Low-Intensity Cyber Operations and State Sovereignty in Cyberspace
In March 2021, a UN report was adopted confirming that international law applies in cyberspace. Despite this UN report, there are still significant disagreements among states about what types of cyber operations international law prohibits. The states are especially divided on the issue of the most common types of cyber operations, called “low-intensity” cyber operations. Low-intensity cyber operations are operations that penetrate a computer system located on the territory of another state, but do not rise to the level of a use of force or prohibited intervention. This CMS Report “Low-intensity cyber operations and state sovereignty in cyberspace” compares and assesses three very different positions concerning whether low-intensity cyber operations violate the sovereignty of the territorial state. The report is authored by Professor Kevin Jon Heller (CMS), and is published in collaboration with DJØF Publishing.
Three different positions
The first position among states is that low-intensity cyber operations are never wrongful because sovereignty is a principle of international law, not a primary rule that can be independently violated. The second position, called the ‘pure sovereigntist’ approach, is that low-intensity cyber operations are always wrongful because sovereignty is a primary rule of international law that is violated by any non-consensual penetration of a computer system located on the territory of another state. The third position, called the ‘relative sovereigntist’ approach, is that although sovereignty is a primary rule of international law, only low-intensity cyber operations that cause some kind of physical damage to the territorial state or render its cyberinfrastructure inoperable are wrongful.
Recommendations
Many states, including Denmark, has not adopted a position on the legality of low-intensity cyber operations. This report concludes that a small state like Denmark - which is expected to be more concerned with defending itself against cyberattacks than using them for offensive purpose - should adopt either pure sovereignty or relative sovereignty. Which one of the approaches that is most attractive for Denmark will depend on both legal and policy considerations.