Michael N. Schmitt & Sean Watts[*]
[Full text of this Article in PDF is available at this link]
I. Introduction
In May 2019, during remarks at the annual International Conference on Cyber Conflict, Estonian President Kersti Kaljulaid offered her government’s views on a number of key international legal questions relating to cyberspace.[1] Expressing concern at the growing frequency of malicious cyber operations, she announced the following:
Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation. The countermeasures applied should follow the principle of proportionality and other principles established within the international customary law. . . . It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace.[2]
Delivered by a vibrant liberal democracy’s head of state and an enthusiastic supporter of international law, the Estonian position on collective countermeasures should be taken seriously and at face value. The position bears evidence of careful, if somewhat veiled, deliberation. Such public pronouncements on international law by law-abiding states are not made lightly.
Yet, soon after President Kaljulaid’s remarks, the French Armed Forces Ministry published a document summarizing its views on how international law governs cyberspace.[3] Like President Kaljulaid’s speech, it highlighted growing security threats in cyberspace from both state and non-state actors.[4] However, the Ministry expressly rejected the option of collective countermeasures as a lawful response to breaches of international law.[5] Rather, it asserted, “Collective counter-measures are not authorised, which rules out the possibility of France taking such measures in response to an infringement of another State’s rights.”[6]
States like New Zealand lie between these two positions, dealing cautiously and non-committedly with the matter in announcing:
Given the collective interest in the observance of international law in cyberspace, and the potential asymmetry between malicious and victim states, New Zealand is open to the proposition that victim states, in limited circumstances, may request assistance from other states in applying proportionate countermeasures to induce compliance by the state acting in breach of international law.[7]
Countermeasures are an established and instrumental aspect of the international legal system of self-help. They comprise non-forcible, but otherwise unlawful, acts undertaken in response to another state’s breach of an international law obligation.[8] Available to induce the offending state (the “responsible state”) to desist in its unlawful conduct and/or provide any reparations that may be due the victim state (the “injured state”),[9] a countermeasure is grounded in circumstances of “precluding wrongfulness” of a state’s actions under the law of state responsibility.[10]
Although the idea of countermeasures has long been a part of international law’s system of self-regulation,[11] the potential for their abuse and the risk that they might incite escalatory cycles of retaliation have resulted in strict limits found in the law of state responsibility, some of which are legally ambiguous.[12] The question whether the right to engage in countermeasures is strictly limited to injured states remains a key controversy. By one view, which we label the “bilateral” approach, an injured state may not enlist non-injured states to undertake “collective countermeasures,” that is, countermeasures engaged in on behalf of the injured state. Under this approach, non-injured states also may not offer or intervene with countermeasures on their own accord against the responsible state. France advances this legal position.
The shortcomings of the bilateral approach are apparent. The lack of collective responses to international law breaches would render self-help through countermeasures impossible for many weak states. If forced to respond alone, they would not be able to induce more powerful responsible states to cease unlawful activity. The Estonian case is paradigmatic. As a small NATO member lying on the border of a hostile Russia, it relies on its allies for security. This dependency is not only true with respect to a potential armed attack triggering Article 5 of the North Atlantic Treaty,[13] but also vis-a-vis “below the threshold” unlawful activity, including in cyberspace.[14] This situation leads to the Estonian position, which we shall label the “collectivist” approach, by which a non-injured state may assist an injured state to take countermeasures or engage in countermeasures on its behalf.
These differing perspectives on collective countermeasures reflect competing conceptions of international law—one that sees this body of law as primarily bilateral in character, the other as a normative system relying heavily on collective and cooperative means of self-help. Through the early twentieth century, internationally wrongful conduct was conceived chiefly as a bilateral matter, that is, exclusively between responsible and injured states.[15] That conception would be challenged in the second half of the century as support emerged for a collectivist vision of international law meant to both enhance the prospect of enforcement and better bind the international community together.[16]
The collectivist conception holds that certain international norms, like the prohibition on genocide, are owed to the international community as a whole, or erga omnes.[17] In case of breach, injured states include not only those that were directly injured, but also the international community, collectively and severally.[18] International law also began to feature codified collective enforcement mechanisms, such as the United Nations (UN) Security Council’s authority to authorize or mandate action, including the use of force, under Chapter VII of the 1945 UN Charter[19] and the right of collective self-defense in Article 51 of that instrument.[20]
Views admitting collective countermeasures soon surfaced in other contexts as well. In 1953, the UN General Assembly requested that the UN-sponsored International Law Commission (ILC) codify the “principles of international law governing State responsibility.”[21] Despite concerns that the availability of collective countermeasures might undermine the UN system,[22] the ILC, as discussed infra, identified no prohibition on a collectivist remedial regime including countermeasures.[23] After all, the UN system itself illustrates the authority of states to address breaches collectively; states drew from the same well of sovereign authority to create a system that, from the collectivist view, can also serve as a basis for collective measures lying outside the UN Charter.
As explained infra, although countermeasures have roots in history, the advent of cyber operations brought them to center stage in international law discourse among states, for they appeared to offer a legal basis for “hack backs” by injured states.[24] Indeed, every state has confirmed the specific right to resort to countermeasures in the cyber context, though they sometimes disagree on the precise parameters governing them.[25] This stance accords with the International Court of Justice’s (ICJ) insistence that pre-existing international law rules govern nuclear weapons and likely other new technologies.[26] However, on the narrower issue of collective countermeasures, neither the Estonian President’s remarks nor the French Ministry of the Armies document included, nor to date have they been followed by, supporting legal elaboration. In fact, the notion of collective countermeasures has never materialized into a coherent, universally agreed doctrine.
This Article examines the merits of the competing bilateral and collective positions, which we see as reflecting a broader tension between bilateralist and collectivist conceptions of international law. After introducing the notion of countermeasures generally, we examine the evolution of approaches to collective countermeasures, most of which is reflected in the work of the ICJ and the ILC. We then survey and assess the international security conditions relevant to the issue of collective countermeasures and emphasize their use in cyberspace. Finally, we conclude that the issue remains unsettled as a matter of law, but that the Estonian position is not only the more reasonable one but also the better of the two when applied to cyber operations.
[*] Professor of International Law, University of Reading; Francis Lieber Distinguished Scholar, United States Military Academy at West Point; Charles H. Stockton Distinguished Scholar-in-Residence, United States Naval War College. Note, the author had earlier taken the position that collective countermeasures are impermissible. Michael N. Schmitt, “Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law, 54 Va. J. Int’l L. 697, 731 (2014). His position has evolved in light of the evolving threat environment and discussions with government policy-makers in many countries in the ensuing seven years since the piece was completed.
Professor, Department of Law, United States Military Academy at West Point; Co-Director, Lieber Institute for Law and Land Warfare, West Point. The opinions expressed are those of the authors in their personal capacity and do not necessarily reflect those of the United States Military Academy or the United States government.
[1] See Michael N. Schmitt, Estonia Speaks Out on Key Rules for Cyberspace, Just Security (June 10, 2019), https://www.justsecurity.org/64490/estonia-speaks-out-on-key-rules-for-cyberspace/ [https://perma.cc/LJ2R-8BYG].
[2] Kersti Kaljulaid, President of Estonia, Opening at CyCon 2019 (May 29, 2019), https://www.president.ee/en/official-duties/speeches/15241-president-of-the-republic-at-the-opening-of-cycon-2019/index.html [https://perma.cc/9F9M-EUYG].
[3] See France, Ministry of the Armies, International Law Applied to Operations in Cyberspace (2019), https://www.defense.gouv.fr/content/download/567648/9770527/file/international+law+applied+to+operations+in+cyberspace.pdf [https://perma.cc/WJQ3-XBWT]; see also Michael N. Schmitt, France’s Major Statement on International Law and Cyber: An Assessment, Just Security (Sept. 16, 2019), https://www.justsecurity.org/66194/frances-major-statement-on-international-law-and-cyber-an-assessment/ [https://perma.cc/K29P-NKXL].
[4] See generally France, Ministry of the Armies, supra note 3.
[5] See id. ¶ 1.1.3.
[6] Id.
[7] New Zealand, Dep’t of Foreign Affs. and Trade, The Application of International Law to State Activity in Cyberspace, ¶ 22 (2020), https://www.mfat.govt.nz/en/media-and-resources/ministry-statements-and-speeches/cyber-il/ [perma.cc/H7HZ-ULML].
[8] See Int’l Law Comm’n, Draft Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries, reprinted in [2001] 2 Y.B. Int’l L. Comm’n, pt. 2 art. 49(1), U.N. Doc. A/56/10 [hereinafter Articles on State Responsibility].
[9] See id. art. 22(1).
[10] See id. Other conditions precluding wrongfulness include consent, self-defense, necessity, force majeure, and distress. Id. pt. 1, ch. V.
[11] See James Crawford, Brownlie’s Principles of Public International Law 585 (8th ed. 2012) (characterizing availability of countermeasures as an important distinction between domestic legal systems and the international law).
[12] See Articles on State Responsibility, supra note 8, pt. 3, ch. II (outlining proposed limits on states’ resort to countermeasures including conditions precedent).
[13] North Atlantic Treaty art. 5, Apr. 4, 1949, 63 Stat. 2241, 34 U.N.T.S. 243.
[14] See generally Michael N. Schmitt, “Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law, 54 Va. J. Int’l L. 697 (2013).
[15] See Dionisio Anzilotti, Cours de Droit International 467–?68 (Gilbert Gidel trans., Recueil Sirey, 1947) (1929); Martti Koskenniemi, Solidarity Measures: State Responsibility as a New International Order?, 72 Brit. Y.B. Int’l L. 337, 339–340 (2001) (observing until the middle of the 1980s, countermeasures “remained in the bilateralist framework of traditional law . . . .”).
[16] See Clark M. Eichelberger, UN: The First Ten Years 22-31 (1955) (describing post-Second World War collective security legal measures undertaken through United Nations auspices).
[18] See Institut de Droit International, Fifth Comm’n Resolution, Obligations and Rights Erga Omnes in International Law (Aug. 27, 2005), https://www.idi-iil.org/app/uploads/2017/06/2005kra01en.pdf [https://perma.cc/9F47-TR4U].
[19] U.N. Charter ch. VII.
[20] Id. art. 51.
[21] G.A. Res. 799 (VIII), at 52 (Dec. 7, 1953).
[22] See, e.g., Int’l Law Comm’n, Rep. on the Work of Its Fifty-Second Session, U.N. Doc. A/CN.4/513, at 33 (2001) (relating states’ concerns that collective countermeasures would conflict with the authority of the United Nations under UN Charter Articles 39 to 41).
[23] See Articles on State Responsibility, supra note 8, arts. 42, 48, 54.
[24] See generally Schmitt, supra note 14.
[25] See e.g., Applicability of International Law to Conflicts in Cyberspace, in Digest of U.S. Prac. in Int’l L. 732, 738–39 (2014); France, Ministry of the Armies, supra note 3, ¶ 1.1.3; Jeremy Wright, Attorney General of the U.K., Address at Chatham House, Cyber and International Law in the 21st Century (2018), https://www.chathamhouse.org/event/cyber-and-international-law-21st-century [https://perma.cc/ED6C-NFWE]; Netherlands, Ministry of Foreign Affs., Letter to the Parliament on the International Legal Order in Cyberspace, Appendix: International Law in Cyberspace 7 (2019); Michael N. Schmitt, The Netherlands Releases a Tour de Force on International Law in Cyberspace, Just Security (Oct. 14, 2019), https://www.justsecurity.org/66562/the-netherlands-releases-a-tour-de-force-on-international-law-in-cyberspace-analysis/ [https://perma.cc/9VXS-TRVQ]; Australia, Dep’t. of Foreign Affs. and Trade, Australia’s International Cyber Engagement Strategy: Annex A (2017), https://www.dfat.gov.au/publications/international-relations/international-cyber-engagement-strategy/aices/chapters/annexes.html [https://perma.cc/AX57-XMZ6]; New Zealand, Dep’t of Foreign Affs. and Trade, supra note 7, ¶ 21; Finland, Ministry of Foreign Affs., International Law and Cyberspace: Finland’s National Positions 5–6 (2020), https://um.fi/documents/35732/0/KyberkannatPDFEN.pdf/12bbbbde-623b-9f86-b254-07d5af3c6d85?t=1603097522727 [https://perma.cc/2C34-PZ6S]; Roy Schondorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, EJIL: TALK! (Dec. 17, 2020), https://www.ejiltalk.org/israels-perspective-on-key-legal-and-practical-issues-concerning-the-application-of-international-law-to-cyber-operations/ [https://perma.cc/WJR4-MM3W]; Michael N. Schmitt, Israel’s Cautious Perspective on International Law in Cyberspace: Part I (Methodology and General International Law), EJIL: TALK! (Dec. 17, 2020), https://www.ejiltalk.org/israels-cautious-perspective-on-international-law-in-cyberspace-part-i-methodology-and-general-international-law/ [https://perma.cc/XB45-X3RQ]. Interestingly, the 2016-2017 UN Group of Governmental Experts was unable to agree on mentioning a right to respond to internationally wrongful acts, a veiled reference to countermeasures. States that opposed inclusion of the reference did not indicate that opposition was based on the non-existence of a right to engage in countermeasures. Indeed, states in opposition also objected to including the terms self-defense and international humanitarian law, two legal regimes that obviously apply in the cyber context and that they had supported, albeit without use of the terms, in the 2015 GGE Report. See Michael N. Schmitt and Liis Vihul, International Cyber Law Politicized: The UN GGE’s Failure to Advance Cyber Norms, Just Security (June 30, 2017), https://www.justsecurity.org/42768/international-cyber-law-politicized-gges-failure-advance-cyber-norms/ [https://perma.cc/ABU2-GJ8Z].
[26] See Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 226, ¶¶ 39, 86 (July 8); The International Law Commission has similarly noted that new technologies are subject to preexisting obligations, such as due diligence. Prevention of Transboundary Harm from Hazardous Activities, Rep. of the Int’l Law Comm’n to the Gen. Assembly, art. 3 commentary ¶ 11, U.N. Doc A/56/10, GAOR, 56th Sess., Supp. No. 10 (2001), reprinted in [2001] 2 Y.B. Int’l L. Comm. 148, U.N. Doc. A/CN.4/SER.A/2001/Add.1 (Part 2) (2001). In the cyber context, participants in the UN’s Open-Ended Working Group, which is open to all states, have agreed, “measures to promote responsible State behaviour should remain technology-neutral, underscoring that it is the misuse of such technologies, not the technologies themselves, that is of concern.” Second “Pre-draft” of the Report of the OEWG on Developments in the Field of Information and Telecommunications in the Context of International Security, ¶ 21 (2020), https://front.un-arm.org/wp-content/uploads/2020/05/200527-oewg-ict-revised-pre-draft.pdf [https://perma.cc/27CG-FXFN].