A Victim’s Perspective on International Law in Cyberspace
Chris Carpenter, Duncan B. Hollis
Costa Rica’s recent position paper improves transparency on the country’s legal views and provides a framework for future dialogue with other states.
In the spring of 2022, two significant ransomware operations targeted 27 Costa Rican government bodies, in addition to the country’s health care system. Costa Rica’s government refused to pay the ransom demanded. In light of the hackers’ threats to leak sensitive information from the data they encrypted, many government-run systems had to be taken offline (including those related to tax collection, medicine, and social security). Costa Rica’s president, Rodrigo Chaves, declared that Costa Rica was “at war” with the attackers (who were affiliated with two Russian-speaking groups, known as Conti and Hive). The Costa Rican government has spent the last year working on recovery and remediation, with technical assistance from state governments (namely, the United States and Spain) and industry.
In light of these events, it is unsurprising that Costa Rica just released one of the most robust position papers on the applicability of international law in cyberspace. In doing so, it becomes (by our count) the 36th state to offer an official national position on the subject. Thus, Costa Rica joins a trend—though not yet a large sample—in which states appear increasingly interested in improving transparency on their respective legal views and providing a framework for future dialogue (and, perhaps, agreement).
Costa Rica’s statement tracks the vast majority of its predecessors in acknowledging the applicability of international law “in its entirety” to information and communication technologies (ICTs), including the prohibition on the use of force and international humanitarian law (IHL). It tackles many of the same topics covered in other states’ national statements—such as nonintervention, sovereignty, countermeasures, and due diligence—while raising others that have not received as much attention—including human rights, peaceful settlement of disputes, and neutrality. Costa Rica has clearly spent time examining other states’ statements and, in particular, “academic projects on the application of international law to cyber operations” including the Oxford Process (for which one of us is a co-convenor), the Tallinn Manuals, and the Cyberlaw Toolkit.
Temple University Law School’s Institute for Law, Innovation, and Technology, known as iLIT, has been working in conjunction with American University’s Tech, Law, and Security program to catalog and analyze the three dozen existing national statements on the application of international law. We were thus pleased to see Costa Rica’s elaborate statement. It provides an opportunity not only to engage with Costa Rica’s novel contributions but also to evaluate the overall state of play on the operation of international law in cyberspace.
Sovereignty
Costa Rica joins the majority of states that have addressed the topic of sovereignty (including Brazil, Canada, Japan, and, most recently, Ireland) by categorizing it as a rule that can be breached by other states’ cyber operations. In doing so, Costa Rica’s statement further isolates the United Kingdom—which has doubled down on the idea that sovereignty is better thought of as a background principle informing other rules, noting that it “does not consider that the general concept of sovereignty by itself provides a sufficient or clear basis for extrapolating a specific rule or additional prohibition for cyber conduct.”
What cyber operations will violate sovereignty? Here, too, Costa Rica’s statement reaches widely, including not only physical attacks but also cyber operations that trigger a “loss of functionality of cyber infrastructure located in the victim State.” This position makes sense given the nonphysical (but extensive) economic damage Costa Rica suffered in the 2022 ransomware attacks. Similarly, Costa Rica includes a “usurpation of inherently governmental functions” as a violation of sovereignty, tracking the Tallinn Manual 2.0, and including operations “interfering with a State’s democratic processes, such as elections, responses to a national security or health emergency, such as the COVID-19 pandemic, and its choice of foreign policy.” Costa Rica’s position differs from the statement immediately preceding its own (from Ireland), which had not recognized usurpation of governmental functions as a sovereignty-violating condition.
Where Costa Rica really separates itself from other states is in its willingness to envision violations of state sovereignty via cyber espionage. To be clear, Costa Rica recognizes that “it is often difficult to technically distinguish between a mere data-gathering operation from an operation penetrating a governmental system in order to interfere with a State’s sovereign functions. Real-world examples show that, once a piece of malware successfully enters a system or network, it remains a latent threat to its integrity.” But rather than default to a position allowing espionage, given the difficulty in making such distinctions, Costa Rica’s statement cuts in the other direction, suggesting that at least some surveillance operations and cyber espionage can be conducted in a manner that breaches state sovereignty and other rules of international law. As such, Costa Rica stands apart from many other states—Germany, Japan, Poland, and Israel, to name a few—that declined to expressly tie surveillance operations to potential violations of state sovereignty. In fact, Costa Rica is the first state to adopt this position in such clear and unequivocal terms.
Nonintervention
Costa Rica’s position, like most of the other national statements, relies on the 1986 International Court of Justice case Nicaragua v. United States and the UN General Assembly’s Friendly Relations Declaration to identify a prohibition on intervention that includes behavior below the use-of-force threshold, which involves coercive interference in another state’s domestic affairs (the domaine réservé). As with sovereignty, Costa Rica is again expansive in its reading of what conduct will violate this obligation, including “ransomware attacks crippling or simply interfering with a State’s ability to run public services, such as finance, education, and social security.” Relying on the Tallinn Manual 2.0, Costa Rica suggests an intervention can also occur “when [a State] engages in or supports subversive or hostile propaganda or the dissemination of false news that interfere in the internal or external affairs of another State” and (joining New Zealand, Australia, Brazil, and others) “foreign election interference.” Thus, Costa Rica breaks ahead of the pack in suggesting that the principle of nonintervention can be applied as a tool to respond to state-sponsored mis- and disinformation campaigns. Furthermore, in Costa Rica’s view, the attempted cyber intervention does not need to be successful in order to violate this principle—intent to coerce is sufficient.
Countermeasures
Countermeasures involve otherwise internationally wrongful conduct whose wrongfulness is precluded when done in response to a prior internationally wrongful act (and various other substantive and process conditions are satisfied). Costa Rica’s statement acknowledges the substantive and procedural constraints articulated by the UN International Law Commission (for example, that countermeasures must not be punitive, must be proportionate, and must not disrupt fundamental human rights). At the same time, Costa Rica’s position acknowledges that the procedural requirements—namely (a) sommation (calling on the state to cease its wrongful acts), (b) notice to that state of the intention to take countermeasures, and (c) the offer to negotiate—“do not have to be met when compliance with them would defeat the purpose of the intended countermeasures.” Other states (such as Italy, France, the Netherlands, and Norway) have opined on exceptions to the procedural requirements, albeit in slightly different terms.
More importantly, Costa Rica’s statement weighs in (positively) on the possibility of states employing countermeasures collectively, a position championed originally by Estonia and supported more recently by Ireland. Costa Rica’s statement signals support for the idea of collective countermeasures not only for violations of obligations erga omnes but also at the request of a victim state. In contrast, states such as France and Canada have suggested collective countermeasures are not permitted by international law at present, while Brazil has poured cold water on the idea of countermeasures in general.
Due Diligence
The U.S. has notably declined to endorse the idea of due diligence as a rule of international law governing cyberspace, supporting it as a “voluntary” norm instead in the influential 2015 UN Group of Governmental Experts Report. Costa Rica, in contrast, comes out strongly supporting due diligence as a standard that manifests across at least four different areas of international law. Thus, Costa Rica cites due diligence as including the Corfu Channel standard (a state is “not to allow knowingly its territory to be used for acts contrary to the rights of other States”), with constructive notice being possible where a state “knows or should have known” that the act contrary to the rights of other states “originates from or transits through its territory.” Costa Rica, moreover, takes the position that states “must exercise a reasonable degree of vigilance over their networks” and “must also put in place certain basic protective measures” over their cyber infrastructure.
At the same time, Costa Rica looks beyond Corfu to tie its vision of the due diligence obligation to taking “appropriate measures to prevent significant transboundary harm” (independent of whether that harm violates the rights of other states). Previously, this reading of due diligence has mostly been applied to international environmental law in the context of pollution (for example, in Trail Smelter, where an arbitral tribunal ruled in favor of U.S. claims that Canada should bear responsibility for pollution caused by smoke from the smelter on the Canadian side of the border that drifted downwind into Washington state, causing harm to crops and forests there). Here, Costa Rica cites the application of due diligence in the cyberspace context as covering “non-physical harms … including those caused through or to ICTs,” such as “online incitement to violence, hostility or discrimination and disinformation campaigns causing harm to individuals.”
International Humanitarian Law
Costa Rica’s position on the applicability of international humanitarian law in cyberspace is one of the most detailed, nuanced, and wide-ranging of those disseminated thus far. The statement describes in detail how IHL applies to cyber operations as a part of ongoing armed conflicts, and where a cyber operation has the ability to commence an armed conflict on its own. It takes the time, moreover, to walk through the application of the core IHL principles. Regarding the principle of distinction, for example, Costa Rica adopts the position that, “[w]ith respect to cyber infrastructure, the assessment of whether an object qualifies as a military objective must be done at the lowest level practically possible,” by which it means, “at the level of each particular computer, cable, router, or other specific device that can be separated from a network or a system as a whole.” Cyberattacks (for purposes of the prohibition of attacks on civilians or civilian objects) involve conduct “designed or [that] can be reasonably expected to cause injury or death to persons or damage or destruction to objects,” alongside:
The disabling—temporary or permanent, reversible or not—of the targeted computer, system, or network. For the avoidance of doubt, this means that the existence of physical damage to objects or injury or death to persons is not required for an operation to constitute an attack under IHL. (Emphasis added.)
The implications of this position are significant. A number of other states have been reluctant to treat a loss of functionality alone as an attack (some states, such as Poland, simply do not include loss of functionality as an attack, while other states, such as Canada, Germany, and Israel, attach far more qualifiers in their language). These qualifiers matter, since only “attacks” trigger fundamental IHL principles like distinction and proportionality. If an operation is not an attack, the argument goes, there is no need to discriminate between civilian and military objects. If, however, a loss of functionality can, as Costa Rica submits, comprise an attack, it widens the aperture significantly as to which cyber operations will be attacks that trigger the principle of distinction. From this position, Costa Rica returns to its own situation, asserting that the kind of ransomware attack it suffered in 2022 “would be considered an attack under IHL and therefore must not be directed against civilian systems.”
Finally, Costa Rica takes a position long advocated by the International Committee of the Red Cross, but that few (if any) states have endorsed previously: the idea of data as an object. Costa Rica takes the view that “civilian data constitute civilian objects under IHL,” reasoning that, “[b]efore the digital revolution, such data was stored in the form of paper files that were protected under IHL. Therefore, in Costa Rica’s view, the protection of civilian objects under IHL extends to civilian data.” This means that “[c]ivilian datasets, including medical data, social security data, tax records, corporate and financial data, or electoral lists,” are all considered unlawful targets under IHL that cannot be attacked without violating the principle of distinction.
Human Rights
Like other states, Costa Rica asserts that human rights apply online the same way they do offline. It also repeatedly highlights the gendered impact of cyber harms, noting that women have suffered disproportionately from cyber harms (from electronic surveillance to hate speech to doxxing to cyber bullying to harassment). Where its statement is likely to engender the most controversy is in where these obligations apply. The U.S., for example, has long contended that its human rights obligations under the International Covenant on Civil and Political Rights (ICCPR) apply only within U.S. territory—that is, it has no obligation to respect human rights outside its territory. Costa Rica’s position can be said to occupy the opposite pole. It claims that a state’s obligations to respect, protect, and ensure human rights under the ICCPR and the American Convention on Human Rights go beyond:
[A] State’s territory, areas, or persons under its physical control. It extends to all human rights over whose enjoyment the State exercises power or effective control, regardless of physical proximity. This means that, under those treaties, States must respect, protect and ensure human rights that are exercised online or via ICTs and over whose enjoyment a State exercises effective control.
This position may align with the Inter-American Court of Human Rights, but it is not one many states have endorsed themselves. Hence, it will be interesting to gauge other states’ reactions to Costa Rica’s position on where states must afford human rights protections online.
Conclusion
Costa Rica’s statement appears to be the longest and most sophisticated national statement issued to date on the application of international law in cyberspace. Although not traditionally recognized as a cyber power in either a military or an industrial sense, Costa Rica’s experiences with ransomware may elevate its voice among the dozens of states now speaking out on how to achieve global governance for states’ online behaviors. Of course, this is no guarantee that Costa Rica’s positions will set a new standard for others, whether in requiring states that have already spoken out to update their more cursory existing statements or in providing a proof of concept for other states that have yet to issue any statements.
But Costa Rica’s position paper highlights just how much priority many states are now affording the role of international law online. The question of what to make of these statements themselves also warrants more attention. How do these national statements relate to international law—what legal relevance do they have if, as states generally assert, existing rules already apply? Are they merely efforts at interpretation and application, or do they go further by serving as evidence of some new opinio juris and evolving the law’s content in the process? As Russia and others call for a cybersecurity treaty, it may be particularly important to look to these statements as a signal on those areas where consensus appears most likely, and those where positions diverge (often quite substantially), suggesting that further clarifications and dialogues are sorely needed.
Duncan B. Hollis is Laura H. Carnell Professor of Law at Temple University Law School. He recently co-edited Defending Democracies: Combating Foreign Election Interference in a Digital Age (Oxford University Press, 2021) and is editor of the award-winning Oxford Guide to Treaties (Oxford University Press, 2nd, ed., 2020). He regularly writes on issues of international law, norms, and global cybersecurity. Professor Hollis is a Non-Resident Scholar at the Carnegie Endowment for International Peace, an elected member of the American Law Institute, and a regular consultant for the Microsoft Corporation’s Digital Diplomacy team.