On May 29, the United Nations Office for Disarmament Affairs published Austria’s national statement on how international law applies to cyber activities of States. The statement adds to the list of now more than 30 national positions and is a comprehensive document dealing with a wide array of issues ranging from State sovereignty, non-intervention, and due diligence, to diplomatic and consular law, to international humanitarian law and neutrality. On many of these issues, Austria takes a progressive stance addressing problems where consensus-building has only just begun and proposing solutions to topics which so far have not been widely addressed. This article will focus on four selected issues – sovereignty, non-intervention, countermeasures, and diplomatic and consular law – where Austria’s position either adds a new perspective to ongoing discussions or addresses issues where discussions and consensus-building are only beginning to develop.

Austria’s Expansive View on Sovereignty, Espionage and Pre-Positioning

The Austrian position paper starts its substantive part with a discussion of sovereignty, where Austria reiterates its previous view that the obligation to respect the sovereignty of other States is a rule of international law, separate and distinct from the prohibition of the use of force or the prohibition of intervention. In Austria’s view, a cyber activity violates the sovereignty of another State “when it violates a state’s territorial integrity, as well as when it constitutes an interference with or usurpation of an inherently governmental function of a state.”

Austria therefore endorses, at least on first read, the understanding of sovereignty proposed by the authors of the Tallinn Manual 2.0 and since endorsed by a number of States, including Canada, the Netherlands, Sweden and Switzerland. According to the authors of the Tallinn Manual 2.0, the lawfulness of remote cyber operations that manifest on a State’s territory depends on “(1) the degree of infringement upon the target State’s territorial integrity; and (2) whether there has been an interference with or usurpation of inherently governmental functions” (Tallinn Manual 2.0, Rule 4, para. 10). Consequently, in Austria’s view “cyber activities that result in physical damage or injury certainly constitute a violation of state sovereignty,” while other more limited intrusions leading to temporary loss of functionality of critical infrastructure or temporary loss of access to governmental services “may also constitute a violation of sovereignty.”

However, on a second reading of the national statement, Austria’s position seems to go beyond the Tallinn Manual view of sovereignty when it comes to issues such as espionage and pre-positioning of malware. Regarding cyber espionage, the authors of the Tallinn Manual 2.0 were of the view that “peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so” (Tallinn Manual 2.0, Rule 10). Accordingly, an act of cyber espionage would only violate sovereignty if it met the criteria highlighted above. The experts could not achieve consensus on whether the mere emplacing of malware into a system, without causing any other effects on the system, would suffice to qualify as a breach of sovereignty (Tallinn Manual 2.0, Rule 4, para. 14). Here, Austria seems to endorse a more expansive view by stating that “cyber espionage activities, including industrial cyber espionage against corporations, within a state’s territory may also violate that state’s sovereignty.”

This statement marks a clear departure from the usual treatment of cyber espionage by States. While most national positions remain silent on the issue, some States (Canada, New Zealand, United States) have argued the opposite of Austria: that pure espionage activity, while constituting a non-consensual intrusion into ICT infrastructure, is not itself regulated by international law and would therefore not be internationally wrongful. The view now espoused by Austria had previously been endorsed by China, which argued that “[n]o State shall engage in ICT-enabled espionage or damages against other States, including mass surveillance and theft of important data and personal information,” while Costa Rica allowed for the possibility “that, in some circumstances, cyber espionage may amount to a breach of State sovereignty.”

In Costa Rica’s view this is the case because “it is often difficult to technically distinguish between a mere data-gathering operation from an operation penetrating a governmental system in order to interfere with a State’s sovereign functions.” In consequence, “once a piece of malware successfully enters a system or network, it remains a latent threat to its integrity. This may damage software or hardware and thus interfere with the conduct of State affairs.” This view is implicitly endorsed by Austria via the example of a cyber espionage activity against the Foreign Ministry of a State, which – upon discovery – necessitates “a total shutdown of the system and [temporary establishment of an alternative] while the IT system is cleaned and restored.” Such a cyber activity, according to Austria, “would constitute a violation of [that State’s] sovereignty.”

However, Austria’s position goes even farther in also viewing “industrial cyber espionage against corporations” as a violation of sovereignty. Given that the target of such an operation is a private entity, it does not constitute an interference with or usurpation of inherently governmental functions, nor – at least without additional physical effects – a violation of the territorial integrity of a State. In consequence, this position would suggest greater closeness to the “pure sovereignty” or “penetration-based” approach to sovereignty, which views, in the words of the African Union’s statement, “any unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State [as] unlawful.”

This conclusion finds additional support in the chapter on countermeasures, where Austria asserts that

[p]reventive cyber measures, prior to the commission of an internationally wrongful act conducted by or attributable to a state, such as exploiting vulnerabilities in other states’ ICT networks and placing “logic bombs” therein, cannot be justified under the law of state responsibility.

Thus, pre-positioning of malware in the ICT systems of another State for preventive reasons or as means of response to a potential future cyber operation would not be covered under the law of countermeasures. As the invocation of countermeasures is only necessary when the act in question would otherwise violate international law, this passage seems to suggest that Austria would view the act of pre-positioning as a violation of an international obligation, most closely reflecting the sovereignty rule.

Given the examples provided in its position paper, it is not immediately clear whether Austria would view any other cyber operations which penetrated the ICT infrastructure of another State, but did not result in any damage or loss of functionality, as falling outside of the scope of the sovereignty rule or indeed what the justification for such a distinction would be. If unauthorized access to ICT infrastructure of a chip manufacturer for the purposes of industrial espionage (or pre-positioning) constitutes a breach of sovereignty, why should any other unauthorized access to ICT infrastructure be treated differently? At present, Austria’s position offers no dogmatic justification for such a distinction. On this, greater clarity from the drafters of the statement would have been welcome.

Finally, Austria’s position builds on the legal framework for “data embassies”, a concept pioneered by Estonia. “Data embassies” are centers that host the governmental data of one State but are physically located in another State, often under a bilateral treaty or agreement giving the ICT infrastructure and data located therein a status similar to archives under diplomatic law. Austria is the first State to advance the proposition that

a cyber activity that causes the destruction of governmental data in the data embassy of state A in the territory of state B, may be considered a violation of sovereignty of both state A and state B.

Austria’s position addresses the reality that States increasingly rely on cloud services for the provision and execution of governmental functions and these cloud services may, for various reasons, use ICT infrastructure located outside of the territory of that State. It will be fascinating to see whether other States will take up Austria’s lead on this issue.

Disinformation Campaigns Can Violate the Non-Intervention Rule

Austria’s statement directly confronts the growing challenge of foreign cyber interference in electoral processes through disinformation campaigns. With foreign threat actors (ab)using the openness of social media such as Facebook or X to launch wide-scale disinformation campaigns, increasingly with the use of artificial intelligence, the question arises whether such campaigns, if conducted by another State, violate international law. While academia has been quite fast in offering assessments of this issue (for instance here, here or here), States have been hesitant to offer their views on whether and when disinformation breaches international legal obligations. Prior to the release of Austria’s position paper, only four States (Costa Rica, Germany, New Zealand and Poland) had endorsed the view that under certain conditions disinformation campaigns may breach the principle of non-intervention.

The Austrian national statement endorses the understanding, formulated in the U.N. Friendly Relations Declaration and the Nicaragua case, that the rule of non-intervention prohibits the coercive interference in the internal or external affairs of another State. Endorsing the ICJ’s definition in the Nicaragua case, Austria finds that

[c]oercion occurs when a state seeks to compel another state to change its behaviour with respect to its internal or external affairs, i.e. to force that state to act in an involuntary manner or involuntarily refrain from acting in a particular way.

In the cyber context,

cyber activity that interferes with a state’s ability to hold elections or which manipulates election results could, if undertaken to compel a state to involuntarily change a government policy, constitute a violation of the prohibition of intervention. Large-scale cyber activities, including disinformation campaigns, conducted by or attributable to a state may also constitute, if undertaken to compel another state to involuntarily change its behaviour, a violation of the prohibition of intervention.

Importantly, Austria distinguishes such disinformation campaigns from “lawful public relations activities of state representatives,” where mere criticism of, for instance, the human rights situation in another State on social media would not suffice to constitute coercion.

Austria considers large-scale campaigns which are intended to sow distrust within the population and cause the government’s eventual resignation and an ensuing governmental crisis as an example of a disinformation campaign which would cross the threshold of coercion.

Endorsing Collective Countermeasures

If a malicious cyber operation breaches an international obligation and therefore constitutes an internationally wrongful act, the targeted State may resort to countermeasures “in order to compel the responsible State to cease its internationally wrongful act and make full reparation.” While international law limits the right to take countermeasures to only the injured State (i.e. the State whose rights have been violated), some States have advocated for allowing States to respond collectively to cyber threats, with some approaches based on the doctrine of countermeasures. In 2019, Estonia was the first State to argue for the validity of collective countermeasures, stating that

states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation. (…) The threats to the security of states increasingly involve unlawful cyber operations. It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace.

At first, the Estonian view received little support, with France and Canada arguing that there is insufficient State practice and opinio juris to conclude that collective countermeasures are permitted under international law. Subsequently, however, some States have reflected that at least in situations where a malicious cyber operation may violate erga omnes obligations, i.e. obligations owed to the international community as a whole, customary international law supports the right of non-injured States to take countermeasures against the responsible State. For instance, in the view of Denmark “there may be instances where one State suffers a violation of an obligation owed to the international community as a whole, and where the victim State may request the assistance of other States in applying proportionate and necessary countermeasures in collective response hereto.” Similar views have been put forward by Costa Rica, Ireland and Poland, while New Zealand declared itself “open” to the proposition.

This view is now also endorsed by Austria, which

holds the view that states may also take collective countermeasures against a state that breaches an obligation erga omnes, i.e. an obligation owed to the international community as a whole (cf. Art. 48 para 1(a) and Art. 54 ARSIWA), e.g. against a state that commits acts of aggression or genocide, especially if the directly injured state has requested the assistance of other states. (…) [A] public cyber campaign attributable to a state that calls for acts of violence against a national, ethnical or racial or religious group with the intention to destroy this group, could amount to public incitement to commit genocide in violation of Art. III(c) of the Genocide Convention. [footnotes omitted]

With Austria’s endorsement, momentum seems to be growing in recognition that third States have – in principle – the right to take countermeasures against the responsible State if the cyber operation violates erga omnes (or erga omnes partes) obligations. This view is also supported in academia (for instance here and here). However, further national statements on this issue, as well as on questions of procedure, are necessary before we can conclude that there is an established trend in State practice.

Inviolability of ICT Infrastructure on the Premises of a Diplomatic or Consular Mission or the Seat of an International Organization

As the seat of many international organizations (IO), Austria is particularly interested in clarifying how ICT infrastructure of diplomatic and consular missions and IOs is protected against malicious cyber operations. Austria starts by underlining that, based on the Vienna Convention on Diplomatic Relations (VCDR) and the Vienna Convention on Consular Relations (VCCR),

the premises of a mission are inviolable and must not be entered by agents of the host state except with consent by the head of mission. In addition, any property located within the mission – including ICT infrastructure – is immune from search, requisition, attachment or execution. This means that also remote access to the ICT infrastructure located within the mission without express consent is prohibited. [footnotes omitted]

Additionally,

[i]n the cyber context, (…) persons enjoying privileges and immunities must not engage in unlawful surveillance or espionage activities in the receiving state, and the premises of the mission must also not be used for such purposes.

These duties and obligations also apply with respect to International Organizations “to the extent they are specified in the headquarters agreements between the host State and the IO.” Moreover,

[h]ost states also have a duty to protect the premises of the IO from outside disturbances or unauthorized entry. Thus, if a state becomes aware of a malicious cyber activity against an IO situated on its territory, it has to take all appropriate steps to protect the IO from such an activity.

Consequently, Austria finds that host States have a duty of cooperation with IOs in addressing malicious cyber incidents. Furthermore, it would most likely regard malicious cyber operations directed against IOs as violations of Austrian sovereignty, if all the other prerequisites for a breach of sovereignty have been met.

Austria’s national statement thus offers a welcome clarification of the duties and obligations of a host State owed to another State or an IO with respect to the ICT infrastructure located on the premises of a diplomatic or consular mission or IO premises. The document is unfortunately silent on the question of how Austria would qualify malicious cyber operations conducted against the ICT infrastructure of diplomatic and consular missions and IOs located on its territory by third States. For instance, if a third State were to conduct a cyberattack against the servers of, say, the U.S. diplomatic mission in Vienna, resulting in loss of functionality and permanent deletion of data, how would Austria qualify such an attack? Or, if a similar attack were to be conducted against the ICT infrastructure of the International Atomic Energy Agency – would Austria view this as a breach of its own sovereignty?

With regard to “data embassies” Austria has clarified that

a cyber activity that causes the destruction of governmental data in the data embassy of state A in the territory of state B, may be considered a violation of sovereignty of both state A and state B.

This fragment would suggest that Austria would regard a similar operation against a “regular” embassy as equally violating the sovereignty of both the host State and the sending State, but the national statement does not clearly address this. This raises follow-up questions of how Austria would view cyber operations against ICT infrastructure on the premises of a State such as the United Kingdom, which does not support the position that sovereignty is a rule of international law applicable to cyber activities, or how it would qualify operations against ICT infrastructure of IOs, which are not bearers of State sovereignty.

Conclusion

In summary, Austria’s national statement presents a detailed and nuanced perspective on the application of international law in cyberspace, advocating for a strict interpretation of sovereignty and a proactive stance against cyber espionage and other malicious cyber activities. Despite some unanswered questions, the Austrian national position on cyber activities and international law is remarkable for the breadth of the topics covered and the progressive approach. By offering detailed views on disinformation and endorsing collective countermeasures, Austria contributes significantly to the evolving discourse on State behavior in cyberspace. The statement’s approach to the inviolability of ICT infrastructure, the protection of data embassies, and the condemnation of disinformation as a form of intervention reflects a commitment to upholding the rule of law in the digital domain. As cyber threats continue to evolve, Austria’s position is likely to influence ongoing international efforts to establish norms and principles that govern State conduct in cyberspace, potentially leading to more robust legal frameworks and cooperative measures to ensure cyber stability and security.

This article is based on research funded by the Polish National Science Centre (NCN) under grant number UMO-2021/43/D/HS5/03138.
