Throughout the history of wars, covert actions or broadly, all intelligence activities have been mostly territorial in nature. However, post the cyber revolution, there arise many unaddressed questions in the broad sphere of international law. Does the act of a state of penetrating from a computer in its own territory into a computer or server located in another country violate the latter’s sovereignty? Does this amount to extraterritorial enforcement jurisdiction?
The concept of “sovereignty” is a precept in international law, and includes among other things, the state’s “right to exercise jurisdiction over its territory and over all persons and things therein, subject to the immunities recognized by international law.”1 although this might again provoke contemporary debates citing the example of the United States’ intelligence branches spying on its own citizens, which led the United Nations General
Assembly to confirm its resolution of retaining the right of privacy in the digital age2, invoking Article 12 of the Global Declaration of Human Rights:
“Nobody shall be exposed to the intractable intervention in their private life, family affairs, their correspondence or home, and their honor reputation shall not be attacked. Everyone has the support of law against such interventions and attacks.”3
Cyber intervention is fairly unexplored or rather, still in its infancy when it comes to its legality and illegality with the current Russian intervention into the 2016 US Presidential Elections being one of the most recent major developments concerning the topic. The primary question of the “use of force” by a state within the meaning of jus ad bellum rules have been attempted to be answered before.4
Just like territorial intervention, which would involve physically carried out clandestine activities, and which will not necessarily involve a physical destruction but may also involve information collection and further analysis, cyber intervention also needs to answer about the circumstance when the intervention falls short of physical destruction but involves the more passive co-option of, for instance, foreign government communications networks to monitor communications or spread corrupted data.5 One of the main ingredients of the concept of “sovereignty” is the principle of non- intervention.6
In the landmark case of Nicaragua v. United States, the ICJ concluded that, at minimum, the principle of non-intervention:
“…forbids all States or groups of States to intervene directly or indirectly in internal or external affairs of other States. A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy.”7
The case was regarding America’s intervention in the state of Nicaragua and its funding of its anti-government rebels, famously known as the CONTRA rebels.8 The ICJ was wise to add further that prohibited interventions included “methods of coercion”, even when these fell short of use of force,9thereby mandating the use of brute or dictatorial force, in effect depriving the state intervened against of control over the matter in question.10
Hence, we arrive at an adage: all coercive acts are not intervention, but all forms of interventions are coercive acts. Drawing upon the alleged Russian intervention into the 2016 US Presidential Elections, a contemporary example of intervention (if proven), coercive intervention includes manipulation of “elections or of public opinion on the eve of elections, as when online news services are altered in favour of a particular party, false news is spread, or the online services of one party are shut off.”11
The Canadian Federal Court’s decision regarding the Canadian Security Intelligence Service Act warrant to investigate Canadians overseas12 concluded that that intrusive surveillance (presumably involving electronic wiretaps) conducted by the CSIS on the territory of another state without its consent would violate that state’s sovereignty.13 More significantly, subsequent controversy stemmed from CSIS’s nonobservance of this Canadian territorial expectation. CSIS, in coordination with Canada’s signals-intelligence service, outsourced the intercept function to (unnamed) “Five Eyes” partner intelligence agencies, which include the U.S. National Security Agency.14 The CSIS had even outsourced the conduct that the Federal Judge had viewed as contrary to international law.
International law doesn’t address espionage per se and thereby on bleak grounds, declares that cyber espionage won’t be engaged as a matter of international law unless the aspects of the espionage violates specific international legal prohibitions.15 A cyber operation by a State directed against cyber infrastructure located in another State may violate the latter’s sovereignty. It certainly does so if it causes damage.16
But we also must keep in mind that the litmus test discussed above is the concept of coercion, has been permeated over the vast field of “intervention”, and hence is restricted to yet undecided by the virtual requirement of the violation of certain virtual barriers, such as invading firewalls or hacking passwords.17 Then, if the alleged Russian intervention does turn out to be true, and if it is proved that there was even the most minor intrusion, would it deprive the USA of enforcement jurisdiction? The doctrine discussed above clearly points out a cyber intrusion by hacking dose constitute an exercise of extraterritorial state power and hence a violation of sovereignty of another country. The transmission of electrical impulses to attempt to change or to change the status quo in a foreign state would definitely amount to intrusion. The question obviously would be then, what might be the consequences arising from such a case?
By Swagat Baruah, Gujarat National Law University