This month, Finland published its key positions on how international law governs cyber operations. Long a champion of a robust legal architecture for cyberspace, it joins a growing list of states that have publicly announced their views on the subject (including Australia, Austria, Czech Republic, Estonia, France, Iran, Netherlands, United Kingdom, and the United States). It is a trend that reflects a recognition that states can influence international cyber law in a way that fosters their national interests. Indeed, states like Finland that seize the interpretive initiative in advance of other states secure a distinct advantage as the law develops.
The country has approached the topic with normative sophistication. During the UN Open-ended Working Group (OEWG) in February, for instance, it cautioned that while “voluntary non-binding norms of responsible state behavior,” such as those acknowledged in the 2013 and 2015 GGE Reports, are “essential elements in building and maintaining free, open and secure cyberspace,”
the OEWG must make sure that what is stated is consistent with international law and does not create confusion. Of course, any voluntary norms, rules and principles – whether already agreed or new – are without prejudice to States’ rights and obligations under international law. We would support including in the report of the OEWG a general clause stating that nothing in the work of the OEWG should be interpreted as undermining international law.
This was a perceptive observation, for the adoption of a non-binding norm risks being misinterpreted, among other things, as implying that what is in fact legally required behavior is instead merely encouraged. Responding to this risk, Finland’s representative urged, “It is time to move forward to discuss operationalization of international law.” Finland has done just that with the release of its positions by the Ministry of Foreign Affairs.
The MFA’s impressive statement begins, as do all such statements, by emphasizing that public international law applies in cyberspace. This being so, it notes that a state’s cyber operation in violation of international law constitutes an “internationally wrongful act” under the law of state responsibility. Internationally wrongful acts require a (1) breach of an international law obligation that is (2) attributable to a state (Articles on State Responsibility (ASR), art. 2).
With respect to the latter, Finland’s statement identifies the two most likely grounds for legal attribution of a cyber operation – that the perpetrator is either an organ of the state or acting “on behalf” of one. In doing so, the MFA implicitly draws on Articles 4 and 8 respectively of the ASR. Although Article 8 refers to “instructions, or direction or control” rather than acting “on behalf,” in practice this is a terminological distinction without practical difference Here, Finland’s meaning is clear because it refers specifically to the rules of attribution in the ASR, in which Articles 4 and 8 are key components.
In terms of the former element (breach), recent cyber operations targeting both pandemic responses and ongoing elections have moved the prohibition on intervention onto center stage. Finland has adopted the mainstream approach set out by the International Court of Justice (ICJ) in its Nicaragua judgment. There, the ICJ noted that an act must be “coercive” with respect to “matters in which each State is permitted, by the principle of State sovereignty, to decide freely.” Mirroring this dual element approach, the MFA statement notes, “[h]ostile interference by cyber means may also breach the customary prohibition of intervention…, provided that it is done with the purpose of compelling or coercing that State in relation to affairs regarding which it has free choice (so-called domaine réservé).”
The legal policy statements of other states are in accord (e.g., Australia, France, Netherlands, United Kingdom, United States, here and here, 2015 GGE report; see also Iran, here and here, and China in the context of sovereignty). Of course, unsettled issues surrounding application of the rule remain, most notably how to distinguish influential acts from coercive ones; but Finland’s statement nevertheless strengthens the centrality of the rule in guiding state behavior.
Finland also adopts an approach to jus ad bellum issues that is fast becoming the prevailing one. With respect to both the prohibition on the use of force in Article 2(4) of the UN Charter and the inherent right of self-defense captured in Article 51, it focuses on the consequences of a cyber operation when assessing (1) whether it rises to the level of a “use of force” with respect to Article 2(4) or (2) qualifies as an “armed attack” vis-a-vis Article 51.
Of particular note, the statement adopts the “scale and effects” test for “armed attack” that the ICJ set forth in its Nicaragua judgment. The Tallinn Manual experts (rules 69 & 71) and numerous states (e.g., Australia, France, Netherlands, United States) have focused on the concept of scale and effects as the correct approach to assessing cyber operations against both the use of force and armed attack thresholds. Although Finland uses the term only in the self-defense context, its consequence-based approach to the “use of force” threshold reflects a similar methodology.
Unsurprisingly, Finland supports the premise of a gap between the use of force threshold and that for armed attack, thereby adopting the ICJ’s characterization in Nicaragua of an armed attack as the “most grave form” of a use of force. In doing so the MFA rejects the U.S. position that the thresholds are identical, as have most other states. Also noteworthy is the reference to “a cyberattack producing significant economic effects such as the collapse of a State’s financial system or parts of its economy.” Like the Netherlands, Finland simply notes the “question merits further consideration.” Only France has opined that such a cyber operation could cross the armed attack threshold.
As to international humanitarian law, the MFA statement notes that it “only applies to cyber operations when such operations are part of, or amount to, an armed conflict.” This is an indisputable conclusion. Importantly, the caveat suggests that cyber operations alone can trigger an armed conflict. Although a very complex issue, it would seem incontrovertible that at least cyber operations that seriously injure or kill individuals or damage or destroy significant property would qualify as “hostilities” that initiate an international armed conflict (IAC) between the states concerned. The unsettled issues, which Finland does not address, are whether cyber operations falling short of these consequences, such as those that interfere with the functionality of cyberinfrastructure, initiate an IAC. And the issue of cyber operations initiating a non-international armed conflict remains even more unsettled. But as a general matter, Finland is correct in observing that the “unique characteristics of cyberspace, such as interconnectedness and anonymity, may affect how international humanitarian law is interpreted and applied with regard to certain cyber means and methods warfare. The related problems can nevertheless mostly be solved on the basis of existing rules.”
As did the 2013 and 2015 GGE reports, and as have most states that have addressed the issue (e.g., Australia, Netherlands, United Kingdom, Czech Republic), Finland confirms that “States are bound by the same human rights obligations both online and offline” (see also 2012, 2014, 2016, 2018 Human Rights Council resolutions; Tallinn Manual 2.0, rules 34-38). Of particular importance is the further assertion that “each State has to protect individuals within its territory and subject to its jurisdiction from interference with their rights by third parties.” In other words, states not only have a negative obligation to refrain from activities affect the human rights of individuals on their territory (such as shutting down online political activities without appropriate justification), they also bear a positive obligation to take measures in response to remote cyber operations that interfere with the exercise and enjoyment of human rights such as expression and privacy by individuals on their territory. This obligation was missing in the 2013 GGE report but included in that of 2015.
However, the MFA statement, like those of other states, avoids the controversial issue of whether human rights obligations are extraterritorial in character (see discussion here). For instance, the position Finland would take regarding the human rights obligations of a state that conducts cyber operations shutting down political websites in another state cannot be discerned from the statement itself. This is an important question because of the ability of a state to remotely control the enjoyment or exercise of human rights in another state by cyber means; it merits focused discussion among states. There are, however, other indications that Finland does support extraterritorial application of human rights law in general (see here, here and here).
Commendably, Finland has taken on two controversial issues from which some states have shied away. The first is whether there is an international law rule requiring respect for the sovereignty of other states. In 2018, the United Kingdom opined that no such rule existed. Not only was the assertion counter-normative, but it caused concern in other states, for it would deprive them of the ability to condemn hostile cyber operations as internationally wrongful on the basis of a sovereignty violation. A number of them, including close allies of the United Kingdom (e.g., France, Netherlands) quickly issued statements affirming a rule of sovereignty, as did NATO (with the UK reserving) in its cyber doctrine. The February OEWG proceedings (here and here) also saw states endorse the rule of sovereignty (e.g., Austria, Czech Republic, Switzerland). Indeed, to date, no other state has unambiguously supported the British position; even the United States has avoided doing so.
Finland is now firmly in the “sovereignty as a rule” camp.
Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace. Whether an unauthorized cyber intrusion violates the target State’s sovereignty depends on its nature and consequences and is subject to a case-by-case assessment.
Beyond confirmation of the rule itself, the MFA statement is significant in that it focuses on the consequences. Finland understands that the question is not whether there is a rule of sovereignty; there clearly is. Rather, the open question is when does a hostile cyber operation conducted from outside a state violate the sovereignty of the state into which it is conducted. The Tallinn Manual 2.0 experts were of the view that sovereignty violations may occur based on either territoriality or on interference with, or usurpation of, another state’s inherently governmental functions (rule 4). Finland agrees.
As to the first (territoriality), the question is what types of consequences amount to a sovereignty violation. Clearly, the causation of physical damage or injury does, as well as causing cyber infrastructure to no longer function. Below that level of consequentiality lies uncertainty. Accordingly, the MFA statement wisely insists on a case-by-case approach. It notes that “relevant considerations include whether an intrusion in the cyber infrastructure triggers a loss of functionality of the equipment relying on it, or modifies or deletes information belonging to the target State, or to private actors in its territory.” This is a fairly liberal interpretation of a violation, particularly the reference to alteration of information.
The second basis is equally important because the consequences it requires (interference, as in disrupting an election, or usurpation, like conducting remote law enforcement searches on another state’s territory) need not be physical or otherwise tangible in character. According to the MFA statement, the “rule put forward in the Tallinn Manual 2.0 is consistent with the understanding of violations of sovereignty as unauthorized exercise of authority in another State’s territory.” This basis for violation of sovereignty looms large in both the current election meddling and pandemic response interference contexts.
It is unsurprising that Finland has embraced sovereignty as a rule of law. Should respect for sovereignty not be a legal obligation, a hostile cyber operation attributable to another state would generally be lawful unless it violated the prohibition on intervention, which extends only to those that are coercive and affect a domaine réservé. Moreover, the victim state would be unable to take cyber or non-cyber countermeasures in response to the hostile operation, for wrongfulness is a condition precedent to taking them (ASR, arts. 22, 49-53; Tallinn Manual 2.0, rules 20-25). As the MFA statement correctly observes, “Agreeing that a hostile cyber operation below the threshold of prohibited intervention cannot amount to an internationally wrongful act would leave such operations unregulated and deprive the target State of an important opportunity to claim its rights.”
A second controversial issue that Finland addresses head on is the existence of a rule of due diligence. Drawing on such jurisprudence as the ICJ’s Corfu Channel judgment, the Tallinn Manual 2.0 experts concluded that states are subject to a due diligence rule by which they must take feasible measures to put an end to ongoing hostile cyber operations mounted from or through their territory that are posing serious adverse consequences with respect to the rights of another state and of which they know (rules 6 and 7). A number of states have taken the same approach (e.g., Brazil, Estonia, Finland, France, Korea, Netherlands, but see Argentina). However, the GGE was unable to achieve consensus on the matter in its 2013 and 2015 reports and therefore styled due diligence as a voluntary non-binding norm of responsible state behavior.
Finland is clear. States shoulder a due diligence obligation as a matter of international law.
Another cardinal principle flowing from sovereignty, closely related to the obligation to respect the sovereignty of other States, is each State’s obligation not to knowingly allow its territory to be used to cause significant harm to the rights of other States. It is widely recognized that this principle, often referred to as due diligence, is applicable to any activity which involves the risk of causing significant transboundary harm.
…
States may thus not knowingly allow their territory, or cyber infrastructure within a territory under their control, to be used to cyber operations that produce serious adverse consequences for other States. While only States can violate sovereignty, the sovereignty-based obligation of due diligence extends to private activities taking place in a State’s territory.
The MFA statement goes on to operationalize the obligation.
If harmful cyber activity takes place and causes serious harm to another State, the State of origin must take appropriate action to terminate it, as well as to investigate the incident and bring those responsible to justice. In order to be able to do this, States should have the necessary procedural and legal mechanisms in place. It should nevertheless be recalled that due diligence is an obligation of conduct, not one of result. In general, what is required of States is that they take all measures that are feasible under the circumstances.
This robust approach to the rule of due diligence raises the question of its limits. For instance, it is unclear whether the due diligence obligation attaches in the event of any significant transboundary harm or only that harm implicating a legal right, such as sovereignty, of the victim state. Similarly, Finland appears to suggest that due diligence requires law enforcement and judicial measures. It is not apparent that is the case when other alternatives would suffice to put an end to the hostile operation or when the hostile operation is no longer underway. But Finland’s approach makes an interpretive sense for a state that is likely to be the victim of hostile cyber operations, not the initiator of them. And Finland’s is the most granular discussion of the obligation by any state to date.
A number of contentious international law debates are not addressed in the MFA statement. I mention this not as criticism but rather as a reminder that much work is left to be done in the field. Most noteworthy in this regard is the issue of collective countermeasures. Countermeasures are actions that would be unlawful but for the fact that they respond to another state’s internationally wrongful act and are designed to put an end to them (ASR, arts. 22, 49-53). Finland takes a very traditional approach to the topic, as it does with another response option, the plea of necessity (ASR, art. 25; Tallinn Manual 2.0, rule 26).
A dispute arose over countermeasures in 2019 when the President of Estonia publicly took the position that one state could conduct cyber countermeasures on behalf of, or in collaboration with, a state facing unlawful cyber operations. France, by contrast, has rejected collective countermeasures as a lawful response option to unlawful cyber operations. Finland’s statement does not take on this contentious issue.
Reasonable arguments may be mounted in support of both sides of the debate, although it would seem that the restrictive view leaves less cyber-capable states somewhat at the mercy of cyber-enabled adversaries if they wish to respond with countermeasures in the same domain as the initial wrongful act. Given Finland’s geographical location, relative size, and cyber capabilities, it would appear to be in its national interest to join its neighbor in supporting collective countermeasures. Importantly, the International Law Commission did not rule out this prospect in its ASR commentary.
Concluding Thought
There are those who claim normative ambiguity in cyberspace is advantageous, that it affords states the leeway they need to operate in support of their national interests. To some extent, they are correct. After all, the rules of international law that apply in cyberspace were crafted prior to the advent of cyber operations; one should not expect a seamless normative tapestry to govern cyber operations
But ambiguity is a double-edged sword. Law that is unclear in the cyber context constitutes a dangerous grey zone in which states that operate maliciously can avoid both condemnation on the basis of law and the consequences international law imposes for unlawful conduct, such as countermeasures and reparations. Such uncertainty is the sweet spot within which bad actors will inevitably operate.
States like Finland realize that the grey zone must be reduced if the international community is ever to enjoy stability and security in cyberspace. Accordingly, I applaud Finland for joining other states that have publicly issued statements of legal policy regarding the applicability of international law in cyberspace. In particular, Finland is to be commended for taking a stand on some of the more contentious issues. Hopefully, other states soon will follow suit.