International Law in Cyberspace

Author: Pia Hüsch

Required knowledge: Link

Learning objectives: Understanding XY.

This is where the text begins.[1] This template follows our style guide. Please take into account our guidelines for didactics. If you're wondering how to create text in Wikibooks, feel free to check out our guide on how to write in Wikibooks.

Advanced: Example

This is your advanced content. You can create this text box using our template "Advanced". How to do this is described here.

Example for to example topic: This is your example.

Test your knowledge in our learning area.

A. IntroductionEdit

The application of international law to cyberspace is one of the great challenges international law faces in the 21st century. By the second decade of the 21st century, cyber operations have become increasingly common in inter-state relations.[2] Whether in the form of cyber espionage or election interference, inter-state cyber operations are nowadays normalised. Although the application of international law to cyberspace was originally contested,[3] its application to cyberspace is nowadays widely agreed upon and has been confirmed by individual states,[4] UN working groups[5] and scholarship.[6] While such consensus is a laudable first step, it is at the same time an agreement that is minimal at best. Since then, the conversation has moved on to the decisive question of how exactly international law applies to cyberspace.

This chapter provides a first overview of the discourse on how international law applies to cyberspace. To this end, the chapter introduces a range of areas of international law that are relevant for the regulation of cyberspace and inter-state cyber operations. These areas are by no means an exhaustive list nor is each topic dealt with in depth. Instead, introducing this range of areas of international law demonstrates how complex and wide-ranging the question of how international law applies to cyberspace exactly is. This chapter will address topics such as international law-making and actors in cyberspace and the application of general principle of international law to cyberspace, including the prohibition of the use of force, the principles of sovereignty and non-intervention. Furthermore, it covers aspects such as jurisdiction in cyberspace and state responsibility. Finally, the chapter addresses the application of international humanitarian law as well as human rights law to cyberspace.

B. International Law-Making and Actors in CyberspaceEdit

To understand how international law applies to cyberspace, it makes sense to take a step back and to briefly consider relevant parties involved in determining such application and contributing to the discussion respectively. Firstly, states remain the primary lawmakers of international law. This also holds up in a cyber context where states primarily contribute to the discourse via state statements, setting out their specific interpretation of how the application of international law can be understood in cyberspace.[7] These statements are at the centre of the debate on how international law applies to cyberspace, but while some of them are detailed and entail useful examples, others remain somewhat generic.

Furthermore, a number of other actors and initiatives advance norm-making in cyberspace, including non-binding norms. Not all of these actors can be addressed here. Most prominently, however, there are the two UN working groups, the U.S.-led UN Group of Governmental Experts (GGE) that has come to an end in 2021[8] and the Russian-led UN Open ended working group (OEWG)[9] which continues to meet at the time of writing. Both groups work on similar issues and publish consensus reports, but their composition differs.[10] Other multilateral fora that have previously positioned themselves on the application of international law to cyberspace are organisations such as NATO[11] as well as collective groups of states like the G20.[12]

However, states are not the only relevant actors pursuing norm-development in cyberspace. They are joined by several multi-stakeholder fora advancing cyber norms, such as the Paris Call,[13] the Internet Governance Forum,[14] International Telecommunications Union[15] as well as ICANN, the Internet Cooperation for Assigned Names and Numbers which maintains the technical infrastructure of the internet.[16] The number of relevant actors is further complemented by private sector companies such as Microsoft that play an active role in norm development.[17] The most prominent collection of academic interpretations of international law in cyberspace are advanced in the non-binding Tallinn Manuals,[18] referenced frequently throughout this chapter. Whereas all of these organisations contribute to the discussion on how international law applies to cyberspace in one way or another, primary focus of this chapter rests on states’ individual and collective interpretations.

C. General Principles of International LawEdit

In the absence of a comprehensive cyber treaty that explicitly regulates cyberspace by advancing new norms, the debate on the application of international law to cyberspace primarily revolves around the application of existing principles of international law to cyberspace. The following section will exemplify such discussion by taking a closer look at a number of principles. These principles include the prohibition of the use of force and when a cyber operations amounts to an armed attack, triggering the right to self-defence. Closer attention will be paid to the Stuxnet Operation in Iran, wildly considered the only cyber operation seen until today that amounts to a use of force and potentially an armed attack. Secondly, this section addresses the application of sovereignty to cyberspace before thirdly, turning to the principle of non-intervention and its application in cyberspace.

I. Use of Force & Self-DefenseEdit

The prohibition of the use or threat of force is an ius cogens norm of public international law and wildly considered as the cornerstone of the UN Charter.[19] It is embodied in Art. 2(4) and is also applicable in cyberspace. This has been confirmed by states,[20] the UN working groups[21] and is also reflected in the Tallinn Manual[22] and academia.[23] Thus, there is no longer any debate on the applicability of the prohibition of use of force in cyberspace, but as is the case for so many principles of international law, the question remains how its application can be understood exactly, including the question of what amounts to a use of force in cyberspace addressed in this chapter.

As the term “force” is not defined in the UN Charter, its exact scope and meaning have been subject to much scholarly debate since the UN Charter came into force. As Delerue writes, “The lack of a precise definition is clearly problematic”.[24] At the very least, it leaves open fundamental questions, some of which are of pivotal importance for the cyber context. For example, the question arises whether force is merely restricted to “armed force”. Some support this interpretation,[25] while others suggest that force can extend beyond “armed force”.[26] The drafting process of the UN Charter reveals that the drafters did not intend to include any use of force, as they excluded economic, political and indirect force from Art. 2(4).[27] Clearly, only the latter interpretation includes cyber operations. In light of the development of modern technologies and weapons including biological and chemical weapons, “the debate on the qualification of cyber operations as armed operations comes across as relatively outdated” and it seems no longer “accurate to limit the prohibition of the use or threat of force to armed force”.[28]

Yet even where such first hurdle is taken, still not every use of a cyber operation amounts to a use of force. The exact qualification of when cyber operations amount to a use of force differs greatly amongst both states and scholars. Delerue identifies three different approaches that determine whether a use of force has occurred: the target-based approach, the instrument-based approach and the consequence-based approach.[29] The target-based approach considers that a cyber operations amounts to a use of force where it penetrates critical national infrastructure. However, as there is no minimum threshold that has to be met here, the approach is generally considered as too inclusive.[30] The second, instrument-based approach emphasises the “similarity between cyber operations and traditional weapons”, which, however, is often far-fetched. As such, this approach seems outdated and mis-matched to the realities of low-intensity cyber operations.[31] Finally, it is the consequence-based or effects-based approach that finds most support. It stresses the importance of the effects caused by cyber operations and foresees that any cyber operation resulting the physical destruction or loss of life amounts to a use of force.[32] Several criteria have been established to determine whether the effects caused by a cyber operation amounts to a use of force, including severity, immediacy and invasiveness.[33]

Even where this nowadays most popular interpretation is followed, it is less clear is the question whether non-physical effects can also amount to a use of force and whether there is a de minimis threshold that has to be met to constitute force.[34] Currently, there is no scholarly agreement on these matters. And although many states have since positioned themselves among these lines and often support an effects-based interpretation, these categories remain largely based on an existing legal framework tailored around kinetic uses of force. Consequently, the question remains whether a cyber-specific approach may still add value to the discourse.[35]

Closely related to the prohibition of the use of force is the question when such force amounts to an armed attack, triggering another state’s customary right to self-defence enshrined in Article 51 of the UN Charter. Although some states consider that any violation of the use of force also amounts to an armed attack,[36] this interpretation forms a minority view. The far more common interpretation understands that not any use of force amounts to an armed attack but that an armed attack is only reached where a significant threshold is met. Such interpretation is also supported by the ICJ’s Nicaragua case, in which the Court held that only the “most grave forms of the use of force” constitute an armed attack.[37] In order to determine what amounts to such “most grave form” of the use of force, the Nicaragua case set out the scale and effects test.[38] Such assessment considers whether the scale, i.e. “the magnitude and intensity of the cyber operation (amount of force used, its location and its duration)” and well as its effects, i.e. “the consequences of the cyber operation (damage and casualties)”.[39] Of course, the question arises what factors are taken into account when conducting such assessment. Whereas taking into account non-physical effects is still controversial, not every cyber operation with physical effects amounts to a most grave form of the use of force either. Instead, an assessment of scale and effects need to be made. The Tallinn Manual 2.0, for example, speaks of “all reasonably foreseeable consequences of the cyber operation” that must be taken into account.[40] Equally controversial is also the question whether the accumulation of events can mean that several cyber operations not meeting the threshold individually can collectively meet the threshold of an armed attack. To this day, no cyber operation has publicly been qualified as an armed attack.

Example for Stuxnet Cyber Operation in Iran: A prominent example of a cyber operation that is often referred to when discussion the use of force and armed attack thresholds in cyberspace is Stuxnet. Frome late 2009 to 2010, malware (i.e. malicious software) was used to infiltrate and subsequently attack the control system at Natanz, “Iran’s largest nuclear fuel enrichment facility”.[41] Moore has previously referred to Stuxnet as a magnum opus, crediting its outstanding success in causing harm.[42] It indeed stopped ten percent of the facility’s centrifuges from working properly. The intention was to make them spin faster and slower until they break, thus having physical effects. Given its complexity and sophistication, Stuxnet is largely considered to be of a state-sponsored nature, presumably a joint U.S.-Israeli operation, but no public attribution has been made nor has Iran declared that it constituted a use of force.[43] Despite the fact that there is widespread (scholarly) agreement that Stuxnet amounted to a use of force,[44] Iran never publicly qualified it as such. Ultimately, the legal question what amounts to a use of force remains distinct form the strategic and political decision that a state has to make when it publicly qualifies it as such.[45] Next to the question whether Stuxnet amounted to a use of force, it must further be considered whether Stuxnet also met the threshold of an armed attack. Generally speaking, both interpretations here are possible, also depending on whether or not all uses of force are understood to amount to an armed attack. To this date Stuxnet is “the only publicly known cyber operation that caused grave effects; it therefore demonstrates that a qualification as an armed attack is unlikely in the vast majority of cyber operations”.[46]

II. SovereigntyEdit

Already outside a cyber context, the principle of sovereignty is a highly complex principle of international law. While no authoritative definition of the principle exists, many scholarly suggestions of definitions evolve around concepts such as territory, control and independence. Besson, for example, calls it the “supreme authority over a territory”.[47] But scholarly debates around the role of sovereignty have been divided, some still considering sovereignty as a cornerstone of public international law in the 21st century, others considering it largely outdated.[48] Nevertheless, there is no doubt that states still consider it highly relevant, including in a cyber context. States have repeatedly stressed that state sovereignty applies to cyberspace.[49] However, again the question arises as to what that means exactly. Sovereignty is an incredibly broad, historically and politically complex principle. Such complexity means that already outside a cyber context it is difficult to pin-point as to what sovereignty means exactly – a problem that is now transposed to the cyberspace debate. Here, the question on how sovereignty applies to cyberspace can also be addressed from many different angles.

One way in which the principle of sovereignty plays out in cyberspace is through exercising jurisdiction. Jurisdiction is a key component of state sovereignty and as such, will be addressed separately in section XX. A second perspective that can be taken when examining how sovereignty applies in cyberspace is focusing on the question of governance of cyberspace.[50] Some considerations on this topic have already been shared in section 2.

It is a third perspective, however, that often receives the most attention when discussing the application of sovereignty to cyberspace: the question whether the sovereignty constitutes a principle or a rule of international law. Why does this debate matter in the first place? Where a cyber operation is attributable to a state (see state-responsibility section XX) and the activity in question violates a primary rule of international law but no circumstances precluding wrongfulness are applicable, the act constitutes an international wrongful act.[51] In response to such international wrongful act, the targeted state may use countermeasures.[52] These have to fulfil certain requirements like proportionality,[53] but overall, it allows a state to respond in a way that otherwise might be unlawful itself.[54] However, where no primary rule of international law was violated and consequently, no international wrongful act can be established, the targeted state may merely use retorsion in response but cannot legally resort to countermeasures.[55]

Many states and scholars have since positioned themselves in this so-called “principle vs rule” debate. On the one hand, there is the United Kingdom which has repeatedly confirmed its interpretation that sovereignty merely constitutes principles of international law.[56] This means that although many specific rights are closely related to this principle, where a cyber operation does not violate any of these specific rights, they do not constitute a violation of international law and thus, no international wrongful act either. The targeted state therefore cannot resort to lawful countermeasures. Some scholars have supported this view,[57] but overall, support for this interpretation remains somewhat limited.

In contrast, many states have positioned themselves in the “sovereignty as a rule” camp, confirming that they understand sovereignty as a primary rule of international law and that where such rule is violated, the activity in question amounts to an international wrongful act. Finland, for example, explicitly confirms this view by stating that it “sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility”.[58] So do New Zealand,[59] Germany[60] and France.[61] The interpretation that sovereignty constitutes a rule of international law has also been supported by the experts of the Tallinn Manuals[62] and many other international legal scholars.[63] Under this interpretation, sovereignty almost serves as a catch all function for those cyber operations that otherwise do not meet the threshold of other primary rules of international law.

Whereas the majority view thus sides with the sovereignty as a rule interpretation, this does not mean that states in this camp agree on one definition of sovereignty. To the contrary, considerable differences amongst these states remain. This primarily concerns the question when a violation of sovereignty occurs exactly. While all states in this group agree that such violation constitutes an international wrongful act, they differ on what they consider the relevant threshold that has to be met for such violation. Some states like France consider any penetration of their networks a violation of sovereignty,[64] others require a certain de minimis threshold to be met.[65] The question of what exactly constitutes such threshold often remains open in state statements. Some refer to the Tallinn Manuals on the matter,[66] others do not specify what they think constitutes such threshold.[67] It is clear though, that even where states agree that sovereignty constitutes a rule of international law, the devil is in the details and again, the question of how such principles applies exactly remains open.

Example for DDoS Attacks: Denial of Service attacks (DoS) are attacks that flood the targeted system, for example a government website or an online banking website, with more requests than the system can handle. The system thus breaks down and its services are temporarily disrupted. Where these requests are sent from a ranger of (hijacked) computers, one speaks of a distributed denial of service (DDoS) attack. These kinds of attacks are often used in inter-state cyber operations, e.g. by Russia against Estonia,[68] but are also frequently deployed by hacktivists, e.g. in the context of Russia’s invasion of Ukraine.[69] DoS attacks that merely cause disruption are not necessarily violations of sovereignty. In fact, even for France, which has advanced a very strict interpretation of sovereignty in cyberspace, it is unclear whether DDoS attacks would amount to a violation thereof.[70] This does not mean, however, that DDoS attacks are always lawful under international law. For example, the case-by-case analysis means that all circumstances have to be taken into account. With respect to the Russian DDoS attacks against Estonia, which took place for three weeks and were launched in response to Estonia’s decision to move the location of a Soviet statue, it can be argued that they amounted to an unlawful intervention even if not a violation of sovereignty.[71]

Whereas the principle vs rule debate has occupied a prominent spot in the discussion on the broader application of how international law applies to cyberspace, some scholars have pointed out that the practical impact of this debate is indeed limited.[72] This is particularly true for states that enjoy considerable cyber powers which can respond to offensive cyber operations in kind and may engage in such activities themselves. As a consequence, they may have limited interest in clarifying these thresholds.

Advanced: Cyber Espionage

Espionage constitutes a legal grey zone in international law. As it is not explicitly prohibited by any treaty or customary law, some have argued that espionage is not per se unlawful but may violate other norms of international law and the same reasoning applies to cyber espionage which therefore is also not explicitly prohibited.[73] However, it has been argued that the threshold debate with respect to the principle of sovereignty actually revolves around the question whether cyber espionage is considered a violation of sovereignty.[74] So far, even states that have advanced a strict sovereignty in cyberspace interpretation have not explicitly clarified whether they consider cyber espionage as unlawful. Taking past state practice as an indication, it seems unlikely that there will be a more explicit discussion of the lawfulness of states on espionage who benefit from the ambiguity and the existing legal grey zone.

III. Non-InterventionEdit

A further general principle of international law that applies to cyberspace is that of non-intervention. The principle of non-intervention is based on the idea of sovereign equality and that as all states are equal, one state may not intervene in the affairs of another state.[75] The application of the principle to cyberspace has been widely agreed upon, including in the UN working groups,[76] state statements,[77] the Tallinn Manuals[78] and academia[79] more widely. But although there is also general agreement that the principle of non-intervention also constitutes a primary rule of international law (in contrast to the principle vs rule debate that exists for the principle of sovereignty, see above),[80] its application remains subject to many grey zones and uncertainties.[81] This is especially true for those activities that remain below the use of force threshold. Whereas a military intervention is the most obvious form of intervention, the discussion on the application of non-intervention to cyberspace primarily revolve around those cyber operations that remain below the use of force threshold. This section will therefore focus on these so-called low-intensity or disruptive cyberoperations.

A first look at the principle raises the impression that the principle of non-intervention is – as far as general principles of international law go – not just well-established but also well-defined. The ICJ’s Nicaragua case is the key reference in this context when stating that “The principle of non-intervention involves the right of every sovereign State to conduct its affairs without outside interference” and that “The existence in the opinion juris of States of the principle of non-intervention is backed by established and substantial practice”.[82]

Two requirements follow from this judgment which have to be fulfilled in order for an activity to amount to an unlawful intervention. Firstly, the activity in question must target another state’s domaine réservé. The domaine réservé is typically defined as an area in which a state can decide freely. The Permanent Court of International Justice considers the decisive question whether the matter in question is “not, in principle, regulated by international law”.[83] As the scope of international law has, however, significantly expanded over the last decades, e.g. to include human rights law, international criminal law or international environmental law, the area outside the scope of international law decreases.[84] This is, however, not a cyber specific problem. Instead, the exact scope of the domaine réservé has always remained undefined.[85] Some areas very clearly fall under its scope though. The Nicaragua case lists a number of areas that fall under its scope, including “the choice of political, economic, social and cultural system, and the formulation of foreign policy”.[86] A prime example of an activity that falls within a state’s domaine réservé is holding elections.[87] As elections and related election interference is a prime example for how the principle of non-intervention can be applied in cyberspace, this chapter will take a closer look at cyber-enabled election interference below.

The activity in question must, however, also fulfil a second requirement in order to qualify as an unlawful intervention, that of coercion. The ICJ’s Nicaragua underlines the importance of this requirement when it refers to it as “the very essence” of intervention.[88] Coercion as a requirement is crucial and points to the “core of the mischief”[89] as it distinguishes mere influence, which may be unwanted but not unlawful, from unlawful intervention.

Much like is the case for the term domaine réservé, the exact definition of coercion remains unclear, particularly so in cyber context. Reismann, for example, speaks of coercion as an “imperative pressure”;[90] Oppenheim famously referred to it as “dictatorial interference”.[91]

What exactly constitutes coercion is thus not clear - a problem that is further augmented in the cyber context, where interaction between states are constant and often disruptive, but not always easily defined as coercive. The following example will demonstrate how difficult it is to apply these definitions to cyber operations.

Example for Russian election interference in 2016: Legal analysis around the lawfulness of Russian election interference in the 2016 U.S. presidential elections are a prominent example of how to apply non-intervention to cyber operations. More precisely, the question arises whether Russian activities, which included “hacking into the Democratic National Committee e-mails and the release of confidential information as well as disinformation operations”,[92] amount to an unlawful intervention. The U.S. has attributed these activities to Russia but has not referred to them as an unlawful intervention. Scholarship is divided over the question whether these activities met the high thresholds of the principle of non-intervention. While it is uncontroversial that targeting another state’s elections falls within the targeted state’s domaine réservé, it is unclear whether the coercion requirement was fulfilled. As Russia did not meddle with the vote count or directly changed the outcome, which would have amounted to an unlawful intervention, some argue that it was not fulfilled given that the U.S. was not forced into a specific outcome.[93] Others consider that the activities assessed collectively[94] or the fact that the election interference meddled with the people’s ability to choose their own government by influencing their choices[95] amounted to an unlawful intervention.

This example has demonstrated how difficult it is to apply the principle of non-intervention in practice. This is the case as most low-intensity cyber operations to not reach the high thresholds set out by the non-intervention principle. While some academic suggestions to redefine these thresholds exist,[96] they remain purely academic at this point. As the law stands, this means that most cyber operations fall short of these thresholds.

D. Jurisdiction in CyberspaceEdit

Exercising jurisdiction is “the legal competence of a State […] to make, apply, and enforce legal rules”.[97] As such, it is a way for the state to exercise its authority or control over a specific territory or activity and is a central competence of a state.[98] Like with many of the principles discussed here, there is little doubt that jurisdiction generally applies to cyberspace. States have repeatedly confirmed that they enjoy jurisdiction over Information and Communications Technology infrastructure in their territory.[99] Similarly, academia has also argued in favour of its applicability[100] and so do the Tallinn Manuals.[101] This includes prescriptive/legislative jurisdiction, enforcement jurisdiction and adjudicative jurisdiction alike.

While it might seem intuitive that a state would enjoy jurisdiction over cables and computers in its own territory, establishing jurisdiction is not always straight forward. Given the at least in part a-territorial nature of cyberspace, it is not always clear how such jurisdiction can be established in cyberspace. Generally speaking, jurisdiction can be established where there is a link between the state and the person or activity concerned. It can be established through a number of principles, such as territoriality or nationality as well as universality.[102] In cyberspace, however, it is primarily the question how the territoriality principle can be applied to establish a link between the state and the activity in question. This is because the nationality principle applies in the same fashion as outside a cyber context, even though identification of actors might be harder at times. Universal jurisdiction can be established for grave crimes or piracy, but not regular online behaviour.

A closer look at three theoretical approaches illustrates the difficulty of establishing jurisdiction in cyberspace. Let us take the example of a French website globally selling items online. Some argue that in this instance, the destination approach should be followed, i.e. granting a state jurisdiction if the website in question has been locally accessed.[103] Whereas this reasoning has been applied in the past,[104] it is ultimately not considered practical: given that customers from all over the world might be able to order from this website, it allows for too many competing claims for jurisdiction. This is because there is hardly any threshold that has to be met for a state to argue it has jurisdiction. As a consequence, it comes close to a universal jurisdiction which, traditionally, is only reserved for the most severe crimes, such as piracy,[105] but not to regular activities in cyberspace such as online shopping.

Therefore, a variation of the destination approach, i.e. the targeted destination approach, has been advanced. According to it, no longer any state that can access the website can establish jurisdiction but only those states that have been targeted by a website.[106] The targeted destination approach has been applied by the European Court of Justice, but has been criticised for advancing fragmentation of otherwise global cyberspace and has been consider unsuitable for intangible services, e.g. streaming films.[107]

Finally, there is the origin approach, i.e. the idea that jurisdiction is granted to the state where a website is either registered or hosted. Coming back to our example, this means that the French registered website would only have to comply with French law even when it sells items to customers in other states. While such approach is appreciated by businesses who under this approach merely have to comply with the law of one state, it also bears the risk of a “race to the bottom” as businesses are thus tempted to registered in the state with the most lenient regulation in place.[108]

This short overview is by no means comprehensive, but it has illustrated some of the factors that need to be considered when trying to apply existing principles around jurisdiction to activities in cyberspace and what risks and impacts follow. Finally, this section will take a closer look at a particularly controversial issue concerning jurisdiction in cyberspace.

Advanced: Extraterritorial Jurisdiction over Data

A much-debated issue exemplifying how matters of jurisdiction can play out in practice is the extra-territorial jurisdiction over data. In a day and age that considers data a resource, the question of who has access to and control over data is a critical one. The Microsoft Ireland case here has illustrated this when a 2013 warrant of U.S. federal prosecutors demanded access to emails and accounts stored by Microsoft. Microsoft handed over metadata stored on U.S. servers, but refused to include data stored on Irish servers. Before the case could be decided in front of the U.S. Supreme Court, the U.S. government withdrew its appeal and legislated the U.S. CLOUD Act, which grants extensive powers to U.S. law enforcement by specifying that data must be disclosed irrespective of its location.[109] It thereby unilaterally expanded its jurisdictional reach. The far-reaching powers of U.S. law enforcement have been much criticised, particularly in France according to which the U.S. Cloud Act “totally ignores the sovereignty of other States and the application of their law”.[110] It remains to be seen whether the newly agreed upon data sharing act between the U.S. and the EU can resolve ongoing disputes over the matter.[111]

E. State-ResponsibilityEdit

States are not the only active parties using cyber operations to achieve their aims. Various groups of users may deploy cyber operations, e.g. as cyber criminals with primarily monetary aims or hacktivist pursuing political aims. Many states also outsource their cyber operations to non-state actors or proxy-actors, benefitting from their skills, their cheap labour and the anonymity, given the lower risk of the activity being traced back to the state. However, the line between who is responsible for the activity in question is not always straight forward. Indeed, attributing a cyber operation to as much a question of fact and technical attribution as it is a legal one.[112]

Example for Proxy Groups: Several hacker groups have been identified as so-called proxy groups, acting for a state. Prominent examples include CozyBear (Russia, suspected behind SolarWinds hack), Lazarus Group (North Korea, launched Wannacry ransomware attack), and Double Dragon (China, significant hacking campaigns and espionage in i.a. UK and US).[113]

There are also criminal hacker groups that conduct attacks which are primarily conducted out of monetary motivation, but which are nevertheless suspected to have some ties to governments – at the very least in the sense that they do not fear prosecution for their actions from a certain state as long as they do not target it directly. For example, the Conti ransomware group was responsible for a wide range of ransomware attacks in 2020 and 2021.[114] Although “evidence of Conti’s direct ties to the Russian government remains elusive”, their activities largely aligned with the interest of the Russian government and they do not have to fear prosecution by the Russian state.[115]

In a domain that allows skilled actors to remain largely anonymous, understanding what cyber operation took place and what its consequences are is critical next to identifying from which machine a cyber operation was launched, who launched it and whether the act can be attributed to a state actor against whom the response can be taken is key.[116] While the attribution of a cyber operation to a machine or a person is primarily factual and technical, it is also extremely complex and often challenging to find evidence for attribution, especially where actors impersonate one another. Nevertheless, significant progress has been made in the forensic analysis that forms the basis for any factual assessment of attribution.

States are nowadays more likely to attribution cyber operations than they were in the beginning of the 21st century.[117] For such attribution, however, there also needs to be legal attribution. Legal attribution of an act or an omission to a state can be made under the law of state responsibility.[118] It determines whether the act of a group or an individual constitutes an international wrongful act that can be attributed to a state and, if this is the case, whether there are any circumstances precluding wrongfulness.[119] For the application of the law of state responsibility in cyberspace, which was confirmed by states,[120] the UN working groups,[121] and initiatives such as the Tallinn Manual,[122] it is primarily the issue of attribution that raises further debate.

The law of state responsibility can primarily be found in the 2001 Articles on State Responsibility which provide insights on when an act or omission can be attributed to a state. This is of course the case if state officials or a state organ acts on behalf of the state,[123] but may also be the case for individuals or groups as the proxy actors mentioned above. Art. 8, widely considered to reflect customary international law,[124] clearly states that

“The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct”.

The group or individual must therefore not act in complete dependence on the state, in which case they would amount to a state organ anyway, but it suffices if they are either under the instructions or direction or control of a state.[125] The difference between the three notions – if there is one – is not always clear.[126] If a state instructs a group to conduct a specific cyber operation, the act is attributable to the state. Although not all details must be determined, not every generic call for action qualifies as instruction, nor is an act attributable to a state if the group or individual exceed the instructions given.[127] Direction refers to an “ongoing relationship of subordination”, e.g. where a state gives long-term guidance rather than specific instructions to a group.[128] Finally, control that goes beyond mere control over the territory in question but amounts to actual control over the non-state actor means that the act or omission can be attributed to the state.[129]

Much more could be said here about the various degrees of connection between the state and the non-state actor in question and what legal consequences such relationship carries. For the purposes of this introductory chapter, however, it is important to remember that just because states outsource their cyber operations to individuals or groups, this does not mean they cannot be held responsible for such acts or omissions. Instead, the law of responsibility also applies in cyberspace and allows for the attribution for such acts or omissions to the state in question. Even though factual and technical attribution still remains challenging, much progress has been made on the forensics behind such analysis.

F. International Humanitarian Law in CyberspaceEdit

Unlike some of the other areas of international law examined here, the applicability of international humanitarian law (IHL) in cyberspace was a controversial topic amongst states. For example, the failure to reach agreement over the 2017 UN GGE report arguably at least partially stems from disagreement regarding the applicability of international humanitarian law in cyberspace.[130] The academics of the Tallinn Manual 1.0, published in 2013, had already clearly supported the applicability of IHL to cyber operations conducted in the context of an armed conflict.[131] Since then, individual states have confirmed this interpretation.[132]

Confirming the general applicability of IHL in cyberspace, a closer look at practice is needed to understand how and when it applies exactly. The narrative of a cyber pearl harbour and cyber Armageddon, which were particularly prominent in the 2010s, are nowadays considered inaccurate[133] - particularly in light of the Russian 2022 invasion of Ukraine. Nevertheless, such language raises the question of when and how IHL applies to cyber operations. The application of IHL is triggered where an international or non-international armed conflict exists.[134] However, to this day, no individual cyberattack has reached this threshold and it remains unlikely that this threshold will be reached.[135] As such, international humanitarian law will most likely apply to cyber operation where these form part of a conventional armed conflict, as is the case in Ukraine. Long subject to Russian cyber attacks, Ukraine faced an increase in number and intensity of such attacks in the context of the 2022 invasion. Russia continues to attack Ukraine through a range of cyber activities, including DDoS attacks and other cyber operations, some of which are coordinated with kinetic attacks.[136]

Where a cyber operation does form part of an international or non-international armed conflict and constitutes an attack, it has to comply with the same principles of IHL that also apply to kinetic attacks. Given this short introduction of this chapter, this section is limited to the following provisions that point the reader to key elements of international humanitarian law but naturally does not present a comprehensive analysis.

I. The Principle of DistinctionEdit

The principle of distinction is a central principle of IHL which forms part of customary international law and as such, it is applicable to international and non-international armed conflicts.[137] It foresees that an attack must at all times distinguish between combatants or military objectives who can be directly targeted and civilians or civilian objects who may not be directly targeted.[138] Medical or religious personnel of armed forces, injured combatants or prisoners of war may not be directly targeted. Military objectives, i.e. objects that according to their nature, use, purpose or location make an effective contribution to military operations and whose capture, destruction or neutralisation would confer a definite military advantage, may be directly targeted.[139] In contrast, civilian objects and civilians may not be directly targeted, unless they have been turned into a military objective (e.g. by location munition in a school) or are civilians directly participating in hostilities may not be targeted. Whereas these rules apply to cyberspace,[140] details thereof remain unclear.[141] The interconnectivity of ICT infrastructure further means that it is not always clear how to distinguish between civilian and military structures. To enable greater distinction, the ICRC has suggested a digital emblem marking hospitals and other digital infrastructure that may not be directly targeted.[142]

II. The Principle of ProportionalityEdit

The second cornerstone principle of IHL is that of proportionality, which is also part of international customary law, and therefore, applies to international and non-international armed conflicts alike.[143] It means that an attack against a military objectives is unlawful where the concrete and direct anticipated military advantage of an attack is excessive in relation to the attack’s impact on civilian life or the damage or destruction of civilian objects.[144] If an attack is directed against civilians or a civilian object, the attack is automatically unlawful and may even amount to a war crime.[145] The principle of proportionality also applies to cyber operations that are an attack in an armed conflict.[146] Controversial is the question whether attacks that do not cause or are intended to cause physical effects are also subject to the proportionality assessment. The Tallinn Manual, for example, argues that this is not the case. Accordingly, information operations or electronic warfare against communications systems are not subject to the proportionality assessment.[147]

III. The Principle of PrecautionEdit

Thirdly, an attack must comply with the customary principle of precaution, i.e. the attacker must take constant care to spare the civilian population, civilians and civilian object and must take all feasible precautions to minimise or avoid incidental loss of civilian life, injury or damage or destruction to civilian objects.[148] It follows that when planning or conducting an attack that is likely to result in excessive harm, such attack must be cancelled or suspended. As such, the principle is similar to the principle of proportionality, but refers to elements such as timing, means and methods of an attack.[149] The Tallinn Manual provides insights on how precautions can be taken for cyber attacks, e.g. by including technical experts in the planning of attacks.[150]

Further critical principles like the prohibition of perfidious attacks or questions such as the geographical scope of the applicability of IHL to cyber operations as well as the application of the law of neutrality cannot be covered here for reasons of scope. However, the previous examples have demonstrated that although it is unlikely that cyber attacks may amount to an armed conflict on their own, where they form part of such armed conflict, they are subject to the same key provisions conventional attacks are.

G. Human Rights LawEdit

Early versions of cyberspace and the development of the internet were seen as a revolutionary opportunity to advance human rights standards globally, the development of one fertilising the development of the other.[151] Such development, however, was not appreciated by authoritarian states which, by relying on notions of sovereignty and non-intervention, restricted access to the internet as a form to oppose U.S. soft power.[152] Nowadays, the intersection of cyberspace and human rights often raises associations of internet restrictions, internet shut downs and human rights infringements. Examples that come to mind is the Great Firewall in China,[153] the heavy free speech restrictions in Russia[154] or repeated shutdown of internet in Iran in response to protests.[155] They all illustrate how closely cyberspace and human rights are interconnected.

I. Freedom of Expression OnlineEdit

There is widespread agreement that human rights also apply online.[156] Amongst the most prominent examples of human rights online are some of the civil and political rights related to communications, including the right to freedom of expression and the right to privacy as well as connected rights such as the freedom of opinion and thought. The freedom of expression and its application to cyberspace is a particularly contentious topic,[157] but differences in interpretation of the scope of free speech have existed long before the popularity of the internet and social media. For example, the U.S. follows a much more expansive interpretation of freedom of speech than Germany, particularly when it comes to Holocaust denial and hate speech, but differences are also reflected amongst different human rights treaties like the ECHR or the ICCPR. However, varying restrictions of the freedom of expression are particularly evident when comparing restrictive practices of authoritarian and liberal states. In light of increased restrictions of free speech online, procedural protections of the right to free speech are crucial.[158]

Varying approaches to the restriction of free speech stand in particularly stark contrast to the divergence of communications enabled by the global reach of social media platforms. While large proportions of the globe are connected through platforms like Facebook or Twitter, access thereto is restricted in states like China or Iran.[159] Within these platforms, however, freedom of speech is not unregulated either. Instead, content moderation or the lack thereof by social media platforms is a reoccurring topic of controversy.[160] The powerful position of a handful of tech giants raises questions over who regulates freedom of speech and again, what procedural safeguards are in place.

II. The Right to Privacy OnlineEdit

The right to privacy is another key human right that is central in the debate on how human rights law applies online. It can be found in international human rights treaties such as Art. 17 ICCPR. As such, it pre-dates the rise of the internet, but in an increasingly inter-connected world fuelled by data, the right to privacy has gained ever more importance.

In some respects, much progress has been made with respect to protecting privacy in the digital age. Particularly the EU’s General Direction on Privacy Rights (GDPR) has been highly influential in setting standards of data protection in and beyond Europe.[161] However, there remain significant discrepancies between the standards set out in human rights treaties such as the ICCPR and “the reality of government practices on privacy”, such as expansive surveillance practices.[162] Additional concerns include the powerful role of tech-giants, fed by ever more information users post online, raises questions about privacy standards and how government can or wants to impose them via the private sector regulation as well as how government can protect citizens’ privacy from interferences via cyber crime or cyber espionage.[163]

III. A New Right to Internet Access?Edit

Human rights law online also addresses the realisation of economic, social and cultural rights. While it is clear that economic, social and cultural rights also apply online, how they can be advanced largely relates to aspects such as digital access and a stable and secure internet connection in the first place. These circumstances are, however, not always given but instead, there is a digital divide both across and within states. Given the economic and cultural importance of the internet, some find that access is key to realise the right to development while others have gone even further and advocated for a self-standing human right to internet access.[164] However, such argument is highly controversial and points out that many details on the question of how human rights law plays out online is in fact still unclear and under development.

Further ReadingsEdit

  • Source I
  • Source II


In a highly digitalised world, almost all aspects of life are interconnected with online activities. This is also true for subject matters that typically fall under the scope of international law, such as general principles of international law, humanitarian law or the law of state responsibility. This chapter has demonstrated that existing norms of international law find application in cyberspace, whether it is to inter-state cyber operations targeting foreign elections or those conducted in connection with armed conflicts, or whether it affects human rights law and the freedom of speech online. However, this chapter has also pointed out that although the application of international law to cyberspace is widely agreed upon, including the more specific areas thereof examined in this chapter, the discussions on how it applies exactly are still at their beginning. Both technology and state practice are developing further, feeding into the discourse on how international law exactly applies to cyberspace. Furthermore, numerous initiatives on norm-development in cyberspace add to the discourse. Against this backdrop, many of the details on the interpretation and application of international law remain unclear at this stage, requiring further research and clarification by both academia and state practice.

Table of ContentsEdit

Back to home page

Part I - History, Theory, and Methods

Part II - General International Law

Part III - Specialized Fields


  1. The first footnote. Please adhere to OSCOLA when formating citations. Whenever possible, provide a link with the citation, ideally to an open-access source.
  2. Sean Watts, 'Low Intensity Cyber Operations and the Principle of Non-Intervention' (2014) <> accessed 5 December 2022, 1.
  3. François Delerue, Cyber Operations and International Law (Cambridge University Press 2021), 1.
  4. See e.g. New Zealand Ministry of Foreign Affairs and Trade, The Application of International Law to State Activity in Cyberspace (2020), §3-4; The Federal Government of Germany, On the Application of International Law in Cyberspace (2021), 1.
  5. UN GGE Report 2013, §19; UN GGE Report 2015, §24.
  6. See e.g Delerue, 1-2.
  7. See e.g. The Federal Government of Germany; Finnish Ministry of Foreign Affairs, International Law and Cyberspace - Finland’s National Positions (2020); French Ministère des Armées, International Law Applied to Operations in Cyberspace (2019).
  8. = E.g. Cyber Peace Institute, ‘The UN GGE Final Report: A milestone in cyber diplomacy, but where is the accountability?’, 9 June 2021, available via, last accessed 25 February 2023. =
  9. E.g. Cyber Peace Institute, ‘Open-Ended Working Group on security of and use of information and communications technologies 2021-2025 (OEWG II), 25 March 2022, available via, last accessed 25 February 2023.
  10. Dan Efrony, The UN Cyber Groups, GGE and OEWG – A Consensus is Optimal, But Time is of the Essence (2021).
  11. NATO, AJP-3.20: Allied Joint Doctrine for Cyberspace Operations (2020).
  12. G20 Leaders’ Communiqué, Antalya, Turkey, 16 November 2015, available via, last accessed 25 February 2023, §26.
  13. See Paris Call, For Trust and Security in Cyberspace,
  14. Zhixiong Huang and Kubo Mačák, 'Towards the International Rule of Law in Cyberspace: Contrasting Chinese and Western Approaches' (2017) 16 Chinese Journal of International Law 271, 286.
  15. Andrew N. Liaropoulos, 'Cyberspace Governance and State Sovereignty' in Goerge Bitros and Nicholas Kyriazis (eds), Democracy and an Open-Economy World Order (Springer 2017), 30f.
  16. Ibid, 31.
  17. Brad Smith, 'The Need for a Digital Geneva Convention' (2017) <> accessed 17 June 2022.
  18. Michael N. Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013); Michael N. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017).
  19. Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda) (Judgment) [2005] ICJ Reports 168, 223–224, para 148.
  20. Finnish Ministry of Foreign Affairs, International Law and Cyberspace - Finland’s National Positions (2020), 6-7; The Federal Government of Germany, 6; New Zealand Ministry of Foreign Affairs and Trade, §6-8.
  21. UN GGE Report 2015, §26.
  22. Michael N. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017), Rule 68.
  23. Confirming that „The absence of specific references to cyber operations does not render the UN Charter law inapplicable to cyber operations”, Delerue, 277.
  24. Ibid, 284.
  25. Tom Ruys, ‘The Meaning of “Force” and the Boundaries of the Jus Ad Bellum: Are “Minimal” Uses of Force Excluded from UN Charter Article 2(4)?’ (2014) 108 American Journal of International Law 159, 163.
  26. Michael N. Schmitt, 'Cyber Operations and the Jus Ad Bellum Revisited' (2011) 56 Vilanova Law Review 569.
  27. Delerue, 286.
  28. Ibid, 287.
  29. Ibid, 288.
  30. Delerue, 289.
  31. Delerue, 289.
  32. Russell Buchan and Nicholas Tsagourias, Regulating the Use of Force in International Law: Stability and Change, (Edward Elgar 2021), 118.
  33. Michael Schmitt, ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework’, 1998-1999 37 Columbia Journal of Transnational Law, 885, 914-915.
  34. Buchan and Tsagourias, 119ff.
  35. Delerue, 290.
  36. Michael N. Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013), 47, §7.
  37. Nicaragua case, §191.
  38. Nicaragua case, §195.
  39. Delerue, 330-331, referencing Ruys, 139.
  40. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, commentary to rule 71, §13.
  41. Andrew (I) Moore, 'Stuxnet and Article 2(4)'s Prohibition against the Use of Force: Customary Law and Potential Models' (2015) 64 Naval Law Review 1, 1-2.
  42. Ibid
  43. Buchan and Tsagourias, 118-119, also note in footnote 19.
  44. Russell Buchan, 'Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?' (2012) 17 Journal of Conflict and Security Law 212, 219-221.
  45. Delerue, 297.
  46. Ibid, 333.
  47. Samantha Besson, Sovereignty (2011), §1.
  48. John H. Jackson, 'Sovereignty-Modern: A New Approach to an Outdated Concept' (2003) 97 The American Journal of International Law 782.
  49. For example in UN GGE, Report 2013, para. 20; UN GGE, Report 2021, para. 71(b).
  50. See e.g. Sarah Myers West, 'Globalizing Internet Governance: Negotiating Cyberspace Agreements in the Post-Snowden Era' (2014 TPRC); Andrew N. Liaropoulos, 'Cyberspace Governance and State Sovereignty' in Goerge Bitros and Nicholas Kyriazis (eds), Democracy and an Open-Economy World Order (Springer 2017).
  51. International Law Commission, ‘Responsibility of States for Internationally Wrongful Acts’ (2001), UN Doc A/56/49 (Vol. I)/Corr.4. (2005), Art. 2.
  52. Ibid, Art. 49.
  53. Ibid, Art. 51.
  54. Ibid, Art. 22.
  55. Kriangsak Kittichaisaree, Public International Law of Cyberspace, vol 32 (Law, Governance and Technology Series, Springer 2017), 194; Thomas Griegerich, ‘Retorsion’, Max Planck Encyclopedias of International Law, September 2020.
  56. Jeremy Wright, Cyber and International Law in the 21st Century (2018); Suella Braverman, International Law in Future Frontiers (2022).
  57. Most prominently see Gary P. Corn and Robert Taylor, 'Sovereignty in the Age of Cyber' (2017) 111 AJIL Unbound 207.
  58. Finnish Ministry of Foreign Affairs, 3.
  59. New Zealand Ministry of Foreign Affairs and Trade, §12.
  60. The Federal Government of Germany, 3-4.
  61. French Ministère des Armées, International Law Applied to Operations in Cyberspace (2019), 6-7.
  62. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, see commentary for rule 4.
  63. E.g. Przemyslaw Roguski, 'Layered Sovereignty: Adjusting Traditional Notions of Sovereignty to a Digital Environment' (11th International Conference on Cyber Conflict: Silent Battle); Kevin Jon Heller, 'In Defense of Pure Sovereignty in Cyberspace' (2021) 97 International Law Studies 1432; Michael N. Schmitt and Liis Vihul, 'Respect for Sovereignty in Cyberspace' (2017) 95 Texas Law Review 1639.
  64. French Ministère des Armées, 6-7; Przemyslaw Roguski, 'Violations of Territorial Sovereignty in Cyberspace - an Intrusion-based Approach' in Dennis Broeders and Bibi van den Berg (eds), Governing Cyberspace - Behavior, Power, and Diplomacy (Rowman & Littlefield 2020), 72.
  65. E.g. The Federal Government of Germany, 4.
  66. Dutch Minister of Foreign Affairs, Letter to Parliament: International Law in Cyberspace (2019), 3.
  67. New Zealand Ministry of Foreign Affairs and Trade, 3.
  68. Buchan, 218f.
  69. Kaspersky, 'Cyberwar in Ukraine leads to all-time-high levels of DDoS attack' (2022) <> accessed 14 June 2022.
  70. Michael N. Schmitt, France’s Major Statement on International Law and Cyber: An Assessment (2019).
  71. See e.g. Buchan.
  72. Henning Lahmann, 'On the Politics and Ideologies of the Sovereignty Discourse in Cyberspace' (2021) 32 Duke Journal of Comparative & International Law 61, XX.
  73. Delerue, 198.
  74. Heller, 1454ff.
  75. For a more detailed analysis preceding the cyber debate see, e.g. Christian Tomuschat, International Law: Ensuring the Survival of Mankind on the Eve of a New Century General Course on Public International Law (Volume 281) (Collected Courses of the Hague Academy of International Law, Brill 1999), 231ff.
  76. UN GGE Report 2021, §71; UN GGE Report 2015, §28(b).
  77. The Federal Government of Germany, 4-6; New Zealand Ministry of Foreign Affairs and Trade, §9-10; Finnish Ministry of Foreign Affairs, 3-4.
  78. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Rule 66.
  79. Thibault Moulin, 'Reviving the Principle of Non-Intervention in Cyberspace: The Path Forward' (2020) 25 Journal of Conflict and Security Law 423; Nicholas Tsagourias, 'Electoral Cyber Interference, Self-Determination and the Principle of Non-Intervention in Cyberspace' in Dennis Broeders and Bibi van den Berg (eds), Governing Cyberspace - Behavior, Power, and Diplomacy (Rowman & Littlefield 2020); Ido Kilovaty, 'Doxfare: Politically Motivated Leaks and the Future of the Norm on Non-Intervention in the Era of Waponized Information' (2018) 9 Harvard National Security Journal 146.
  80. Oppenheim, e.g., made clear “That intervention is, as a rule, forbidden by international law there is no doubt”, Robert Jennings and Arthur Watts (eds), Oppenheim’s International Law, vol 1 (9 edn, Addison Wesley Longman 1996); ibid, 428.
  81. Kunig, e.g. says that „the exact meaning of the principle remains unclear”, Philip Kunig, Prohibition of Intervention (2008), §1.
  82. Nicaragua case, §202.
  83. Nationality Decrees in Tunis and Morocco Case, 1923 PCIJ, Series B Number 4, 24.
  84. Kunig, §3.
  85. Moulin speaks of “shifting contours”, Moulin, 430.
  86. Nicaragua case, §205.
  87. Michael N. Schmitt, 'Foreign Cyber Interference in Elections' (2021) 97 International Law Studies 739, 746.
  88. Nicaragua case, §205.
  89. Maziar Jamnejad and Michael Wood, 'The Principle of Non-intervention' (2009) 22 Leiden Journal of International Law 345, 348.
  90. W. M. Reismann, Nullity and Revision: The Review and Enforcement of International Judgments and Awards (Yale University Press 1971), 859.
  91. Larsa Oppenheim, International Law: A Treatise (Longmans, Green and Co 1955), 305.
  92. Tsagourias, 48-49.
  93. Michael N. Schmitt, '“Virtual” Disenfranchisement: Cyber Election Meddling in the Grey Zones of International law' (2018) 19 Chicago Journal of International Law 30, 49-50.
  94. Steven J. Barela, Cross-Border Cyber Ops to Erode Legitimacy: An Act of Coercion (2017).
  95. Tsagourias, 54.
  96. Kilovaty, 169f.
  97. Gleider I. Hernández, International law (Oxford University Press 2019), 194.
  98. Ibid, 194.
  99. UN GGE, Report 2015, §28(a).
  100. See e.g. Uta Kohl, 'Jurisdiction in Cyberspace' in Nicholas Tsagourias and Russell Buchan (eds), Research Handbook on International Law and Cyberspace (Edward Elgar Publishing 2015).
  101. Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare, Rule 2; Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Rule 8.
  102. Hernández, 199f.
  103. Kohl, 38.
  104. See e.g. LICRA v. Yahoo! Inc & Yahoo France (Tribunal de Grande Instance de Paris, 22 May 2000); Arzneimittelwerbung im Internet BGH (30 March 2006) I ZR 24/03, §27–30.
  105. Bernard Oxman, Jurisdiction of States (2007), Max Planck Encyclopedia of International Law, §37ff.
  106. Kohl, 45.
  107. Edouard Treppoz, 'Jurisdiction in the Cyberspace' (2016) 26 Swiss Review of International and European Law 273, 281-284.
  108. Kohl, 49-50.
  109. Jennifer Daskal, 'Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0' (2018) 71 Stanford Law Review Online 9, 11.
  110. Raphaël Gauvain, 'Rétablir la souveraineté de la France et de l’Europe et protéger nos entreprises des lois et mesures à portée extraterritoriale' (Assemblée Nationale, 2019) <> accessed 11 September 2022.
  111. Mark Scott et al, ‘Biden signs executive order on EU-US data privacy agreement’, Politico, 7 October 2022, but also Craig Hale, ‘EU lawmakers argue against signing US data-transfer pact’, Tech Radar, 23 February 2023,
  112. Delerue, 51.
  113. Edvardas Mikalauskas, ‘The World’s Most Dangerous State-Sponsored Hacker Groups’, Cybernews, 10 December 2021, available via, last accessed 21 February 2023.
  114. Flashpoint, ‘Conti Ransomware: The History Behind One of the World’s Most Aggressive RaaS Groups’, Flashpoint, 4 October 2022, available via, last accessed 25 February 2023.
  115. Although some disagreement exists over the 2022 war against Ukraine, Matt Burgess, ‘Leaked Ransomware Docs Show Conti Helping Putin in the Shadows’, Wired, 18 March 2022, available via, last accessed 25 February 2023.
  116. Delerue, 51-52.
  117. Harriet Moynihan, The Application of International Law to State Cyberattacks - Sovereignty and Non-Intervention (2019), 3-4.
  118. See e.g. James Crawford, State Responsibility (2006), Max Planck Encyclopedia of International Law.
  119. Art. 1, 2 and 20ff, ILC Draft Articles on State Responsibility, available via
  120. E.g. New Zealand Ministry of Foreign Affairs and Trade, §3; The Federal Government of Germany, 10.
  121. UN GGE Report 2015, §7-8, §12-13.
  122. Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare, 29-41.
  123. Art. 4 Draft Articles on State Responsibility.
  124. Kubo Macák, 'Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors' (2016) 21 Journal of Conflict and Security Law 405, 407.
  125. Commentary to Art. 8 Draft Articles on State Responsibility, §7, available via
  126. Macák, 411f.
  127. Ibid, 415ff.
  128. Ibid, 419.
  129. Ibid, 420.
  130. Samuele De Tomas Colatin, 'A Surprising Turn of Events: UN Creates Two Working Groups on Cyberspace' (CCDCOE, <> accessed 20 February 2021.
  131. Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare, Rule 80.
  132. See e.g. The Federal Government of Germany, 1; New Zealand Ministry of Foreign Affairs and Trade, §3; Finnish Ministry of Foreign Affairs, 6.
  133. See e.g. Shannon Vavra, ‘What gets lost in ‘cyber Pearl Harbor’-style rhetoric’, Cyberscoop, 7 April 2021, available via, last accessed 25 February 2023.
  134. For definitions thereof see ICRC Opinion Paper, “How is the Term “Armed Conflict” Defined in Interantional Humanitarian Law?”, March 2008, available via, last accessed 25 February 2023.
  135. Terry D. Gill, 'International humanitarian law applied to cyber-warfare: precautions, proportionality and the notion of ‘attack’ under the humanitarian law of armed conflict' in N. Tsagourias and R. Buchan (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2021), 458.
  136. See e.g. Jon Bateman, ‘Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications’, Carnegie Endowment for International Peace, December 2022, available via
  137. ICRC, Customary International Humanitarian Law Database, Rule 12,
  138. Art, 48 AP I.
  139. AP I 52(2).
  140. UN GGE Report 2015, §28(d).
  141. Karine Bannelier, 'Is the principle of distinction still relevant in cyberwarfare? From doctrinal discourse to States’ practice' in N. Tsagourias and R. Buchan (eds), Research handbook on international law and cyberspace (Edward Elgar 2021), 432ff,
  142. Tilman Rodenhäuser and Mauro Vignati, “How Can a ‘Digital Emblem’ Help Protect Medical Facilities Against Cyber Operations?”, 27 January 2023,, last accessed 25 February 2023.
  143. ICRC, Customary International Humanitarian Law Database, Rule 14,
  144. Art. 51(5)(b) AP I.
  145. ICRC, Customary International Humanitarian Law Database, Rule 11,
  146. Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare, rule 30; UN GGE Report 2015, §28(d).
  147. Gill, 465.
  148. ICRC, Customary International Humanitarian Law Database, Rule 15,
  149. Gill, 464.
  150. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, rule 114.
  151. David P. Fidler, ‘Cyberspace and human rights’, in Nicholas Tsagourias and Russel Buchan (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2021), 132.
  152. Fidler, 132-133.
  153. Elizabeth C Economy, 'The Great Firewall of China: Xi Jinping’s internet shutdown' The Guardian (London 29 June 2018) <> accessed 5 December 2022.
  154. Sarah Rainsford, 'Russia Internet: Law Introducing New Controls Comes into Force' BBC (London 20 February 2021) <> accessed 12 December 2020.
  155. Weronika Strzyznska, ‘Iran blocks capital’s internet access as Amini protests grow’ The Guardian (London 22 September 2022) <> accessed 25 February 2023.
  156. See e.g. Human Rights Council, Promotion and protection of all human rights, civil, political, economic, social and cultural rights, including the right to development, 7 July 2021, UN Doc A/HRC/47/L.22.
  157. See e.g. Barrie Sander, ‘Freedom of Expression in the Age of Online Platforms: The Promise and Pitfalls of a Human Rights-Based Approach to Content Moderation’ (2019-2020) 43 Fordham International Law Journal 939.
  158. Fidler, 136.
  159. Eloise Barry, ‘These are the countries where Twitter, Facebook and TikTok are banned’, Time (18 January 2022),, last accessed 25 February 2023.
  160. Kate Klonick, ‘The Facebook Oversight Board: Creating an Independent Institution to Adjudicate Online Free Expression’ (2020) 129 Yale Law Journal, No. 2418, <>; Natalie Alkiviadou, ‘Hate speech on social media networks: towards a regulatory framework?’, (2019) 28 Information & Communications Technology Law 1, 19-35.
  161. Giovanni Buttarelli, 'The EU GDPR as a clarion call for a new global digital gold standard' (2016) 6 International Data Privacy Law 77.
  162. Fidler, 138-139.
  163. Fidler, 139; referencing Human Rights Council, The Right to Privacy in the Digital Age: Report of the UN High Commissioner for Human Rights, UN Doc A/HRC/39/29, 3 August 2018.
  164. Stephen Tully, ‘A Human Right to Access the Internet? Problems and Prospects’, (2014) 14 Human Rights Law Review 2, 175-195.