This post has been contributed by Dr Samuli Haataja, Lecturer at Griffith Law School and Law Futures Centre member.
In December 2020, New Zealand published a statement on how it considers international law to apply to state activities in cyberspace.
New Zealand joins a number of other States that have already done so, and such statements are important as they can contribute to the development of customary international law in this context.
This in turn is important given that, while States have agreed at the United Nations (UN) level — including most recently in a consensus report of the UN Open Ended Working Group — that international law applies generally to their cyber activities, there continues to be debate about the specifics.
Clarifying and developing shared understandings about how the law applies in this context is important in shedding light on existing ‘grey zones’ of the law in which it is unclear or contested.
New Zealand’s statement outlined its official position on various areas of international law including the use of force, intervention, and responses to malicious cyber operations.
It also adopted a position on sovereignty — an area of law that has been hotly debated since the United Kingdom (UK) outlined its controversial position on the topic in 2016. This debate has largely centred on whether and to what extent sovereignty applies in the cyber context to limit States from engaging in cyber operations that involve intrusions into computer systems and networks within another State’s territory.
While a large number of States and academic commentators have adopted the conventional approach that sovereignty operates as a rule of international law that can be violated (despite ongoing debate about the threshold at which this occurs), the UK’s position (and potentially that of the United States) is that sovereignty is a principle (not a rule) and thus cannot be violated in itself by a cyber operation unless it rises to the threshold of a use of force or a unlawful intervention.
In essence, there continues to be debate about the types of low-level malicious cyber activities that States can engage in without violating the legal obligations owed to other States under international law.
New Zealand’s position is unique as it maintains that sovereignty is both a principle (underpinning the prohibition on the use of force and non-intervention) but also a standalone rule capable of being violated.
As such, unlike the UK position, it adopts the view that a cyber operation that causes effects in another State is capable of violating sovereignty.
This is similar to what a number of other States adopting the rule approach to sovereignty have maintained.
However, as to when New Zealand considers sovereignty to be violated, it maintains that not all cyber intrusions or even those with effects in another State violate their sovereignty.
There is a range of circumstances — in addition to pure espionage activity — in which an unauthorised cyber intrusion, including one causing effects on the territory of another state, would not be internationally wrongful.
For example, New Zealand considers that the rule of territorial sovereignty as applied in the cyber context does not prohibit states from taking necessary measures, with minimally destructive effects, to defend against the harmful activity of malicious cyber actors.
In other words, New Zealand does not consider that unauthorised cyber intrusions into another State’s computer systems or networks violates international law on sovereignty.
Further, it considers that States can, in certain circumstances, lawfully engage cyber operations that cause destructive effects in another State’s territory.
While New Zealand expressing its position on the law is useful for the clarification and development of international law in the cyber context, the implications of its position (which ultimately is not too dissimilar than most States that have outlined their positions) are concerning.
Essentially, under New Zealand’s position, States can engage in various types of cyber operations without being in violation of their legal obligations to other States.
These include espionage activities that involve compromising the cyber security of computer systems and networks in another State, and even the installation of malicious software (for example, software that gives the responsible State backdoor access to those systems or networks) provided it does not cause disruptive or destructive effects.
Further, New Zealand even considers that under certain circumstances it (and other States) can cause ‘minimally destructive effects’ without violating the law.
With recent unease surrounding revelations of a supply chain attack through SolarWinds’ products affecting various organisations including US government agencies and critical infrastructure operators — activities that would arguably not be specifically prohibited by New Zealand’s position unless and until the cyber operation was used to cause disruptive or destructive effects — the limits of international law in this context become evident.
Essentially, while States have agreed that at least seriously disruptive and destructive cyber operations should be off-limits, low-level cyber activities including the installation of backdoors onto another State’s systems and networks continue to take place in the grey areas of the law.
This is problematic as it allows States to engage in a range of activities that undermine the cyber security of systems and networks that modern societies depend on.