Finland published its positions on public international law in cyberspace
Cyberspace is a global domain of information systems, where electronic data is processed using information technology. The special features of cyberspace may raise questions relating to the practical application of certain provisions of public international law. It is therefore important to take part in close international cooperation and to exchange views about how, in certain questions, international law regulates States’ use of information and communication technologies. That is why Finland is now joining the group of States that have publicly expressed their positions on international law in cyberspace.
Finland considers that public international law creates an essential framework for responsible State behaviour in cyberspace. In the same vein, the UN Group of Governmental Experts (GGE) has reaffirmed that “[i]nternational law, and in particular the Charter of the United Nations, is applicable [in cyberspace] and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment”.
The principle of State sovereignty undisputedly applies in cyberspace. Finland sees sovereignty as a primary norm of public international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This norm is fully applicable in cyberspace, too. The assessment of whether an unauthorized cyber intrusion violates the target State’s sovereignty depends on the nature and consequences of the intrusion. The matter is subject to a case-by-case assessment.
Hostile interference by cyber means may also breach the customary prohibition of intervention in the internal affairs of another State, provided that it is done with the purpose of compelling or coercing that State in relation to affairs regarding which it has free choice(so-called domaine réservé).
Each State is obligated not to allow its territory to be used to cause significant harm to the rights of other States. This also applies to cyberspace. This principle, referred to as due diligence, is applicable to any activity which involves the risk of causing significant transboundary harm.
When a State’s cyber operation violates its obligations under public international law, the operation constitutes an internationally wrongful act. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace, too. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the perpetrators of a cyber operation that violates the State’s international obligations, its responsibility is engaged.
There is currently no established definition of a cyberattack that would amount to “use of force” in the sense of article 2(4) of the UN Charter, or “an armed attack” in the sense of article 51. However, it is widely recognized that such a qualification depends on the consequences of a cyberattack. Most commentators agree that a cyberattack which is comparable to an armed attack in terms of its extent and impacts equates to an armed attack, and self-defence is justified as response. However, the use of force in self-defence must not be disproportionate or excessive. Any definition of the use of force in cyberspace should respect both the letter of the UN Charter and its object and purpose, which is to prevent the escalation of armed activities.
International humanitarian law only applies to cyber operations when such operations are part of, or trigger, an armed conflict. There is no reason to deny the need for the protections that international humanitarian law provides, when cyber means are used in the context of a pre-existing armed conflict.
Individuals enjoy the same human rights and States are bound by the same human rights obligations both online and offline. Furthermore, each State has an obligation to protect individuals from violations of their rights by third parties within its territory and jurisdiction.
The position, which has been prepared in the MFA in consultation with other relevant authorities, was published on 15 October.
Marja Lehto, Senior Adviser, tel. +358 295 350 086
Tarja Långström, Counsellor, tel. +358 295 351 445
The Foreign Ministry’s email addresses are in the format email@example.com.
Cyberspace is not wild west (Kybertoimintaympäristö ei ole villi länsi, in Finnish)