Israel published its perspective on key issues pertaining to the application of International Law to Cyber Operations.
Roy Schöndorf, Israel’s Perspective on Key Legal and Practical
Issues Concerning the Application of International Law to Cyber
Operations 97 INT’L L. STUD. 395 (2021).
Israel considers that
international law is applicable to cyberspace. Israeli officials have consistently expressed this
position over the years, including the Minister of Justice in 2016, as well as
the diplomatic representatives to the United Nations Governmental Group of
Experts (UNGGE) and the Open Ended Working Group (OEWG), as well as in other
fora. In December 2020, Israel's Deputy Attorney General for International Law
reaffirmed this position and laid out in more detail some key aspects of
Israel’s approach regarding the application of international law to
cyberspace, some of which will be highlighted below.
Traditional rules of
international law, which mainly evolved in a bricks-and-mortar world, and often
in domain-specific contexts, do not always lend themselves to application in
the cyber domain, which has certain distinctive characteristics. For example,
data travels globally across networks and infrastructure located in multiple
jurisdictions, transcending national borders and lacking meaningful physical
manifestations. Moreover, cyber infrastructure is, to a large extent,
privately-owned and decentralized, both at the domestic and international
levels. The cyber domain is also highly dynamic, with technological
developments and innovation advancing at a rapid pace.
When considering the
applicability of specific rules of international law to cyberspace, it is
important to be mindful of such distinctive features, and to carry out a
meticulous examination of the rules at play and the context in which these
rules emerged.
Sovereignty
Sovereignty is a foundational
concept in international law and international relations. In recent years, a
debate has emerged as to its legal implications, with one view advocating that
there is a general legal obligation under international law to respect another
State's sovereignty, and another view holding that sovereignty is merely a
general principle from which legal obligations emerge such as the prohibition
on use of force and the prohibition to intervene in another country's internal
affairs. It is Israel’s view that in international law there is a
firmly-entrenched legal rule with regard to respecting the territorial
sovereignty of other States. However, the application of this rule in the cyber
domain raises questions and challenges. In practice, cyber activity in the
exercise of State functions often implicates infrastructure physically located
in other States, without such activity being deemed by any party a violation of
territorial sovereignty. In addition, States' legitimate interests in the
protection of data and networks of its citizens and companies hosted abroad,
e.g. in cloud computing, should also be borne in mind.
Non-intervention
The prohibition on intervention
in other States’ internal affairs has been typically taken to mean that a State
cannot take actions to coerce another State into taking a course of action, or
refraining therefrom, in matters pertaining to the latter's core internal
affairs. This rule has usually been applied in the context of military
intervention and support to armed groups seeking the overthrow of the regime in
another State, entailing a high threshold of application. In the cyber context,
manipulation of election results or interfering with a State’s ability to hold an
election could also likely be considered a violation of this rule.
Due diligence
In the 2015 Report of the
UNGGE, due diligence is mentioned as a voluntary, non-binding norm of
responsible State behavior, providing that States should not allow their territory
to be used for the commission of international wrongful acts. The application
of due diligence to cyberspace presents practical and legal challenges. For
example, "shutting down" service providers' traffic could harm
freedom of expression. In light of current state practice and opinio juris, it
has not crystallized into a customary rule.
State responsibility
The
international law of State responsibility is generally applicable to the cyber
domain, determining whether States are responsible for internationally wrongful
acts in this domain. Attribution of acts to States in the cyber domain
in order to determine State responsibility is mainly a factual matter. There is
no international legal obligation to disclose information forming the basis of
an attribution of a particular act in cyberspace. While in some cases States
might find it useful to publish such details, it may not always be desirable or
possible to do so, for reasons such as national security or foreign relations.
A State's decision whether to provide details and to whom, remains its
exclusive discretion. The rules regulating countermeasures are also
relevant to cyberspace. There is no absolute duty to notify the responsible
State in advance of a countermeasure. Such a requirement would often undermine
the effectiveness of a countermeasure, render it obsolete or compromise other
interests of the State undertaking the countermeasure.
Use of force
Israel considers that the
Charter of the United Nations, including the prohibition set out in Article
2(4) of the Charter on the “threat or use of force” in international relations,
is applicable in the cyber domain. A cyber operation can amount to use of force
if it is expected to cause physical damage, injury or death, which would
establish the use of force if caused by kinetic means. Moreover, an action
taken in accordance with a State's inherent right of self-defense, enshrined in
Article 51 of the Charter, against an armed attack conducted through cyber
means, may be carried out by either cyber or kinetic means.
The law of armed conflict
The law of armed conflict
(LOAC) and its fundamental principles generally apply to cyber operations
conducted in the context of an armed conflict. Israel views that only an act
expected to cause death or injury to persons or physical damage to objects
beyond de-minimis, may constitute an “attack” within the meaning of this term
under LOAC. The LOAC rules on targeting relating to distinction, precautions
and proportionality apply only to cyber operations qualifying as
"attacks" under LOAC. Military operations not constituting “attacks”
are subject to general obligations under LOAC that do not depend on whether the
act is an attack or not.
Cybercrime
Israel is a party to the
Budapest Convention and cooperates with States across the globe in prosecuting
criminal actors. Israel also supports, and is taking part in, negotiations for
a protocol on law enforcement access to data on the cloud. It is imperative to
achieve better understandings of the interplay between law enforcement and
extraterritorial jurisdiction. State practice indicates that there are
different approaches on this matter, and greater clarity is required. In
addition, particular attention needs to be afforded to the protection of
government data stored by third-party cloud providers. In Israel's view, such
data is not – and should not be made – subject to access requests by law
enforcement authorities of other States.
Furthermore, Israeli law
enforcement agencies, aware of the "going dark" phenomenon, are
considering different approaches to address it. To that end, Israel views
international cooperation in this field as important.
Human rights
New
technologies present constantly evolving opportunities and dilemmas, including
in the field of human rights. As with other concepts of international law, our
common understanding of how human rights law applies may entail adjustments to
the digital context. In that regard, Israel is a party to seven international
human rights conventions. States' applicable obligations under these
conventions remain relevant also in the cyber domain, in particular in striving
to protect key rights such as freedom of speech and privacy.