International Law applicable in cyberspace
Table of contents
- General application of international law
- Due Diligence
- State Responsibility
- Internationally Wrongful Acts
- International human rights law (IHRL)
- Peaceful Settlement of disputes
- Threat or use of Force
- Self-Defence against Armed Attack
- International Humanitarian Law (IHL)
- The recent rise in malicious online activities and rapid developments in cyber capabilities have led States to consider questions on how international law applies to State activity in cyberspace.
- Canada supports the rules-based international order (RBIO), grounded in respect for international law. Canada considers that the RBIO extends to moderating State behaviour in cyberspace.Footnote 1 To this end, Canada has been active in multilateral efforts to create the framework for responsible State behaviour in cyberspace.Footnote 2
- Canada is committed to reinforcing the application of international law in cyberspace and building on the international acquis on responsible State behaviour affirmed again last year by the United Nations (UN) Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG).Footnote 3 In plain terms, Canada believes that international law provides essential parameters for States’ behaviour in cyberspaceFootnote 4 and will continue to help ensure global stability and security.
- Canada supports calls for States to develop and publish their national views on how international law applies in cyberspace. States have started stepping forward to issue statements on their national views. Canada is now in a position to do this ourselves. This follows several years of intensive consultations, reflection on the views of a range of States, and participation in formal and informal processes with States and other key stakeholders.Footnote 5
- Canada believes that the articulation of national positions on how international law applies to State action in cyberspace will increase international dialogue and the development of common understandings and consensus on lawful and acceptable State behaviour.Footnote 6 These statements can help reduce the risk of misunderstandings and escalation between States arising from cyber activities.
- Canada continues to strongly advocate for capacity-building on the application of international law in cyberspace. We are committed to ensuring that the broadest possible group of States participates effectively in addressing these important questions, which increasingly affect all States.
- This statement sets out Canada’s current view on key aspects of international law applicable in cyberspace and explains how these apply. Where possible we have included examples to better illustrate our position on a given aspect. Cyber-related challenges are magnified by rapid technological developments and the ever-increasing activities of malicious actors. Recognizing the ongoing nature of technological change, Canada will continue to develop and publicise its views, including through dialogue with other States and stakeholders.
General application of international law
- Canada affirms that international law applies to the activities of every State in cyberspace. This includes the United Nations Charter (UN Charter) in its entirety and customary international law.Footnote 7 Canada recognizes the obligations of every State flowing from the principle of sovereignty to: refrain from the threat or use of force; settle disputes peacefully; and refrain from intervention in the internal affairs of other States. Canada further recognizes the obligations arising, in a non-exhaustive manner, from international human rights law (IHRL), international humanitarian law (IHL) and in relation to the law of State responsibility.
- Canada supports agreed voluntary, non-binding norms for responsible State behaviour in cyberspace,Footnote 8 as a complement to international law, and continues to promote their implementation by all States.Footnote 9 Such voluntary norms do not replace or alter States’ binding obligations or rights under international law: they provide additional specific guidance on what constitutes responsible State behaviour.Footnote 10
- Sovereignty is a fundamental element of international law and international relations. It is axiomatic that the principle of sovereignty applies in cyberspace, just as it does elsewhere. It animates a number of obligations for all States.
- In the relations between States, sovereignty signifies independence. It confers to each State the exclusive right to exercise the functions of a State within its territory.Footnote 11
- This concept is also reflected in Canadian jurisprudence where Canada’s highest court found that “sovereignty” referred to “the various powers, rights and duties that accompany statehood under international law…”Footnote 12 and “…one of the organizing principles of the relationships between independent states”.Footnote 13
- Territorial sovereignty is a rule under international law.Footnote 14 Every State must respect the territorial sovereignty of every other State. States enjoy sovereignty over their territory, including in particular infrastructure located within their territory and activities associated with that infrastructure. An infringement upon the affected State’s territorial integrity, or an interference with or usurpation of inherently governmental functions of the affected State, would be a violation of territorial sovereignty.Footnote 15
- In assessing the possible infringement of a State’s territorial sovereignty, several key factors must be considered. The scope, scale, impact or severity of disruption caused, including the disruption of economic and societal activities, essential services, inherently governmental functions, public order or public safety must be assessed to determine whether a violation of the territorial sovereignty of the affected State has taken place.
- In general, the impact or severity of cyber effects will be evaluated in the same manner and according to the same criteria as for physical activities. Cyber activities that rise above a level of negligible or de minimis effects, causing significant harmful effects within the territory of another State without that State’s consent, could amount to a violation of the rule of territorial sovereignty with respect to the affected State. It is also important to note that cyber activities with effects in another State do not constitute physical presence in the territory of that State. As such, territorial sovereignty is not violated by virtue merely of remote activities having been carried out on or through the cyber infrastructure located within the territory of another State. Furthermore, cyber activities carried out remotely from within Canada with negligible effects in a foreign State do not involve an extraterritorial exercise of enforcement jurisdiction by Canada.
- Cyber activities that cause a loss of functionality with respect to cyber infrastructure located within the territory of the affected State may also constitute a violation of territorial sovereignty if the resulting loss of functionality causes significant harmful effects similar to those caused by physical damage to persons or property. For example, a violation of the territorial sovereignty will occur when the cyber activity creates a significant harmful effect that necessitates the repair or replacement of physical components of cyber infrastructure in the affected State. The loss of functionality of physical equipment that relies on the affected infrastructure in order to operate could also form part of the violation. The assessment of the effects includes both intended and unintended consequences that reach the threshold required to trigger a violation.
- The rule of territorial sovereignty does not require consent for every cyber activity that has effects, including some loss of functionality, in another State. Activities causing negligible or de minimis effects would not constitute a violation of territorial sovereignty regardless of whether they are conducted in the cyber or non-cyber context. Nor are States precluded by the rule of territorial sovereignty from taking measures that have negligible or de minimis effects to defend against the harmful activity of malicious cyber actors or to protect their national security interests. For example, Canada considers that a cyber activity that requires rebooting or the reinstallation of an operating system is likely not a violation of territorial sovereignty.
- The other key basis for assessing a violation of territorial sovereignty is whether a cyber activity interferes with or usurps the inherently governmental functions of another State. Cyber activities that have significant harmful effects on the exercise of inherently governmental functions would constitute an internationally wrongful act. For Canada, this would include government activities in areas such as health care services, law enforcement, administration of elections, tax collection, national defence and the conduct of international relations, and the services on which these depend. There can be a violation of territorial sovereignty by way of effects on governmental functions regardless of whether there is physical damage, injury, or loss of functionality. An example would be a cyber activity that interrupts health care delivery by blocking access to patient health records or emergency room services, resulting in risk to the health or life of patients.
- Importantly, some cyber activities, such as cyber espionage, do not amount to a breach of territorial sovereignty, and hence to a violation of international law.Footnote 16 They may however be prohibited under the national laws of a State.Footnote 17
- It is possible that a series of cyber activities could lead to significant harmful effects that violate the rule of territorial sovereignty. This is the case even if the individual cyber activity on its own would not reach this threshold.
- Canada will assess whether a violation of territorial sovereignty has occurred on a case-by-case basis. As noted below, Canada believes further State practice and opinio juris will help clarify the scope of customary law in this area over time. In any event, Canada considers that the existence of varied approaches to assessing the legality of cyber activities should not prevent States from agreeing that particular malicious cyber activities are internationally wrongful acts.
- State cyber activities may breach the foundational international law prohibition of intervention in the internal or external affairs of another State. This would be the case where both of the following conditions are met:
- the activities aim to interfere with the internal or external affairs of the affected State involving its inherently sovereign functions, known as domaine réservéFootnote 18; and
- the activities would cause coercive effects that deprive, compel, or impose an outcome on the affected State on matters in which it has free choice.Footnote 19
- In its most serious form, coercion may arise through the threat or use of force but could also arise where a cyber activity is designed to deprive the affected State of its freedom of choice. Coercion must be distinguished from other conduct such as public diplomacy, criticism, persuasion, and propaganda.
- An example of a prohibited intervention would be a malicious cyber activity that hacks and disables a State’s election commission days before an election, preventing a significant number of citizens from voting, and ultimately influencing the election outcome. Another example would be a malicious cyber activity that disrupts the functioning of a major gas pipeline, compelling the affected State to change its position in bilateral negotiations surrounding an international energy accord.
- Whether or not a cyber activity meets the threshold for a violation of the rule on territorial sovereignty or rises to the level of a violation of the rule against intervention will be determined on a case-by-case basis. As with the thresholds for violations of territorial sovereignty, Canada believes that further State practice and opinio juris will help clarify the thresholds for the rule of non-intervention, and the scope of customary law in this area over time.
Due Diligence
- No State should knowingly allow its territory to be used for acts contrary to the rights of other States.Footnote 20 This also applies in cyberspace. A State that has knowledge of a malicious cyber activity is expected to take all appropriate and reasonably available and feasible steps to stop ongoing or temporally imminent cyber activities that result or would result in significant harmful effects that impact the legal rights of another State.
- The precise threshold that triggers this expectation will depend on the totality of the circumstances in that situation. This would include whether the State has knowledge of the wrongful acts, its technical and other capacities to detect and stop these acts, and what is reasonable in that case. For example, a State with limited technical capabilities would not likely be expected to respond if it failed to detect a malicious cyber activity emanating from or through cyber infrastructure on its territory. However, once aware, the State would be expected to respond.
State Responsibility
- The international law of State responsibility applies across the whole spectrum of substantive areas of international law, including in cyberspace. It governs such issues as the attribution of internationally wrongful acts to States. It also addresses circumstances precluding wrongfulness, including countermeasures, and possible remedies. The law of State responsibility is not concerned with the legality of the use of force, including in self-defence, which is a separate area of international law.
- In Canada’s view, this well-established body of international law is not only applicable, but highly relevant in relation to contemporary cyber activities. To date, all publicly known malicious cyber activities have been widely interpreted by States as falling below the threshold (or thresholds) of the threat or use of force or armed attacks.
Internationally Wrongful Acts
- An internationally wrongful act in the cyber context is a cyber-related action or omission that:
- constitutes a breach of an international legal obligation, whether to another State or the entire international community; and
- is attributable to a State under international law.
- International law recognises exceptions to what would otherwise be internationally wrongful acts. Examples include cases of self-defence and countermeasures.
- Canada applies the customary international law on State responsibility to attribute wrongful conduct in cyberspace. Under the law of State responsibility, an important element is that of attribution, which involves the identification of a State as legally responsible for an internationally wrongful act. A State can be responsible directly, or indirectly where a non-State actor has acted on the instructions of, or under the direction or control of, that State.Footnote 21 In this respect, States cannot escape legal responsibility for internationally wrongful cyber acts by perpetrating them through non-state actors who act on a State’s instruction or under its direction or control.Footnote 22
- Attribution in its legal sense is of course distinct from the technical identification (or technical attribution) of the actor responsible for malicious cyber activity, whether State or non-State, as well as from the public denunciation of the responsible actor (political attribution). Further, Canada believes that the public attribution of internationally wrongful acts engages various political considerations beyond technical and legal attribution. To this end, States bear no obligation to publicly provide the basis upon which an attribution is made.
- Canada considers that States are entitled to use countermeasures in response to internationally wrongful acts including in cyberspace. The customary international law of State responsibility defines limits in the exercise of the right to take countermeasures, being actions that would otherwise be unlawful.Footnote 23 Countermeasures may not be taken in retaliation, but only to induce compliance, and directed at the State responsible for the internationally wrongful act. They may not constitute the threat or use of force, must be consistent with other peremptory norms of international law, and they must be proportional.
- Lawful countermeasures in response to internationally wrongful cyber acts can be non-cyber in nature, and can include cyber operations in response to non-cyber internationally wrongful acts.
- A State taking countermeasures is not obliged to provide detailed information equivalent to the level of evidence required in a judicial process to justify its cyber countermeasures; however, the State should have reasonable grounds to believe that the State that is alleged to have committed the internationally wrongful act was responsible for it. The precise scope of certain procedural aspects of countermeasures, such as notification, needs to be further defined through State practice given the unique nature of cyberspace.Footnote 24
- Assistance can be provided on request of an injured State, for example where the injured State does not possess all the technical or legal expertise to respond to internationally wrongful cyber acts. However, decisions as to possible responses remain solely with the injured State. Canada has considered the concept of “collective cyber countermeasures” but does not, to date, see sufficient State practice or opinio juris to conclude that these are permitted under international law. Canada distinguishes “collective cyber countermeasures” from actions taken in “collective self-defence” including measures taken in cyberspace.
International human rights law (IHRL)
- It is beyond dispute that international human rights law applies to activities in cyberspace. For many years, Canada has consistently advanced that all individuals enjoy the same human rights, and States are bound by the same human rights obligations, online just as offline.Footnote 25 States’ activities in cyberspace must be in accordance with their international human rights obligations as expressed in the international human rights treaties to which they are a party, and in customary international law.
- Canada notes that according to Article 2(1) of The International Covenant on Civil and Political Rights, each State Party is required to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in that instrument, without distinction.Footnote 26
- The internationally recognized human rights that are of particular concern in relation to cyberspace include the right to freedom of expression and to hold opinions without unlawful interference, freedom of association and of peaceful assembly, freedom from discrimination, and the right not to be subjected to arbitrary or unlawful interference with one’s privacy or correspondence.
Peaceful Settlement of disputes
- A central, and at times overlooked, rule of international law is the obligation of every State, under the UN Charter, to seek the settlement of disputes by peaceful means.Footnote 27 This is closely related to the prohibition of the threat or use of force.Footnote 28 Like that prohibition, it applies in cyberspace just as it does elsewhere. Thus, Canada considers that in line with the UN Charter, in case of disputes States may seek solutions through negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, and resort to regional agencies or arrangements, or other peaceful means of their own choice.
- The obligation to seek the settlement of disputes by peaceful means is not unlimited, nor does it diminish other international legal obligations or rights, such as the inherent right of self-defence.
- Canada considers that a State may always respond to an unfriendly act or an internationally wrongful act with unfriendly acts provided they are not contrary to international law.
Threat or use of Force
- Article 2(4) of the UN Charter requires that States refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the UN. This also applies in cyberspace. In general, cyber activities that amount to such a threat or use of force are unlawful, with recognised exceptions under international law.
- In Canada’s view, cyber activities may amount to such a threat or use of force where the scale and effects are comparable to those from other operations that constitute the use of force at international law. Canada will assess cyber activities that may amount to a threat or use of force on a case-by-case basis.
Self-Defence against Armed Attack
- Canada considers that the inherent right of self-defence if an armed attack occurs against a State also applies in cyberspace.Footnote 29
- Canada will respond to cyber activities that amount to an armed attack in a manner that is consistent with international law. Canada’s response may include cyber operations. The right to self-defence is both an individual and collective right of States.
International Humanitarian Law (IHL)
- IHL applies to cyber activities conducted in the context of both international and non-international armed conflict and regulates the conduct of hostilities and protects the victims of armed conflict.Footnote 30 In any armed conflict, the right of parties to choose means and methods of warfare is not unlimited.
- Cyber activities are an attack under IHL, whether in offence or defence, where their effects are reasonably expected to cause injury or death to persons or damage or destruction to objects.Footnote 31 This could include harmful effects above a de minimis threshold on cyber infrastructure, or the systems that rely on it. Such cyber activities must respect relevant treaty and customary IHL rules applicable to attacks including those relating to distinction, proportionality, and the requirement to take precautions in attack.
- States that are Parties to Additional Protocol I to the Geneva Conventions are required to review new weapons, means or methods of warfare to ensure compliance with IHL.Footnote 32 This obligation applies in the context of cyber capabilities and activities, although not all cyber capabilities and activities will constitute a weapon or means or method of warfare.
- Canada emphasises that acknowledging the application of IHL to cyber activities in armed conflict neither contributes to militarising cyberspace nor legitimises cyber activities that are unlawful.Footnote 33
- With this statement, Canada joins the many other States which have publicised their views on how international law applies in cyberspace. We hope that States which have not yet done so will consider publishing their own statements as well and thus contribute to the emergence of common understandings.
- To that end, Canada will continue to actively support capacity building on international law and cyberspace. Canada has found the process of consultations that led to this statement to be very beneficial in developing a deeper understanding of how international law applies to cyberspace.
- Canada believes it is crucial for all States to move beyond discussions of general concepts and build common understandings of what constitutes unlawful conduct in cyberspace. Canada will continue to develop and publicise its positions, including through dialogue with other States and stakeholders, in its ongoing efforts to contribute to security and stability in cyberspace.