This post was contributed by Dr Samuli Haataja, Senior Lecturer at Griffith Law School and Law Futures Centre member.
In April 2022, Canada published its official position on how it considers international law to apply to state activities in cyberspace. An increasing number of states have published similar documents or statements, and many of these have been done in connection with the United Nations processes relating to international security in the cyber context. As part of the UN Group of Governmental Experts and the UN Open-Ended Working Group processes, states have reached general agreement that international law applies to state activities in cyberspace. However, as states have been unable to reach agreement on how the law applies, they have been encouraged to share their national views on this. Canada’s publication of its position on ‘international law applicable in cyberspace’ does just that. The importance of sharing national views on how the law applies, as Canada also notes, is that it contributes to developing common understanding and consensus about lawful and acceptable state behaviour in cyberspace. This can also reduce the risk of misunderstandings and escalation of conflict that may arise from cyber activities.
Canada’s position is detailed and covers a range of areas of law, from attribution under the law of state responsibility and due diligence, to international law on the use of force and international humanitarian law. The most detailed treatment is given to the question of sovereignty. As noted in a recent report that I co-authored, this is an area where there has been debate among states about whether and how the law applies, and this debate has important national security implications. At its core this debate is about whether or not sovereignty operates as a rule of international law that prohibits states from engaging in certain types of cyber activities, and if so, where the threshold for violations of sovereignty is. For example, if sovereignty is not a rule of international law that limits states from engaging in cyber activities, then a broad range of cyber operations are effectively deemed permissible provided they do cause significantly disruptive or destructive effects. The United Kingdom is a state that has explicitly adopted this position. The opposing position which has been adopted by an increasing number of states – now including Canada – regards sovereignty as a rule that does prohibit certain cyber activities. However, even among these states there is uncertainty about where that threshold lies. For this reason, Canada’s position is welcome in terms of the detailed account of how it will determine the circumstances in which a cyber operation violates sovereignty.
In relation to the legal status of sovereignty, Canada maintains it is axiomatic that ‘sovereignty applies in cyberspace, just as it does elsewhere’ and that there is a rule of ‘territorial sovereignty’ under international law. What this means, according to Canada, is that states enjoy sovereignty over their territory, including the infrastructure within their territory, and an infringement of the state’s territorial integrity or an interference with its inherently governmental functions constitute violations of sovereignty. This is consistent with the approach adopted by an international group of experts who examined how international law applies in the cyber context and authored the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.
But when does a cyber operation violate territorial sovereignty? While Canada maintains that this is determined on a case-by-case basis, it lists the factors it takes into account and provides examples to illustrate what kinds of cyber activities it considers acceptable. When determining whether a violation of territorial sovereignty has occurred, Canada says it will consider ‘[t]he scope, scale, impact or severity of disruption caused, including the disruption of economic and societal activities, essential services, inherently governmental functions, public order or public safety’. It maintains that, for a violation of the law to occur where there are physical effects, these must involve ‘significant harmful effects’ and not just negligible ones. Similarly, in relation to cyber operations that cause loss of functionality, Canada says that violation of sovereignty can occur ‘if the resulting loss of functionality causes significant harmful effects similar to those caused by physical damage to persons or property’. Here it provides the example of ‘a significant harmful effect that necessitates the repair or replacement of physical components of cyber infrastructure’ as well as ‘loss of functionality of physical equipment that relies on the affected infrastructure in order to operate’. In this context Canada says it will assess both the ‘intended and unintended consequences’ of the cyber operation when determining whether a violation of sovereignty has taken place.
Canada also outlines its position in relation to cyber operations that it does not consider to violate sovereignty (and therefore those activities that it considers permissible). It maintains that states can engage in cyber activities without the consent of another state even where the activity causes ‘effects, including some loss of functionality’ in the other state. This could include, for example, ‘measures that have negligible or de minimis effects to defend against the harmful activity of malicious cyber actors or to protect their national security interests.’ Here it provides the example of ‘a cyber activity that requires rebooting or the reinstallation of an operating system’ and maintains it is ‘likely not a violation of territorial sovereignty.’ Further, Canada expressly notes that activities such as cyber espionage do not violate territorial sovereignty or international law.
Overall, Canada’s position on territorial sovereignty is similar to that adopted by others states including, for example, New Zealand. Canada regards territorial sovereignty as a rule that can be violated by cyber operations with significantly harmful effects. However, given its position on cyber espionage and on non-consensual cyber operations that cause effects in another state – even where they cause loss of functionality to the extent that the reinstallation of an operating system is required – this means it considers a range of cyber operations below the threshold of ‘significant harmful effects’ to be permissible. While this is not dissimilar from the position of many other states, it does mean that the way international law obligations are shaping in the cyber context (through states’ positions on how the law applies) is one in which states retain the prerogative to lawfully engage in various behaviours in pursuit of their national security objectives – from installation of spyware and other malicious software to pre-position themselves in the cyber infrastructure of other states – without violating international law. These kinds of activities are generally criminalised in national legal systems for individuals, corporations, and others, but increasingly seem to be regarded as lawful under international law for states.