information systems, or networks. This definition includes Cyber Operational

Preparation of the Environment (C-OPE), Offensive Counter-Cyber (OCC), cyber-attack, and

related electronic attack and space control negation.36

1.2 Historical Background of Cyberspace

32 Accessed at: < https://en.m.wikipedia.org/wiki/cyberspace_definitions?-e_pi_7%page_ID> 33 Ibid. 34 Ibid. 35 Ibid. 36 http://www.pcmag.com/encyclopedia/term/62535/dod-cyberspace-glossary.

During the Cold War, the United States needed a system that is beyond destruction in the event of a nuclear attack in order to send and receive intelligence. The computers were linked in a network and not in a straight line to achieve the connection. So although it may seem like a new innovation, the net has actually been around for over forty (40) years and began at first as a university experiment in military communications. At first, each computer was physically linked by cable to the next computer, but this approach has obvious limitations, which led to the development of networks utilizing the telephone system. So people then decided that nuclear attack or not the computer network was a benefit to all and that they could use it to communicate with one other. Some university students started using the network to do their homework together. More people started to demand access, although initially the users were only from the university and government sectors. But more and more people could see the potential of computer networks and various community groups developed networks separate from the official networks for the use of their local communities.

The internet today is a collection of all the various users and various local, regional and national networks and it is an ever expanding network of people, computers and information coming together in ways the Pentagon never dreamed of forty years ago. So what began as an exercise in military paranoia has become a method of global communication.

The term “Cyberspace” first appeared in fiction in 1980’s in the work of cyberpunk science fiction author William Gibson, in his 1982 Short story “Burning Chrome” and later in his 1984 novel “Neuromancer.”37 Gibson’s fantasy of a world of connected computers has moved into a present reality in the form of the internet. In cyberspace,

37 William Gibson (1984). Neuromancer. New York: Ace Books. p. 69. ISBN 0-441-56956-0.

11 people are met electronically, without a face or a body.38. The reality of the above disquisition is that cyber operations began at the inception of cyberspace. In other words, people began to interact in cyberspace the moment it was incepted. Because it began with a group of students, it follows that States only began to interact in cyberspace as a body component a few years on. The history of cyberspace is the story of the internet, and once the internet begun, the possibility of trans-continental communication, interaction and operations was birthed.

1.3 Technical Methods, Techniques and Tools in Cyberspace Operations

A concise point of commencement is to identify the answers to the questions of how States conduct cyber operations and with what tools. Most of the activities constituting cyber operations, have one thing in common: breaking into foreign Information Technology systems to extract or modify data, to change the system configuration39 or to take down the entire system. To put it another way, it is about hacking. Hackers hack; this is more or less commonly known, but does that mean that State cyber operations are conducted by hackers? No less important is the question of why is hacking possible- which is key to understanding methods of cyber operations. This will be explained by reference to an abstract model for cyber operations which will be introduced in this chapter. Based on this model, the methods of a cyber operation will be explained in seven subsequent stages. For each stage, tools and techniques are introduced with a focus on State actors’ use, and these are distinguished from malicious actors.

38 . 39 A change of the system configuration may include the deletion of files and/or services as well as blocking or taking down the entire system, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 85.

1 Hacking – Mise-En-Scène (Staging the Operation)

How does hacking work? Unfortunately, this question cannot be answered within one or two simple sentences. It is essential to know how hacking works in order to defend against threats effectively, and for a State to make use of suitable tools and techniques within the parameters of law. In order to understand how hacking works, it is first of all essential to understand why hacking works at all – and the answer this time is simple: it works, because the hacked systems’ security is (or was) too weak. Again, this is easy to explain since there is not much secrecy around the fact that there is nothing like hundred percent (100%) security in Information

Technology. A strategy to hack a system can be derived from knowing that hacking is about getting information about a target system in cyberspace, finding clever ways to exploit its vulnerabilities, making use of its misconfigurations or taking profit from its users. This intrusion into systems, which basically describes the process of hacking, is referred to as a cyber-attack. NATO defines cyber-attacks as ‘actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves,40and most scientific and legal definitions define cyber-attacks in this or a similar way. Before any cyber-attacks against a target can be launched, the first two steps of reconnaissance and weaponisation, need to be carefully considered since they prepare the grounds for the success of any cyber operation, the following sections will explore each phases in detail.

2 Reconnaissance – Get Information about Your Target

As in any operation, cyber operations need to be planned based on relevant and reliable41

Information about the operation’s targets. This implies the need to gather information about the target in the best possible manner to be able to derive a solid situational picture, on which

40 NATO Standardization Agency, NATO Glossary of Terms and Definitions (AAP-6) at 2-C-12, 2012. 41 The integrity, authenticity and correctness of the information need to be assured. (May 5, 2016).

13 basis different courses of action can be assessed. It also requires reliable information about the status of one’s own capabilities and available resources. The process of collecting this information is called footprinting: collection of information available from open sources or provided by services is known as passive footprinting, while active footprinting refers to one’s own actions within the cyber operation to obtain missing information, and is analogous to battlefield reconnaissance. The most convenient way to gather the required information is open source intelligence (OSINT). Using OSINT for reconnaissance purposes must therefore be seen as a very important first step which should not only be considered in the operation’s planning stage, but also in any subsequent stage of the cyber operation as soon as new information is derived which updates the situational picture, and which might influence decision making and the action of current operations.42 Very often, further information can be found by simply accessing the target’s offered services43, or by using social media. Social networks have been identified as another primary source of information in the process of intelligence gathering.

If the target is a network, the network connections within that target must also be explored.

This is achieved by tracerouting: step by step, possible routes from the own systems to the target are tested, and a fine-grain network picture is derived. During the entire cyber operation, all this information must be updated regularly since owners of targets can be assumed to use modern techniques to strengthen their systems’ resilience. This is especially important if such changes are monitored in very short time intervals, otherwise successful weaponisation – as described in the following section – is almost impossible.

3 Weaponise – Prepare to Break the Shields

Intruders need to be equipped and trained to be able to engage in cyberspace. Once a target has been identified in cyberspace, a cyber situational picture has been derived and a network

42 OSINT tools and resources see: R. Hock. (2013 September 13). Internet Tools and Resources for Open Source Intelligence 54. 43 Such a service is, e.g., a hosted web-site

14 fingerprint has been made, the most challenging part of the mission preparation is to find suitable cyber means to take effect on the target. Such means of cyber activities in this context are all I.T hardware and software items as well as other systems capable of taking effect in cyberspace, such as computer programs or malicious software and are all generally known as cyber tools. A cyber tool can be a cyber weapon specially designed to break into foreign systems and perform malicious actions, or it can be a regular tool which is used within cyber operations as well as for regular system operations or maintenance. The penetrator of a cyber tool is called an ‘exploit’. Exploits are very clever pieces of software that use vulnerabilities, so the more a system is hardened, the more difficult it is to crack the virtual bunker. But it is possible.

Finally, weaponisation is an iterative process since updated information from the situational picture may highlight a need to change or modify the cyber tool of choice. Without appropriate cyber tools, access to systems can only be achieved by taking advantage of misconfigurations or user mistakes. If a target system is not properly protected and cyber tools are not needed at all, intruders can start to manipulate the target system directly. Otherwise, once a cyber tool has been tested successfully,44 the delivery of the tool to the target system needs to be planned.45

4 Delivery – Get the Tools to the Target

The delivery phase of a cyber operation describes the transfer of a cyber tool to the target system. Depending on the nature of the cyber tools, different approaches to delivery can be chosen. Again, State actors are more limited since they should ensure that intended manipulations only affect the target system and no side effects occur, whereas malicious hackers will not care too much, and may even use third party systems as proxies to launch their cyber-attacks. In case of user mistakes or misconfigurations, the delivery of the payload can be

44 A test is not always possible and reasonable, thus not all targets can be emulated to test the cyber tool. 45 The requirements of the cyber tool delivery can have influence on the tools’ development.

15 very simple: it may be that, due to missing or incorrect access control modifications on the target system, delivery is possible without any further action by the intruder and a payload can just be uploaded and installed. If user credentials at non-administrator level are used, this may not suffice to deliver the payload successfully to the target system. In that case, the available user credentials with minor privileges can be used to gain access to the system and – after successfully having logged on – to raise the privileges using other cyber tools made available in the weaponisation phase. If no cyber tools are available at that stage, a step back to reconnaissance might be required to evaluate the target system information accessible with the user credentials used to log on, and to consider new techniques to escalate the privileges. The most difficult and highly sophisticated form of delivery is the delivery by a service exploit. If the users of a target system do not ‘help’ the intruder to install the payload on their system, vulnerable services running on the target system can be used to get the payload in.

5 Exploitation – Hijacking the Control Flow

Hackers like to see themselves as very smart programmers, and there is good justification for that. When user credentials cannot be used to get administrator or system level access to a target system, clever ways of deviating target systems from their regular program control flow into payload execution must be found during the weaponisation phase. It is essential to understand why exploitation works and why it is at all possible to alter the control flow of a program during its runtime.46

One of the most important requirements for exploitation is the physical ability to alter the program control flow on the target system. This basically means that a program needs to be executed in a computer’s random access memory (RAM). The easiest way to alter the program control flow is to use so-called overflow techniques, for example buffer overflows. Buffers are

46 Software is usually executed in a process structure which is protected by the operating system against any external modification. See, Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 102.

16 dedicated pieces of memory used to store user input data during program execution. If user input is accepted during the execution of a subroutine within the program, it can be stored within a data structure which is called a stack. This is very likely, as programmes usually consist of a lot of subroutines that are reused by different parts of the program to keep the code short. A stack is the dedicated piece of memory space assigned to each process of a computer, and regulates subroutine calls. When a program calls a subroutine, it stores required parameters on the stack to provide the subprogram with the data it needs to process. Since a subprogram can be called from many different parts of the program, it needs to know the memory address to return to after the subroutine has finished. This return address is stored on the stack as well as data and buffers for inputs. Normally, all these items ‘pushed’ onto the stack have a dedicated size, so after the subroutine has finished, the stack can be cleaned up again47. The problem why exploitation of the stack worked quite well for a long time was that, unfortunately, a number of software compliers48 did not check if the user inputs to the system really did fit into the dedicated buffer space being reserved on the stack.

Thus, if a user created an input for the program that exceeded in size the dedicated buffer space, the rest of the buffer was overwritten with the rest of the user input as well, including the address to return to after the subroutine has finished. So by cleverly researching the exact length of required user input and replacing the return address on the stack with a memory address pointing to the payload placed on the target system, a program control flow can be altered during runtime. These techniques are called overflows; they not only work on a process stack but also on a process heap.49 So when the subroutine finishes after a successful overflow

47 Otherwise a process would run out of memory quite fast if all subroutine calls would just put things onto it. 48 A program that creates the executable binary containing the program code from a human readable programming language. 49 A ‘process heap’ is a memory space additionally allocated to a process during program execution.

17 exploit, the program will return not to the position the subroutine was called from, but to the new address specified in the submitted data.

6 Installation – Reside the Payload on the Target

Having successfully exploited a target system, or having gained access to the system due to misconfigurations or user mistakes, the malicious actions intended to be carried out on the target system may require the installation of additional software, unless the mission can be carried out by functionality provided by the target system’s operating system or software that is already installed. If the cyber operation is conducted to take the system down, software installation is usually also not required. In most cases, the software to be installed on the target system is a Remote Access Tool (RAT), which needs to be persistently available in the boot process of the system and which opens a ‘backdoor’ allowing the intruder to take control. The installation of such RAT software on a target system faces major challenges since:

• The users and administrators of the target systems should not recognise the RAT tool being installed on their system, so the RAT must be invisible to them;

• The RAT tool must be installed persistently, which means it needs to be able to

survive a system re-boot; and

• The RAT tool must be resilient to patches and installations or de-installations of

software.

Hiding a RAT is the most important challenge. Once the RAT is detected, the administrators of the target system knows that their system has been hacked and they can take actions to remove the RAT. Removing a RAT from a stand-alone system is easy and is normally done by a simple re-installation of the machine. Sometimes this is done by restoring it from a backup, which bears the risk of the RAT surviving, if the backup has been made before the RAT was detected but after its successful installation. Since good administrators will also check the backups for traces of the RAT, this is not very likely. Removing a RAT from multiple machines

18 within a network might be more challenging since it is often not possible to shut down the entire network. Trying to restore machine by machine only promises success if the vulnerability the intruder used to exploit the system and install the RAT has been found and can be patched successfully; otherwise, a restored system might simply be re-infected by other machines on the network which have not yet been treated.

If a RAT has been placed successfully, and not been detected and removed, the target system is controlled by the intruder and malicious actions of all kind can be conducted. RATs are often sustained to maintain access for the intruder persistently. Having installed such a combination on the target system, the intruder can control it and issue any desired command.

7 Command and Control – Remotely Control the Target System

If all required software needed for or intended to be used during the cyber operation has been installed on the target system, the planned action needs to be prepared and started.

For this, means of command and control have to be foreseen based on which the intruder can submit commands to the target system. They consist of a RAT being installed on the target machine and a control unit being operated by the intruder, together with some means of communication connecting the RAT with the control unit. Command and control are usually implemented by means of network communication. At the network level, command and control information can be embedded into packets of other network communication, for example in packets containing simple requests for a service running on the target system. The installed

RAT will intercept this information from the incoming network packets and ‘interpret’ them, i.e. extract the embedded information from the packets. Answers from the RAT will also be encoded into protocol information in response packets sent from the service back to the intruder; this technique is called tunnelling.

The RAT will analyse the content of the requests and extract the embedded command, as well as embed answers in regular service responses. The services used for this purpose will process

the intruder’s requests as regular requests, not noticing that the only purpose of this

communication is the transport of commands for a RAT; therefore, discovery of covert

channels is very challenging and needs a lot of experience and sophisticated tools for statistical

analysis or tools with a built-in anomaly detection features. Apart from network

communication, offline command and control can be built into the cyber tool as well. Once

delivered and installed, the tool carries all required information to act on the target system. This

technique is especially used in logic bombs which are launched against a target and which do

not require any link back to the intruder once the cyber tool is engaged.

8 Act – The System is Yours

If intruders can successfully submit commands to the target, the list of possible actions is more

or less unlimited. Taking down a system is the most commonly known impact of a cyber-attack;

the effect is not very challenging for the target system operators since the intrusion is noticed

instantly and can usually be countered by restoring the system from a backup or by system re-

installation. Still, system downtime and the effort required to bring the system up again can be

inconvenient. The most challenging intrusions are modifications that compromise a system and

force operators of the target system to work intensely to figure out which modifications to data

or software have been made, and to distinguish valid data from invalid data. The biggest

challenge here is the reverse proportion of acting effort against reacting effort: simple

modifications can disorganise target systems entirely and make them useless to their rightful

owners. The following examples of disturbing actions which intruders have performed

illustrate the great variety of possible actions from which they can choose, once they have

successfully exploited the target system:

(i) Renaming files:

Big companies or organisations store their files on servers. A very vicious interference is to

rename files or exchange file names of existing documents, either randomly or following a

plan. The effect increases if the intruder does not initially do this with files that are currently

or recently used but focuses on older files, so the changes are not seen immediately. In that

case, the modifications might also be applied to the backup device, so when the attack is finally

recognised, restoring the backup does not solve the problem.

(ii) Changing file versions and dates:

In any office environment, documents usually have different versions. Substituting this

information or swapping new with old versions can entirely disorganise business processes

until the cyber-attack is detected.

(iii) Modifying tables and charts in files:

This effect takes the already introduced effects to a more fine-grain level: all modifications can

be done at file level as well. Inserting false data or modifying information in documents can

disturb business processes and such changes – if done at system level, so the modifications are

not reflected in the file system – are even more difficult to detect.

(iv) Deleting single files:

Instead of taking down an entire system, deleting single files can cause more confusion, though

the effect is not great if the system is backed up regularly.

(v) Inserting bogus files:

Instead of deleting information, adding some information is also likely to cause confusion,

especially if this information is well-prepared and fits into the context of the business processes

of the target systems. Such additional information can be, for example, new versions of existing

documents or entirely bogus documents introducing new processes or workflows. Malware

spreading techniques have been implemented this way, but since that promotes detection, such

techniques are no longer used.

(vi) Modifying user privileges:

Modifying user privileges is especially effective when granting more right to users than they

should have. They tend to misuse their new privileges or accidentally make use of them causing

damage to the system. Taking rights from users is not a very efficient technique since they will

complain; system administrators will help out and probably detect the intrusion at the same

time.

(vii) Changing passwords:

Password changes of target system user accounts, often referred to as famous intruders’

activities, are not very effective since they can easily be changed again by the system

administrators. The picture changes if all system administrator passwords are changed. In such

a case, as with system takedown, only restoring the system from a backup or a system re-

installation will help.

(viii) Uninstalling software:

Whereas during a cyber operation additional software might have been installed, uninstalling

software or applying bogus software patches can have reasonable effects on the target system,

especially if system security software is being compromised. Additionally, introducing

software failures in COTS software is very efficient if, for example, the undo function is also

disabled, and bogus functionality affects information when working with business data.

This list of possible actions and effects is of course incomplete and only demonstrates the

potential impact an intruder can have on a target system. If the target system is steering the

controls of a machine, for example, the impact may be worse. Successful intrusion into control

devices of machines have been seen already, and with the Stuxnet case50, scenarios of cyber

tools indirectly causing physical damage to critical infrastructures are no longer science fiction.

50 The European Union Agency for Network and Information Security (ENISA) published a Stuxnet Analysis – see internet portal of ENISA. Available at:< http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis>.

After a successful penetration of the target system, the effects of the intrusion are only limited by the technical capabilities of the targeted system. Whereas security researchers usually do not modify anything on the target since they more or less aim to work out a proof of concept, and State actors will act in accordance with their duties, malicious hackers will try to make a profit.

1.4 Effects of Cyber Operations.

The examples of effects that cyber operations may cause illustrate the threatening technical possibilities an information society is facing. The tools and techniques used to cause these effects are available on the internet and can be used by any talented actor, regardless of the particular intention or motivation. State actors’ cyber operations must be accepted as a consequence of the emerging threat to which everyone is exposed, and technical evolution will raise their importance. The effect of cyberspace operations could be positive or negative, depending on the intent and purpose of its use. In analysing the effects of cyber operations by

States, two ends of the spectrum must be considered. On one end of the spectrum, is the possibility that States could employ the use of cyberspace as a global network, where several inter-continental interactions can be effected. Such operations could also suffice as a social experience for individuals, where they can interact, exchange ideas, share information, provide social support, conduct business, direct actions, create artistic media, play games, engage in political discussions, and the list is endless.

On the other end of the spectrum is another use of cyberspace by States which has become increasingly popular over the decades, and this is the use of cyberspace for offensive purposes.

It appears that States have taken the cyberspace as an alternative battleground to address rising concerns amongst one another. Instead of the conventional warring, most States would rather attack other States using cyber weapons and causing harm than actually confronting those other

States using kinetic or nuclear weapons. A typical example of this kind of cyber operation is

“Cyber-attack”. The definition of cyber-attack used here is actions in cyberspace whose foreseeable results include damage or destruction of property, or death or injury to persons.51

To date, the best real-world example of a cyber-attack is “Stuxnet”,52 an operation reportedly carried out by Israel and the US to slow Iran’s development of nuclear weapons. Reports of

Stuxnet estimate 1,000 Iranian centrifuges were damaged beyond repair when stealthy malware caused machines to spin at certain high and low ranges. The result of the Stuxnet activity – destruction of equipment – would make it a cyber-attack under the cyber spectrum proposed here. Another obvious example would be a tragic accident that occurred in Russia in 2009.53

In that case, a damaged turbine at the Sayano-Shushenskaya hydroelectric power plant had been shut down for maintenance. A computer operator at a control facility, located far from the dam, seeking to correct for a loss in available power, brought the damaged turbine back on line. The operator’s electronically delivered command for increased activity caused the damaged turbine to spin out of control, killing 75 people and causing over $1 billion damage.

While the official investigation of the dam failure blamed poor management and technical flaws, this tragedy demonstrates how wrongdoers might theoretically take control of a computer system and cause horrific damage by manipulating it.

Finally, another effect malicious States’ operations may lead to is a phenomenon referred to as

“Cyber disruption”. Cyber disruption includes actions that interrupt the flow of information or the function of information systems without causing physical damage or injury. Examples of cyber disruptions include disturbing the ability of a government to communicate with its population, as occurred in Estonia (2007)54 and Georgia (2008)55. In 2007 in Estonia, cyber

51 Ibid. 52 William J. Broad, John Markoff, & David E. Sanger, Israeli Test on Worm Called Crucial in Iran Nuclear Delay, N.Y. TIMES, Jan. 15, 2011, Accessed at: (May 7, 2016). 53Available at: < https://en.wikipedia.org/.../2009_Sayano–Shushenskaya_power_station> (May 7, 2016). 54 "STUXNET Malware Targets SCADA Systems". Trend Micro. Jan 2012. 55 Cyber War Case study: Georgia 2008. David Hollis.

24 actions shut down the Government’s ability to communicate and froze the financial sector for about a month. The motivation for the actions was the Estonian government’s decision to move a memorial statue of a Soviet soldier in Tallinn to a less prominent location in the city. The activities were coercive in that they were imposed against Estonia’s will and the Government was not able to stop the effects. Estonia heavily relied on cyberspace for communications and commerce, and experienced significant disruption of its communication and economic systems.

Furthermore, in 2008, cyber disruption of Georgian web and telecommunications began just as

Russia commenced military operations in the Republic of Georgia. The disruptive activities prevented many government computer-based activities in the early days of the Russo-Georgian conflict. Georgia’s civilian communications, financial systems and media were also degraded by the cyber operations. And lastly, a lesser-known example of cyber disruption is the

GhostNet56 set of activities. GhostNet, was reportedly based in China, and affected government systems around the world. It penetrated systems in Canada’s Finance Department and Treasury

Board so pervasively that the Government took the systems off-line for nearly a month. As the

Canadian action demonstrates, certain access or espionage activities may be so damaging to the system’s trustworthiness or reliability, they can effectively render the system useless. This is especially true in the case of systems vital to national security or welfare. One notorious effect of this offensive cyber operations is that when unauthorized people gain deep or persistent access to sensitive information, the situation effectively forces a government to choose between shutting down a system or suffering exposure to unacceptable risk. Although cyber disruption is factually distinguishable from actions that cause death and destruction, the effects of both are largely the same. In both cases, the cyber operations inhibits one State from

56 Tracking GhostNet: Investigating a Cyber Espionage Network. Munk Centre for International Studies. May 9, 2016.

25 taking further or a particular action, either by destroying its cyber infrastructure or by effecting a dislocation to its functionality.

Conclusion In this chapter, we have considered holistically, the meaning, scope and gamut of cyberspace operations. We have also considered some of the phraseologies commonly associated with

“cyberspace”. In progression, a cursory examination into the fons et origo of cyberspace operations was provided. After pointing out the different roles of cyber actors and the implications their roles have on the conduct of a cyber operations, the stages of such an operation in cyberspace have been described. For each stage, common techniques used by the different actors have been explained and examples of the most commonly used tools have been given. Additionally, the effects caused by these tools and techniques have been discussed, especially the possible actions following a successful target system penetration. This chapter also demonstrated that a cyber operation is a very complex endeavour and requires not only deep system knowledge at expert level, but also a certain portion of talent to be truly successful.

With respect to the essence of this project, this chapter has demonstrated a detailed explication into the realm of the cyberspace. In this chapter, the intricacies surrounding cyberspace that befuddle many legal professionals have been brought to the glare in plain terms. One thing is obvious; cyberspace is a novel area in legal jurisprudence, as there is lacking, a direct and fitting provision of the law that circumspectively regulates operations in cyberspace, otherwise known as cyber operations. In the next chapter, we shall consider the possibility of the applicability of the law, specifically international law in cyberspace.

CHAPTER TWO

APPLICABILITY OF GENERAL PRINCIPLES OF INTERNATIONAL LAW TO CYBERSPACE

2.0. Introduction

This chapter describes general principles of international law as a source of international law

(pursuant to art 38(1) (c))57 and illustrates their application to cyberspace. For the purposes of the present analysis, cyberspace is understood as a global, non-physical, conceptual space, which includes physical and technical components i.e. the internet, the ‘global public memory’ contained on publicly accessible websites, as well as all entities and individuals connected to the internet. Cyberspace has political, economic, social and cultural aspects going far beyond the notion of a pure means of information transfer.

Some claim (inadequately, as the present chapter proves) that cyberspace is not or is only partly regulated by law, as cyber-specific international customs are absent and contractual regulation scarce. The classical international law approach to such a situation would be to invoke the basic principle as stated in 1927 by the Permanent Court of International Justice (PCIJ) in the Lotus58 case: “based on the notion of sovereignty, in the absence of a legal prohibition, a State enjoys freedom of action. However, the consequently competing freedoms of the coexisting sovereign

States are guided (and de-conflicted) by general principles of international law”. These principles are most important in the cyber context, since they form the basis for a progressive development of international law, enabling the international law system to respond to the dynamic needs of an international society and especially to meet the fast growing technological advances.

57 Article 38(1) (c), Statute of the International Court of Justice. 58 The Case of the S.S. ‘Lotus’, Merits (1927) PCIJ Rep Ser A, No 7, 18ff.

In the following, the nature, source and content of general principles of international law and other corollary precepts will be described. These sections will be followed by some concluding remarks.

2.1. Nature of the General Principles of International Law

The term ‘principles’ may refer to a meta-legal concept, generated within a philosophical or ethical discourse, or to principles inherent in or developed from a particular body of law or law in general.59 General principles of international law belong to the latter category, and must be distinguished from the notion of ‘justice’ (or equity in the broad sense) and from ‘general principles of moral law’, i.e., compelling or essential ethical principles endorsed in international law (e.g., prohibition of genocide).60 On a conceptual level, though, the ethical and legal meaning of the term ‘principles’ cannot be completely separated, as legal principles are always to be deemed as expressions of overarching values.61 General principles of international law reflect a genuine morality and the most basic values of the international society as inherent in the international order and absolute principles relative to that existing order.62 It should be mentioned that, because of this feature, general principles of international law are partly criticised in academic writings as being a ‘gateway into the legal discourse for natural law maxims’.63 As stated by one scholar, ‘general principles of law ... are arguably the most important but certainly the least used and most confused source of law ...’64

The jurisprudence of the International Court of Justice (ICJ) does not bring clarity to the matter, as hitherto the Court’s reference to general principles of international law has been

59 Rüdiger Wolfrum, ‘General International Law (Principles, Rules, and Standards)’ in idem (ed), The Max Planck. Encyclopedia of Public International Law (Oxford University Press 2008, online edition [www.mpepil.com]) in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 136. 60 Brian D. Lepard, Customary International Law. A New Theory with Practical Implications (Cambridge University Press 2010) 165. 61 Armin von Bogdandy, ‘General Principles of International Public Authority: Sketching a Research Field’ (2008) 9 German Law Journal 1909, 1912. 62 Lepard (n 3) 164. 63 Niels Petersen, ‘Customary Law without Custom? Rules, Principles, and the Role of State Practice in International Norm Creation’ (2008) 23 American University International Law Review 275, 292. 64 Hicks (n 5) 7.

‘inconsistent and confused’.65 The academic controversy pertains in particular to whether general principles of international law can be deemed a source of law of a normative character or merely reflecting juridical maxims or legal ideas. In addition, there are disagreements over whether they can present a source of obligations for States, whether they are a source of natural law, and which relation they show with regard to that concept; whether they are enshrined in

Article 38(1) (c) of the Statute of the International Court of Justice of 1945 (ICJ Statute), or are part of customary international law within the meaning of Article 38(1) (b) of the ICJ

Statute, even of a peremptory character, or whether they exist aside from the enumeration of the aforementioned Article as an autonomous source of law; and whether they have a merely persuasive authority of interpretative guidance or have the a nature of a quasi-constitutional norm of the most importance.

Thus, it is surely not an exaggeration to assert that every aspect of general principles of international law is disputed and unclear. Against this background, a thorough presentation of diverse scholarly opinions on the specific aspects of controversy, as well as a clarification with regard to the respective legal debate must be considered a task for a legal analysis of a major extent and cannot be provided for within the limited scope of the present chapter. Therefore, the following assessment can only offer a limited overview of the relevant court rulings and opinions of legal commentators, and attempt to describe the source and content (2.2) as well as its relationship to practice, opinion juris and consent of States (2.3), its Higher normative value

(2.4), its relationship to the concept of fundamental rights and duties of States (2.5) and finally their feature as a vehicle of progressive law development (2.6).

65 ibid.

2.2 Source and Content of the General Principles of International Law ‘General principles of law recognized by civilized nations’ within the meaning of Article 38(1)

(c) of the ICJ Statute are a (subsidiary)66 source of international law which is derived, according to the wording and as understood by the majority of scholars, from principles common to the domestic law systems of all ‘civilised’67 countries, in so far as they are applicable to inter-State relations.68 Some scholars assert that the provision (formerly Article 38 No. 3 of the Statute of the Permanent Court of International Justice (PCIJ Statute) of 1920)69 also includes general principles of international law, reflecting rather the international order of States than the national law systems.70 They refer to the PCIJ Statute’s travaux préparatoires of 1920, which show that the drafters had different views of the reference to ‘general principles of law’, including the notion that the principles are to be understood in a broad way as ‘maxims of law’.71 Furthermore, the drafting history shows that Article 38(c) (or as it was then, No. 3) was a response to the need for the completeness72 of the law and the intention of the drafters was to avoid a non liquet of the Court for lack of a positive rule (however, without giving the judges the possibility to legislate or opening a gateway for natural law).73 In this spirit, it is asserted that a modern interpretation of Article 38 is justified by the changes of the structure of the legal order since 1920 with regard to the means of determination of international rules based on an

66 Alain Pellet, ‘Art. 38’ in Andreas Zimmermann et al (eds), The Statute of the International Court of Justice. A Commentary (Oxford University Press 2006) MN 290. 67 The reference to ‘civilised’ nations was included in Article 38 of the Statute of the Permanent Court of Justice (League of Nations) of 13 December 1920 (and was reproduced in the Statute of the International Court of Justice). 68 ‘The Uses of “General Principles” in the Development of International Law’ (1963) 57 American Journal of International Law 279, 282, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski. 69 The provision was reproduced in the ICJ Statute without considerable discussion and with only minor alterations (in the numbering of the paragraphs and subparagraphs, instead of alphabetic characters, and the addition of a few words in the introductory phrase). cf Pellet (n 9) 42-45, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski. 70 Wolfrum, ‘General International Law’ (n 2) 28. 71 Cheng, General Principles of Law as Applied in International Courts and Tribunals (Cambridge University Press 1953) 6-21, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski.. 72 In 1920, customary law was considered a slowly developing source of international law. Additionally, the development of new rules of customary law was these days surrounded by scepticism, given the newly appeared heterogeneity of the international community by the establishment of the Marxist-Leninist regime of USSR. 73 cf Bassiouni (n 3) 772ff, 779; Petersen (n 6) 307ff; Pellet (n 9) 245 (with further references to the drafting history); Kolb (n 11) 30, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 138.

30 implicit consensus of States, which nowadays can be derived from more than the municipal legal systems, e.g., also from binding decisions of international organisations.74 Finally, it is noted that general principles as mentioned in the ICJ Statute and general principles of international law cannot always be distinguished from each other.75 Others76 assert that the reference to recognition by nations constitutes the distinguishing element between the principles referred to by Article 38(1) (c) of the ICJ Statute and the general principles of international law, of which only the latter derive from international law. Advocates of this approach also invoke the legislative history, object and purpose of Article 38(1) (c) of the ICJ

Statute as a supporting argument.77 Their view is supported by the wording of Article 21(1) of the Rome Statute of the International Criminal Court of 1998 (Rome Statute), which describes as the law applicable by the Court, inter alia, ‘principles and rules of international law’ and

‘general principles of law derived by the court from national laws of legal systems of the world’, thus explicitly distinguishing between the two forms of ‘general principles’. As the

Rome Statute hitherto has been signed by 139 States78, it can be asserted that the majority of

States, who are the primary subjects of international law, consider general principles of international law as existing aside from the general principles derived from national law systems, and consequently beside the enumeration of law sources in Article 38 of the ICJ

Statute.

This view is confirmed by the jurisprudence of the PCIJ and ICJ, which indicates the existence of general principles of law, irrespective of their correspondence to principles pertaining to

74 17 Heintschel von Heinegg (n 10) § 16 MN 17, 23; Wolfrum, ‘Sources of International Law’ (n 2) 10; Pellet (n 9) 96, 88-95; Petersen (n 6) 308. 75 Wolfrum, ‘General International Law’ (n 2) 20. 76 eg Pellet (n 9) 86 and 252; Wolfrum, ‘General International Law’ (n 2) 7 and 20; cf Heintschel von Heinegg (n 10) § 17 MN 1; Hicks (n 5) 3ff, 7, 35; Lepard (n 3) 163 and 166; Gaia (n 9) 32; JP Tammes, ‘The Legal System as a Source of International Law’ (1953) 1 Netherlands ILR (4) 374, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 139. 77 Wolfrum, ‘General International Law’ (n 2) 28. 78 Information of the UN Treaty Collection as of 9 May 2013, . (May 11, 2016).

31 municipal laws.79 The PCIJ, for example, referred to ‘principles of international law’,80 ‘an elementary principle of international law’,81 ‘a principle of international law, and even a general conception of law’,82 ‘general and essential principles’,83 ‘generally accepted principle of international law’,84 and to a ‘principle universally accepted’.85 The ICJ, for example, invoked ‘general and well recognized principles’,86 ‘rule(s) of law generally accepted’,87

‘general principles of international law’,88 ‘fundamental or cardinal principle of ... law’,89

‘fundamental principle of international law’,90 ‘well established principle of international law’,91 and a ‘principle universally accepted’.92 In none of the cases was Article 38(1) (c) of the ICJ Statute mentioned in the context. The question arises, upon which methodology the existence of general principles of international law is recognised. In the Lotus case, the PCIJ conducted ‘researches of all precedents, teachings and facts to which it had access and which might possibly have revealed the existence of one of the principles of international law (…)’.93

In the Chorzów Factory case, the Court ascertained an ‘essential principle’, because it ‘has …

79 Cf Gaia (n 9) 32. 80 Lotus (n 1) 31. 81. Mavrommatis Palestine Concessions, Judgement (1924) PCIJ Rep Ser A, No 2, 12 (referring to the principle that a State has a right to protect its subjects when injured by unlawful acts committed by another State), in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski,142. 82 Case Concerning the Factory at Chorzów, Merits (1928) PCIJ Rep Ser A, No 17, 29 (‘any breach of an engagement involves an obligation to make reparation’). 83 ibid 47-48. 84 Greco-Bulgarian ‘Communities’, Advisory Opinion (1930) PCIJ Rep Ser B, No 17, 32 (‘in relations between treaty parties treaty law prevails over municipal law’). 85 Electricity Company of Sofia and Bulgaria, Order (1939) PCIJ Rep Ser A/B, No 79, 199, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 142. 86 The Corfu Channel Case, Merits, (1949) ICJ Rep 4, para 22. 87 Case Concerning Right of Passage over Indian Territory Case, Preliminary Objections, (1957) ICJ Rep 125, 142. 88 Legal Consequences for States of the Continued Presence of South Africa in Namibia (South West Africa) notwithstanding Security Council Resolution 276 (1970), Advisory Opinion (1971) ICJ Rep 16, para 94 (‘the general principles of international law regulating termination of a treaty relationship on account of breach’). 89 Nicaragua (n 29) 190. 90 Applicability of the Obligation to Arbitrate under Section 21 of the United Nations Headquarters Agreement of 26 June 1947, Advisory Opinion (1988) ICJ Rep 12, para 57 (‘the fundamental principle of international law that international law prevails over domestic law’). 91 Case Concerning Land and Maritime Boundary Between Cameroon and Nigeria Case (Preliminary Objections), Judgement (1998) ICJ Rep 275, para 38 (‘the principle of good faith is a well-established principle of international law’). 92 LaGrand Case, Judgement, (2001) lCJ Rep 466, para 103. 93 Chorzów Factory (n 25) 29

32 never been disputed in the course of the proceedings in the various cases concerning the

Chorzów factory’94and ‘seem (ed) to be established by international practice and in particular by the decisions of arbitral tribunals’.95 In the Electricity Company of Sofia and Bulgaria case, the PCIJ concluded the existence of a principle, because it was ‘universally accepted by international tribunals and likewise laid down in many conventions’,96 without further explanation. The assertion by the ICJ of a general principle of law was only rarely accompanied by an adequate demonstration of its existence in international law.97 In the Nicaragua case, the

Court sought a ‘confirmation of the validity as customary international law of the principle of the prohibition of the use of force’ by reference to Article 2(4) of the Charter of the United

Nations (UN Charter) and ‘the fact that it is frequently referred to in statements by State representatives as being not only a principle of customary international law but also a fundamental or cardinal principle of such law’.98 In the Western Sahara99 advisory opinion, the

ICJ referred as the basis for the principle of international law of self-determination of peoples to the UN Charter, UN General Assembly (UNGA) resolutions and to its own prior decision.

Thus, it can be concluded that the jurisprudence of the international Courts did not develop any methods of identifying general principles of international law. Unfortunately, to quote a scholar, (scholarly writings on this question are few, and what writings exist are unclear.’100

The most accurate assertion might be the ambiguous proposal to identify general principles of international law ‘by way of successive “accretions” (inductive) and “concretization”

(deductive) to which the principle leans itself’.101

94 Ibid. 95 Ibid. 96 Electricity Company of Sofia and Bulgaria (n 28) 199. 97 Gaia (n 9) 20. 98 Nicaragua (n 29) 190. 99 Western Sahara, Advisory Opinion (1975) ICJ Rep 12, para 54-65. 100 Bassiouni (n 3) 817, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 149. 101 cf Kolb (n 11) 10.

By whichever methodology, academic literature and the jurisprudence of the PCIJ and ICJ indicate that general principles of international law can be derived from general considerations102 (for example, ‘elementary considerations of humanity’, as seen in Corfu

Channel Case103), legal logic (mostly pertaining to procedural rules), legal relations in general

(for example, the principle of good faith),104 from international relations, or from a particular treaty105 regime. Additionally, some scholars assert that general principles of international law can be derived from the ‘conception of [a specific] legal system’106 (e.g., the UN) and may emerge from ‘manifestations of international consensus expressed in [UN] General Assembly and Security Council Resolutions’.107

PCIJ and ICJ identified several principles of either general significance (freedom of maritime communications,108 damages109), of a contractual nature (pacta sunt servanda, good faith, estoppel110), of procedural character (nemo judex in causa sua)111 and of relevance to specific situations (self-determination of peoples,112 uti possidetis juris,113 ‘fundamental general principles of humanitarian law’,114 ‘elementary considerations of humanity’115). Academic writings assert, beside the above-mentioned principles, the existence of further general principles of international law, such as consent, reciprocity unjust enrichment, finality of

102 Wolfrum, ‘Sources of International Law’ (n 2) 37. 103 Corfu Channel (n 29) 22. 104 Wolfrum, ‘Sources of International Law’ (n 2) 37. 105 Reservations to the Convention on the Prevention and Punishment of the Crime of Genocide, Advisory Opinion (1951) ICJ Rep 15, 23. 106 cf Hermann Mosler, ‘General Principles of Law’ in Rudolf Bernhardt (ed), Encyclopedia of Public International Law (vol 2, Elsevier North Holland 1995) 511-27. 107 Bassiouni (n 3) 769, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 151. 108 Corfu Channel (n 29) 22, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 151. 109 Chorzów Factory (n 25) 29. 110 Case Concerning the Temple of Preah Vihear, Merits (1962) ICJ Rep 6, 31-32. 111 South-West Africa – Voting Procedure, Advisory Opinion (1955) ICJ Rep 67, 100 [separate opinion of Judge Lauterpacht]. 112 Western Sahara (n 42) 54-65. 113 Case Concerning the Frontier Dispute, Judgement (1986) ICJ Rep 554, para 20. 114 Nicaragua (n 29) 218, 220, 225. 115 Corfu Channel (n 29) 22.

34 settlements, and proportionality.116 Additionally, based on the notion of general principles as systematisation of existing norms of international law, the ‘principle of common heritage of mankind’ (developed in the context of the law of the sea and applied to certain common spaces) and the ‘principle of sustainable development’ (developed in the context of international environmental law) are affirmed.117

With regard to general principles of international law as pertaining to international peace and security, the international Courts did explicitly acknowledge the principles of State sovereignty118 (and the corollary principle of ‘every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States’119), non-intervention,120 refraining from use of force in international relations,121 and peaceful settlement of disputes.122

Article 2 of the UN Charter enshrines these principles as legal obligations,123 i.e., the sovereign equality of States (No. 1), non-intervention in matters within the domestic jurisdiction of States

(No. 7, although only stating a respective prohibition for the UN), refraining from (threat or) use of force in international relations (No. 4), and peaceful settlement of disputes (No. 3).

Article 1 of the UN Charter, depicting the purposes of the organisation, refers to the organisation’s goal of achieving international cooperation in solving international problems

(No. 3). All the above mentioned principles of the UN and, additionally, the duty of States to cooperate are further elaborated upon in the UNGA Friendly Relations Declaration71 of

116 Ian Brownlie, International Law and the Use of Force by States (Oxford University Press 1963) 19. As stated before, it is noted in the academic writings that some of the principles may not be distinguishable from the ‘general principles of law recognized by civilized nations’ in the meaning of Article 38(1) (c) of the ICJ Statute. 117 Wolfrum, ‘General International Law’ (n 2) 8. 118 Nicaragua (n 29) 263 119 Corfu Channel (n 29) 22. 120 Nicaragua (n 29) 202, 204. 121 ibid 181. 122 ibid 290. 123 Andreas Paulus, ‘Article 2’ in Bruno Simma et al (ed), The Charter of the United Nations (3rd edn, vol 1, Oxford University Press 2012) MN 8.

1970124 (widely accepted as a quasi-binding interpretation of the UN Charter),125 which declares them to ‘constitute basic principles of international law’ (General Part, para. 3). These

‘basic principles’ were confirmed by the UNGA in its Millennium Declaration126 of 2000. At the regional level, States participating in the Conference on Security and Cooperation in

Europe in 1975 adopted a Declaration on Principles Guiding Relations between Participating

States127 (part of the so-called Helsinki Declaration), which affirms, apart from other principles, all the general principles of international law pertaining to international peace and security as stated in the Friendly Relations Declaration.

Scholarly writings in general confirm these principles as having the nature of general principles of international law, partly adding also into this category the principle of domestic jurisdiction

(corollary of State sovereignty).128 Thus, a common core of general principles of international law, as pertaining to international peace and security, can be identified, even if the finding is

‘… based on nothing grander than their having passed what Thomas Franck calls the ‘but of course test’ – a more or less unstable ‘common sense of the international community’ …’.129

In summary, general principles of international law as relevant to international peace and security can be deemed as consisting of the principles of:

1. Sovereign equality of States, including the corollary principles of:

a. Self-preservation,

124 71 Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States in accordance with the Charter of the United Nations UNGA Res 2625 (XXV) (24 October 1970) annex (adopted without vote). 125 Bardo Fassbender, ‘Article 2(1)’ in Simma (n 70) MN 31. 126 United Nations Millennium Declaration UNGA Res 55/2 (8 September 2000) para 4. 127 The Final Act of the Conference on Security and Cooperation in Europe (1 August 1975) (Helsinki Declaration) (1978) 14 ILM 1292. 128 cf Crawford (n 11) 37 (naming the principles of equality of States and domestic jurisdiction); Kolb (n 11) 25ff (naming the principles of ‘non-use of force, peaceful settlement of disputes […], etc.’); Heintschel von Heinegg (n 10) § 16 MN 43 (naming the principle of equality and independence of States); Brownlie (n 63) 19, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 172. 129 International Law Commission (ILC), Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law (Report of the Study Group of the International Law Commission, finalized by Martti Koskenniemi, UN Doc No A/CN.4/L.682, 13 April 2006) para 468.

b. Independence,

c. Jurisdiction over domestic matters,

d. Non-intervention in matters within the domestic jurisdiction of other States,

e. Duty not to harm the rights of other States,

2. Maintenance of international peace and security, including the principles of:

a. Refrain from (threat or) use of force in international relations,

b. Duty to peaceful settlement of disputes, and

3. Duty of international cooperation in solving international problems.

The significance and concretisation of these principles for cyberspace will be introduced in detail, in the next chapter.

2.3 Relationship to Practice, Opinio Iuris and Consent of States It is widely recognised within scholarly writings that the development or recognition of general principles of international law either does not require proof of their existence, or exists independently from the consent or will of the States. Based on the consensual approach to international law (i.e., emphasising the importance of the will of the States, who are the primary subjects creating international law), and on the presumption of general principles of international law being part of international custom, some scholars assert that the existence of the general principles is based on the States’ opinio iuris, which, however, does not require to be evidenced.130 They affirm that there would be an agreement within the international community that the general principles of international law have been so long and generally accepted and are still believed to be desirable, so there would be no need for an evidence of

State practice for their recognition.131 This approach corresponds with the classical theory of

130 eg Heintschel von Heinegg (n 10) § 16 MN 43. 131 cf Heintschel von Heinegg (n 10) § 16 MN 43; Crawford (n 11) 37; Lepard (n 3) 166; Brownlie (n 63) 19.

37 international custom, which perceives State practice not as a normative requirement, but as a means to proving the existence of consent (in the meaning of a tacit treaty).132 In the case of general principles of international law, such a (tacit) consent or will of the States is presumed.133 However, such presumed (tacit) consent or will of the States could also be deemed irrelevant. The above-presented view is based on the notion that the existence of general principles of international law is based on the opinio iuris of the States. It is noted within scholarly writings that opinio iuris is an opinion, conviction, or belief referring to the legality or illegality of a certain behaviour of a State, thus not depending on the will of the State.134 It is rather based on a meta-legal notion or on general legal considerations that a certain State’s conduct is just, fair or reasonable and, for that reason, required under law.135 Thus, opinio iuris is based on a value judgement.136 General principles of international law, reflecting a genuine morality and most basic values of the international society as inherent to the international order, would consequently not depend on the (tacit) consent or will (evidenced by State practice) for the proof of their existence.

Furthermore, it is asserted that general principles of international law exist independently of the practice, consent or will of the States, because they form the ‘backbone’ of the international law system.137 As the international law system is an accepted reality of the international structure and order, and gives the States the platform to exercise their will, its very existence does not need consent or expression of will by the States.138 This finding is confirmed by the

ICJ, which held in the Gulf of Maine case: ... customary international law ... in fact comprises

132 Petersen (n 6) 294ff, 300. 133 Martti Koskenniemi, ‘The Politics of International Law’ (1990) 1 European Journal of International Law (4) 4, 20-27 (claiming the binding character of general principles of international law and other non-consensual general law because of a ‘subjective value of “justice”’), in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 190. 134 Treves (n 90) 9. 135 Wolfrum, ‘Sources of International Law’ (n 2) 25. 136 Ibid. 137 ibid; Treves (n 90) 9; Hicks (n 5) 9. 138 cf Hicks (n 5) 9, in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 192.

38 a limited set of norms for ensuring the co-existence and vital co-operation of the members of the international community, together with a set of customary rules whose presence in the opinio juris of States can be tested by induction based on the analysis of a sufficiently extensive and convincing practice, and not by deduction from preconceived ideas.139

The Court thus distinguished within the customary law a category of ‘a limited set of norms for ensuring the co-existence and vital co-operation’ of States deducted from ‘preconceived ideas’, and not from practice, opinio iuris, consent or any other expression of the will of States.

Thus, the binding nature of general principles of international law is based either on the assumption of a tacit consent or will of the subjects of international law, i.e., primarily

States, or on the notion that the general principles reflect universally accepted metalegal principles (justice, equity and fairness).140 This statement reflects the dichotomy of the consensual approach (recognising that international customary and contractual law is firmly based on the States’ consent) and a rather natural law approach to international law. This legal dichotomy, which, at first sight, appears to be of academic value only, is especially important in the context of general principles of international law, as some of them, according to jurisprudence of the ICJ and scholarly opinion, are derived from ‘preconceived ideas’ and apply regardless of the States’ practice, opinio iuris, consent or any other expression of will.

This results in a most significant consequence: States cannot ‘opt-out’ from general principles of law that are necessary for the ‘co-existence and vital co-operation’ within the international community. It can be asserted that such principles are reflected by the general principles of international law as pertaining to international peace and security as identified above (section

2.2). After a respective interpretation and concretisation with regard to the cyber realm, as will

139 Case Concerning Delimitation of the Maritime Boundary in the Gulf of Maine Area, Judgment (1984) ICJ Rep 246, para 111. 140 Wolfrum, ‘Sources of International Law’ (n 2) 3.

39 be provided infra, they ought to be observed by States regardless of their (other) practice, opinio iuris, consent or any other expression of will.

2.4 Higher ‘Normative Value’

General principles of international law were described by scholars as ‘so fundamental ... that no reasonable form of co-existence is possible without their being generally recognized as valid’, as ‘manifestations of the universal legal conscience’, or as principles that constitute unformulated reservoir of basic legal concepts ..., which form the irreducible essence of all legal systems’.141 Not surprisingly, advocates of the constitutionalist approach to international law attribute general principles that are essential for the existence of the present order structure a quasi-constitutional role within the international law system.142 Such principles would be, e.g., good faith, proportionality, restitution of unjust enrichment, self-determination of peoples, non use of force, and peaceful settlement of disputes.143 The constitutionalist approach distinguishes such ‘constitutional norms’ from other norms of international law and pronounces a priority of values which shall reflect a hierarchy of norms.144 The respective debates are characterised by controversy that can be related to diverging underlying conceptions of the relationship between morality and international law.145

Independently from the constitutionalist approach, some authors also claim that certain fundamental principles of international law would in theory present a superior source of law.146

This view is based on the notion that such basic principles would be applied for the purpose of modifying and superseding conventional and customary rules, as the principles would, due to

141 Bassiouni (n 3) 771. 142 Kolb (n 11) 9, 25 and 36 (‘the law of general principles is constitutional law in the fullest sense of the word. It is placed on the level of sources, of development of the law, of essential metabolistic functions within the legal order.’). 143 ibid 25ff. 144 Venzke and von Bernstorff (n 83) 17. 145 Ibid. 146 Martti Koskenniemi, ‘Hierarchy in International Law: A Sketch’ (1997) 8 European Journal of International Law 566, 577.

40 their general character and value-based content, present the standard for testing the conformity of other norms with the existing legal basis.147 For the same reasons, they could not be overridden by any other individual rule, however specific and enacted in formal fashion.148

A formal hierarchy between the sources of international law must be rejected.149 The informal hierarchy in the techniques of legal reasoning (i.e., successive orders of consideration based on ease of proof or on the approach to applicable law, proceeding from more specific to more general norms) does not introduce a hierarchy of norms.150 Also the UN Charter, enshrining some of general principles of international law (section 2.1), cannot be viewed as a constitution or basic norm of international society at a higher normative level. The Charter is an international treaty, which – according to its Article 103 – prevails only over contrasting contractual obligations taken by a UN Member State.

Furthermore, it is asserted that a ‘heightened normativity’ of certain general principles of international law could be derived from their character as peremptory norms (ius cogens) of international customary law.151 The notion of ius cogens was first proposed by (natural law) scholars in the 17th and 18th century and was adopted in the Vienna Convention on the Law of

Treaties (VCLT) of 1969.152 According to Article 53 of the VCLT, ius cogens is ‘... a norm accepted and recognized by the international community of States as a whole as a norm from which no derogation is permitted and which can be modified only by a subsequent norm of general international law having the same character.’ Given that norms, which are ‘accepted and recognized by the international community of States as a whole’ are based on the consent, or at least acquiescence, of the world, the ius cogens concept is based on the consensual

147 Hicks (n 5) 29; Bassiouni (n 3) 787. 148 Koskenniemi (n 123) 577. 149 Pellet (n 9) 265 and 268. 150 Koskenniemi (n 123) 566-582; ILC (n 76) 463. 151 Crawford (n 11) 37. 152 Wolfrum, ‘Sources of International Law’ (n 2) 49; Jochen A Frowein, ‘Ius Cogens’ in MPEPIL (n 2) MN 3; ILC (n 76) 361.

41 foundation and not on the notion of a gateway of meta-legal or general considerations (as envisioned by the naturalists).153 Though, ius cogens also indicates a certain recognition of a

‘public order of the international community’ based on the consensus concerning fundamental values which are not at the disposal of the subjects of that legal order.154 Despite this distinctive nature, and in contrast to some assertions within scholarly writings,155 ius cogens is not a higher category of formal sources of international law, but a particular quality of customary law norms.156 This particular quality is not depicted by a hierarchical position, but by special consequences of the breach of the norms, as stated in Responsibility of States for Internationally

Wrongful Acts157of the International Law

Commission (ILC) with regard to ‘serious breach (es) by a State of an obligation arising under a peremptory norm of general international law’. Thus, it can be concluded, that, although there is no hierarchy among the sources of law, there is a notion that ius cogens, because of its fundamental content, is in one way or another intrinsically ‘superior’ to all other norms.158

Scholars are in disagreement as to what constitutes ius cogens and how a given rule, norm or principle rises to that level.159 Significant State practice, which could supportthe identification of specific peremptory norms, has not developed.160 Nonetheless, it is asserted that fundamental general principles of international law have the character of ius cogens (and are even ‘merely a semantic variation’161 of them).162 This is based on the understanding of fundamental principles of international law as norms ‘whose perceived importance, based on certain values and interests, rises to a level which is acknowledged to be superior, and thus capable of

153 Wolfrum, ‘Sources of International Law’ (n 2) 49. 154 Frowein (n 129) 3, 11. 155 Wolfrum, ‘Sources of International Law’ (n 2) 11; Cheng (n 14) 22. 156 Pellet (n 9) 279. 157 UNGA Res 56/83 (12 December 2001) annex. 158 Pellet (n 9) 280. 159 Bassiouni (n 3) 801ff. 160 Wolfrum, ‘Sources of International Law’ (n 2) 50. 161 Bassiouni (n 3) 780 162 ibid; Crawford (n 11) 37.

42 overriding another norm, rule, or principle in a given instance’.163 This view could be deemed as confirmed by the ICJ, which stated in the Nicaragua case164 ‘that … the customary international law flow(s) from a … fundamental principle outlawing the use of force in international relations’, i.e., a prohibition which is widely acknowledged as a ius cogens norm.

Thus, fundamental principles of international law can be attributed a ‘higher normative value’ without introducing a formal hierarchy into the sources of international law – either because of their quasi-constitutional role within the international law system, or as peremptory norms of international custom. Taking either approach, there seems to be an understanding within the academia and within the rulings of international Courts that the fundamental principles of international law do have a non-derogative character. This, as mentioned above, results in the finding that all States’ behaviour has to be guided by the general principles of international law, and, whenever they also show a normative character in terms of a legal obligation, States cannot ‘opt-out’ from fundamental principles of international law, i.e., those which are essential for the and vital co-operation of the members of the international community’. This finding is of significance for the principles as pertaining to international peace and security in cyberspace, as they will show a ‘normative value’ higher than other obligations deriving from international law.

2.5 Relationship to the Concept of Fundamental Rights and Duties of States

A different theoretical approach to the phenomenon of a ‘higher normative value’ of the fundamental principles of international law is given by the concept of fundamental rights and duties of States. The doctrine emerged in the 17th century (coinciding with the Peace of Westphalia of 1648, marking the beginning of modern international law) and is based on the independence (from papacy and empire) and equal sovereignty of States (with regard to their exclusive dominion

163 Bassiouni (n 3) 805. 164 Nicaragua (n 29) 181, 188, 190 (refrain from the use of force in international relations).

43 of territorial jurisdiction).165 According to the concept, the existence of fundamental rights and duties is inherent to the essence of a State.166 The specification of the nature of such fundamental rights and duties is problematic, as pursuant to the doctrine, they would present a quasi-constitutional basis, upon which all other international law norms are based.167

At the beginning of the 20th century (and especially on the American continents) several intergovernmental conferences dealing with fundamental rights and duties of States were conducted, resulting in respective political declarations.168 Additionally, diverse international lawyers’ associations developed declarations of fundamental rights and duties of States.169

Also, several international treaties codifying States’ views on fundamental rights and duties were concluded.170 In 1949, the ILC elaborated (upon request of the UNGA)171 a draft

Declaration on the Rights and Duties of States172 containing 14 articles, which was transmitted by the UNGA to States for considerations on further action. However, already within the ILC the draft was voted against (only) by the US and the USSR, and States never requested the

UNGA to take the issue up again.173 It should be mentioned that, according to the draft’s preparatory work, the ILC considered Article 2 of the UN Charter as expressing fundamental rights and duties of States.174 In the same line, the Friendly Relations Declaration could be

165 Sergio M Carbone and Lorenzo Schiano de Pepe, ‘States, Fundamental Rights and Duties’ in Peacetime Regime for State Activities in Cyberspace, Kaatharina Ziolkowski, 201. 166 Carbone and Schiano de Pepe (n 142) 1 and 30. 167 Epping and Gloria (n 143) § 26 MN 2. 168 eg Declaration of American Principles of the Eights International Conference of American States of 1938. 169 eg American Institute of International Law in 1916 (Declaration of Rights and Duties of Nations); the International Juridical Union in 1919 (Draft of a Declaration of Rights and Duties of Nations); the International Commission of American Jurists in 1927 (Report Project II, States: Existence, Equality, Recognition); the Union Juridique International/International Law Association in 1936, or the Inter-American Juridical Committee in 1942 (Reaffirmation of Fundamental Principles of International Law). 170 eg the ( Montevideo) Convention o n R ights a nd D uties o f S tates (inter-American) of 26 December 1933; the Charter of the Organization of American States of 30 April 1948 (Chapter IV), or the Charter of the Organization of African Unity of 25 May 1963 (Article III and V; abrogated in 2000 by the Constitutive Act of the African Union). Article III of the OAU Charter (Principles) referred to sovereign equality, non-interference, peaceful settlement of disputes; Article V (Rights and Duties of Member States) referred to equal ‘rights and duties of Member States’. 171 UNGA Res 178 (II) (21 November 1947) para 3. 172 UNGA Res 375 (IV) (6 December 1949) annex. 173 Carbone and Schiano de Pepe (n 142) 14; Fassbender (n 72) 30. 174 ILC (n 76) 140.

44 seen at first sight as reflecting fundamental rights and duties of States.175 However, despite mentioning ‘rights and duties of Member States under the (UN) Charter’ the declaration is drafted in terms of ‘basic principles’ rather than of ‘rights and duties’.

Summarising the different treaties, declarations and drafts, the catalogue of the fundamental rights and duties of States can be deemed to comprise:176

• Equal sovereignty,

• Independence,

• Jurisdiction,

• Non-intervention,

• Refrain from (threat or) use of force,

• Self-defence (also in the broader term of self-preservation),177

• Peaceful settlement of disputes,

• Mutual respect of the rights of all,

• Immunity of ambassadors,

• Pacta sunt servanda,

• Good faith,

• (Respect for human rights and fundamental freedoms).178

Scholars have asserted the fundamental rights and duties of States as forming part of general principles of international law that aim at governing the friendly and peaceful coexistence and cooperation of States, and have described them as being objective, independent of any expression of willingness by States, particularly inalienable and absolute in nature.179 Indeed, content-wise and with regard to the distinctive status claimed for the fundamental rights and

175 Epping and Gloria (n 143) § 26 MN 5. 176 The assessment is based on the texts of the aforementioned treaties and declarations, especially the draft declaration prepared by the ILC for UNGA (n 149) as well as on scholarly writings. 177 Carbone and Schiano de Pepe (n 142) 28. 178 eg Article 6 of the ILC draft declaration (n 149). 179 Carbone and Schiano de Pepe (n 142) 30ff; Epping and Gloria (n 143) § 26 MN 3.

45 duties, they resemble the general principles of international law that are essential for the ‘co- existence and vital co-operation of the members of the international community’.

The relevance of the doctrine of fundamental rights and duties of States can be judged as minimised by the emergence of international law subjects other than States (i.e., international organisations), by the increasingly complex (contractual) interaction and interdependence of

States in times of globalisation impairing their sovereignty, and perhaps also because of its natural law ascendancy. However, the contents, i.e., the legal independence and equal sovereignty as well as the principles deriving from this basic foundation, remain crucial to the functioning of the international order.

Thus, despite the different doctrinal approach, the concept recognises the notion that some basic principles form the very foundation of the international law order. Content-wise the fundamental rights and duties of States resemble the principles identified within the scholarly writings as ‘constitutional’, of ‘higher normativity’, and those essential for the ‘co-existence and vital co-operation of the members of the international community’.

2.6 Instrument of Progressive Law Development General principles of international law may serve different purposes. They are a normative source of law, which governs situations not regulated by formulated norms.180 By introducing overarching considerations into international law, they also serve as a guideline or framework for interpretation of conventional and customary international law.181 For the same reason, they have the function of systematisation of law, in the meaning of amelioration of the fragmentation of international law.182 However, the most important feature of general principles of international law is their function as a basis for the progressive development of international law.183 This feature is especially significant in the realm of international peace

180 Wolfrum, ‘Sources of International Law’ (n 2) 34ff. 181 ibid. 182 Wolfrum, ‘General International Law’ (n 2) 7 and 20. 183 ibid.

46 and security in the cyber context, as cyber specific customary law is absent and contractual regulation scarce.

General principles of international law have the necessary degree of abstraction and concreteness to be able to be dynamic yet filled with a certain legal meaning.184

Their generality and flexibility enables the principles to be the means of substantial, progressive development of international law.185 Such development can occur by progressive interpretation of international law guided by the principles, as there is (apart from relatively few exceptions) no law-application without some law-creation.186 General principles of law may also be the starting point for the evolution of a new rule of customary law and thus play the middle role between lex lata and lex ferenda.187 Last but not least, general principles can also serve per se as a basis for the development of new rights and obligations.188 Especially in the absence of relevant international practice and of applicable specific rules, the recourse to general principles of international law is the only option for not leaving a specific situation in a legal lacuna. Considering the inherent limitations for the modifications of treaty law as well as of customary international law, general principles of international law can be thus deemed as ‘transformators’ of rising extra-positive (social, moral, etc.) needs of the international community into international law by subsuming the new situation to a principle and by a deduction or reception from the principle.189 This way, general principles of law play a prominent role in legal dynamics, in the development of the law, in the adaptation of law to new situations, and consequently in the filling of the lacunae.190 They prevent a static application of archaic norms in a legal system which needs to respond to the dynamic needs of

184 Kolb (n 11) 9 185 ibid; Wolfrum, ‘Sources of International Law’ (n 2) 39. 186 Kolb (n 11) 7-9; Wolfrum, ‘Sources of International Law’ (n 2) 39. 187 Ibid. 188 Kolb (n 11) 30; Wolfrum, ‘Sources of International Law’ (n 2) 39. 189 Wolfrum, ‘General International Law’ (n 2) 60. 190 Kolb (n 11) 30.

47 the international society, especially to meet the needs of fast growing technological advances.191

The development of international law by a modern interpretation of the general principles (or creation of new sub-principles) will not occur in the abstract, but as a reaction to practical needs and specific phenomena that calls for development. The ‘emergence’ of cyberspace and its relevance for international peace and security justifies a reconsideration of that particular body of law. Thus, the new phenomenon of cyberspace as a new common space for inter-State relations, results in the need of a fundamental regulation as pertaining to the international peace and security. In this regard, a modern interpretation of the respective general principles of international law will support the progressive development of international law.

Conclusion

General principles of international law can be derived, inter alia, from general considerations, legal logic, legal relations in general, international relations, or from a particular treaty regime.

Hitherto, neither international Courts nor scholars have developed a methodology for identifying the principles. However, with regard to general principles of international law as pertaining to international peace and security, international Courts and academia acknowledge the existence of several principles based on sovereign equality of States, the duty to the maintenance of international peace and security, and the duty to international cooperation in solving international problems. These principles (and their sub-principles or corollary principles) are endorsed in Article 1 and 2 of the UN Charter and confirmed by the UNGA

Friendly Relations Declaration, as well as, for example, the Helsinki Declaration. General principles of international law may serve different purposes, of which the most significant is the function as a basis for the progressive development of international law (either by filling a legal lacuna or by progressive interpretation of existing international norms), responding to

191 Bassiouni (n 3) 777ff.

48 rising extrapositive needs of the international society, such as fast growing technical advances, e.g., the ‘emergence’ of cyberspace as a common space for inter-State relations.

This chapter has in detail, discussed the general principles of international law as a concept and its applicability in the novel area of cyberspace. Unequivocally, the chapter has demonstrated that despite the imprecise delineation of what these principles are, in their remotest form, they influence and have influenced the way States behave and act in interstate relations within other spheres, and has shown how they now, can inferably regulate the conduct of States in the cyber arena. In the next chapter, the applicable general principles shall be discussed as well as other international legal regimes directly applicable to cyberspace.

CHAPTER THREE RIGHTS AND OBLIGATION OF STATES IN CYBER SPACE: SPECIFIC

APPLICABLE LAWS AND GENERAL PRINCIPLES OF INTERNATIONAL LAW

3.0 Introduction

It is now widely recognised that the rules of international law also apply to cyberspace, ‘to be ignored by the digitally distracted at their own peril’.192 Much ink has been spilt on topics concerning cyber operations;193 but many questions of what rights and obligations States possess in peace-time remain to be answered.

In the early days of the internet, controversy emerged over the question of whether cyberspace should be covered by the usual rules of law, in particular international law, or whether a new space had emerged which would not be subject to the traditional notions and rules of law.

Famously, in his ‘Declaration of the Independence of Cyberspace’ Barlow argued that cyberspace should be left to its own inhabitants who would create the necessary self regulation194 His main argument was that there was no single legitimate decision-maker for cyberspace in international law.195 Others did not go as far, but still suggested that a special internet law was required to ensure sufficient space for self-regulation of actors in the new space that had emerged.196 Such ‘cyberspace autonomy’ was contested by those who thought that a special legal regime for cyberspace was unnecessary.197 Easterbrook famously claimed that establishing a specific discipline of cyber law made as little sense as to have a special ‘law

192 MJ Glennon, ‘The Road Ahead: Gaps, Leaks and Drips’ (2013) 89 International Law Studies 362, 377. 193 For example, on the notion of what constitutes an armed attack MC Waxman, ‘Self-defensive Force against Cyber-attacks: Legal, Strategic and Political Dimensions’ (2013) 89 International Law Studies 109, 111, also the Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual), Michael N. Schmitt et al. Cambridge University Press, (2013). 194 JP Barlow, 'A Declaration of the Independence of Cyberspace' (1996) Electronic Frontier Foundation 1 (May 14, 2016). 195 Ibid. 196 DR Johnson and D Post, ‘Law And Borders - The Rise of Law in Cyberspace’ (1995-1996) 48 Stanford Law Review 1367. 197 J Kulesza, International Internet Law (Routledge, London 2012), 146.

50 of the horse’.198 As the present state of regulation of cyberspace illustrates, the conflict between

‘cyber-libertarians and cyber-legal-positivists’199 resulted in a victory of the latter, more traditional approach. This approach suggested that cyberspace should be subject to the standard rules of international law and national laws of the competent State. Consequently, cyberspace did not emerge as a new dimension, but has continuously been subject to State practice acting according to the traditional rules of international law.

In the following, the aforementioned general principles of international law as pertaining to international peace and security namely; sovereign equality of States and its corollary principles (3.1), other settled areas of international law (mostly embedded in treaties) bearing relevance to regulations of cyberspace operations which are; International communications law and the regulations of cyberspace (3.2), Space law and cyber activities (3.3), International economic law in the cyber arena (3.4), and finally, implicit international law principles of States derivable from state practice and essentially the U.N Charter, such as; maintenance of international peace and security (3.5), and the duty to international cooperation in solving international problems (3.6), as well as their corollary principles, will be presented.

3.1 Sovereign Equality of States and Corollary Principles

Sovereignty is the core notion of statehood and the axiomatic principle on which, in the words of the International Court of Justice,200 ‘the whole of international law rests’.201 It can be asserted that most, if not all principles of international law directly or indirectly rely on State sovereignty.202 The principle is endorsed in Article 2(1) of the UN Charter in the form of an

198 FH Easterbrook, ‘Cyberspace and the Law of the Horse’ (1996) University of Chicago Legal Forum 207. 199 Murray, 499. 200 Nicaragua (n 29) 263. 201 Heintschel von Heinegg (n 10) § 16 MN 43, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 156. 202 Samantha Besson, ‘Sovereignty’ in MPEPIL (n 2) MN 2, ibid.

51 adjective (‘sovereign equality’) and ensures the juridical (not political, military, economic, geographic, demographic or other) equality of States.203

The understanding of sovereignty has undergone changes since its formal establishment in the

Peace of Westphalia in 1648. Especially since 1945, its impact has been impaired by the recognition of international organisations (approximately 7,000) as subjects of international law and the acknowledgment of their decisions as a potential source of international law, by globalisation, the growing interdependence of States, and subsequent extended cooperation in fields which were formerly considered as domestic matters (approximately 50,000 international treaties are registered with the UN), by the recognition of rights of peoples (self- determination) as well as of individuals before specific international Courts.204 Furthermore, the notion of sovereignty is complemented by the understanding that States are obliged to promote and safeguard common values and goals of the international community.205

This is especially true with regard to cyberspace. The internet developed into a global network by a bottom-up, distributed effort of mainly private stakeholders. Cyberspace, including its

‘global public memory’, is mainly driven by the civil society. The Westphalian elements of international order, i.e. of horizontal inter-State relations (emphasising the States as primary subjects of international law), are complemented in cyberspace in an extensive way by aspects of political, economic and social networks, characterised by vertical and diagonal linkages between governments, (transnational) companies, peoples, societies and individuals. The

Internet Corporation for Assigned Names and Numbers (ICANN),206 the non-governmental organisation (NGO) ‘governing’ the internet, can be deemed as reflecting this notion, as it takes an internationalised and multi-stakeholder approach to its operation.

203 d’Argent and Susani (n 105) 11, ibid. 204 Besson (n 171) 3-55, 153, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 156. 205 Fassbender (n 173) 1095, ibid. 206 ICANN is a Californian (US) non-profit, public benefit corporation, which, in the framework of a Public Private Partnership, acts on behalf of and reports to the US Department of Commerce.

Yet, although flexibly changing its nature, State sovereignty is still the foremost principle of international law and shows several significant facets and corollary principles, which will be presented in the following as applicable to cyberspace.

3.1.1. Self-Preservation

One of the corollary principles of equal sovereignty is a State’s right to self-preservation. In its

Nuclear Weapons207 advisory opinion, the International Court of Justice recognised ‘the fundamental right of every State to survival, and thus its right to resort to self-defence, in accordance with Article 51 of the U.N Charter, when its survival is at stake’. A right to self- defence is given in situations of an ‘armed attack’ launched by another State (or possibly by non-State actors), entitling the victim State to use defensive military force (Article 51 of the

UN Charter and corresponding international custom208). As cyberspace enables skilled and knowledge-wise, super-empowered individuals to cause severe physical effects through manipulations of computer systems that the functioning of highly developed post-industrial

States depends upon, the question arises whether non-State actors can trigger the right to self- defence. There are considerable pros and cons for either approach, the demonstration of which would exceed the scope of this chapter. In addition, the value of the so-called ‘safe haven’ theory,209 developed in the context of self-defence with regard to terrorists acting from the territory of States unwilling or unable (‘failed States’) to impede activities of non-State actors harmful to other States, should be considered in the context of State responsibility for malicious cyber activities conducted by non-State actors otherwise qualifying as ‘armed attack’. In this context, it would surely be beneficial to further discuss, e.g., the criteria of the terms ‘unable’ and ‘unwilling’ and the authority to determine their presence in a concrete case, as well as the

207 Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion (1996) International Court of Justice Rep 226, para 96. 208 Albrecht Randelzhofer and Georg Nolte, ‘Article 51’ in Simma (n 70) MN 10-12, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 157. 209 For an overview on the major lines of argumentation, see Schmitt (n 181) 602ff. 159.

53 nature of justifiable defence measures. An academic and political discourse on the aforementioned matters can probably not be avoided in the future.

Furthermore, the ‘accumulation of events’ or ‘Nadelstichtaktik’ theory will surely need to be considered within the cyber realm. The concept States that, in a situation of a series of incidents, of which each one classifies as ‘use of armed force’ but does not show the necessary scale and intensity qualifying it as an ‘armed attack’, the whole series of these occurrences would cumulatively form the basis for the assessment of the immediacy, scope and intensity.

Advocates of this approach claim that a State facing a ‘hit and run’ tactic of another State would have no other choice but to undertake military measures to counter it.210 In the past, the concept was invoked by Israel (using the term Nadelstichtaktik)211 to justify the use of military force against terrorist groups located on the sovereign territory of its neighbouring States.212

Furthermore, the US made use of the concept (‘accumulations of events theory’),213 e.g., to justify the bombardment of specific sites in Sudan and Afghanistan on 20-21 August 1998 in a letter to the UN Security Council (UNSC), stating:

“These attacks were carried out only after repeated efforts to convince the

Governments of the Sudan and the Taliban regime in Afghanistan to shut

these terrorist activities down and to cease their cooperation with Bin Ladin’s

organization. That organization has issued a series of blatant warnings that

‘strikes will continue from everywhere’ against American targets [… The

United States, therefore, had no choice but to use armed force to prevent these

attacks from continuing. In doing so, the United States has acted pursuant to

210 Dietrich Schindler and Kay Hailbronner, Die Grenzen des völkerrechtlichen Gewaltverbots ( Müller 1986) 211 The term is used, eg, by Yehuda Zvi Blum, ‘The Legality of State Response to Acts of Terrorism’ in Benjamin Netanyahu (ed), Terrorism. How the West Can Win (Farrar, Straus and Giroux 1986) 133, 135. 212 Constantine Antonopoulos, The Unilateral Use of Force by States in International Law (A Sakkoulas 1997) 75. 213 Used first by the UNSC in 1953 during a meeting on military actions conducted by Israel against Libya, UN/SCOR 8th year, 637th meeting, para 4.

the right of self-defence confirmed by Article 51 of the Charter of the United

Nations.”214

Along these lines, some U.S and United Kingdom (UK) scholars view terrorist activities against the US as a continuous process.215 Consequently, these scholars affirm that, due to the cumulative assessment of all terrorist activities, immediacy as well as a sufficient scope and intensity of an ‘armed attack’ is given at any time. Interestingly, the UNSC, including the US as a veto-power, clearly refused the rationale of the ‘accumulation of events theory’ by condemning on several occasions (until the 1970s) military actions justified on the basis of that theory (partly explicitly referring to such acts as ‘retaliation’).216 On the contrary, the judgments of the International Court of Justice in the Nicaragua217 and Oil Platforms218 cases indicate that the Court accepted the theory in general. However, the concept should be approached with caution. In the cyber context, only malicious cyber activities qualifying as

‘use of armed force’, and which – upon reliable information – will be followed with the utmost probability by other malicious cyber activities of the same quality, can be deemed as cumulatively amounting to an ‘armed attack’.

Very likely, cases of preventive self-defence, i.e., in situations of an immediate ‘armed attack’, when ‘... the necessity of self-defence is instant, overwhelming, leaving no choice of means, and no moment for deliberation,’219 will stay theoretical. This is based on the fact that, despite potential additional intelligence, the intended effect of malicious cyber activities will not be

214 UN Doc S/1998/780 (20 August 1998). 215 Christopher Greenwood, ‘International Law and the “War against Terrorism”’ (2002) 78 International Affairs 301, 312. 216 UNSC Res 101 (1953) (24 November 1953) part B para 1 and part A para 1 (Israel against Jordan); Res 111 (1956) (19 January 1956) preamble para 4, para 3 and 6 (Israel against Syria); Res 188 (1964) (9 April 1964) para 1 and 3 (UK against Arabic Republic Yemen); Res 265 (1969) (1 April 1965) preamble para 4, para 3 (Israel against Jordan). 217 Nicaragua (n 29) 146. 218 Oil Platforms (n 179) 64. 219 So-called ‘Webster formula’, phrased by the US State Secretary Webster in a letter to the British government of 24 April 1837, on the occurrence of the destruction of the US ship ‘Caroline’; quoted by Brownlie (n 63) 43. On the ‘Caroline Case’ see Christopher Greenwood, ‘Caroline, The’ in MPEPIL (n 2).

55 visible beforehand. Moreover, judged from today’s perspective, even in the case of discovery of malicious codes in, for example, governmental computer networks, there still would be a

‘choice of means’ and a ‘moment for deliberation’. Malware can be isolated, penetrated networks disconnected and IT security measures directed at the affected networks.

Additionally, the concept of ‘pre-emptive’ (anticipatory) self-defence was asserted by some scholars, namely in the case of the implementation of the computer worm Stuxnet to Iranian nuclear facilities 2008-2010.220 The concept of ‘pre-emptive’ self-defence, i.e., in cases of a mere suspicion of future armed attacks primarily based on mistrust towards a State’s behaviour in international relations, is to be strictly refused221 for several reasons, also regarding the specific case of Stuxnet.222 Preventive measures against latent threats to international peace and security are within the decision-making authority of the UNSC (Article 39, 41-42 of the

UN Charter).

It should be mentioned that the usual expectation of defence measures being conducted by a

State’s armed forces will probably not be met in the pure cyber context. Armed forces must develop and maintain defensive cyber capabilities in order to be able to defend their own networks (including the deployable components thereof), and thus to ensure their operability.

They should develop offensive cyber capabilities as an additional military capability, enhancing the potential of precise, potentially non-lethal possibilities of interruption and disruption without necessarily causing physical damage outside of the targeted computer networks, i.e., to living beings or to objects. However, malicious cyber activities of a level which could be deemed as an ‘armed attack’ against a State will probably target critical infrastructure systems which, in technologically advanced States, are highly dependent on the availability and integrity of information and communication systems (ICTs), and which are in

220 Michael N Schmitt (gen ed), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013) Rule 13 para 13. 221 Greenwood (n 177) 47ff. 222 Ziolkowski (n 193) 143ff.

56 large part privately owned223. In the case of a cyber ‘armed attack’ in the meaning of Article

51 of the UN Charter, e.g., against the banking system as such or the energy generation and distribution systems, only the internet service providers (ISPs) will notice irregular data streams

(through monitoring of their network traffic sensors collecting information about the ‘net flow’, i.e., amount of routed data and their destination) and only the Computer Emergency Response

Teams (CERTs) of the respective private companies will notice infections by malicious software (by monitoring of the intrusion detection/prevention systems conducting deep package filtering or by indications of malfunctioning of the facility’s operations). At the same time, only these ISPs and CERTs will be able to deter such ‘attacks’ on a ‘bit for bit’ basis, as only they will have the possibility to block data streams or to undertake infection recovery activities based on the knowledge of the specific architecture, operating systems and adjustments the targeted complex computer systems show. Additionally, the defence against the actual ‘armed attack’ conducted by cyber means will most probably require recourse to the possibilities and capabilities of private cyber security companies or of companies which developed the targeted, specific, industrial IT systems or software, and which can provide

‘patches’ for the vulnerabilities used by the aggressor for penetrating the system in question.

This will leave the actual conduct of the ‘bit for bit’ cyber defence measures to the industry, i.e., to the civil society as opposed to armed forces. The armed forces and other governmental entities can only support the industry in such endeavours, for example, by providing intelligence or other forms of assistance (apart from conducting measures such as kinetic defence to deter the armed attack). One of the consequences could be that, according to Article

51(3) of the Additional Protocol I of 1977 to the Geneva Conventions of 1949 (and respective customary law), the acting ISP and CERT personnel could lose the protection civilians enjoy against direct attack and become a legitimate military target (for the duration of actively

223 General Principles of International Law as Applicable in Cyberspace Katharina Ziolkowski, 161.

57 defending the attacked networks). The existence of a (paramilitary) Estonian Defence League’s

Cyber Unit, the Austrian plan to establish a ‘cyber militia’ or ‘voluntary cyber fire-brigades’,224 and respective considerations as currently addressed in Latvia reflect the endeavours of States to link private cyber defence capabilities to the government.

Additionally, it can be asserted that the fundamental right of States to self-preservation also entails the right to take protective measures in situations of necessity.225 Necessity is given when essential interests of a State (or possibly of the international community as whole) are facing grave and imminent peril.226 Under strict conditions, States may safeguard such interests by taking protective measures (Article 25 of the ILC Draft Articles on Responsibility of States for Internationally Wrongful Acts).

3.1.2 Territorial Sovereignty and Jurisdiction

Another principle corollary to equal sovereignty of States is the principle of territorial sovereignty, including the principle of jurisdiction.227

The aspect of territorial sovereignty, i.e., the exercise of full and exclusive authority over a territory, protects physical components of the internet (‘cyber infrastructure’) that are located on a State’s territory or are otherwise under its exclusive jurisdiction.228 This includes any technical and other physical components located on the land territory, in internal waters, territorial sea, archipelagic waters, in national airspace or on platforms (e.g., vessels, aircraft or satellites).229 The fact that the components of the internet are located on a State’s sovereign

224 ‘Österreich überlegt Aufstellung einer „Freiwilligen Cyberwehr“’ Der Standard (2012) . (May 17, 2016). 225 Robin Geiß and Henning Lahmann ‘Freedom and Security in Cyberspace: Shifting the Focus away from Military Responses towards Non-Forcible Countermeasures and Collective Threat-Prevention’, 97. 226 Ziolkowski (n 181) 285-331 on ‘necessity’ as a general principle of international law, which might exceed the notion of Article 25 ILC Draft Articles on Responsibility of States for Internationally Wrongful Acts. 227 Benedikt Pirker, ‘Territorial Sovereignty and Integrity and the Challenges of Cyberspace’, 66. 228 Wolff Heintschel von Heinegg, ‘Legal Implications of Territorial Sovereignty in Cyberspace’ in Christian Czosseck, Rain Ottis, and Katharina Ziolkowski (eds), Proceedings of the 4th International Conference on Cyber Conflict (NATO CCD COE Publication 2012) 7, 10 and 13. 229 ibid 11.

58 territory but form, at the same time, part of the global internet, does not indicate a waiver of the exercise of such territorial jurisdiction.230 On the contrary, a State cannot claim territorial sovereignty (or right to appropriation) with regard to the internet as a whole (that is, a global resource) or to cyberspace (that is, a common space).231 Due to the global nature of the internet and cyberspace, this finding is not impaired by the fact that the internet is ‘governed’ by

ICANN, which acts on behalf of and reports to the US Department of Commerce.

Territorial sovereignty is violated by any acts causing physical effects on another State’s territory.232 However, as indicated by the US,233 who declared that it considered its (territorial) sovereignty as violated by ‘disruption of networks and systems’, i.e., including intrusions without (directly or indirectly) showing a physical effect, it could be argued that physical damage is irrelevant in the cyber context.234 Indeed, due to the enormous negative effects malicious cyber activities can have on the national security of another State, which can be, although not of physical nature, though well ‘perceptible’ (e.g., disruption of a State’s – digital

– stock exchange system), it can be claimed that such effects could violate the victim State’s sovereignty.

The principle of jurisdiction describes the power of a State to define and to enforce rights and duties, and to control the conduct of natural and juridical persons (primarily on its own territory).235 A State exercises its jurisdiction by establishing rules (legislative jurisdiction), procedures for identifying breaches of the rules and the precise consequences thereof (judicial jurisdiction), and by forcibly imposing consequences (enforcement jurisdiction).236

230 Heintschel von Heinegg (n 200) 14. 231 ibid 9. 232 ibid 11ff, 16; Lawrence T Greenberg, Seymour E Goodman and Kevin J Soo Hoo, Information Warfare and International Law (US National Defence University 1998) 24. 233 The President of the United States of America, International Strategy for Cyberspace. Prosperity, Security, and Openness in a Networked World (May 2011) 4 [call-out-box, ‘Defence Objective’]. 234 Similarly, in the context of territorial sovereignty Heintschel von Heinegg (n 200) 11ff, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 160. 235 Bernard H. Oxman, ‘Jurisdiction of States’ in MPEPIL (n 2) MN 3. 236 ibid.

The general access to the internet (or digitalised access to information) can be deemed as protected by the universal human right to seek, receive and impart information through any media (Article 19(1) of the International Covenant on Civil and Political Rights of 1966,

Article 10(1) of the European Convention on Human Rights of 1950). However, a State may regulate internet activities of its own (nationality principle) and foreign (territoriality principle) nationals in its territory (or those conducted on foreign territory but showing effects on its own territory),237 e.g., with regard to contents of uploads or downloads, including questions of what is deemed offensive in terms of morality, security and stability.238

The principle of jurisdiction would certainly be violated by law enforcement activities239

(i.e., exercise of authority) conducted by foreign agencies in networks and computers located on a State’s territory and outside of a cooperation framework or otherwise without a prior consent of the territorial State (e.g., online search). Especially with regard to cyber-crime law enforcement, the exercise of jurisdiction of States may overlap due to the competing territorial, personal and effects based facets of jurisdiction, additionally complicated by the mobility of users and technological advances such as cloud-based computing. These aspects call for intensified cooperation measures in cyber-crime law enforcement.

3.1.3 Non-intervention in Domestic Affairs

A further principle deriving from the sovereign equality of States is the principle of non- intervention in the internal or foreign affairs of another State.240 It is endorsed in regional conventions (e.g., Articles 16-19 of the Charter of the Organisation of American States, Article

3 (2) of the Charter of the Organization of African Unity), reflected in political declarations

237 Ibid 32. 238 ibid 31. 239 Oxman (n 207) 47. 240 Terry D Gill, ‘Non-Intervention in the Cyber Context’ and Chris Demchak, ‘Economic and Political Coercion and a Rising Cyber Westphalia’, 76, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, 162.

(e.g., Principle VI of the Helsinki Final Act of 1975)241, in UNGA resolutions,242 and is endorsed in Article 2(7) of the UN Charter (with regard to UN organs). The principle is confirmed by the International Court of Justice as a rule of international custom.243 An illegal intervention occurs when a State interferes with the internal or external affairs of another State considered by the latter as ‘internal’ or ‘domestic’ (domaine réservé), in order to coerce the other into certain behaviour.244

In general terms, it can be asserted that domaine réservé describes areas not regulated by international norms or not being of some common interest or value.245 Due to globalisation, the integration of States in international organisations, the growing interdependence and subsequent cooperation of States, and especially the myriad of conventional law, very few matters can nowadays be regarded as remaining within the limits of purely ‘domestic jurisdiction’.246 One of the matters which are still recognised as domaine réservé, although significantly internationalised by human rights law, is the jurisdiction over, and the regulation and treatment of own and foreign nationals.247 So far, the deliberations as presented above apply (section 3.1.2).

The internet communication as such (as opposed to national intranets) cannot be deemed as an internal affair of a State, as international telecommunications are regulated by international law

(Articles 33-48 of the Constitution of the International Telecommunication Union (ITU

Constitution), e.g., with regard to denial or restriction of internet connectivity). Additionally,

241 n.74, ibid. 242 Friendly Relations Declaration (n 71) Principle 1; Declaration on the Inadmissibility of Intervention in the Domestic Affairs of States and the Protection of their Independence and Sovereignty UNGA Res 2131 (XX) (21 December 1965) para 2; Declaration on the Inadmissibility of Intervention and Interference in the Internal Affairs of States UNGA Res 36/103 (9 December 1981) para 2, Principle I(b) and II(a); Declaration on the Enhancement of the Effectiveness of the Principle of Refraining from the Threat or Use of Force in International Relations UNGA Res 42/22 (18 November 1987) annex para 8. 243 Corfu Channel (n 29) 35; Nicaragua (n 29) 202. 244 Nicaragua (n 29) 202ff; Philip Kunig, ‘Intervention, Prohibition of’ in MPEPIL (n 2) MN 1. 245 Kunig (n 216) 3, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, (General Principles of International Law as Applicable in Cyberspace) 164. 246 Fassbender (n 72) 70, ibid. 247 Ziegler (n 217) 5.

61 due to the nature of the internet as a globally shared resource and to the – in general – worldwide spread of malicious software, aspects of national cyber security, i.e., questions of the establishment of cyber security measures of a strategic, political, legal, administrative, organisational and technical nature, including the establishment of a national CERT, must be deemed as of internationalised interest or value, and thus outside of the realm of purely internal affairs.

In order to violate the non-intervention principle, ‘coercion’, as opposed to perfectly legal

(political, economic, etc.) influence, must be employed.248 The meaning of the term is unclear.249 Scholars assert that illegal coercion implies massive influence, inducing the affected

State to adopt a decision with regard to its policy or practice which it would not envision as a free and sovereign State.250 The Friendly Relations Declaration (Principle 3) describes armed intervention, obtaining subordination of the exercise of a State’s sovereign rights, and actions directed towards the violent overthrow of a regime of another State, as violating the non- intervention principle. This results in the notion that ‘coercion’ occurs only in drastic cases of overwhelming (direct or indirect) force being put upon a State’s free and sovereign decision- making process.

Thus, it is not probable that, for example, online law enforcement activities of foreign agencies

(see section 3.1.2) would be considered by the affected State as meeting the threshold of impact as required by the notion of ‘coercion’. The question of access to the internet or demands for the establishment of a national cyber security framework can surely not be deemed as violating the non-intervention principle, as such matters cannot be categorised as purely internal affairs of a State.

3.1.4. Duty Not To Harm Rights of Other States (Principle of Prevention, Precaution and ‘Due Diligence’).

248 Discussion at Kunig (n 216) 5ff. 249 ibid. The Friendly Relations Declaration also preserves a vague wording in this regard, see Keller (n 72) 20ff. 250 Kunig (n 216) 22-27; Beyerlin (n 217) 809.

Another principle aiming to de-conflict equal sovereignties of States is the duty not to harm the rights of other States and consequently, as confirmed by the International Court of

Justice,251 not to let its own sovereign territory be used for activities causing damage to persons or objects protected by the sovereignty of another State (see also Article 1(2) of the UN Charter, endorsing a ‘principle of equal rights’).252 The principle is closely related to the principle of good neighbourliness and the supporting maxim (or normative rule) sic utere tuo ut alienum non laedas (use your own property so as not to harm that of another), which are discussed infra

(section 3.1.5) in more detail.

The no-harm principle includes the obligation of States to take preventive measures in concrete cases of risk of harm to other States’ rights, of which the State in question has knowledge or presumptive knowledge.253 Such an obligation can be derived from the logic of the no-harm obligation, and can be deemed as confirmed by the International Court of Justice in the

Hostages254 case (referring to preventive duties deriving from conventional and customary diplomatic law), and in the Nuclear Weapons255 advisory opinion. It is endorsed in a multitude of treaties concerning environmental protection, nuclear accidents, space objects, international watercourses, management of hazardous waste, and prevention of marine pollution.256 An obligation to prevention is further enshrined in Article 3 of the ILC Draft Articles on Prevention of Transboundary Harm from Hazardous Activities257 of 2001, which States: ‘The State ... shall take all appropriate measures to prevent significant transboundary harm (to the environment, persons or property) or at any event to minimize the risk thereof.’

251 Corfu Channel (n 29) 22. 252 Heintschel von Heinegg (n 200) 7ff, 16. 253 Epping and Gloria (n 143) & 26 MN 16. 254 Hostages (n 93) 68. 255 Nuclear Weapons (n 176) 29. 256 ILC, Draft Articles on Prevention of Transboundary Harm from Hazardous Activities, with commentaries (2001) UN Doc A/56/10, General commentary, para 3 ; references at Philippe Sands, Principles of International Environmental Law (2nd edn, Cambridge University Press 2003) 246ff. (May 15, 2016). 257 supra n 228.

According to the draft articles, such measures comprise, for example:

• risk assessment (Article 7),

• notification and information in cases of risk of causing significant transboundary harm

(Article 8), and

• consultation on preventive measures (Article 9).

These procedural duties are nowadays widely recognised as being part of international law, either in the form of international custom or of general principles of international law.258 As

Article 1 of the aforementioned draft indicates, these obligations might refer only to risk of harm of physical nature. However, it could be argued that non-physical, though well perceptible, damage is relevant in the cyber context (section 3.1.2).

Furthermore, it can be attested that States are also obliged to take (general) precautionary measures with regard to potential cyber threats posing a significant risk of damage of a transboundary nature. The precautionary principle forms the basis of the legal regimes governing the high seas (The United Nations Agreement for the Implementation of the

Provisions of the United Nations Convention on the Law of the Sea of 10 December 1982 relating to the Conservation and Management of Straddling Fish Stocks and Highly Migratory

Fish Stocks of 1995) and Antarctica (Protocol on Environmental Protection to the Antarctic

Treaty of 1991). Additionally, it is enshrined in several international treaties on environmental protection,259 and is pronounced as either evolving260 or already existing261 customary rule of international environmental law.

As described above, it is certified by international Courts and by scholarly writings that general principles of international law can, inter alia, be identified by deduction from the legal logic

258 Günther Handl, ‘Transboundary Impact’ in Daniel Bodansky, Jutta Brunnée and Ellen Hey (eds), The Oxford Handbook of International Environmental Law (Oxford University Press 2007) 531, 541. 259 Discussion and references at Sands (n 228) 266-279. 260 ibid 279. 261 Ulrich Beyerlin and Jenny Grote Stoutenburg, ‘Environment, International Protection’ in MPEPIL (n 2) MN 24.

64 and from specific legal regimes or treaty regimes (see section 2.1). Once the existence of a general principle of international law is established in such a manner, and showing openness for concretisation in other circumstances, it can be applied to other situations or areas.262 Such a technique does not present an analogy263 (i.e., creation of new rules in cases of legal lacuna, by treating similar cases the same way legally) in stricto sensu.264 It should be mentioned that, due to the fact that the internet is another global resource beside the natural environment, and cyberspace is another common space beside the high seas and Antarctica, and that the area is sparsely regulated (especially the ITU rules on international telecommunications do not entail cyber security regulations), an analogy would, in theory, seem not to be far-reaching. A common feature and overarching principle of the above-mentioned treaty regimes for globally shared resources and common spaces is the obligation to take precautionary measures. Such a principle is open for concretisation in other situations, and can subsequently be applied to the internet as another globally shared resource, and to cyberspace as another common space.265

Taking another conceptual approach, it was proposed in diplomatic circles (and is claimed by the US266 to be an ‘emerging norm’) to introduce a principle of ‘due diligence’267 of States (by a broad interpretation of the no-harm rule) with regard to malicious cyber activities of non-

State actors originating from the States’ territories and harming rights of other States. Given that all States acknowledge the relevance of malicious cyber activities for national and international peace and security, as shown by the multitude of respective UNGA resolutions,268

262 Heintschel von Heinegg (n 10) & 19 MN 7. 263 The use of a legal rule in an analogous way (per analogiam) means the application of a rule which covers a particular case to another case which is similar to the first but itself not regulated by the rule. Ibid; MPEPIL (n 2) MN 1. 264 Heintschel von Heinegg (n 10) & 19 MN 6ff, in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, (General Principles of International Law as Applicable in Cyberspace) 167. 265 The application of principles of environmental law to the internet/cyberspace was first proposed by Torsten Stein and Thilo Marauhn, ‘Völkerrechtliche Aspekte von Informationsoperationen’ (2000) 60 Zeitschrift für ausländisches öffentliches Recht und Völkerrecht 1, 21. 266 The President of the United States of America (n 205) 10. 267 Robin Geiß and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus away from Military Responses towards Non-Forcible Countermeasures and Collective Threat-Prevention’, 77. 268 Developments in the field of information and telecommunications in the context of international security

65 including the establishment of all in all six GGEs269 on diverse cyber challenges, and by the adoption of Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems270 of 1992, it can be held that, assuming the thus confirmed common interest of States in cyber security, the duty to prevention could exceed concrete cases and be interpreted in general terms of ‘due diligence’ (similar to the

‘precautionary principle’ as a general principle of international law applicable in to the internet and to cyberspace). Some scholarly writings assert that cyber security ‘due diligence’ is already part of international custom.271 The concrete features of preventive and precautionary (or the proposed ‘due diligence’) measures would stay within the discretion of the States.

However, the prevention principle obliges States to undertake a risk assessment and to inform, notify, and consult other States in concrete cases of risk of significant transboundary harm.

This preconditions the ability of a State to notice irregular data streams or malicious software as such. This results, as a minimum, in the obligation of States to ensure (1) that the national

UNGA Res 53/70 (4 December 1998), 54/49 (1 December 1999), 55/28 (20 November 2000), 56/19 (29 November 2001), 57/53 (22 November 2002), 58/32 (8 December 2003), 59/61 (3 December 2004), 60/45 (8 December 2005), 61/54 (6 December 2006), 62/17 (5 December 2007), 63/37 (2 December 2008), 64/25 (2 December 2009), 65/41 (8 December 2010), 66/24 (2 December 2011), 67/27 (3 December 2012); Creation of a global culture of cybersecurity, UNGA Res 57/239 (20 December 2002) (proposing nine elements for creating a global culture of cybersecurity, annex), Creation of a global culture of cybersecurity and the protection of critical information infrastructures, UNGA Res 58/199 (23 December 2003) (proposing eleven elements for protecting critical information infrastructures, annex), and Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures, UNGA Res 64/211 (21 December 2009) (proposing ‘voluntary self-assessment tool for national efforts to protect critical information infrastructure’ of 18 points, annex); see also UNGA Res 55/63 (4 December 2000) and 56/121 (19 December 2001) (combating the criminal misuse of information technologies), 57/239 (20 December 2002) (creation of a global culture of cybersecurity) and 58/199 (23 December 2003) (creation of a global culture of cybersecurity and the protection of critical information infrastructures), 64/211 (21 December 2009) (creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures), 55/63 (22 January 2001) and 56/121 (23 January 2002) (combating the criminal misuse of information technologies), and UNGA Res 63/195 (18 December 2008), 64/179 (18 December 2009), and 65/232 (21 December 2011) (strengthening the United Nations Crime Prevention and Criminal Justice Programme, in particular, its technical cooperation capacity). The Third Committee deferred considerations on the subject on the criminal misuse of information technologies, pending work of the Commission on Crime Prevention and Criminal Justice, UNGA Res 56/121 (23 January 2002, para 3), in Peacetime Regime for State Activities in Cyberspace, Katharina Ziolkowski, (General Principles of International Law as Applicable in Cyberspace) 168. 269 For details see Katharina Ziolkowski, ‘Confidence Building Measures for Cyberspace’, 168. 270 The guidelines call for cooperation of States (Principle 6) in the area of ‘comprehensive protection’ of information systems (Principle 4), and stipulate an imperative of deliberation in the use of information systems (Principle 3), OECD Doc OCDE/GD (92)190. 271 Heintschel von Heinegg (n 200) 18.

ISPs install network sensors collecting information on ‘net flow’, i.e., amount of routed data and their destination (allowing the detection of, e.g., ‘DDoS attacks’), (2) that national tier 1

ISPs install intrusion detection/prevention systems at their ‘gates’ of international data transmission and conduct deep package filtering (allowing recognition of malicious software), and (3) that an obligatory reporting system to a governmental entity (e.g., a national or governmental CERT) with regard to significant cyber incidents is in place. Furthermore, the conduct of the above-described measures, the procedural obligations of notification, information and consultation, as well as the general management of the prevention of malicious cyber activities potentially harming other States’ rights, require the establishment of a framework of strategic, political, legal, administrative, organisational and technical nature.

Additionally, the preventive principle would also oblige a State to establish investigative cyber capabilities (allowing the identification of the source of the malicious cyber activities) either within a CERT, the police, or other security forces, depending on the division of responsibilities and authorisations pertaining to respective national laws (either existing or to be endorsed), as well as the organisational and legal framework allowing the prevention or discontinuation of concrete malicious cyber activities originating on the State’s territory and potentially harming the rights of other States.

The precautionary principle (as well as the proposed ‘due diligence’ principle) includes the duty to undertake all appropriate regulatory and other measures at an early stage, and well before the (concrete) risk of harm occurs.272 This would involve the implementation of strategic, political, organisational, administrative, legal and technical measures (including the above-mentioned measures) aimed at general prevention of the misuse of the possibilities that cyberspace offers for respective malicious activities by non-State actors, i.e., the establishment

272 Sands (n 228) 246ff.

67 of a national cyber security framework273. Such an obligation would apply only with regard to cyber activities possibly violating the rights of other States, thus inflicting severe damage (even if of a non-physical nature), i.e., with regard to cyber threats which can be deemed as clearly affecting other States’ national security.274 The specification of which malicious cyber activities would clearly affect the national security of States must be left to future State practice.

It can be only assumed that, due to the interests of States, espionage activities would not fall under this category.275 Nonetheless, the acknowledgement of the precautionary principle (or

‘due diligence’) for cyberspace entails the obligation to set up a national cyber security framework with regard to respective cyber threats (including these going beyond causing possible physical harm).

It should be mentioned that, as stated above (section 3.1.3), demands for the establishment of a national cyber security framework (including the technical aspects thereof) cannot be deemed as a forbidden intervention in domestic affairs, as, due to the global nature of cyberspace and the internet, questions of cyber security do not fall under the category of purely internal matters.

3.1.5 Principle of Good Neighbourliness and sic utere tuo

Furthermore, balancing the competing sovereign rights of States, the principle of good neighbourliness has a relevance to cyberspace. The principle needs to be distinguished from the ‘international law of neighbourliness’ governing the relations of neighbouring States only in the frontier zones of their territories.276 The principle of good neighbourliness is endorsed in a legally binding manner in the preamble of the UN Charter (whereas Article 74 refers to

‘general principle of good-neighbourliness ...’ as a binding aim for policies with regard to

273 On national cyber security framework see Alexander Klimburg (ed), National Cyber Security Framework Manual (NATO CCD COE Publication 2012). 274 Similarly: Heintschel von Heinegg (n 200) 16 (excluding cyber espionage and other ‘mere intrusions into foreign computers or networks’). 275 Ibid, though based on other deliberations. On espionage see Katharina Ziolkowski, ‘Peacetime Cyber Espionage – New Tendencies in Public International Law’. 276 Laurence Boisson de Chazounes and Danio Campanelli, ‘Neighbour States’ in MPEPIL (n 2) MN 6-8.

68 colonies).277 Moreover, the principle is endorsed as a legal obligation in international environmental law (especially referring to the use of trans-border resources such as rivers).278

The principle mutually limits the sovereign exercise of activities potentially affecting neighbours in an intolerable manner, and is confirmed by the maxim (or normative rule) of sic utere tuo ut alienum non laedas (use your own property so as not to harm the one of another).279

From the principle of good neighbourliness derive the obligations:280

• not to use or permit to use the territory in a manner as to cause damage to the territory

of neighbouring States (see also section 3.1.4),

• to adopt any necessary – preventive and precautionary – measures in order to avoid or

reduce damage beyond the own territory,

• to inform, notify, consult neighbours on any situation likely to cause damage beyond

own territory,

• to tolerate activities otherwise not prohibited under international law so long as the

consequences do not exceed an acceptable threshold of gravity (specified on a case-to-

case basis).

As the principle of good neighbourliness had already been introduced to other types of vicinity than frontier regions (e.g., to contiguous and exclusive economic zones on the high seas or to

‘regions’),281 a further extension to cyberspace seems justified due to its global nature, to the speed and density of the internet connections and to its importance for inter-State relations of political, economic and other nature; aspects creating as a whole a modern form of ‘vicinity’.

This view can be deemed as confirmed by the UNGA, which recognised already in 1991 that

‘great changes of political, economic and social nature, as well as the scientific and

277 Ulrich Fastenrath, ‘Article 74’ in Simma (n 70) MN 2. 278 ibid 2; Boisson de Chazounes and Campanelli (n 249) 18-20. 279 Boisson de Chazounes and Campanelli (n 249) 10. 280 Ibid, (n 249) 11. 281 Ibid, 12.

69 technological advances that have taken place in the word and led to unprecedented interdependence of nations, have given new dimensions to good-neighbourliness ...’, and emphasised that all States shall act as good neighbours ‘whether or not they are contiguous’.282

However, the above-mentioned obligations deriving from the principle of good neighbourliness refer to physical damage only, a finding which can be considered as confirmed by Article 1 of the aforementioned ILC Draft Articles on Prevention of Transboundary Harm from Hazardous Activities. As stated above, it could be suggested that the aspect of physical damage is irrelevant in the cyber context (section 3.1.2). Due to the enormous negative effects malicious cyber activities can have on the national security of another State it can be claimed that also harm of non-physical nature, though relevant to national security of another State, is governed by the principle of good neighbourliness.

This finding, comparable to the obligations deriving from the precautionary principle or from a potential ‘due diligence’ principle (section 3.1.4), invokes the obligations of States to take preventive and precautionary measures (i.e., enhancing national cyber security) with regard to respective cyber threats, as well as obligations to inform, notify, and consult in concrete cases of risk of significant transboundary harm.

3.2 International Telecommunications Law and the Regulations of Cyberspace

Cyber-operations that involve international wire or radio frequency communications may be subject to telecommunications law. Modern international telecommunications law is regulated by the International Telecommunications Union, the leading U.N. agency that establishes multinational standards for information and communication technology.283 The Union’s goal, as stated in its founding International Telecommunication Convention and International

Telecommunication Constitution, is “the preservation of peace and the social and economic

282 UNGA Res 46/62 (9 December 1991) preamble, para 3 and operative section, para 2. 283 Charles H. Kennedy & M. Veronica Pastor, An Introduction to International Telecommunications Law 30-33 (1996).

development of all countries ... by means of efficient telecommunications services.”284 The

International Telecommunications Union enacts rules known as Administrative Regulations, which are treaties that bind all member parties; Radio Regulations, which also bind all parties;

as well as non-binding Telecommunications Standards.285 The Union mainly regulates the use of radio and telecommunication technologies in order to distribute them to member States in an efficient and equitable manner-for example, through developing methods of assigning rights to radio spectrums.286

International Telecommunication regulations also apply to cyber-operations that make use of electromagnetic spectrum or international telecommunications networks. For instance, broadcasting stations from one nation may not interfere with broadcasts of other States’

services on their authorized frequencies.287 Member States may cut off any non-state “private telecommunications that may appear dangerous to the security of the State or contrary to its

laws, to public order or to decency”288 or suspend international telecommunication services

“either generally or only for certain relations and/or for certain kinds of correspondence, outgoing, incoming or in transit, provided that it immediately notifies such action to each of

the other Member States through the Secretary-General.”289 Member States also must regulate

against “harmful interference”290 that “endangers the functioning of a radio navigation service or of other safety services or seriously degrades, obstructs or repeatedly interrupts a radio

communication service”291 and pursue all possible measures to ensure the secrecy of

284 Constitution of the International Telecommunications Union, pmbl., Dec. 22, 1992, http:// itu. int/net/ about/ basic-texts/index.aspx; International Telecommunications Convention pmbl., U.N. Doc. 26559, Nov. 6, 1982 [hereinafter ITU Constitution]. 285 KENNEDY& PASTOR, supra note 204, at 33. 286 More information about the agency’s work is available at Committed to Connecting the World, INT’L COMM. UNION, http://www.itu.int/en/pages/default.aspx. (May 15, 2016). 287 ITU Constitution, supra note 205, art. 45. 288 Ibid, art. 34. 289 Ibid, art. 35. 290 Ibid, art. 6. 291 Ibid, annex.

71 international correspondence, unless such secrecy would contravene their domestic laws or international conventions.292

3.3 Space Law and Cyber Activities.

Cyberspace operations could implicate space law given that computer operated satellites are integral to international telecommunications and military operations. Multiple scholars have proposed that treaties on outer space, the moon, and damage caused by space objects, as well as satellite regulations, could be used to regulate cyber operations.293 The 1967 Outer Space

Treaty provides for the free exploration of space but also prohibits the use of space for particular destructive purposes.294 It stipulates that:

States Parties to the Treaty undertake not to place in orbit around the

Earth any objects carrying nuclear weapons or any other kinds of

weapons of mass destruction, install such weapons on celestial bodies,

or station such weapons in outer space in any other manner.

The Outer Space Treaty expressly permits certain military uses of space, such as earth-orbit military reconnaissance satellites, remote-sensing satellites, military global-positioning systems, and space-based aspects of an antiballistic missile system.295Because cyber-attacks will rarely be classified as causing mass destruction, it is unlikely that cyber-attacks could be properly characterized as prohibited by the treaty.296 Satellite regulations offer another potential avenue for cyberspace operations regulation. The Agreement Relating to the 1971

International Telecommunications Satellite Organization (Telecommunications Satellite

292 Ibid, art. 37. 293 Aldrich, supra note 203, at 20-24. 294 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, Jan. 27, 1967, 18 U.S.T. 2410, 610 U.N.T.S. 205. 295 Shackelford, supra note 203, at 219. 296 Celestial bodies refer only to “natural bodies, such as the moon, asteroids, and planets, not to man-made satellites,” the main means in outer space by which cyber-warfare could be conducted. See also Aldrich, supra note 203, at 20.

Organization)297 and the Convention of the 1979 International Maritime Satellite Organization

(Maritime Satellite Organization)298 contain “peaceful purpose” provisions applicable to classes of satellites similar to the Outer Space Treaty. The regulations created by these organizations might appear to be more applicable, given that satellites are likely to have a role in cyber-attacks, for example.

3.4 International Economic Law in the Cyber Arena.

Cyber security activities, both defensive and offensive, may raise issues under international economic law. There are two main questions. Firstly, what types of possible cyber operations might violate particular provisions of international economic law, including trade, investment, and intellectual property law? And secondly, to what extent are the rules of international economic law qualified by national security exceptions that may allow defensive or offensive cyber operations that would otherwise violate the rules? Since most international economic law is in the form of treaty, the first question is largely one of treaty review and analysis. Since most potentially relevant exceptions are explicitly incorporated in treaty, the second question also involves analysis of national security or other potentially applicable exceptions. There is also the possibility that the customary international law necessity exception may be relevant in connection with international economic law obligations, either by way of interpretation or by way of application, or both.

It is useful to begin by describing the types of cyber operations with which this heading is concerned. The focus is on offensive and defensive cyber operations: cyber-attack and cyber defence. ‘By “cyberattack,” we usually mean a software program transmitted over digital networks and installed covertly on a target machine to disrupt data or services or destroy

297 Agreement Relating to the International Telecommunications Satellite Organization, “Intelsat,” Aug. 20, 1971, 23 U.S.T. 3813 [hereinafter Telecommunications Satellite Agreement]. 298 Convention of the International Maritime Satellite Organization London, Sept. 3, 1976, 31 U.S.T. 1, [hereinafter INMARSAT].

73 machinery. The stuxnet virus is a good example of this type of cyber-attack. Cyber-attack is less diverse than cyber defence, and there is only a limited body of international economic law that may be applicable. Most international economic law was established for a purpose quite separate from deterring cyber-attack. In addition to transmission over digital networks, it is possible that cyber-attack can take place through the use of software delivered physically.

Cyber defence includes measures designed to repel cyber-attack, and raises a broader range of international economic law rules; for our purposes, defensive measures in the form of counter- attack using cyber operations can be covered under ‘cyber-attack.’ It is important that cyber- attack can be transmitted across borders either through networks, through equipment, or by human activity accessing networks or equipment in situ.299

Defensive measures raise international economic law issues when they block or restrict these types of transmission. Generally speaking, these measures only raise international legal issues when they are carried out by governments, or when they are carried out by private persons where the government has an international legal duty to prevent the private person from taking the action at issue.300

Below, we discuss the international economic law that is potentially applicable to these offensive and defensive cyber operations.

1. WTO Law

As of March 2013, the World Trade Organization (WTO) had 159 Member States. The WTO treaty contains requirements for States to reduce barriers to access to their markets for goods

(the General Agreement on Tariffs and Trade or GATT) and, to a limited extent, services (the

General Agreement on Trade in Services or GATS). The obligations under GATT with respect to product standards and technical regulations are elaborated further in the Agreement on

299 Peacetime Regime for State Activities in Cyberspace International Law, International Relations and Diplomacy Katharina Ziolkowski (ed.) 373. 300 Ibid.

Technical Barriers to Trade (TBT). The WTO also includes the Agreement on Trade-Related

Aspects of Intellectual Property Rights (TRIPS). Finally, the WTO includes a plurilateral

Agreement on Government Procurement (GPA), amended as of 30 March 2012, to which 14 members, plus the 28 European Union (EU) members, adhere.301

This section will outline the WTO law restrictions contained in the GATT, TBT, GATS, and

GPA. Nothing in the GATT, TBT, GATS, or GPA imposes any prohibitions or requirements that would limit cyber-attack as defined above. They focus more on restraining national protectionism against imports than on the safety or other qualities of exports. So, the synopsis below focuses on defensive cyber operations. In particular, I focus on limitations on imports of goods or services from other WTO members. Treaty-based international economic law, such as the WTO, provides no rights to non-members.

It is not certain whether software would be treated as a good or as a service under WTO law.302

Different States take different positions on this issue, and the treatment depends in part on whether the software is incorporated into a physical medium or piece of equipment.

In the following subsections, I discuss very briefly, WTO law rules that discipline national barriers to trade in goods or services, or that discipline government procurement for countries party to the GPA. Subsequently, I in summary, address the security exceptions and general exceptions contained in each of these agreements, which might apply to relax these disciplines.

A. Trade in Goods

Article 2(4) of the TBT Agreement provides as follows:

301 While the amendment has not entered into force at the time of writing, I focus on the language of the amendment because it is highly likely to be the operative law in the future. The Protocol will enter into force for those Parties to the 1994 GPA that have deposited their respective instruments of acceptance of this Protocol, on the 30th day following such deposit by two thirds of the Parties to the 1994 GPA. The parties to the GPA are Armenia, Canada, the European Union (with respect to its 27 Member States), Hong Kong-China, Iceland, Israel, Japan, Korea, Liechtenstein, the Netherlands (with respect to Aruba), Norway, Singapore, Switzerland, Chinese Taipei, and the United States. 302 For an analysis, Althaf Marsoof, A Case for Sui Generis Treatment of Software Under the WTO Regime, 20 Int’l J. L. & Info. Tech. 291 (2012).

Where technical regulations are required and relevant international standards exist

or their completion is imminent, Members shall use them, or the relevant parts of

them, as a basis for their technical regulations except when such international

standards or relevant parts would be an ineffective or inappropriate means for the

fulfilment of the legitimate objectives pursued, for instance because of fundamental

climatic or geographical factors or fundamental technological problems.

Thus, international standards such as the network security provisions of ISO/IEC 27001,303 to the extent that they constitute a ‘relevant international standard’ in relation to a proposed or existing national measure, are required to be used as a basis for the national measure, except as specified in Article 2(4). This imposes some limitation on the flexibility available to States to impose restrictions on importation of goods for cyber security purposes. However, the limitation would not seem to restrict the ability of a State to set a higher standard in order to achieve its nationally-determined ‘appropriate level of protection.’

B. Trade in Services

In order to maintain cyber security, States may decide to regulate the provision of telecommunications, data processing, or other services. GATS is in part a ‘positive list’ agreement, meaning that some of its most significant disciplines only apply to the extent that a

State has listed on its schedule of commitments the relevant service sector, in the relevant mode of international trade in services, such as ‘cross-border provision’ or ‘commercial presence,’ and has not specified an applicable exception in its schedule of commitments.

The disciplines that are dependent on scheduling are ‘national treatment,’ which is similar to the rule of national treatment non-discrimination in the GATT, and ‘market access,’ which is

303 ISO/IEC 27033 Information technology – Security techniques – Network security (parts 1-3 published, parts 4-6 DRAFT), available at . (May 18, 2016).

76 specifically defined to prohibit several specific types of quantitative or other similar restrictions on trade in services.

The national treatment obligation under Article XVII of GATS requires each member to

‘accord to services and service suppliers of any other Member, in respect of all measures affecting the supply of services, treatment no less favourable than that it accords to its own like services and service suppliers.’ Therefore, it would be required for cyber security regulation to be applied in an even-handed way to foreign services and service suppliers, and in relation to domestic services and service suppliers. If foreign services or service suppliers, as a class, presented enhanced cyber security risks, it is not necessarily a violation of national treatment to treat them differently in a way that is responsive to the enhanced risk.

The market access obligation under Article XVI of GATS, while expressly limiting the ability of States to impose quantitative and certain other narrowly specified types of restrictions, has been interpreted by the WTO Appellate Body to apply to restrictions that might ordinarily be understood as qualitative. In the US-Gambling case, the Appellate Body found that restrictions on cross-border internet gambling services violated this restriction.304 So it is possible that cyber security restrictions applied to services might similarly be found to violate this restriction.

C. Government Procurement

Importantly, as noted above, the GPA is a plurilateral trade agreement, and such agreements do not create either obligations or rights for the members that have not accepted them. The

GPA applies to procurement for governmental purposes of both goods and services, and it is a positive list agreement, meaning that its obligations are dependent on scheduling of the covered products, services, and government entities.

304 WTO, 2005, Appellate Body Report, United States – Measures Affecting the Cross‑Border Supply of Gambling and Betting Services, WT/DS285/AB/R, adopted 20 April 2005.

In addition, a procuring entity is required under Article VIII to limit conditions for participation to those that are essential to ensure that the supplier has the legal and financial capacities and the commercial and technical abilities to undertake the relevant procurement. This obligation may make it difficult to impose cyber security conditions for participation.

States subject to these obligations would want to be sure to include cyber security parameters as part of the technical requirements relating to their procurement. Finally, Article X of the

GPA States that ‘a procuring entity shall not prepare, adopt or apply any technical specification or prescribe a conformity assessment procedure with the purpose or the effect of creating unnecessary obstacles to international trade.’ Under this requirement, technical specifications and conformity assessment intended to achieve cyber security goals must be the least- restrictive alternative to achieve the goal.

D. Security Exceptions

Article XXI of GATT, Article XIV of GATS, and Article III of the GPA provide security exceptions. Interestingly, these exceptions have different scopes of application. To the extent that these exceptions may apply, they would excuse measures that violate the provisions discussed above. Of course, the exceptions only become relevant if there is a violation.

GATT.

Article XXI of GATT provides that nothing in the GATT ‘shall be construed ... to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests ...; (ii) relating to the traffic in arms, ammunition and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment; or (iii) taken in time of war or other emergency in international relations ....’

GATS

Article XIV bis of GATS provides in relevant part that nothing in the GATS ‘shall be construed

... to prevent any Member from taking any action which it considers necessary for the protection of its essential security interests: (i) relating to the supply of services as carried out directly or indirectly for the purpose of provisioning a military establishment; ... or (iii) taken in time of war or other emergency in international relations ....’

GPA

Article III of the GPA provides that ‘nothing in this Agreement shall be construed to prevent any party from taking any action ... that it considers necessary for the protection of its essential security interests relating to the procurement of arms, ammunition or war materials, or to procurement indispensable for national security or for national defence purposes.’

Curiously, while the TBT Agreement contains a provision providing that members shall not be required to furnish any information, the disclosure of which they consider contrary to their national security interests, it does not address the security issues addressed in the language of the other agreements excerpted above.

E. General Exceptions

In a pattern similar to that observed with respect to the security exception, each of the GATT,

GATS, and GPA Agreements contains a general exception that may be applicable to cyber security defence operations. The TBT Agreement contains no explicit general exception.

Article XX of GATT has been the basis for significant litigation in the WTO, and there has also been some litigation over the exceptional provision of GATS, Article XIV. The language of these exceptions is quite similar, and can be expected to be interpreted similarly.

Accordingly, Article XX of GATT provides in relevant part as follows:

Subject to the requirement that such measures are not applied in a manner which

would constitute a means of arbitrary or unjustifiable discrimination between

countries where the same conditions prevail, or a disguised restriction on

international trade, nothing in this Agreement shall be construed to prevent the

adoption or enforcement by any contracting party of measures: ... (b) necessary to

protect human, animal or plant life or health ...

Could restrictions on imports of goods (or services under the similar language of Article XIV of GATS) be necessary to protect human life or health? This provision is definitely not self- judging, but it is easy to see many cyber security defensive measures as ‘necessary to protect human life.’ In clause (a) of the similar provision of GATS, there is a reference to measures

‘necessary to protect public order.’ Many cyber security defensive measures may come under this clause also. The word ‘necessary’ in this context has been interpreted extensively. In some cases, the Appellate Body has explicitly interpreted this provision as requiring a balancing approach. In others, it has appeared to back away from a full balancing approach by permitting the member to choose its ‘level of protection’ and then validating the national measure if this level cannot be reached through a less trade-restrictive means.

In sum, the general exception contained in Article III:2 of the GPA essentially tracks the provisions of Article XX of GATT discussed above. Therefore, for procurement covered by the GPA, States may derogate from their GPA obligations in order to effect measures necessary to protect human life or health, and so forth.

3.5. Maintenance of International Peace and Security

Maintenance of international peace and security is the paramount purpose of the UN, enshrined in Article 1(1) of its Charter.305 According to a systematic interpretation of the Charter, as well as according to the UNGA Friendly Relations Declaration and the Proclamation of the

International Year of Peace306 of 1985, peace is not understood negatively, as an absence of

305 d’Argent and Susani (n 105) p 4. 306 UNGA Res 40/3 (24 October 1985).

(declared) war or of any other international armed conflict, but has become

‘multidimensional’,307 requiring a series of active actions, taken collectively by States and peoples, reaching, inter alia, from the removal of various threats to peace and security to the development of confidence building measures.308 The general principles of international law corollary to this aim are the duty to refrain from threat or use of force in international relations and the closely related duty to peaceful settlement of international disputes, both being the foremost means of prevention of (declared) war or of any other international armed conflict.309

This two principles shall be discussed below in synopsis:

3.5.1. Refrain from Threat or Use of Force in International Relations

The prohibition of threat or use of force in international relations constitutes one of the cornerstones of the international legal order.310 The principle is endorsed in Article 2(4) of the

UN Charter and is (in its core) widely considered as a peremptory norm of international custom.311 According to the systematic, historical and teleological interpretation of the UN

Charter, as well as pursuant to the jurisprudence of the International Court of Justice and scholarly writings, the term ‘force’ is to be understood as ‘armed force’.312 The term ‘use of armed force’, however, is not limited to the employment of military weaponry in the common sense of the term.313 The International Court of Justice attested over 25 years ago in its

Nicaragua314 judgement the possibility of an ‘indirect’ or non-military use of armed force (e.g., by arming and training insurgents) and scholarly writings describe, for example, spreading fire over the border or flooding another State’s territory as violating the prohibition of ‘use of armed force’.

307 d’Argent and Susani (n 105) 25. 308 ibid 7; Rüdiger Wolfrum, ‘Article 1’ in Simma (n 70) MN 9ff. Katharina Ziolkowski, ‘Confidence Building Measures for Cyberspace’, 144. 309 Albrecht Randelzhofer and Oliver Dörr, ‘Article 2(4)’ in Simma (n 70) MN 2. 310 ibid 1; Oliver Dörr, ‘Use of Force, Prohibition of’ in MPEPIL (n 2) 1. 311 Randelzhofer and Dörr (n 260) 64-68; Dörr (n 261) 1, 10, 32; Wolfrum, ‘General International Law’ (n 2) 45. 312 Dörr (n 261) 11; 313 Randelzhofer and Dörr (n 260) 21. 314 Nicaragua (n 29) 228.

In order to specify the meaning of ‘use of armed force’ conducted by means of the internet or other ICT systems, an effects-based approach inherent to public international law is appropriate

(ruling out other possible approaches, e.g., focusing on the target of the malicious activities, the intent of the malevolent actor, or the categorisation of the means used).315 Hereby, a comparison of the effects indirectly caused or intended by malicious cyber activities with the effects usually caused or intended by conventional, biological or chemical weapons (BC weapons) is necessary.316 According to the traditional understanding, ‘use of armed force’ requires the employment of kinetic weaponry, i.e., of a tool designed to cause kinetic effects of a physical nature on a body or on an object. The transfer of data and its delay or interruption, as well as the manipulation, suppression or deletion of data cannot be deemed to cause

(directly) kinetic effects in the common meaning of the term. In contrast, some similarities between malicious cyber activities and BC weapons can be conceived. The use of BC weapons does not cause destruction in the conventional sense, as these weapons do not release kinetic energy.317 The employment of BC weapons is considered as a form of ‘use of armed force’ because they can cause death or injury to living things.318 Thus, in the case of BC weapons, the term ‘weapon’ is defined with reference to their effects rather than their method, which perfectly corresponds with the effects-based approach inherent to public international law.

Consequently, the majority of scholars rightly insist on an effects-based interpretation of the term of ‘use of armed force’ in the cyber context.319

Therefore, it can be assumed that malicious cyber activities can be considered ‘use of armed force’ in the meaning of Article 2(4) of the UN Charter if they – indirectly – result in:320

315 Randelzhofer and Dörr (n 260) 22. 316 Randelzhofer and Nolte (n 177) 43. 317 Jason Barkham, ‘Information Warfare and International Law on the Use of Force’ (2001) 34 New York University Journal of International Law and Politics 57, 72. 318 Katharina Ziolkowski, ‘Computer Network Operations and the Law of Armed Conflict, 86. 319 Michael N Schmitt, ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework’ (1999) 37 Columbia Journal of Transnational Law (3) 885, 913 and 919. 320 Conflict’ (2010) 49 Military Law and the Law of War Review 47, 69-75.

• Death or physical injury to living beings and/or the destruction of property,321

• Massive, medium to long-term disruption of critical infrastructure systems of a State (if in its effect equal to the physical destruction of the respective systems).322

State practice and opinio iuris, apart from a political declaration of the U.S323 to respond to

‘hostile acts in cyberspace’ with self-defence measures, is hitherto not detectable. Although

States in general prefer to maintain a strategic ambiguity with regard to questions related to use of force, thus leaving the debate to academia, it would certainly support predictability and thus stability in international relations, if they shared their views on this aspect.

3.5.2. Peaceful Settlement of Disputes

The legal obligation to peaceful settlement of international disputes is endorsed in Article 2(3) of the UN Charter, specified by the UNGA in its Friendly Relations Declaration as well as in the Manila Declaration on the Peaceful Settlement of International Disputes324 of 1982, and recognised by the International Court of Justice as a ‘principle of customary international law.’325

The principle limits the notion of sovereignty and correlates to the principle of the prohibition of threat or use of force in international relations, recognising that unsettled disputes can lead to eruptive disturbances within the international community.326 The pacific means of dispute resolution consist of diplomatic-political measures (e.g. negotiation, inquiry, mediation, conciliation) and legal measures (arbitration and litigation)327 With regard to the means of peaceful settlement of international disputes, States have a wide-ranging discretion, although the UN Charter contains some proposals in its Chapter VI concerning disputes endangering

321 Randelzhofer and Nolte (n 177) 43. 322 Ibid. 323 The President of the United States of America (n 205) 12ff. and 14. 324 UNGA Res 37/10 (15 November 1982). 325 Nicaragua (n 29) 290. 326 Tomuschat (n 286) 2. 327 Anne Peters, ‘International Dispute Settlement: A Network of Cooperational Duties’ (2003) 14 European Journal of International Law (1) 1, 4.

83 international peace and security (including investigative powers of the UNSC and the possibility to bring a dispute to the attention of the UNGA or the UNSC).328

A violation of the principle can only be affirmed if a party to an international dispute constantly refuses to even attempt to reach a settlement.329

Thus, in cases of a concrete international dispute with regard to the cyber realm, on whichever aspect and of whatever intensity or possible consequences, the respective States have a legal obligation to attempt to seek a peaceful solution, but nothing more. In this sense, the obligation of peaceful settlement of disputes is a variation of the duty to cooperation.

3.6. Cooperation and Solidarity

The duty of States of cooperation has a normative character whenever it is endorsed in international treaties establishing and governing international organisations.330 The existence of a general duty to cooperate and its legal character is disputed among scholars.331 However, there are convincing indications for the normative character of a general duty to cooperate, when considering the interdependence of States in times of globalisation, the enormous number of intergovernmental organisations (approximately 7,000), the myriad of international treaty obligations governing almost all aspects of international relations (over 50,000 treaties are registered at the UN), and the endorsement of the duty of cooperation in the almost universal

UN Charter. This finding is supported by the emergence of an intensified form of cooperation through ‘trans-governmental networks’, i.e., direct interaction of specialised domestic officials

328 Tomuschat ibid. 329 Ibid 25. 330 Rüdiger Wolfrum, ‘Co-operation, International Law of’ in MPEPIL (n 2) MN (n 1) 5. 331 Jost Delbrück, ‘The International Obligation to Cooperate – An Empty Shell or a Hard Law Principle of International Law? – A Critical Look at a Much Debated Paradigm of Modern International Law’ in Holger P Hestermeyer et al (eds), Coexistence, Cooperation and Solidarity. Liber Amicorum Rüdiger Wolfrum (vol 1, Brill 2011) 3, 3-16.

84 in informal or formal modes, which is conditioned by the ‘information age’ and augmenting the traditional inter-State cooperation.332

The UN Charter sets as one of the purposes of the organisation (and indirectly as an obligation of its Member States) ‘to take effective collective measures’ to maintain international peace and security (Article 1(1)) and ‘to achieve international cooperation in solving international problems of an economic, social, cultural, or humanitarian character ...’(Article 1(3)). The

Friendly Relations Declaration emphasises the development of cooperation among States as

‘of the greatest importance for the maintenance of international peace and security’ (preamble, para. 5). Principle 4 of the declaration (The duty of States to co-operate with one another in accordance with the Charter) States:

... States shall co-operate with other States in the maintenance of international

peace and security .... States shall conduct their international relations in the

economic, social, cultural, technical and trade fields .... States should

cooperate ... in the field of science and technology ....

Thus, given the universality of the UN and the importance of the Declaration, nearly all States have a conventional obligation to cooperate, also in the realm of cyberspace, as far as it supports the maintenance of international peace and security.

The term ‘cooperation’ is not defined by an international treaty or in another multilateral document. However, based on an analysis of the Friendly Relations Declaration, cooperation can be perceived as the voluntary and proactive joint action of two or more States which serves a specific objective.333 Consequently, the duty to cooperate can be described as ‘the obligation to enter into such co-ordinated action as to achieve a specific goal’,334 which can be effectively

332 Kal Raustiala, ‘The Architecture of International Cooperation: Trans-governmental Networks and the Future of International Law’ (2002) 43 Virginia Journal of International Law (1) 1, 3ff and 10ff; in Peacetime Regime, Katharina Ziolkowski, 176.

333 Peters (n 290) 2. 334 Ibid.

85 undertaken by the States working together or when the interests of the international community require a joint action.335

Although the notion of ‘cooperation’ remains vague, the concept of solidarity indicates that cooperation in the cyber realm should show a heightened intensity. The concept of solidarity, to which some scholars336 attribute emerging normativity (because of references in UNGA resolutions and endorsement as a legal obligation in several international treaties),337 supports the interpretation of international law. Solidarity can be understood as an intensified form of cooperation for fostering common interests and shared values.338 The recognition of the concept of solidarity for the arena of the internet and cyberspace is justified on the grounds that the internet presents another global resource and cyberspace another common space, which certainly is in the common interest of the international community. Additionally, it seems reasonable that an intensified interdependence in the field of global communications (leading to an international community united in solidarity)339 would result in the need for an intensified cooperation.

Due to the global nature of the internet and cyberspace, the integrity of these ‘ecosystems’ and the reduction of cyber threats as relevant to national and international security can be deemed as of common interest of the international community and can only be effectively conducted by the joint efforts of all States. Therefore, States have a legal obligation to cooperate in this regard. Additionally, based on the notion of the internet as global resource and of cyberspace

335 Ibid. 336 304 Holger P Hestermeyer, ‘Reality or Aspiration? – Solidarity in International Environmental and World Trade Law’ in idem (n 298) 45, 48ff; Abdul G Koroma, ‘Solidarity: Evidence of an Emerging International Legal Principle’ in Hestermeyer (n 298) 103, 103-130; R St John McDonald, ‘Solidarity in the Practice and Discourse of Public International Law’ in (1996) 8 Pace International Law Review 259, 301. 337 eg Article 3(b) of the United Nations Convention to Combat Desertification in Those Countries Experiencing Serious Drought and/or Desertification, Particularly in Africa of 17 June 1994, Article 3(a) of The Constitutive Act of the African Union of 11 July 2000 (before: Article II(1)(a) of the OAU Charter of 25 May 1963); UN Millennium Declaration (n 73) 6; for further references see Hestermeyer (n 304) 50. 338 Wolfrum (n 295) 3. 339 Ahmed Mahiou, ‘Interdependence’ in MPEPIL (n 2) MN 17.

86 as common space, the cooperation should show a ‘heightened’ intensity. However, States have a wide discretion as to how to fulfil the legal obligation to cooperate in the cyber realm.

Conclusion

Sovereignty, although strongly affected by interdependence, globalisation, and the emergence of international organisations, among others (which is especially true for cyberspace, introducing vertical and diagonal relations between all stakeholders), is the core of the notion of statehood and an axiomatic principle upon which international law is based. The afore- discussed obligations and rights of States can be deemed as deriving from the equal sovereignty of States, and from principles respectively de-conflicting the competing sovereign rights within the international community. From the above disquisition, we have shown that based on legal logic, no State can claim sovereignty over the global resource that is; the internet or the common space of cyberspace. A State may regulate, within the boundaries of its own territory, internet activities (also with regard to contents) of its own or foreign nationals, if these are conducted on its territory or show effects on its own territory. Also, based on the principle of territorial sovereignty, there is a duty not to harm other States’ rights, by the principle of good neighbourliness and by the sic utere tuo principle, a State is forbidden to cause physical effects to technical components of the internet located on the territory of another State or to cause other effects relevant to the national security of the affected State. These and many more were discussed in emphasising the rights and obligations of States in cyberspace. More so, specific fields of international law were highlighted to show the applicability of international law in regulating the activities of cyberspace operators.

Finally, due to their nature as the foundation of the international law system, it is widely recognised within scholarly writings that such general principles of international law pertaining to international peace and security, as presented above, are essential for the ‘co-existence and

87 vital co-operation of the members of the international community’, and thus exist irrespective of the States’ (other) practice, opinio iuris, consent or any other expression of will.

CHAPTER FOUR

PROVING STATE RESPONSIBILITY FOR CYBERSPACE OPERATIONS 4.0 Introduction: State responsibility for cyber operations Evidentiary problems in inter-state litigation, particularly in relation to the attribution of certain unlawful conduct, are not peculiar to cyber operations.340 Well before the cyber age, the

International Court of Justice (ICJ) in the Nicaragua v. United States judgment conceded that

“the problem is . . . not . . . the legal process of imputing the act to a particular State . . . but the prior process of tracing material proof of the identity of the perpetrator.”341 As the United States declared in the views on information security that it submitted to the U.N. Secretary-General,

“the ambiguities of cyberspace simply reflect the challenges . . . that already exists in many contexts.”342 It is undeniable, however, that these challenges are particularly evident in the cyber context, where identifying who is behind a cyber operation presents significant technical problems.343 One needs only look at the three most famous cases of cyber-attacks against States allegedly launched by other States to realize how thorny the problem of evidence in relation to cyber operations is.344 It has been claimed, in particular, that the Russian Federation was behind both the 2007 Distributed Denial of Service (DDoS) attacks against Estonia and the 2008 cyber-attacks against Georgia.345 These allegations were based on the following facts. In the

Estonian case, the hackers claimed to be Russian, the tools to hack and deface were contained

340Tallin Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013) [hereinafter TALLINN MANUAL], in Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations, Marco Roscini, p. 234. 341 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U. S.), Judgment, 1986 I.C.J. 14, para. 57 (June 27). 342 U.N. Secretary-General, Developments in the Field of Information and Telecommunications in the Context of International Security: Rep. of the Secretary-General, 18, U.N. Doc. A/66/152 (July 15, 2011) [hereinafter Developments in the Field of Information and Telecommunications]. 343 Fireeye, Digital Bread Crumbs: Seven Clues to Identifying Who’s Behind Advanced Cyber-Attacks 4 (2014), available at < https://www.fireeye.com/resources/pdfs/digital-breadcrumbs. pdf> (describing the technical difficulty in pinning down the source of a cyber-attack given that “cyber criminals are experts at misdirection” even in the non-State actor context). (May 19, 2016). 344 The three most famous cases of cyber-attacks are the Distributed Denial of Services (DDoS) attacks against Estonia in 2007, the cyber-attacks against Georgia in 2008, and the Stuxnet attacks against Iran discovered in 2012. 345 Ian Traynor, Russia Accused of Unleashing Cyberwar to Disable Estonia, THE GUARDIAN, May 16, 2007, . (May 19, 2016).

89 in Russian websites and chatrooms, and the attacks peaked on May 9 (the day Russia celebrates victory in Europe Day in the Second World War).346 Furthermore, although the botnets included computers based in several countries, it seems that at least certain attacks originated from Russian IP addresses, including those of State institutions.347 According to the Estonian

Defense Minister, the attacks were “unusually well coordinated and required resources unavailable to common people.”348 The DDoS attacks also took place against the backdrop of the removal of a Russian war memorial from Tallinn’s city center.349 Finally, Russia did not cooperate with Estonia in tracking down those responsible, and the Russian Supreme

Procurature rejected a request for bilateral investigation under the Mutual Legal Assistance

Treaty between the two countries.350 The cyber-attacks against Georgia started immediately before and continued throughout the armed conflict between the Caucasian State and the

Russian Federation in August 2008.351 It seems that the Russian hacker community was involved in the cyber-attacks and that coordination “took place mainly in the Russian language” and in Russian or Russian-related fora.352 As in the Estonian case, some commentators claimed that the level of coordination and preparation suggested governmental support for the cyber- attacks.353 Finally, IP addresses belonging to Russian state-operated companies were used to launch the DDoS attacks. Russia again denied any responsibility.354

346 COMM. ON OFFENSIVE INFO. WARFARE, NAT’L RESEARCH COUNCIL, TECHNOLOGY, POLICY, LAW, AND ETHICS REGARDING U.S. ACQUISITION AND USE OF CYBERATTACK CAPABILITIES 173 box 3.4 (William A. Owens, Kenneth W. Dam & Herbert S. Lin eds., 2009), in Marco Roscini, 235. 347 Ibid. 348 Ibid, (quoting Jaak Aaviksoo, Minister of Defense of Estonia, Strategic Impact of Cyber-attacks, Address before the Royal College of Defence Studies, available at www.irl.ee/en/articles/strategic-impactof-cyber-attacks. 349 U.S. Acquisition and Use of Cyberattack Capabilities. P.11. 350 Scott J. Shackelford, From Nuclear War to Net War: Analogizing Cyber-attacks in International Law, 27 BERKELEY J. INT’L L. 192, 208 (2009), in in Marco Roscini,235. 351 John Markoff, Before the Gunfire, Cyberattacks, N.Y. TIMES, Aug. 13, 2008, http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0 (May 19, 2016). 352 Eneken Tikk Et Al., Coop. Cyber Def. Ctr. Of Excellence, International Cyber Incidents: Legal Considerations 75 (2010), available at http://www.ccdcoe.org/publications/books/ legalconsiderations.pdf 353 Ibid. 354 Ibid.

The third case of alleged inter-state cyber operation, and possibly the most famous of the three, is that of Stuxnet. In 2012, an article published in The New York Times revealed that the United

States, with Israel’s support, had been engaging in a cyber campaign against Iran, code named

“Olympic Games,” to disrupt the Islamic Republic’s nuclear program.355 Stuxnet, in particular, was allegedly designed to affect the gas centrifuges at the Natanz uranium enrichment facility.356 The Stuxnet incident was the first known use of malicious software designed to produce material damage by attacking the Supervisory Control and Data Acquisition (SCADA) system of a critical national infrastructure.357 Unlike other malware, the worm did not limit itself to self-replication, but also contained a weaponized payload designed to give instructions to other programs.358 The allegations against the United States and Israel were based on journalistic “interviews . . . with current and former American, European and Israeli officials” and other experts, whose names are not known.359 In a recent interview, the former U.S.

National Security Agency (NSA) contractor Edward Snowden also claimed that the NSA and

Israel were behind Stuxnet.360 Symantec’s researchers suggested that Stuxnet’s code included references to the 1979 date of execution of a prominent Jewish Iranian businessman.361 Other circumstantial evidence includes the fact that the worm primarily hit Iran and was specifically targeted at the Natanz nuclear facility, as the worm would activate itself only when it found the

355 David E. Sanger, Obama Order Sped Up Wave of Cyberattacks Against Iran, N.Y. TIMES, June 1, 2012, . (May 19, 2016). 356 William J. Broad, John Markoff, & David E. Sanger, Israeli Test on Worm Called Crucial in Iran Nuclear Delay, N.Y. TIMES, Jan. 15, 2011, . (May 19, 2016). 357 Dominic Storey, Stuxnet–The First Worm of Many for SCADA?, IT RESELLER (Dec. 2, 2010), ; (May 19, 2016). 358 Jeremy Richmond, Note, Evolving Battlefields: Does Stuxnet Demonstrate a Need for Modifications to the Law of Armed Conflict? 35 FORDHAM INT’L L.J. 842, 849–50 (2012). 359 Sanger, supra. 360 Edward Snowden Interview: The NSA and Its Willing Helpers, SPIEGEL ONLINE (July 8, 2013), . (May 19,2016). 361 Nicolas Falliere, Liam O. Murchu & Eric Chien, Symantec, W32.Stuxnet Dossier, Version 1.4, at 18 (2011), available at http://www.symantec.com/content/en/us/enterprise/media/security_response/ whitepapers/w32_stuxnet_dossier.pdf.

Siemens software used in that facility,362 and the implication that the attack required resources normally unavailable to individual hackers, which is supported by evidence of the high sophistication of the attack, the use of several zero-day hacks, and the insider knowledge of the attacked system.363 Israeli and U.S. officials have neither denied nor confirmed involvement in the operation: In response to a question about the attack on Iran, President Obama’s chief strategist for combating weapons of mass destruction, Gary Samore, sardonically pointed out,

“I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”364

Apart from the above well-known cyber-attacks, allegations of state involvement have also been made in relation to other cyber operations, including cyber exploitation activities. The

U.S. Department of Defense’s 2013 Report to Congress, for instance, claims that some of the

2012 cyber intrusions into U.S. government computers “appear to be attributable directly to the Chinese government and military,” although it is not entirely clear on what grounds.365

In spite of the obvious crucial importance of evidentiary issues, works on interstate cyber operations, both above and below the level of use of force, have so far focused on whether such operations are consistent with primary norms of international law and on the remedies available to the victim State under the jus ad bellum and the law of state responsibility. Thus, studies of these operations have almost entirely neglected a discussion of the evidence the victim State needs to produce to demonstrate, either before a judicial body or elsewhere, that an unlawful cyber operation has been conducted against it and that the attack is attributable to another

State.366 The first edition of the Tallinn Manual on the International Law Applicable to Cyber

362 Barzashka, supra. 363 Rid, supra. 364 Broad, Markoff & Sanger, supra. 365 U.S. Dep’t Of Def., Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China 2013, at 36 (2013), available at http://www.defense.gov/pubs/ 2013_china_report_final.pdf. 366 generally Robin Geiß & Henning Lahmann, Freedom and Security in Cyberspace: Shifting the Focus away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat- Prevention, in Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy 621 (Katharina Ziolkowski Ed., 2013) [hereinafter Peacetime Regime for State Activities in Cyberspace].

Warfare also does not discuss in depth evidentiary issues in the cyber context: The only references to evidence are contained in Rules 7 and 8.367 The present chapter aims to fill this gap. It will start with a brief account of the international law of evidence and will then discuss who has the burden of proof in relation to claims seeking remedies (including reparation) for damage caused by cyber operations. It will then analyze the standard of proof required in the cyber context. Finally, the possible methods of proof will be examined, distinguishing between those that are admissible and those that are inadmissible. The present chapter only deals with international disputes between States and will not discuss evidentiary issues in relation to cyber crime before domestic courts. It also does not look at evidence before international criminal tribunals, as the focus is on state responsibility for cyber operations and not on the criminal responsibility of individuals.368

4.1 The International Law of Evidence

“Evidence” is “information . . . with the view of establishing or disproving alleged facts.”369 It is different from proof in that “‘proof” is the result or effect of evidence, while ‘evidence’ is the medium or means by which a fact is proved or disproved.”370 Evidence is normally required to provide proof of both the objective (be it an act or omission) and subjective elements of an internationally wrongful act, i.e., its attribution to a State.371 In the Nicaragua case, the ICJ clearly explained the distinction between the objective and subjective elements from an evidentiary perspective:

One of the Court’s chief difficulties in the present case has been the determination of the facts relevant to the dispute. . . . Sometimes there is no question, in the sense that it does not appear to be disputed, that an act was done, but there are conflicting reports, or a lack of evidence, as to who did it

367 TALLINN MANUAL r. 7–8. 368 The statutes and rules of international criminal tribunals provide for specific evidentiary rules. Rüdiger Wolfrum, International Courts and Tribunals, Evidence, in 5 THE MAX PLANCK ENCYCLOPEDIA OF PUBLIC INTERNATIONAL LAW 552, 567–69 (Rüdiger Wolfrum ed., 2012), in Marco Roscini, 238. 369 Ibid. 370 31A C.J.S. Evidence 8 (1964), in Marco Roscini, 239. 371 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U. S.), Judgment, 1986 I.C.J. 14, para. 57 (June 27) (noting the difficulty of imputing acts to particular States).

. . . The occurrence of the act itself may however have been shrouded in secrecy. In the latter case, the Court has had to endeavour first to establish what actually happened, before entering on the next stage of considering whether the act (if proven) was imputable to the State to which it has been attributed.372

The Court’s observations were made against the backdrop of the secrecy that surrounded the U.S. and Nicaraguan covert operations in Central America,373 which is also a quintessential characteristic of cyber operations.374 In this context too, then, it is likely that evidence will be required both to establish the material elements of the wrongful act and to establish its attribution.375 It is still unclear, for instance, not only who is responsible for Stuxnet, but also whether the worm caused any damage and, if so, to what extent.376 This last question is essential in order to establish whether the cyber operation amounted to a use of force and, more importantly, whether it was an armed attack entitling the victim State to self-defense.377 As to establishing the subjective element of the internationally wrongful act, what is peculiar to cyber operations is that in fact three levels of evidence are needed to attribute a cyber operation to a State: First, the computer(s) or server(s) from which the operations originate must be located; second, the individual behind the operation needs to be identified; and third, it needs to be proved that the individual acted on behalf of a

State so that his or her conduct is attributable to it.378

This leads us to an important specification: The standard of proof must be distinguished from the rules of attribution. The former is “the quantum of evidence necessary to substantiate the

372 Nicar. v. U.S., Judgment, 1986 I.C.J. para. 57. 373 Ibid. 374 Marco Roscini, 38. 375 Ibid, at 239. 376 Barzashka, supra, at 48 (noting that no one has admitted to the Stuxnet attack and that the “evidence of the worm’s impact . . . is circumstantial and inconclusive”). 377 Marco Roscini, at 45–63, 70–77 (describing the meaning of “use of force” and when and how a State can use self-defense). 378 See generally Marco Roscini,. at 98–103.

94 factual claims made by the parties.”379 The latter, on the other hand, determine the level of connection that must exist between an individual or group of individuals and a State for the conduct of the individuals to be attributed to the State at the international level.380 The rules of attribution for the purposes of state responsibility have been codified in Part One of the Articles on the Responsibility of States for Internationally Wrongful Acts adopted by the

International Law Commission (ILC), as well as having been articulated in the case law of the

International Court of Justice.381 Evidence according to the applicable standard must be provided to demonstrate that the attribution test has been satisfied: In Nicaragua, for instance, the ICJ had to assess whether there was sufficient evidence that the United States had exercised

“effective control” over the contras so that it could be held responsible for their violations of international humanitarian law.382

The standard of proof should also be distinguished from the burden of proof. The latter does not determine how much evidence, and of what type, is necessary to prove the alleged facts, but merely identifies the litigant that must provide that evidence.383 In other words, the burden of proof is “the obligation on a party to show that they have sufficient evidence on an issue to raise it in a case.”384 The burden of proof includes not only the “burden of persuasion,”385 but also the “burden of production,” which is the burden to produce the relevant evidence before a court.386

379 James A. Green, Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice, 58 INT’L & COMP. L.Q. 163, 165 (2009). 380 Marco Roscini, at 34–40. 381 Draft Articles on Responsibilities of States for Internationally Wrongful Acts, with Commentaries, Rep. of the Int’l Law Comm’n, 53d Sess., Apr. 23–June 1, July 2–Aug. 10, 2001, pt. 1, U.N. Doc. A/56/10 (2001). For case law development, see, e.g., Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosn. & Herz. v. Serb. & Montenegro), Judgment, 2007 I.C.J. 43, paras. 392–93 (Feb. 26); Military and Paramilitary Activities in and Against Nicaragua (Nicar. V. U.S.), Judgment, 1986 I.C.J. 14, paras. 110, 393 (June 27), in Marco Roscini, 240. 382 Nicar. v. U.S., Judgment, 1986 I.C.J. para. 115. 383 Anna Riddell & Brendan Plant, Evidence before the International Court of Justice 81 (2009). 384 Ibid. 385 Ibid. 386 Markus Benzing, Evidentiary Issues, in THE STATUTE OF THE INTERNATIONAL COURT OF JUSTICE: A COMMENTARY 1234, 1245 (Andreas Zimmermann et al., eds., 2012) [hereinafter THE STATUTE OF THE INTERNATIONAL COURT OF JUSTICE: A COMMENTARY].

The political or judicial relevance of evidence may relate to the different phases of the same international dispute. For instance, the State invoking the right of self-defense against an armed attack by another State will normally try to justify the exercise of this right first before the international community and public opinion by providing evidence of the occurrence (or imminent occurrence) of the armed attack and of its attribution to the target State.387 If, as in the Nicaragua case, a State subsequently brings the case before an international court which has jurisdiction over the case, the evidence will have to be assessed by that court in order to establish international responsibility and its consequences, and in particular whether the requirements for the exercise of self-defence were met.388

Investigations of cyber attacks among States are complicated by the absence of a uniform body of rules on the production of evidence in international law.389 There is no treaty provision that regulates evidentiary issues in non-judicial contexts, and it is doubtful that international law has developed customary rules in that sense.390 As to the production of evidence in inter-state litigation, non-criminal international courts normally determine their own standards in each case, which may considerably differ according to the nature of the court or the case under examination.391 As it is not possible to identify uniform evidentiary rules applicable in all cases and before all international courts, this article will focus on proceedings before the ICJ. This is because the ICJ is the main U.N. judicial organ that deals, if the involved States have consented to its jurisdiction, with claims of state responsibility arising from the violation of any primary

387 Mary Ellen O’Connell, Lawful Self-Defense to Terrorism, 63 U. PITT. L. REV. 889, 895 (2002) [hereinafter O’Connell, Lawful Self-Defense] 388 See, e.g., Ruth Teitelbaum, Recent Fact-Finding Developments at the International Court of Justice, 6 L. & PRAC. INT’L CTS. & TRIBUNALS 119, 151 (2007), in Marco Roscini, 242. 389 Mary Ellen O’Connell, Evidence of Terror, 7 J. CONFLICT & SECURITY L. 19, 21 (2002) [hereinafter O’Connell, Evidence of Terror]. 390 Ibid. 391 Daniel Joyce, Fact-Finding and Evidence at the International Court of Justice: Systemic Crisis, Change or More of the Same? 18 FINNISH Y.B. INT’L L. 283, 286 (2007).

96 norm of international law.392 The overall purpose is to establish whether rules on evidence may be identified that would apply to claims in inter-state judicial proceedings seeking remedies for damage caused by cyber operations. It should be noted, however, that the conclusions reached with regard to the ICJ only apply to it and could not automatically be extended to other international courts.

Rules on the production of evidence before the ICJ are contained in the ICJ Statute, the Rules of Court (adopted in 1978), and Practice Directions for use by States appearing before the Court

(first adopted in 2001 and subsequently amended).393 In the following sections, the relevant rules on evidentiary issues contained in those documents, as well as those elaborated by the

Court in its jurisprudence, will be applied to allegations related to cyber operations.

4.2 Burden of Proof and Cyber Operations

The burden of proof identifies the litigant that has the onus of meeting the standard of proof by providing the necessary evidence.394 Once the burden has been discharged according to the appropriate standard, the burden shifts to the other litigant, who has to prove the contrary.395

Normally, the party that relies upon a certain fact is required to prove it (the principle onus probandi incumbit actori, derived from Roman law).396 This general principle of law, invoked consistently by the ICJ and other international courts and tribunals,397 “applies to the assertions of fact both by the Applicant and the Respondent.”398 The party bearing the burden of proof,

392 See, e.g., H. Vern Clemons, Comment, The Ethos of the International Court of Justice is Dependent Upon the Statutory Authority Attributed to its Rhetoric: A Metadiscourse, 20 FORDHAM INT’L L.J. 1479, 1486, 1490–91 (1997) (detailing modes of jurisdiction by the ICJ over States), in Marco Roscini, 242. 393 Rules of Court, arts. 38–89, 1978 I.C.J. Acts & Docs. 6; Statute of the International Court of Justice arts. 39– 64, June 26, 1945, 33 U.N.T.S. 933; I.C.J. Practice Directions of the International Court of Justice, Practice Direction IX, 2007 Acts & Docs. 163. 394 Green, supra, in Marco Roscini, at 165. 395 Roger B. Dworkin, Easy Cases, Bad Law, and Burdens of Proof, 25 VAND. L. REV. 1151, 1159 (1972) (“No one seems to have trouble understanding that the burden of producing evidence on one issue may shift from party to party as the case progresses.”). 396 Pulp Mills on the River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J. 14, para. 162 (Apr. 20) 397 Teitelbaum, supra. 398 Arg. v. Uru., 2010 I.C.J. para. 162.

97 therefore, is not necessarily the applicant (i.e., the State that has brought the application before the tribunal) but is rather the party “who . . . raised an issue,”399 regardless of its procedural position.400 For instance, the party (applicant or respondent) that relies on an exception, including self-defense, has the burden of proving the facts that are the basis for the exception.401

It should also be recalled that the distinction between applicant and respondent may not always be clear in inter-state litigation, especially when the case is brought before an international court by special agreement between the parties.402

The onus probandi incumbit actori principle is subject to three main limitations. First, facts that are not disputed or that are agreed upon by the parties do not need to be proven.403 Second, the Court has relieved a party from the burden of providing evidence of facts that are

“notorious” or “of public knowledge.”404 In Nicaragua, for instance, the Court found that

“since there was no secrecy about the holding of the manoeuvres, the Court considers that it may treat the matter as one of public knowledge, and as such, sufficiently established.”405 As has been noted, “the notion of common or public knowledge has, over the years, expanded, given the wide availability of information on current events in the press and on the internet.”406

Companies like McAfee, Symantec, Mandiant, and Project Grey Goose, as well as think tanks like NATO’s Cooperative Cyber Defence Centre of Excellence (CCD COE), have also

399 RIDDELL & PLANT, supra. 400 According to Shabtai Rosenne, “the tendency of the Court is to separate the different issues arising in a case, treating each one separately, applying the rule actori incumbit probatio, requiring the party that advances a particular contention to establish it in fact and in law. The result is that each State putting forward a claim is under the general duty to establish its case, without there being any implication that such State is ‘plaintiff’ or ‘applicant’ in the sense in which internal litigation uses those terms.” SHABTAI ROSENNE, THE LAW AND PRACTICE OF THE INTERNATIONAL COURT, 1920–2005, at 1200–01 (4th ed. 2006), in Marco Roscini, 243. 401 Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 161, para. 57 (Nov. 6) 402 Andrés Aguilar Mawdsley, Evidence Before the International Court of Justice, in ESSAYS IN HONOUR OF WANG TIEYA 533, 538 (Ronald St. John Macdonald ed., 1994). 403 Wolfrum, supra. 404 See, e.g., Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para. 92 (June 27) (accepting a newspaper report as evidence of notoriety). Judicial notice has been frequently invoked by international criminal tribunals. Teitelbaum, supra note 65, at 144–45. 405 Nicar. v. U.S., Judgment, 1986 I.C.J. para. 92.

406 RIDDELL & PLANT, supra note 53, at 142–43.

98 published reports on cyber incidents.407 These reports essentially contain technical analysis of cyber incidents and, with the possible exception of those of the CCD COE, do not normally investigate attribution for legal purposes of those incidents in any depth (if at all).408 The fact that cyber incidents have received extensive press coverage, as in the case of Stuxnet, may also contribute to the public knowledge character of certain facts. In Nicaragua, however, the ICJ warned that “widespread reports of a fact may prove on closer examination to derive from a single source, and such reports, however numerous, will in such case have no greater value as evidence than the original source.”409 The ICJ has also held that the “massive body of information” available to the Court, including newspapers, radio and television reports, may be useful only when it is “wholly consistent and concordant as to the main facts and circumstances of the case.”410

Third, the onus probandi incumbit actori principle only applies to facts, as opposed to the law, which does not need to be proven (jura novit curia).411 It should be noted, however, that, in inter-state litigation, municipal law is a fact that must be proven by the parties invoking it.412

Furthermore, the ICJ has often distinguished between treaty law and customary international law, holding that the existence and scope of customary rules—especially those of a regional character—must be proven by the parties because one of their two elements, state practice, is factual.413 A party invoking national legislation or the existence of a general or cyber-specific custom in its favour, therefore, will bear the burden of producing relevant evidence before the

Court. Certain authors have suggested that shifting the burden of proof “from the investigator

407 TIKK ET AL., supra note 14; MANDIANT, 2014 THREAT REPORT [hereinafter MANDIANT, THREAT REPORT], available at http://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf. 408 See generally TIKK ET AL., supra note 14; MANDIANT, THREAT REPORT, supra note 84. 409 Nicar. v. U.S., Judgment, 1986 I.C.J. para. 63. 410 United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 3, para. 13 (May 24). 411 Wolfrum, supra. 412 Ibid at 557. 413 Asylum Case (Colom. v. Perú), Judgment, 1950 I.C.J. 266, 276–77 (Nov. 20); Rights of Nationals of the United States of America in Morocco (Fr. v. U.S.), Judgment 1952 I.C.J. 176, 200 (Aug. 27).

99 and accuser to the nation in which the attack software was launched” could solve the problems of identification and attribution in the cyber context.414 In such an approach, international law would require the State where the attack originated to prove that it neither carried out the operation nor negligently allowed others to misuse its infrastructure, as opposed to requiring the accuser to prove the contrary. Similarly, it has been argued that “the fact that a harmful cyber incident is conducted via the information infrastructure subject to a nation’s control is prima facie evidence that the nation knows of the use and is responsible for the cyber incident.”415 This, however, is not correct. First, mere knowledge does not automatically entail direct attribution, but rather merely a potential violation of the due diligence duty not to allow hostile acts from one’s territory.416 What is more, the views arguing for a reversal of the burden of proof are at odds with the jurisprudence constante of the ICJ.417 In the Corfu Channel case, the Court famously found that the exclusive control exercised by a State over its territory

“neither involves prima facie responsibility nor shifts the burden of proof” in relation to unlawful acts perpetrated therein.418 The Court, however, conceded that difficulties in discharging the burden of proof in such cases may allow “a more liberal recourse to inferences of fact and circumstantial evidence.”419 This point will be further explored below in Section

4.6.420 In Armed Activities (Dem. Rep. Congo v. Uganda), the ICJ also did not shift the burden of proving that Zaire had been in a position to stop the armed groups’ actions originating from its border regions, as claimed by Uganda in its counter-claim, from Uganda to the Democratic

Republic of the Congo (DRC), and therefore found that it could not “conclude that the absence

414 Richard A. Clarke & Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do about it 249 (2010), in Marco Roscini, 245. 415 Daniel J. Ryan, Maeve Dion, Eneken Tikk & Julie J. C. H. Ryan, International Cyberlaw: A Normative Approach, 42 GEO. J. INT’L L. 1161, 1185 (2011). 416 See Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 18 (Apr. 9) (“It cannot be concluded from the mere fact of the control exercised by a State over its territory and waters that that State necessarily knew, or ought to have known, of any unlawful act perpetrated therein . . . .”). 417 Ibid (stating that control by a State over its borders does not shift the burden of proof to the accused State). 418 Ibid. 419 Ibid. 420 See infra, section 4.6.

100 of action by Zaire’s Government against the rebel groups in the border area is tantamount to

‘tolerating’ or ‘acquiescing’ in their activities.”421

If one applies these findings in the cyber context, the fact that a State has exclusive “territorial” control of the cyber infrastructure from which the cyber operation originates does not per se shift the burden of proof, and it is therefore still up to the claimant to demonstrate that the territorial State is responsible for the cyber operation or that it failed to comply with its due diligence duty of vigilance, and not to the territorial State to demonstrate the contrary.422

Even beyond the principle of territorial control, the fact that relevant evidence is in the hands of the other party does not per se shift the burden of proof. In the Avena case, the ICJ held that it could not accept that, because such information may have been in part in the hands of Mexico, it was for Mexico to produce such information. It was for the United States to seek such information, with sufficient specificity, and to demonstrate both that this was done and that the

Mexican authorities declined or failed to respond to such specific requests. . . The Court accordingly concludes that the United States has not met its burden of proof in its attempt to show that persons of Mexican nationality were also United States nationals.423

The fact that cyber operations were conducted in the context of an armed conflict, as was the case of those against Georgia in 2008,424 also does not affect the normal application of the burden of proof.425 In Nicaragua, the ICJ recalled the Corfu Channel and Tehran Hostages judgments and found that “a situation of armed conflict is not the only one in which evidence of fact may be difficult to come by, and the Court has in the past recognized and made

421 Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. 168, para. 301 (Dec. 19). 422 David J. Betz & Tim Stevens, Analogical Reasoning and Cyber Security, 44 SECURITY DIALOGUE 147, 151 (2013), in Marco Roscini, 246. 423 Avena and Other Mexican Nationals (Mex. v. U.S.), Judgment, 2004 I.C.J. 12, para. 57 (Mar. 31.). 424 Markoff, supra. 425 See generally Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14 (June 27).

101 allowance for this . . .”426 Even in such circumstances, therefore, “it is the litigant seeking to establish a fact who bears the burden of proving it . . .”427 In the El Salvador/Honduras case, the Court stated that it:

Fully appreciates the difficulties experienced by El Salvador in collecting its

evidence caused by the interference with governmental action resulting from

acts of violence. It cannot however apply a presumption that evidence which is

unavailable would, if produced, have supported a particular party’s case; still

less a presumption of the existence of evidence which has not been produced.428

The application of the onus probandi incumbit actori principle is also not affected by the possible asymmetry in the position of the litigants in discharging the burden of proof due to the fact that one has acted covertly (as is virtually always the case of cyber operations).429 As Judge

Owada points out in his Separate Opinion attached to the Oil Platforms judgment, however, the Court should “take a more proactive stance on the issue of evidence and that of fact-finding” in such cases in order to ensure that the rules of evidence are applied in a “fair and equitable manner” to both parties.430

Finally, it has been argued that a reversal of the burden of proof may derive from an application of the precautionary principle based on international environmental law in cyberspace.431 The precautionary principle entails “the duty to undertake all appropriate regulatory and other measures at an early stage, and well before the (concrete) risk of harm occurs.”432 On this view,

426 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1984 I.C.J. 392, para. 101 (Nov. 26). 427 Ibid. 428 Land, Island and Maritime Frontier Dispute (El Sal./Hond.: Nicar. intervening), Judgment, 1992 I.C.J. 351, para. 63 (Sept. 11). 429 Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 306, para. 46 (Nov. 6); (separate opinion of Judge Owada). 430 Ibid para 47. 431 See Thilo Marauhn, Customary Rules of International Environmental Law – Can They Provide Guidance for Developing a Peacetime Regime for Cyberspace?, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra, at 475 (describing the precautionary approach’s relationship to international environmental law). 432 Katharina Ziolkowski, General Principles of International Law as Applicable in Cyberspace, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra note 34, at 169.

102

States would have an obligation to implement measures to prevent the possible misuse of their cyber infrastructure, in particular by establishing a national cyber security framework.433

Regardless of whether the precautionary principle, with its uncertain normativity, extends to cyberspace,434 it still would not lead to a reversal of the burden of proof from the claimant to the State from which a cyber operation originates. In the Pulp Mills case, the ICJ concluded that “while a precautionary approach may be relevant in the interpretation and application of the provisions of the Statute [of the River Uruguay], it does not follow that it operates as a reversal of the burden of proof.”435 The Court, however, did not specify whether the precautionary principle might result in at least a lowering of the standard of proof.436

In light of the above discussion, it can be concluded that it is unlikely that the ICJ would accept that there is a reversal of the burden of proof in the cyber context. As has been correctly argued,

“suggesting a reversal of the burden of proof could easily lead to wrong and even absurd results given the possibility of routing cyber operations through numerous countries, and to the denouncing of wholly uninvolved and innocent States.”437 In the case of the 2007 DDoS campaign against Estonia, for instance, the botnets included computers located not only in

Russia, but also in the United States, Europe, Canada, Brazil, Vietnam and other countries.438

Difficulties in discharging the burden of proof, which are particularly significant in the context under examination, may, however, result in an alleviation of the standard of proof required to demonstrate a particular fact. It is to this aspect that the analysis now turns.

4.3 Standard of Proof and Cyber Operations

It is well known that, while in civil law systems there are no specific standards of proof that judges have to apply because they are authorized to evaluate the evidence produced according

433 Ibid. 434 See Marauhn, supra at 475–76 (asserting doubt that the precautionary principle applies to cyberspace). 435 Pulp Mills on the River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J. 14, para. 164 (Apr. 20). 436 Ibid. 437 Geiß & Lahmann, supra, at 628. 438 U.S. ACQUISITION AND USE OF CYBERATTACK CAPABILITIES, supra, at 173.

103 to their personal convictions on a case-by-case basis, common law jurisdictions employ a rigid classification of standards.439 From the most to the least stringent, these include: beyond reasonable doubt (i.e., indisputable evidence, a standard used in criminal trials), clear and convincing (or compelling) evidence (i.e., more than probable but short of indisputable), and the preponderance of evidence or balance of probabilities (i.e., more likely than not or reasonably probable, a standard normally used in civil proceedings).440 A fourth standard is that of prima facie evidence-a standard that merely requires indicative proof of the correctness of the contention made.441

The Statute of the ICJ and the Rules of Court neither require specific standards of proof nor indicate what methods of proof the Court will consider as being probative in order to meet a certain standard.442 The ICJ has to date avoided clearly indicating the standards of proof expected from the litigants during the proceedings.443 It has normally referred to the judgments, but at that point it is of course too late for the parties to take it into account in pleading their cases.444

There is no agreement on what standard of proof the ICJ should expect from the parties in the cases before it.445 If, because of their nature, international criminal courts use the beyond reasonable doubt standard in their proceedings,446 the most appropriate analogy for inter-state

439 Marko Milanović, State Responsibility for Genocide, 17 EUR. J. INT’L L. 553, 594 (2006), in Marco Roscini, 248. 440 . Mary Ellen O’Connell, Rules of Evidence for the Use of Force in International Law’s New Era, 100 AM. SOC’_Y INT’L L. PROC. 44, 45 (2006) [hereinafter O’Connell, Rules of Evidence]. 441 Green, supra, at 166. 442 See generally Statute of the International Court of Justice, June 26, 1945, 33 U.N.T.S. 933; Rules of Court, 1978 I.C.J. Acts & Docs. 6. 443 That approach has been criticized by judges from common law countries. See, e.g., Oil Platforms (Iran v. U.S.), 2003 I.C.J. 270, paras. 42–44 (Nov. 6) (separate opinion of Judge Buergenthal) (stating that the Court failed to explain a standard of proof); Oil Platforms (Iran v. U.S.), 2003 I.C.J. 225, paras. 30–39 (Nov. 6) (separate opinion of Judge Higgins) (criticizing the Court for not stating a standard of proof), in Marco Roscini, 248. 444 See Teitelbaum, supra, at 124 (“The Court’s determination of the standard of proof may be said to be made on an ad hoc basis, and is only revealed at the end of the process when the Court delivers its judgment.”). 445 H.E. Judge Rosalyn Higgins, President, Int’l Court of Justice, Speech to the Sixth Committee of the General Assembly 4 (Nov. 2, 2007). 446 Wolfrum, supra, at 569.

104 litigation is not with criminal trials, but with certain types of civil litigation.447 In his Dissenting

Opinion in the Corfu Channel case, Judge Krylov suggested that “one cannot condemn a State on the basis of probabilities. To establish international responsibility, one must have clear and indisputable facts.”448 Wolfrum has argued that, while the jurisdiction of an international court over a case should be established beyond reasonable doubt, the ICJ has generally applied a standard comparable to that of preponderance of evidence used in domestic civil proceedings when deciding disputes involving state responsibility.449 Others have maintained that such a standard only applies to cases not concerning attribution of international wrongful acts, such as border delimitations, and that when international responsibility is at stake, the standard is stricter and requires clear and convincing evidence.450

It is therefore difficult, and perhaps undesirable,451 to identify a uniform standard of proof generally applicable in inter-state litigation or even a predominant one: the Court “tends to look at issues as they arise.”452 This case-by-case approach, however, does not exclude that a standard of proof may be identified having regard to the primary rules in dispute, i.e., “the substantive rules of international law through . . . which the Court will reach its decision.”453

Indeed, when the allegation is the same, it seems logical that the evidentiary standard should also be the same.454

Views held by some U.S pontificate that the standard of proof for cyber operations should be low because it is very difficult to reach the clear and convincing standard in the cyber

447 Waxman, supra, at 59. 448 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 72 (Apr. 9) (dissenting opinion of Judge Krylov). 449 Wolfrum, supra, at 566. 450 RIDDELL & PLANT, supra, at 133. 451 Green, supra, at 167. 452 Sir Arthur Watts, Burden of Proof, and Evidence before the ECJ, in Improving WTO Dispute Settlement Procedures: Issues and Lessons from the Practice of Other International Courts and Tribunals 289, 294 (Friedl Weiss ed., 2000), in Marco Roscini, 250. 453 ROSENNE, supra, at 1043. 454 Green, supra, at 169–71.

105 context.455 However, the views mentioned above are also far from being unanimously held, even within the U.S. government: The Air Force Doctrine for Cyberspace Operations, for instance, States that attribution of cyber operations should be established with “sufficient confidence and verifiability.”456 A report prepared by Italy’s Parliamentary Committee on the

Security of the Republic goes further and requires it to be demonstrated “in modo inequivocabile” (unequivocally) that an armed attack by cyber means originated from a State and was undertaken on the instruction of governmental bodies.457 The document also suggests that attribution to a State requires “«prove» informatiche inconfutabili” (“irrefutable digital evidence”), which, the Report concedes, is a standard that is very difficult to meet.458 Germany also highlighted the danger of a lack of “reliable attribution” of malicious cyber activities in creating opportunities for “false flag attacks,” misunderstandings, and miscalculations.459 In relation to the DDoS attacks against Estonia, a U.K. House of Lords document lamented that

“the analysis of today is really very elusive, not conclusive and it would still be very difficult to act on it.”460 Finally, the AIV/CAVV Report, which has been endorsed by the Dutch government,461 requires “reliable intelligence . . . before a military response can be made to a cyber attack” and “sufficient certainty regarding the identity of the author of the attack.”462 In its response to the Report, the Dutch government argued that self-defense can be exercised

455 See generally; Developments in the Field of Information and Telecommunications, supra note 3, at 17; Advance questions for Lieutenant General Keith Alexander for Commander, USA Nominee for Commander, U.S. Cyber Command, S. Comm. Armed Servs. 12 (Apr. 15, 2010) (Lieutenant General Keith Alexander argued that “some level of mitigating action” can be taken against cyber attacks even when we are not certain who is responsible). 456 U.S. Air Force, Cyberspace Operations: Air Force Doctrine Document 3-12, at 10 (2010). 457 Comitato Parlamentare per la Sicurezza Della Repubblica, Relazione Sulle Possibili Implicazioni E Minacce per la Sicurezza Nazionale Derivanti Dall’utilizzo Dello Spazio Cibernetico 26 (2010), available at . 458 Ibid. 459 Letter from the Permanent Mission of the Fed. Republic of Ger. to the United Nations addressed to the Office for Disarmament Affairs, Note No. 516/2012 (Nov. 5, 2012). 460 European Union Committee, Protecting Europe against Large-Scale Cyberattacks, 2009–2010, H.L. 68, at 42. 461 Michael N. Schmitt, The Law of Cyber Warfare: Quo Vadis? 25 STAN. L. & POL’Y REV. 269, 280 n.40 (2014). 462 Advisory Council on Int’l Affairs & Advisory Comm. on Issues of Pub. Int’l Law, Cyber Warfare 22 (2011).

106 against cyber attacks “only if the origin of the attack and the identity of those responsible are sufficiently certain.”463

All in all, clear and convincing evidence seems the appropriate standard not only for claims of self-defense against traditional armed attacks, but also for those against cyber operations: a prima facie or preponderance of evidence standard might lead to specious claims and false or erroneous attribution, while a beyond reasonable doubt standard would be unrealistic. In the

Norwegian Loans case, Judge Lauterpacht emphasized that “the degree of burden of proof . . . adduced ought not to be so stringent as to render the proof unduly exacting.”464 As explained by Michael Schmitt, a clear and convincing standard “obliges a state to act reasonably, that is, in a fashion consistent with the normal state practice in same or similar circumstances.

Reasonable States neither respond precipitously on the basis of sketchy indications of who has attacked them nor sit back passively until they have gathered unassailable evidence.”465

4.4. Methods of Proof and Cyber Operations

What type of evidence may be relied on in order to meet the required standard of proof and establish that a cyber operation has occurred, has produced damage, and is attributable to a certain State or non-state actor? The production of evidence before the ICJ is regulated by

Articles 48 to 52 of its Statute and by the Rules of Court. There is, however, no list of the methods of proof available to parties before the Court nor any indication of their different probative weight.466 Article 48 of the ICJ Statute provides only that “the Court shall . . . make all arrangements connected with the taking of evidence,”467 while Article 58 of the Rules of

Court confirms that “the method of handling the evidence and of examining any witnesses and

463 GOV’T OF THE NETH., supra note 154, at 5. 464 Certain Norwegian Loans (Fr. v. Nor.), Judgment, 1957 I.C.J. 9, 39 (July 6) (separate opinion of Judge Sir Hersch Lauterpacht). 465 Schmitt’s exact verbiage calls for a “clear and compelling” standard. Michael N. Schmitt, Cyber Operations and the Jus Ad Bellum Revisited, 56 VILL. L. REV 569, 595 (2011). 466 Compare Statute of the International Court of Justice arts. 48–52, June 26, 1945, 33 U.N.T.S. 933, and Rules of Court, arts. 57, 58, 62–64, 71, 1978 I.C.J. Acts & Docs. 6 (together demonstrating that there are no methods of proof for dealing with the production of evidence before the ICJ). 467 Statute of the International Court of Justice art. 48, June 26, 1945, 33 U.N.T.S. 933.

107 experts . . . shall be settled by the Court after the views of the parties have been ascertained in accordance with Article 31 of these Rules.”468

As a leading commentator has observed, “the International Court of Justice has construed the absence of restrictive rules in its Statute to mean that a party may generally produce any evidence as a matter of right, so long as it is produced within the time limits fixed by the

Court.”469 Although it is primarily the parties’ responsibility to produce the evidence necessary to prove the facts alleged, the Court may also order the production of documents, call experts and witnesses, conduct site visits, and request relevant information from international organizations.470 In Nicaragua, for instance, the Court found that it was “not bound to confine its consideration to the material formally submitted to it by the parties.”471 In that judgment, the ICJ also emphasized the principle of free assessment of evidence, stating that “within the limits of its Statute and Rules, [the Court] has freedom in estimating the value of the various elements of evidence . . . .”472

In the next pages, methods of proof that may be relevant in relation to cyber operations will be examined.

A. Documentary Evidence

Although there is no formal hierarchy between different sources, the ICJ has taken a civil law court approach and has normally given primacy to written documents over oral evidence.473

Documentary evidence includes “all information submitted by the parties in support of the

468 Rules of the Court, art. 58, 2007 I.C.J. Acts & Docs. 91. 469 Durward V. Sandifer, Evidence before International Tribunals 184 (rev. ed. 1975). 470 Statute of the International Court of Justice arts. 49, 50, June 26, 1945, 33 U.N.T.S. 933; Rules of Court, arts. 62, 66, 67, 69, 1978 I.C.J. Acts & Docs. 6. 471 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para. 30 (June 27). 472 Nicar. v. U.S., 1986 I.C.J. para. 60. See also Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. 168, para. 59 (Dec. 19). 473 Aguilar Mawdsley, supra, at 543.

108 contentions contained in the pleadings other than expert and witness testimony.”474 According to Shabtai Rosenne, documentary evidence can be classified in four categories:

published treaties included in one of the recognized international or national

collections of treaty texts; official records of international organizations and

of national parliaments; published and unpublished diplomatic

correspondence, and communiqués and other miscellaneous materials,

including books, maps, plans, charts, accounts, archival material,

photographs, films, legal opinions and opinions of experts, etc.; and

affidavits and declarations.475

Official state documents, such as national legislation, cyber doctrines, manuals, strategies, directives and rules of engagement, may become relevant in establishing state responsibility for cyber operations.476 In Nicaragua, for instance, the responsibility of the United States for encouraging violations of international humanitarian law was established on the basis of the publication of a manual on psychological operations.477 According to the Court, “the publication and dissemination of a manual in fact containing the advice quoted above must . .

. be regarded as an encouragement, which was likely to be effective, to commit acts contrary to general principles of international humanitarian law reflected in treaties.”478 Not all state documents, however, have the same probative value: in Democratic Republic of the Congo v.

Uganda, the Court dismissed the relevance of certain internal military intelligence documents because they were unsigned, unauthenticated, or lacked explanation of how the information was obtained.479

474 Wolfrum, supra, at 558. 475 ROSENNE, supra, at 1246. 476 Mark D. Young, National Cyber Doctrine: The Missing Link in the Application of American Cyber Power, J. NAT’L SECURITY L. & POL’Y 173, 175–76 (2010). 477 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para. 113 (June 27). 478 Ibid. para. 256. 479 Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 C.J. 168, paras. 125, 127–28, 133–34, 137 (Dec. 19).

109

Documents of international organizations may also be presented as evidence.480 Overall, the

Court has given particular credit to U.N. reports, Security Council resolutions, and other official U.N. documents.481 In Bosnian Genocide, the ICJ stated that the probative value of reports from official or independent bodies “depends, among other things, on (1) the source of the item of evidence (for instance, partisan or neutral), (2) the process by which it has been generated (for instance an anonymous press report or the product of a careful court or court- like process), and (3) the quality of the character of the item (such as statements against interest, and agreed or uncontested facts).”482 Several documents of international organizations address cyber issues.483

The Court has also relied on fact-finding from commissions and other courts.484 In Dem. Rep.

Congo v. Uganda, the Court considered the Report of the Porter Commission, observing that neither party had challenged its credibility.485 Furthermore, the Court accepted that “evidence

[included in the Report] obtained by examination of persons directly involved, and who were subsequently cross-examined by judges skilled in examination and experienced in assessing large amounts of factual information, some of it of a technical nature, merits special attention.”486 For these reasons, facts alleged by the parties that found confirmation in the

Report were considered clearly and convincingly proved.487 There are, however, no examples of reports by judicial commissions in relation to cyber operations.488 One can at best recall the

2009 Report of the Independent Fact-Finding Mission on the Conflict in Georgia established

480 See RIDDELL & PLANT, supra, at 85–87. 481 Teitelbaum, supra, at 146. 482 Bosn. & Herz. v. Serb. & Montenegro, 2007 I.C.J. para. 227 483 E.g., G.A. Res. 66/24, at 2, U.N. Doc. A/RES/66/24 (Dec 13, 2011) (expressing concern over “international information security”). 484 Teitelbaum, supra, at 152. 485 Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), 2005 I.C.J. 168, para. 60 (Dec. 19). 486 Dem. Rep. Congo v. Uganda, 2005 I.C.J. para. 61. 487 Teitelbaum, supra, at 153. 488 See generally Major Arie J. Schaap, Cyber Warfare Operations: Development and Use under International Law, 64 A.F. L. REV. 121, 121–73 (2009).

110 by the Council of the European Union,489 which briefly addressed the cyber operations against

Georgia.490 The Report, however is not of great probative weight, as it did not reach any conclusion on those operations’ attribution or legality, simply noting that “[i]f these attacks were directed by a government or governments, it is likely that this form of warfare was used for the first time in an inter-state armed conflict.”491 Even if not of use to establish attribution, however, the Report could be relied on to establish that the cyber operations against Georgia did in fact occur.492

Documents produced by NGOs and think tanks may also play an evidentiary role, albeit a limited one. In relation to cyber operations, the CCD COE has prepared reports containing technical and legal discussion of the Estonia, Georgia and Iran cases, as well as of other cyber incidents.493 Information security companies like Symantec, McAfee, and Mandiant also regularly compile detailed technical reports on cyber threats and specific incidents.230 In general, however, reports from NGOs and other non-governmental bodies have been considered by the ICJ as having less probative value than publications of States and international organizations and have been used in a corroborative role only.494 In Democratic

Republic of the Congo v. Uganda, for instance, the ICJ considered a report by International

Crisis Group not to constitute “reliable evidence.”495 Similarly, in Oil Platforms the Court did not find publications such as Lloyd’s Maritime Information Service, the General Council of

British Shipping or Jane’s Intelligence Review to be authoritative public sources, as it had no

489 INDEP. INT’L FACT-FINDING MISSION ON THE CONFLICT IN GEOR., REPORT 2 (2009), http://rt.com/files/politics/georgia-started-ossetian-war/iiffmcg-volume-ii.pdf. 490 Ibid, at 217–19. 491 Ibid at 219. 492 Ibid. 493 The CCD COE is a think tank based in Tallinn, Estonia that was created after the 2008 DDoS attacks against the Baltic state. 494 RIDDELL & PLANT, supra, at 249. 495 Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. 168, para. 129 (Dec. 19).

111

“indication of what was the original source, or sources, or evidence on which the public sources relied.”496

As far as press reports and media evidence are concerned, one may recall, in the cyber context, the above-mentioned New York Times articles attributing Stuxnet to the United States and

Israel.497 The ICJ, however, has been very reluctant to accept press reports as evidence and has treated them “with great caution.”498 Press reports that rely only on one source, rely on an interested source, or give no account of their sources have therefore been treated as having no probative value.499 In Nicaragua, the Court held that, even when they meet “high standards of objectivity,” it would regard the reports in press articles and extracts from books presented by the parties “not as evidence capable of proving facts, but as material which can nevertheless contribute, in some circumstances, to corroborating the existence of a fact, i.e., as illustrative material additional to other sources of evidence.”500 This was dependent on the sources being

“wholly consistent and concordant as to the main facts and circumstances of the case.”501

Apart from this, press reports may contribute, together with other sources, to demonstrate public knowledge of facts of which the Court may take judicial notice, thus relieving a party from having to discharge the burden of proof with regard to those facts.502

As already mentioned, in Nicaragua the ICJ noted that “widespread reports of a fact may prove on closer examination to derive from a single source, and such reports, however numerous, will in such case have no greater value as evidence than the original source.”503

B. Official Statements

496 Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 161, para. 60 (Nov. 6). 497 RIDDELL & PLANT, (text accompanying notes 18-21). 498 . Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para. 62 (June 27). 499 Dem. Rep. Congo v. Uganda, 2005 I.C.J. para. 68. 500 Nicar. v. U.S., 1986 I.C.J. para. 62. 501 Dem. Rep. Congo v. Uganda, 2005 I.C.J. para. 68 (citing United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 3, para. 13 (May 24) 502 Nicar. v. U.S., 1986 I.C.J. para. 63. 503 Ibid.

112

Statements made by official authorities outside the context of the judicial proceedings may play an important evidentiary role. In the Tehran Hostages case, for instance, the ICJ recalled that it had “a massive body of information from various sources concerning the facts and circumstances of the present case, including numerous official statements of both Iranian and

United States authorities.”504

Statements “emanating from high-ranking official political figures, sometimes indeed of the highest rank, are of particular probative value when they acknowledge facts or conduct unfavourable to the State represented by the person who made them.”505 However, all depends on how those statements were made public: “evidently, [the Court] cannot treat them as having the same value irrespective of whether the text is to be found in an official national or international publication, or in a book or newspaper.”506 In other words, statements that can be directly attributed to a state are of more probative value.

C. Witness Testimony

Witnesses may be called to provide direct oral evidence by the Court and by the litigants: The latter case is conditioned upon the absence of objections by the other litigant or the recognition by the Court that the evidence is likely to be relevant.507 The Court may also put questions to the witnesses and experts called by the parties.508 In Corfu Channel, for instance, naval officers were called to testify by the United Kingdom about the damage suffered by the Royal Navy ships and the nature and origin of the mines. Albania also called witnesses to testify to the absence of mines in the Channel.509 Nicaragua called five witnesses to testify in the Nicaragua case.510

504 United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 3, para. 13 (May 24). 505 Nicar. v. U.S., 1986 I.C.J. para. 64. 506 Ibid, para 65. 507 Rules of Court, arts. 62(2), 63, 1978 I.C.J. Acts & Docs. 6. 508 Rules of Court, art. 65, 1978 I.C.J. Acts & Docs. 6. 509 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 7–8, 10 & 11 (Apr. 9). 510 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, para. 13 (June 27).

113

It is worth recalling that the Court has also accepted witness evidence given in written form and attached to the written pleadings, but it has treated it “with caution”511 and has generally considered it of a probative value inferior to that of direct oral witness testimony.512

D. Enquiry and Experts

According to Article 50 of the ICJ Statute, “the Court may, at any time, entrust any individual, body, bureau, commission, or other organization that it may select, with the task of carrying out an enquiry or giving an expert opinion.”513 Enquiries have never been commissioned by the Court, which has rather relied on fact-finding reports from other sources.514 Experts may be necessary in cases of a highly technical nature or that involve expertise not possessed by the judges. It is likely, therefore, that the Court will appoint experts in cases involving cyber technologies. The Court, however, would not be bound by their report. The parties may also call experts.515 In the Whaling in the Antarctic case, therefore, the experts called by both

Australia and Japan gave evidence as expert witnesses and were cross-examined,516 and the

Court relied heavily on their statements to conclude that the special permits granted by Japan for the killing, taking, and treatment of whales had not been granted “for purposes of scientific research.”517

E. Digital Evidence

Digital forensics “deals with identifying, storing, analyzing, and reporting computer finds, in order to present valid digital evidence that can be submitted in civil or criminal proceedings.”518

511 Territorial and Maritime Dispute between Nicaragua and Honduras in the Caribbean Sea (Nicar. v. Hond.), Judgment, 2007 I.C.J. 659, para. 244 (Oct. 8). 512 RIDDELL & PLANT, supra, at 280–8. 513 Statute of the International Court of Justice art. 50, June 26, 1945, 33 U.N.T.S. 933. 514 Benzing, supra, at 1259. 515 Rules of Court, art. 63, 1978 I.C.J. Acts & Docs. 6. 516 Whaling in the Antarctic (Aust. v. Japan: N.Z. intervening), Judgment, 2014 I.C.J. 148, paras. 20–21 (Mar. 31). 517 Ibid, para. 227. 518 PRESIDENCY OF THE COUNCIL OF MINISTERS, NATIONAL STRATEGIC FRAMEWORK FOR CYBERSPACE SECURITY 42 (2013), available at http://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/ uploads/2014/02/italian-national-strategic-framework-for-cyberspace-security.pdf.

114

It includes the seizure, forensic imaging, and analysis of digital media, and the production of a report on the evidence so collected.519 It seems that most countries “do not make a legal distinction between electronic evidence and physical evidence. While approaches vary, many countries consider this good practice, as it ensures fair admissibility alongside all other types of evidence.”520 Of course, not only do data have to be collected, but they also need to be interpreted, and the parties may disagree on their interpretation.

For several reasons, however, digital evidence on its own is unlikely to play a decisive role in establishing state responsibility for cyber operations. First, digital evidence is “volatile, has a short life span, and is frequently located in foreign countries.”521 Second, the collection of digital evidence can be very time consuming and requires the cooperation of the relevant internet service providers, which may be difficult to obtain when the attack originates from other States.522 Third, although digital evidence may lead to the identification of the computer or computer system from which the cyber operation originates, it does not necessarily identify the individual(s) responsible for the cyber operation (as the computer may have been hijacked, or the IP spoofed).523 In any case, such digital evidence will say nothing about whether the conduct of those individuals can be attributed to a State under the law of state responsibility.

4.5. Presumptions and Inferences in the Cyber Context

As Judge ad hoc Franck emphasized in Sovereignty over Pulau Ligitan and Pulau Sipadan,

“presumptions are necessary and well-established aspects both of common and civil law and cannot but be a part of the fabric of public international law.”524 Previously, in his dissenting opinion in Corfu Channel, Judge Azevedo had argued that “it would be going too far for an

519 Jay P. Kesan & Carol M. Hayes, Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace, 25 HARV. J.L. & TECH. 429, 482 (2012). 520 U.N. Office on Drugs and Crime, Comprehensive Study on Cybercrime: Draft, 25 February 2013. 521 Fred Schreier, On Cyberwarfare 65 (DCAF Horizon 2015, Working Paper No. 7, 2012). 522 Ibid, at 46. 523 Ibid, at 65. 524 Sovereignty over Pulau Ligitan & Pulau Sipadan (Indon./Malay.), Judgment, 2002 I.C.J. 691, para. 44 (Dec. 17) (dissenting opinion of Judge ad hoc Franck).

115 international court to insist on direct and visual evidence and to refuse to admit, after reflection, a reasonable amount of human presumptions with a view to reaching that state of moral, human certainty with which, despite the risk of occasional errors, a court of justice must be content.”525

Although the difference is often blurred in inter-state litigation, presumptions may be prescribed by law (legal presumptions, or presumptions of law), or be reasoning tools used by the judges (presumptions of fact, or inferences).526 In other words, “presumptions of law derive their force from law, while presumptions of fact derive their force from logic.”527 In international law, presumptions of law can derive from treaties, international customs, and general principles of law.528 According to Judge Owada in his dissenting opinion in the

Whaling in the Antarctic case, for instance, good faith on the part of a contracting State in performing its obligations under a treaty “has necessarily to be presumed…although the presumption is subject to rebuttal”.529

Inferences, or presumptions of fact, are closely linked to circumstantial evidence.530 In the

Corfu Channel case, Judge Padawi Pasha defined circumstantial evidence as “facts which, while not supplying immediate proof of the charge, yet make the charge problable with the assistance of reasoning.”531 The ICJ, however, “has demonstrated an increasing resistance to the drawing of inferences from secondary evidence.”532 Only inferences to protect state sovereignty are normally drawn by the Court, while others are treated with great caution. The

525 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 90–91 (Apr. 9) (dissenting opinion of Judge Azevedo). 526 C.F. Amerasinghe, Presumptions and Inferences in Evidence in International Litigation, 3 L. & PRAC. INT’L CTS. & TRIBUNALS 395, 395 (2004) 527 . Thomas M. Franck & Peter Prows, The Role of Presumptions in International Tribunals, 4 L. & PRAC. INT’L CTS. & TRIBUNALS 197, 203 (2005) 528 Mojtaba Kazazi, Burden of Proof and Related Issues: a Study on Evidence before International Tribunals 245 (1996). 529 Whaling in the Antarctic (Austl. v. Japan: N.Z. intervening), Judgment, 2014 I.C.J. 148, para. 21 & 42 (Mar. 31) (dissenting opinion of Judge Owada). 530 Barcelona Traction, Light and Power Company, Limited. (Belg. v. Spain), 1964 I.C.J. 6, 80 (July 24) 531 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 59 (Apr. 9) (dissenting opinion of Judge Pasha). 532 Teitelbaum, supra, at 157.

116

ICJ has drawn inferences in situations such as exclusive control of territory and non-production of documents.533 As to the first, it has been argued that the State from which the cyber operation originates has presumptive knowledge of such operation. U.S. officials have claimed, for instance, that, with the control that the Iranian government exercises over the internet, it is

“hard to imagine” that cyber attacks originating from Iran against U.S. oil, gas, and electricity companies could be conducted without governmental knowledge, even in the absence of direct proof of state involvement.534 The Mandiant Report also traced the cyber intrusions into U.S. computers back to Chinese IP addresses.535 As has been seen, however, in the Corfu Channel case the ICJ held that “it cannot be concluded from the mere fact of the control exercised by a

State over its territory . . . that that State necessarily knew, or ought to have known, of any unlawful act perpetrated therein . . . .”536 Only if there are other indications of state involvement may territorial control contribute to establish knowledge. In Oil Platforms, the ICJ also refused to accept the US argument that the territorial control exercised by Iran over the area from which the missile against the Sea Isle City had been fired was sufficient to demonstrate Iran’s responsibility.537 These conclusions have been transposed in the cyber context538. If control of cyber infrastructure is not on its own sufficient to prove knowledge of the cyber operations originating therefrom, much less direct attribution, it may however have “a bearing upon the methods of proof available to establish the knowledge of that State as to such events.”539 In particular by reason of this exclusive control [within its frontiers], the other State, the victim

533 Waxman, supra, at 66. 534 Nicole Perlroth & David E. Sanger, New Computer Attacks Traced to Iran, Officials Say, N.Y. TIMES, May 24, 2013, http://www.nytimes.com/2013/05/25/world/middleeast/new-computer-attacks-comefrom-iran- officials-say.html?_r=0. (May 23, 2016). 535 MANDIANT, APT 1, supra, at 4. 536 Corfu Channel (U.K. v. Alb.), Judgment, Merits, 1949 I.C.J. 4, 18 (Apr. 9). 537 Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 161, para. 61 (Nov. 6). 538 TALLINN MANUAL r. 7 & 8 (which is to the effect that neither the fact that a cyber operation originates from a State’s governmental cyber infrastructure nor that it has been routed through the cyber infrastructure located in a State are sufficient evidence for attributing the operation to those States, although it may be “an indication that the State in question is associated with the operation). 539 U.K. v. Alb., 1949 I.C.J. at 18.

117 of a breach of international law, is often unable to furnish direct proof of facts giving rise to responsibility. Such a State should be allowed a more liberal recourse to inferences of fact and circumstantial evidence. This indirect evidence is admitted in all systems of law, and its use is recognized by international decisions.540

According to the Court, then, inferences become particularly valuable, and assume a probative value higher than normal, when a litigant is unable to provide direct proof of facts because the evidence is under the exclusive territorial control of the other litigant. Such indirect evidence

“must be regarded as of special weight when it is based on a series of facts linked together and leading logically to a single conclusion.”541

4.6. Inadmissible Evidence

There are no express rules on the admissibility of evidence in the ICJ Statute. Therefore, “the general practice of the Court has been to admit contested documents and testimony, subject to the reservation that the Court will itself be the judge of the weight to be accorded to it.”542

Evidence may, however, be declared inadmissible because it has been produced too late or not in the prescribed form.543 Another example of inadmissible evidence is provided by the decision of the Permanent Court of International Justice in the Factory at Chorzów case, where the ICJ’s predecessor held that it “cannot take account of declarations, admissions or proposals which the Parties may have made in the course of direct negotiations when . . . the negotiations in question have not . . . led to an agreement between the parties.”544

Is evidence obtained through a violation of international law also inadmissible? Traditional espionage and cyber exploitation, used in support of traceback technical tools, may be a helpful

540 Ibid. 541 Ibid. 542 Keith Highet, Evidence, the Court, and the Nicaragua Case, 81 AM. J. INT’L L. 1, 13 (1987). 543 Statute of the International Court of Justice art. 52, June 26, 1945, 33 U.N.T.S. 933. 544 Factory at Chorzów (Ger. v. Pol.), Claim for Indemnity, 1927 P.C.I.J. (ser. A) No. 9, at 19.

118 instrument to establish proof of state responsibility for cyber operations.545 It is doubtful whether the above activities constitute internationally wrongful acts, although one commentator has argued, for instance, that cyber espionage may be a violation of the sovereignty of the targeted State whenever it entails an unauthorized intrusion into cyber infrastructure located in another State (be it governmental or private).546

Assuming, arguendo, that espionage and cyber exploitation are, at least in certain instances, internationally wrongful acts, what is the probative value of the evidence so collected? There is no express rule in the Statute of the ICJ providing that evidence obtained through a violation of international law is inadmissible.547 It is also not a general principle of law, as it seems to be a rule essentially confined to the U.S. criminal system.548 In the Corfu Channel case, the ICJ did not dismiss evidence illegally obtained by the United Kingdom in Operation Retail; on the contrary, it relied on it in order to determine the place of the accident and the nature of the mines. What the Court found was not that the evidence had been illegally obtained, but that the purpose of gathering evidence did not exclude the illegality of certain conduct.549 In general,

The approach of the Court is to discourage self-help in the getting of evidence

involving internationally illicit acts, not by seeking to impose any bar on the

employment of evidence so collected, but by making it clear that such illicit

activity is not necessary, since secondary evidence will be received and

treated as convincing in appropriate circumstances.550

In a cyber context, this means that while litigants are not entitled to access direct evidence that is located in another State’s computers or networks without authorization to submit it in the

545 Nicholas Tsagourias, Cyber Attacks, Self-Defence and the Problem of Attribution, 17 J. CONFLICT & SEC. L. 229, 234 (2012). 546 Wolff Heintschel von Heinegg, Territorial Sovereignty and Neutrality in Cyberspace, 89 INT’L L. STUD. 123, 129 (2013). 547 RIDDELL & PLANT, at 158, in Marco Roscini, 271. 548 Hugh Thirlway, Dilemma or Chimera?—Admissibility of Illegally Obtained Evidence in International Adjudication, 78 AM. J. INT’L L. 622, 627–28 (1984). 549 U.K. v. Alb., 1949 I.C.J. at 34–35. 550 Thirlway, supra, at 641.

119 proceedings, that evidence’s existence allows the court to give more weight to circumstantial evidence.

Conclusion

Flowing from the above disquisition, it can be drawn from the application to cyber operations of the ICJ’s rules and case law on evidence that the burden of proof does not shift in the cyber context and continues to rest on the party that alleges a certain fact. Whilst it is uncertain that a uniform standard of proof applicable to all cases involving international responsibility for cyber operations can be identified, it appears that claims of self-defense against cyber operations, like those against kinetic attacks, must be proved with clear and convincing evidence. Also, we established that the Court may take ‘formal note’ of the refusal of a party to present classified cyber documents, but it has so far refrained from drawing negative inferences from the non-production of documents. In any case, any such negative inferences could not contradict factual conclusions based on consistent evidence produced by the parties.

What is more? The Court gives more probative weight to official documents of States and international organizations such as the United Nations. NGO reports and press articles on cyber incidents are only secondary sources of evidence that may be useful to corroborate other sources or to establish the public knowledge of certain facts, providing they are sufficiently rigorous and only when they are “wholly consistent and concordant as to the main facts and circumstances of the case.”551

The drawing of inferences is approached by the ICJ with great caution. When there are objective difficulties for a litigant to discharge the burden of proof because the direct evidence lies within the exclusive territorial control of the other litigant, including its cyber infrastructure, a more liberal recourse to inferences of fact is admissible providing that they leave no room for reasonable doubt. It has been argued, however, that evidence obtained

551 United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), 1980 I.C.J. 64, para. 13 (May 24).

120 through a jus cogens violation for instance, torture, should be deemed inadmissible. However, we have sought to show from this chapter that even if a litigant obtains evidence illegally, e.g., through an unauthorized intrusion into the computer systems of another State, the evidence so obtained may be taken into account by the Court, although the purpose of collecting evidence does not exclude the illegality of the conduct.552

552 Corfu Channel case supra, p.35.

121

CHAPTER FIVE

Summary

In this work we have examined the nature and scope of cyber operations with respect to State activities. The first chapter affords a general definition and exposition of cyber operations as a concept, by outlining such things as the difference between cyberspace and outer space, the various terminologies associated with cyber operations such as; Computer Network Attacks,

Cyber disruption, Cyber incidence, Cyber Hostility, Cyber counter measures, and so on. The chapter also offers a brief history of cyberspace and operations in cyberspace. Under that chapter, we further elucidated on specific techniques, tools and methods (such as hacking, reconnaissance, weaponisation and so on), involved and utilised in the cyber domain which are commonly associated with cyber operators. Finally, the chapter addressed the effects of cyber operations. Sometimes the effects may be positive, other times, negative depending on the intent and purpose of use. Chapters two and three generally introduce and establish the governability of cyberspace by international law. Chapter two emphasises that international law can apply to cyberspace operations through the general principles of law recognised by civilised nations as provided in the ICJ Statute. We discussed the nature, scope and content of the general principles and showed why they apply. Certainly, the flexibility of international law made such application entirely possible. We highlighted these principles and in chapter three, discussed how they actually applied substantively. In chapter three, we attacked the regulation of cyber operations from two angles. The first angle being general principles of law recognised by civilised nations namely; Sovereign equality of States, maintenance of international peace and security and the duty of international cooperation in solving international problems, the second angle being branch areas of international law exercising their own international regulations include; international economic law, space law and international telecommunications law. The regimes spell out the rights and duties of States in

122 the cybersphere, and also the consequences of a breach of the rules. Finally, in chapter four we dealt with the international rules of evidence and the question of State responsibility. We demonstrated that evidence could either be direct or circumstantial, so long as it leads to a single and clear logical conclusion. While the burden of proof remains on the applicant and could shift depending on who is at the moment asserting, the standard of proof is the clear and convincing standard as far as State responsibility is concerned. Certain evidence do weigh more than the other, documentary evidence still remains one of the most potent means of proving responsibility. Evidence may be admissible even if it was illegally obtained, according to the

ICJ, the means of procurement does not affect the quality of the evidence.

The concluding thought of this work explicates that cyber space is not law free, as in other spheres, there are wrongs and rights, duties as well as obligations, and importantly liability in the event of misfeasance.

123

Findings

Once upon a time we lived in a world where the internet was only but an invention of wonder, a tool in which global interconnectivity was seen as efficiently and speedily realized. A world in which wars were fought by brave soldiers who faced each other in furious combat in a way that today we would find it hard to recognize as valid. However, in the last decade, the way in which the states approach the concept of war has changed profoundly. The massive introduction of the technology component in our daily lives has meant that cyber operations in general are the main politically motivated activities undertaken by many governments. As lucidly identified from the foregone chapters, when the cyberspace by means of some cyber tools are employed by governments or state sponsored individuals to unlawfully interfere in the computer systems or internal matters of other states through a disruption of their computer systems, we have a situation of cyber warfare. Common examples of cyber warfare, could include cyber espionage and cyber attack. And once these are proved, the State involved will be internationally responsible subject to evidentiary considerations.

The crux of the first chapter examined three main concerns. First, in understanding the nature, scope and gamut of cyber operations with respect to State activities, we looked at the definition of cyberspace operations, its distinction from other realms of human interaction, its history, effects, and fundamentally, terms which we have seen to run through the entire scope of this discourse and even beyond. From the first chapter, one point is essentially glaring, the fact that cyberspace is beyond what most people think of it, it is a different world of its own and bears distinctive features. The first chapter introduced the reader to the conceptualisation of cyberspace, further analysis reveals that a multifarious outline of activities can be carried out in this sphere, by all means, it tranverses the traditional and regular known incidences on the internet like “cyber crime” for example. Over the last half decade, activities on and connected to the internet have diametrically snowballed to include other possibilities such as cyber

124 warfare, cyber espionage, cyber attacks, cyber disruption, cyber counter measures, cyber incidence and so on. Most of the activities constituting cyber operations, have one thing in common: breaking into foreign Information Technology systems to extract or modify data, to change the system configuration or to take down the entire system. It is this concern that has essentially birthed this project. In carrying out these cyber operations many actors conduct themselves in a manner reflective of legal indiscretion. The question then remains whether the law, in the remotest possibility can regulate or even actually regulates these actors and their activities.

It is in response to this poser that the second chapter finds realization. In the second chapter, we examined the notion of general principles of international law, we have shown by exposition that indeed cyberspace cannot possibly be unregulated. The idea promulgated by a few that cyberspace is too novel for regulation by international law rings hollow in the light of the daring decision of the International Court of Justice in the Lotus case.553 General principles of international law may serve different purposes, of which the most significant is the function as a basis for the progressive development of international law (either by filling a legal lacuna or by progressive interpretation of existing international norms), responding to rising extrapositive needs of the international society, such as fast growing technical advances, e.g., the ‘emergence’ of cyberspace as a common space for inter-State relations. By so doing, international law gainsays the postulates of those who claim cyberspace is unregulated. This chapter forms the basic foundation of the core of this work, the idea that cyber operators and their activities is not without the bounds of legal thinking. The third chapter concretises in polished fashion the laws that can be seen to apply to regulate cyberspace.

In the third chapter, we enumerated several principles of international law and even specific subject areas dealing directly with cyberspace. For example, we have described how the general

553 S.S. ‘Lotus’, Merits (1927) PCIJ No 7.

125 principles of international law introduced in the second chapter could apply to deconflict the competing interests of States in the cyber arena. We also established that International

Telecommunication Laws may be used to address cyber operations that make use of electromagnetic spectrum or international telecommunications networks. For instance, broadcasting stations from one nation may not interfere with broadcasts of other states’ services on their authorized frequencies. We demonstrated how international transactions concluded on the internet may be regulated by International Economic Rules and the extent to which the rules of International Economic Law may allow defensive or offensive cyber operations that would otherwise violate the rules. The nub of this chapter emphasizes the objective of this project from the beginning. Some have claimed that cyberspace is not or is only partly regulated by law, as a cyber-specific international custom is absent and contractual regulation scarce. The inadequacy of this position has been made poignant by this work, we have brought to the glare that even in the absence of a contractual regulation, States are still bound by the rules of international law. As regards the contention of an absence of cyber-specific norm, again, the facts point in the contrary and in favour of our position. For example Legal mechanisms have been created by the United Nations,554 NATO,555 the Council of Europe,556 the Organization of

American States,557 and the Shanghai Cooperation Organization558 to directly regulate cyber

554 Global Culture of Cybersecurity and the Protection of Critical Informational Infrastructures, G.A. Res. 58/199, U.N. Doc. No. A/RES/58/199 (Jan. 30, 2004), and Creation of a Global Culture of Cybersecurity and Taking Stock of National Efforts to Protect Critical Information Infrastructures, G.A. Res. 64/211, U.N. Doc. No. A/RES/64/211 (Mar. 17, 2010). 555 North Atlantic Treaty, arts. 4, 5; see also NATO Agrees Common Approach to Cyber Defence, 97 (“The competencies of the [Cyber Defence Management Authority] will fall exclusively on Article 4 of the North Atlantic Treaty.”). 556 Cybercrime Convention, note 64, pmbl.; (“The Council of Europe’s Convention on Cybercrime . . . is the first and only international treaty that deals explicitly with cybercrime.”). 557 Organization of American States, AG/RES. 2040 (XXXIV-O/04), at ch. IV, ¶ 8 (June 8, 2004), available at also, Organization of American States, AG/RES. 2004 (XXXIV-O/04), at app. A, (June 8, 2004), available at 558 CONSULATE GEN. OF UZB. IN N.Y.C., YEKATERINBURG DECLARATION OF THE HEADS OF THE MEMBER STATES OF THE SHANGHAI COOPERATION ORGANISATION, (July 9, 2009),

126 operations. These organisations are a body of several States put together, and therefore can be seen to reflect State practice, and ultimately evidence a custom of cyber norm amongst States.

Is cyberspace free from regulation? Clearly not!

How can a State be imputed with responsibility for distasteful cyber activities? What is the quantum of evidence required to fix fault on a State? Are there parameters regulating the obtainment of the said evidence, or are the windows of obtainment open? The fourth chapter of this project work attempts a riposte to these questions. It is legal truism that suspicion can never take the place of evidence. The question of evidence is an inherent matter in any litigation. Proof of facts is a sine qua non for the establishment of any case. In cyber operation issues however, matters of evidence appear rather wonky. First there is unsettlement as to the standard of proof required to impute responsibility on States for wrongful cyber activities.

Although practice of international courts seem to suggest that the standard of evidence implicating State responsibility should be clear and convincing. What is more? In obtaining evidence, the International Court of Justice and even other Courts including municipal common law systems seem to have embraced a lax view towards the legality or otherwise of evidence so obtained. What is important to us however, is the fact that States can be responsible for illegal cyberspace operations. And the ordinary rules of evidence in international law can apply to fix fault on the State in question.

Laws governing States’ interaction are real, perhaps not conclusive, but to a large extent sufficiently regulatory. A State cannot therefore, under the present although nascent international law cyber regime, conduct itself in manners inconsistent with the general principles of law and specific areas of legal jurisprudence applicable to cyberspace. Cyber operations are diverse, cyber regulatory instruments abound, responsibility for proscribed cyber activities are consistent. Cyberspace is no law free space.

127

Recommendations We have already established in this project that international law can, should and does apply

to cyberspace. Cyber operations present a new and growing issue-one that current international

and domestic laws are not yet fully prepared to meet. The law of war offers a basis for

responding only to those cyber-attacks that amount to an armed attack or that take place in the

context of an ongoing armed conflict. Other existing international legal frameworks offer only

embryonic or piecemeal protection. Most domestic laws, though potentially powerful tools for

regulating cyber operations, have not yet addressed directly the challenges associated with

cyber operations such as cyber attacks and cyber espionage, and what remedies exist are in

many cases restricted by jurisdictional limits.

To begin to fill the gaps in existing law, we propose legal reform on two angles namely;

a) Domestic reforms; and

b) International reforms a) Domestic Reforms

On our recommended domestic law reforms, it is important to recall that domestic criminal law

alone cannot regulate cyber operations because not all cyber operations are defined as cyber-

crimes. But many cyber operations such as cyber-attacks are also cyber crimes that fall within

the ambit of domestic criminal law. Unfortunately, only a small number of existing criminal

laws that might govern cyber-attacks explicitly provide for extraterritorial reach. To remedy

this limitation, legislators could amend domestic criminal statutes to give them extraterritorial

reach. If other states reciprocate by making their own criminal statutes pertaining to cyber-

attacks extraterritorial as well, this could greatly increase global enforcement. Indeed,

increased domestic enforcement through extraterritorial application will be much more

successful and legitimate if it takes place in concert with the creation of an international treaty

that establishes basic shared standards regarding cyber-attacks. Nigeria therefore should first,

128 add extraterritorial applicability to the recently enacted cyber crime Act 2015. Second, Nigeria should utilize limited countermeasures, as appropriate, to combat cyber-attacks that do not rise to the level of armed attacks under the law of war. b) International Reforms

These domestic measures will address elements of the problem, but getting at the root of the global cyber-attack challenge will require international solutions. While the development of international norms is useful, it will not provide governments and private actors with the clarity of a codified definition of cyber operations or written guidelines on how states should respond to certain types of challenges. For this reason, we recommend that the international community create a multilateral agreement with two central features. First, it must offer a shared definition of cyber operations in its entirety including such commonly associated terms as cyber-crime, cyber-attack, cyber-warfare and so on. Second, it should offer a framework for more robust international cooperation in information sharing, evidence collection, and criminal prosecution of those participating in cross-national offensive cyber operations. That framework should be attentive to the challenges of over criminalization, maintaining room for individuals to use the

Internet and related technologies to engage in lawful dissent.

Furthermore, once States develop a shared definition of cyber operations terminologies, the next step is more extensive cooperation among States on information sharing, evidence collection, and criminal prosecution of those involved in malicious cyber operations. A useful starting point for building such a treaty is the Council of Europe Convention on Cybercrime, which provides for harmonized regulation of a wide range of cyber-crimes. This treaty remains largely limited to Europe (though the United States has ratified the agreement) and it does not address all cyber operations that a comprehensive agreement would ideally regulate.

Nonetheless, it provides a framework from which a more comprehensive agreement might begin. Building on this framework, the new agreement should require parties to pass domestic

129 laws banning malicious cyber operations prohibited under the treaty, so as to harmonize laws across states. The agreement could begin with information-sharing, layering on additional mechanisms for fostering cooperation in identifying and stopping the sources of unlawful cyber operations through criminal law enforcement agencies. International cooperation in information sharing could be an extremely valuable complement to other regulation of cyber operations. Member states could agree to share access to cyber-related information with other member states. That information would not be available to non-members or to states that fail to comply with the treaty’s core obligations. Offering privileged access to information to member states in good standing would provide States with an incentive to participate in and comply with the treaty regime. Such sharing of information will ultimately lead to ease in tracing and tracking malicious State actors and their locations, and would also assist in procuring direct evidence which would in turn facilitate the standard of clear and convincing evidence.

Finally, cyber threats that materialise in the loss of confidentiality, integrity or availability of information and communication technology can have an impact on the stability of States, and in extreme cases threatening their existence. In order to minimise such risks, technical precautions certainly need to be taken; however, technical measures alone will not suffice, if clear cut standards of precaution are not incorporated in the treaty just proposed.

130

BIBLIOGRAPHY

Books

Alain P, 2006. “The Statute of the International Court of Justice. A Commentary” Oxford University Press

Antonopoulos C, 1997. “The Unilateral Use of Force by States in International Law” (A. Sakkoulas Press)

Anna M.O 2016. “International Cyber Norms: Legal, Policy and Industry Perspective”, NATO CCD Publications, Tallinn

Brian D. L, 2010. “Customary International Law. A New Theory with Practical Implications” Cambridge University Press. Brownlie I, 1963, “International Law and the Use of Force by States” (Oxford University Press)

Christopher Greenwood, 2002. “International Law and the “War against Terrorism” 78 International Affairs

David H, 2008. “Cyber War Case study: Georgia”.

Durward V. S, 1975. “Evidence before International Tribunals” (Rev.Ed).

European Union Committee, 2009. “Protecting Europe against Large-Scale Cyberattacks”.

Frank H. E, 1996. “Cyberspace and the Law of the Horse”, U. Chi. Legal F.

Henri. L, 1991. “The Production of Space” (Donald Nicholson-Smith trans) Blackwell Press.

James A. Green 2009. “Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice”, INT’L & COMP. L.Q. 1.

Julie J. C, 1994. “Essays in Honour of Wang Tieya” (Ronald St. John Macdonald Ed.).

Kaatharina Z, 2013. “Peacetime Regime for State Activities in Cyberspace”, NATO CCD COE Publication, Tallinn.

Kennedy C. H & Pastor V, 1996. “An Introduction to International Telecommunications Law”.

Kevin H, 1997. “The Badlands of Modernity: Heterotopia and Social Ordering”.

Koskenniemi M, 1997. “Hierarchy in International Law: A Sketch” 8 European Journal of International Law.

Michael N. S, 2013. “Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual)”, Cambridge University Press.

131

Michel F, 1986. “Of Other Spaces; Diacritics Spring”.

Mojtaba K, 1996. “Burden of Proof and Related Issues: a Study on Evidence before International Tribunals”.

Morningstar, Chip and Randall F, 2003. “The lessons of Lucasfilm Habitat”. The MIT Press.

Mosler H, 1995. “General Principles of Law” Encyclopedia of Public International Law (vol 2, Elsevier North Holland Press)

Rep. of the Int’l Law Comm’n, 53d Sess., 2001. “Draft Articles on Responsibilities of States for Internationally Wrongful Acts, with Commentaries”, Apr. 23–June 1, July 2–Aug. 10, 2001, pt. 1, U.N. Doc. A/56/10.

U.N. Office on Drugs and Crime, 25 February 2013. “Comprehensive Study on Cybercrime: Draft”.

U.S. Air Force, 2010. “Cyberspace Operations: Air Force Doctrine Document” 3-12, at 10.

US Department of Defence, 2006. “The National Military Strategy for Cyberspace Operations”.

William G, 1948. “Father of Cyberspace” by Scott Thill.

William G, 1984. “Neuromancer”. New York: Ace Books.

Wolfrum. R, 2008. “General International Law (Principles, Rules, and Standards)”, Oxford University Press.

Articles/Journals/Conference Papers

Advisory Council on Int’l Affairs & Advisory Comm. on Issues of Pub. Int’l Law, “Cyber

Warfare” (2011).

Amerasinghe C.F., “Presumptions and Inferences in Evidence in International Litigation”, 3

L. & PRAC. INT’L CTS. & TRIBUNALS (2004)

Armin V. B, “General Principles of International Public Authority: Sketching a Research

Field”

German Law Journal 1909, 1912.

Barkham J, “Information Warfare and International Law on the Use of Force’’ 34 New York

University Journal of International Law and Politics (2001)

132

Benzing M, “Evidentiary Issues, in THE STATUTE OF THE INTERNATIONAL COURT OF

JUSTICE: A COMMENTARY”, 2011.

Daniel J, “Fact-Finding and Evidence at the International Court of Justice: Systemic Crisis,

Change or More of the Same?” FINNISH Y.B. INT’L L. (2007).

Daniel J. R, Maeve D, Eneken T & Ryan H., “International Cyberlaw: A Normative

Approach”, 42 GEO. J. INT’L L. (2011).

DR Johnson and Post D, “Law and Borders - The Rise of Law in Cyberspace” 48 Stanford

Law

Review (1995-1996)

Easterbrook F. H, “Cyberspace and the Law of the Horse” University of Chicago Legal Forum

(1996)

Ellen O. M “Lawful Self-Defense to Terrorism”, 63 U. PITT. L. REV. (2002)

Fred S, “On Cyberwarfare” 65 (DCAF Horizon 2015, Working Paper No. 7, 2012).

Glennon M. J, “The Road Ahead: Gaps, Leaks and Drips” 89 International Law Studies (2013)

Greenberg L. T, Goodman E. S and Soo Hoo K. J, “Information Warfare and International

Law” (US National Defence University 1998).

Gill T. D, “Non-Intervention in the Cyber Context” 2006.

H.E. Judge Rosalyn Higgins, President, Int’l Court of Justice, Speech to the Sixth Committee of the General Assembly 4 (Nov. 2, 2007).

Hugh. T, “Dilemma or Chimera?—Admissibility of Illegally Obtained Evidence in

International Adjudication”, 78 AM. J. INT’L L. 622, 627–28 (1984).

International Law Commission (ILC), Fragmentation of International Law: Difficulties

Arising from the

Diversification and Expansion of International Law (Report of the Study Group of the

International Law

133

Commission, finalized by Martti Koskenniemi, UN Doc No A/CN.4/L.682, 13 April 2006)

Jay P. K & Carol M. H, “Mitigative Counterstriking: Self-Defense and Deterrence in

Cyberspace”, 25 HARV. J.L. & TECH. 429, 482 (2012).

Keith. H “Evidence, the Court, and the Nicaragua Case”, 81 AM. J. INT’L L. 1, 13 (1987).

Koskenniemi M, “The Politics of International Law” 1 European Journal of International Law

(1990)

Kulesza J, “International Internet Law” (Routledge, London Press 2012)

Letter from the Permanent Mission of the Fed. Republic of Ger. to the United Nations addressed to the Office for Disarmament Affairs, Note No. 516/2012 (Nov. 5, 2012).

Major Arie J. S, “Cyber Warfare Operations: Development and Use under International Law”,

64 A.F. L. REV. 121, 121–73 (2009).

Mark D. Y, “National Cyber Doctrine: The Missing Link in the Application of American Cyber

Power”, J. Nat’l Security L. & Pol’y , (2010).

Marsoof A, “A Case for Sui Generis Treatment of Software under the WTO Regime”, 20 Int’l

J. L. & Info. Tech. 291 (2012).

NATO Standardization Agency, “NATO Glossary of Terms and Definitions” (AAP-6) at 2-

C-12, 2012.

Nicholas T, “Cyber Attacks, Self-Defence and the Problem of Attribution”, 17 J. CONFLICT

& SEC. L. (2012).

Niels. P, “Customary Law without Custom? Rules, Principles, and the Role of State Practice in International Norm Creation” American University International Law Review 2008

Peters. A, “International Dispute Settlement: A Network of Cooperational Duties” 14

European Journal of International Law (2003)

Pirker B, “Territorial Sovereignty and Integrity and the Challenges of Cyberspace”, 2013.

134

Raustiala K, “The Architecture of International Cooperation: Trans-governmental Networks and the Future of International Law” 43 Virginia Journal of International Law (2002)

Richmond. J, “Evolving Battlefields: Does Stuxnet Demonstrate a Need for Modifications to the Law of Armed Conflict?” 35 FORDHAM INT’L L.J. (2012).

Riddell. A & Plant. B, “Evidence before the International Court of Justice” Chicago University

Law Journal, (2009).

Roger B. D, “Easy Cases, Bad Law, and Burdens of Proof”, 25 VAND. L. REV. (1972)

Schmitt M. N, “Computer Network Attack and the Use of Force in International Law:

Thoughts on a Normative Framework” 37 Columbia Journal of Transnational Law (1999)

Teitelbaum R, “Recent Fact-Finding Developments at the International Court of Justice”, 6 L.

& PRAC. INT’L CTS. & TRIBUNALS (2007).

Thomas M. F & Peter P, “The Role of Presumptions in International Tribunals”, 4 L. & PRAC.

INT’L CTS. & TRIBUNALS 197, 203 (2005)

U.N. Secretary-General, “Developments in the Field of Information and Telecommunications in the

Context of International Security: Rep. of the Secretary-General”, 18, U.N. Doc. A/66/152

(July 15, 2011)

Wolff H. H “Territorial Sovereignty and Neutrality in Cyberspace”, 89 INT’L L. STUD.

(2013).

WTO, 2005, , United States – “Measures Affecting the Cross‑Border Supply of Gambling and

Betting Services”, Appellate Body Report WT/DS285/AB/R, adopted 20 April 2005.

Online Sources/Portable Display Formats

Barlow J. P, “A Declaration of the Independence of Cyberspace” (1996) Available online at;

Accessed on May 14, 2016.

135

Comitato Parlamentare per la Sicurezza Della Repubblica, Relazione Sulle Possibili

Implicazioni E Minacce per la Sicurezza Nazionale Derivanti Dall’utilizzo Dello Spazio

Cibernetico 26 (2010), Available online at;

ICUREZZA/Doc_XXXIV_n_4.pdf>. Accessed on July 17, 2016.

Consulate Gen. of Uzb. In N.Y.C., Yekaterinburg Declaration of the Heads of the Member

States of the Shanghai Cooperation Organisation; Available online at;

Accessed on July, 21, 2016.

Cyberspace Terms, Available online at;

accessed on

May 7, 2016.

Definition of Cyber Terms, available online at;

< https://en.m.wikipedia.org/wiki/cyberspace_definitions?-e_pi_7%page_ID> accessed on

May 7, 2016.

Definition of Cyberspace; Available online at;

Accessed on May 7, 2016.

Edward Snowden Interview: The NSA and Its Willing Helpers, Available online at;

. Accessed on May 19, 2016.

Falliere N, Liam O. M & Chien. E, Symantec, W32.Stuxnet Dossier, Version 1.4, (2011),

Available at;

32_stuxnet_dossier.pdf.> Accessed on July 13, 2016.

136

Fireeye, Digital Bread Crumbs: Seven Clues to Identifying Who’s Behind Advanced Cyber-

Attacks 4 (2014), Available online at;

Accessed on May 19,

2016.

First Phase of the World Summit on the Information Society, Declaration of Principles,

Building the Information Society: A Global Challenge in the New Millennium, WSIS-

03/GENEVA/DOC/4-E, Available online at;

Accessed on June 2, 2016.

History of Cyberspace, available online at:

Accessed on May 7, 2016.

INDEP. INT’L FACT-FINDING MISSION ON THE CONFLICT IN GEORGIA REPORT

Available at;

Accessed on July 18, 2016. Information of the UN Treaty Collection as of 9 May 2013. Available at;

=18&lang=e>. Accessed on May 11, 2016.

Information Technology – Security techniques – Network security (parts 1-3 published, parts 4-

6 DRAFT), Available at;

. Accessed on May 18, 2016.

ILC, Draft Articles on Prevention of Transboundary Harm from Hazardous Activities, with commentaries (2001) UN Doc A/56/10, General commentary, Available online at;

Accessed on May 24, 2016.

Organization of American States, AG/RES. 2004 (XXXIV-O/04), at app. ; available at

137 at_threats_cybersecurity.htm>. Accessed on July 21, 2016.

Organization of American States, AG/RES. 2040 (XXXIV-O/04), at ch. IV; available at

. Accessed on July, 21, 2016.

Presidency of the Council of Ministers, National Strategic Framework for Cyberspace Security,

Available online at;

. Accessed on July 18, 2016.

Storey. D, Stuxnet–The First Worm of Many for SCADA?; Available at;

;

Accesed on May 19, 2016.

"STUXNET Malware Targets SCADA Systems". Available at:

Accessed on May

8, 2016.

The European Union Agency for Network and Information Security (ENISA) - Stuxnet

Analysis, Available at: < http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis>.

Accessed on May 8, 2016.

Tikk E Et Al., Coop. Cyber Def. Ctr. Of Excellence, International Cyber Incidents: Legal

Considerations (2010), Available online at;

< http://www.ccdcoe.org/publications/books/ legalconsiderations.pdf> Accessed on July, 6,

2016.

U.S. Dep’t of Def., Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China (2013), Available at;

Accessed on July 13, 2016.

Newspapers/Magazines

138

Markoff J, “Before the Gunfire, Cyberattacks”, N.Y. TIMES, Aug. 13, 2008, Accessed on May

19, 2016.

Nicole P & Sanger D. E, “New Computer Attacks Traced to Iran, Officials Say”, N.Y. TIMES,

May 24, 2013. Accessed on June 19, 2016.

Sanger D. E, “Obama Order Sped Up Wave of Cyberattacks against Iran”, N.Y. TIMES, June

1, 2012. Accessed on May 19, 2016.

Traynor I, “Russia Accused of Unleashing Cyberwar to Disable Estonia”, THE GUARDIAN,

May

16, 2007, Accessed on May 19, 2016.

William J. Broad, John Markoff, & David E. Sanger, “Israeli Test on Worm Called Crucial in

Iran Nuclear Delay”, N.Y. TIMES, Jan. 15, 2011. Accessed on May 8, 2016.

139