TERRITORIAL SOVEREIGNTY IN CYBERSPACE & CYBERESPIONAGE

Introduction

Today, international law exists in a flux of developing technologies that present challenges hitherto undreamt of. Territorial sovereignty stands to be the fundamental governing rule in the international law landscape and has been recognized to have application in cyberspace too. Its applicability, however, varies with the type of operation in cyberspace and the manner in which it applies.

For the purpose of conciseness, this article’s scope is limited to the application of territorial sovereignty in operations conducted by states on another target state via cyber means. The article shall first discuss territorial sovereignty in cyberspace in general and then proceed to cyber espionage after discussing the existing international laws governing espionage activities between states.

Territorial sovereignty in cyberspace

Existing international norms and principles date back as early as 1648, when sovereignty was recognized as a fundamental object for a state. Actors in the international realm could not have had in mind the rise of Information and Communication Technology and its related development when the norms were created. The obvious question, then, is whether these rules have any applicability to sporadic activities over computer networks and the internet. The question, however, has been answered by the UN GGE in 2013 and 2015, and the answer has been consistently recognized by states and experts in the field: long-standing norms and rules governing state conduct, including sovereignty, continue to apply in cyberspace.

State sovereignty is based on two grounds:

  1. Territoriality
  2. Inherently governmental functions are protected from external interference.

This section shall not discuss rules governing the latter, criminal activities in cyberspace, and states’ jurisdiction governing the internet and its users. A state can violate the sovereignty of another state in cyberspace on either of the grounds. The conduct, however, must be attributable to the state to attract state responsibility. The underlying rationale for the relevance of this rule in cyberspace is simple. Cyberspace, though existing and operating virtually, is not independent of physical infrastructure and legal persons using and operating them. As many experts in the field put it, cyberspace is indeed rooted in some physical existence and hence territorial sovereignty, as a rule, continues to apply in cyberspace.

Experts advocating that territorial sovereignty exists as a principle giving rise to primary rules assert that a violation of territorial sovereignty occurs only when a physical effect manifests on the state’s territory, of the kind that would be likely if the activity had occurred by physical means. This position is termed ‘relative sovereignty’.[1] However, when minor intrusions into another state’s territory have been held to be violations of territorial sovereignty even in the absence of any physical effect or harm, there is no plausible reason why the same standard cannot apply in cyberspace. Authors like Heller, K. J. assert this position of ‘absolute sovereignty’ on a mutatis mutandis basis. States like France, Switzerland, Iran, and Venezuela, among other Latin American nations, have all taken this position in their official position papers and statements.

Mere interference with a state’s cyberinfrastructure and computer networks might give rise to no or only minor physical effects on the functioning of infrastructure and persons, effects that will not rise to the use of force under Article 2(4) of the UN Charter.[2] With growing threats that might not always be possible to trace back and that give rise to few physical effects, an approach that determines violation based on the effects manifested is not encouraging. This is of primary concern, especially because such an approach seems to be the prevailing view in related literature and state practice.

Tallinn Manual 2.0, authored by a group of international experts, reflects a similar position. Positive developments in the UN GGE 2013 and 2015 sessions were not followed by consensus as to the “how” of territorial sovereignty, among other rules, in the 2017 program. In the absence of consistent state practice challenging and contesting violations of territorial sovereignty, and with differing opinions put forth by experts and authors, customary international law does not provide any strict rules for cyberspace. Therefore, as a matter of conclusion, the character of territorial sovereignty’s applicability is neither undisputed nor settled.

To add to the existing lacunae, espionage conducted between states using and targeting cyber means presents new challenges, particularly when it is generally opined that there is no violation of territorial sovereignty in the absence of a physical effect or harm. To understand how the existing law applies to cyber espionage, it is essential to visit the understanding of state-conducted espionage in international law.

International law in espionage activities

The fact that states have long engaged in espionage activities to collect military, political and economic strategies from fellow states, in order to gain a strategic advantage and make plans warily, does not need to be explained in detail. Except for states condemning another state’s actions, there arose no significant legal dispute regarding espionage activity.[3] Generally, states have exercised their domestic criminal jurisdiction in the event they take cognizance of such activity taking place within the state. The contention, however, arises when the activity is conducted extraterritorially, because then the states will either have to extradite the person(s) or dispute with the acting state if the conduct is attributable.

Authors arguing for the illegality of espionage reason that espionage activities threaten the national security and political integrity of states.[4] Other positions based on similar reasoning are ironic because states conduct espionage activities to protect their national security and state interests. Advocates of espionage’s legality base their reasoning sufficiently on the implied acceptance by states through the ‘policy of silence’. It is to be noted that state silence shall also amount to customary international law by the doctrine of acquiescence. Except for certain specialised regimes and activities, like the law of foreign immunity and diplomacy, and outer space, it seems that states have conducted and will continue to conduct espionage, accepting the risk of violation of international law.

Territorial Sovereignty in Cyber espionage

Ziolkowski, K. puts forward a comprehensive definition of cyber espionage after assessing espionage as defined by several dictionaries and states. She states that “Cyber espionage is the copying of data that is publicly not available, and which is in wireless transmission, saved or temporarily available on IT-systems or computer networks located on the territory or otherwise attributable to the state”. Two aspects require attention at this juncture.

Firstly, by emphasising the copying of data, this definition completely rules out the presence of any physical harm or effect. In general practice too, states often collect and copy data to their servers without leaving a trace of any kind. The prevailing general approach to territorial sovereignty violations in cyberspace, which requires physical harm, evidently does not prohibit cyberespionage. The Tallinn Manual 2.0 experts, in Rule 32, have observed that cyberespionage is not prohibited by international law per se. However, if minor intrusions into the state’s cyberspace give rise to international state responsibility under the absolute sovereignty approach, cyber espionage will also violate the territorial sovereignty of states. The means used to obtain access to documents and copies might strike a middle ground to establish a violation of territorial sovereignty. Attacks employing harmful spyware and autonomous malware often result in functional and operational harm. These effects, even to the extent of merely slowing down systems or resulting in irregular function, should be taken into consideration.

This is not to say that all intrusions lead to a violation of the rule. States’ militaries intercept radio communications as a general military practice. This, along with the instance where a state gains access to miscellaneous government files, does not lead to a violation. The second aspect comes into relevance at this point. If not all intrusions amount to a violation and if all types of data are covered by regulation of this rule’s applicability, how do we define keystrokes that settle the blurred lines? Perhaps the answer lies in the type of documents and data forming the subject matter. It is more likely that documents containing confidential information, say, for instance, nuclear codes or industrial codes, amount to a violation of territorial sovereignty. Even in this case, the protection lies in the rule of non-intervention[5] rather than territorial sovereignty.

Therefore, a commonly agreed norm regulating cyberespionage remains elusive. This is complicated by the fact that espionage in general is itself unprohibited. However, with the scale and degree of effects that cyberspace opens up for state-conducted espionage, the need for a multilateral treaty among nations and opinio juris close to state practice is higher than ever.

Conclusion

Many questions regarding when an activity amounts to a violation of territorial sovereignty remain open-ended and unanswered. The answers sought depending on the underlying approach to sovereignty, the existing answers, and the answers that can evolve in the reality of state practice are all exclusive of each other. A single common answer can only be arrived at by an understanding of where states position themselves. Even with sufficient consensus on the law, the question of whether states will invoke a fundamental rule of international law against cyber activities that involve complexities of attribution, fact-finding, and enforcement is on the negative side.

Author(s) Name: Akhil Surya (NALSAR University of Law, Hyderabad)

References:

[1] Harriet Moynihan, ‘The Application of International Law to State Cyberattacks: Sovereignty and Non-intervention’ (Chatham House Research Paper 3, 2020), at 45.

[2] Id.

[3] Id.

[4] Quincy Wright, ‘Espionage and the Doctrine of Non-Intervention in Internal Affairs’ (1962) in Roland J Stanger (ed), Essays on Espionage and International Law at 24.

[5] Supra note 2.
