This article considers how States affected by malicious cyber activity may seek a remedy before international tribunals in circumstances where they cannot convincingly identify the specific perpetrator. It reviews relevant evidentiary difficulties, considers cases regarding the failure of States to exercise due diligence to prevent inter-State harm, and proposes that States affected by malicious cyber activity may argue a breach of the maxim sic utere tuo ut alienum non laedas: in essence, that a State of origin allowed its territory or jurisdiction to be used contrary to the rights of another State.
This is Part 1 of 2 of an article exploring State responsibility for cyberattacks based on the sic utere maxim. Part 1 sets out the evidentiary difficulties and principles relevant to the topic. Part 2 explores how the principles described in Part 1 might apply in the context of specific case examples, including what might be forensically necessary to establish a claim based on a breach of the maxim.
On 22 September 2022, Optus, an Australian telecommunications company, was the subject of a massive data breach which affected over 9 million of its customers. Unfortunately, the Optus breach is only the latest major example of an increasing list of malicious cyber activity affecting States, companies, and individuals. The recent Medibank cyberattack and publication of individuals’ private health information is another pertinent example. While the attack on Optus was likely conducted by a lone actor, other incidents, like a cyberattack on the Australian Parliament’s computer systems, are likely sponsored or conducted by other States. But what recourse under international law does Australia have in either scenario?
Obtaining sufficient evidence to convincingly establish the identity of a perpetrator of malicious cyber activity is a difficult process. Perpetrators can and often do operate with a significant degree of anonymity online through various available software, and even utilise computers belonging to innocent third parties. For example, publicly available encryption services like Virtual Private Networks (VPNs) or ‘onion’ routing can help users anonymise their data profile online by allowing them to surf the web through single or multiple private servers respectively. IP spoofing is a means by which a user can impersonate another computer, often with the intent of illegally gaining access to additional secure computer systems. Once access is gained, innocent computers (sometimes called ‘zombies’) can then be used as a platform to conduct further malicious activity. The nature of cyber infrastructure therefore means there are multiple effective methods available to perpetrators to create reasonable doubt about their identity.
States affected by malicious cyber activity may wish to seek a remedy against other States (whether as perpetrators or sponsors) before the International Court of Justice (ICJ) or an international arbitral tribunal. While States may simply seek to ‘name and shame’ alleged perpetrators, such accusations cannot provide the kinds of legal remedies that a tribunal can. Depending on the circumstances, such remedies can include (as examples) the award of compensation or restitution for material loss, an order for cessation and guarantee of non-repetition, or a declaration of wrongdoing. Further, there are remarkably few expressions of the boundaries imposed by international law on the cyber activities of States (leaving aside the use of cyberattacks in armed conflicts, and certain efforts to encourage the criminalisation of cybercrime). Without the legal certainty afforded by litigating the matter before a tribunal, these ambiguities in the law provide States with ample opportunity to operate in a legal penumbra and deny responsibility for, or the unlawfulness of, their conduct.
However, a State seeking to litigate a claim arising out of malicious cyber activity must bear in mind certain obstacles to establishing the legal responsibility of a perpetrator. Foremost, such an allegation must likely be supported by ’convincing’ evidence (see Nicaragua v USA (Merits) [1986] ICJ Rep 14 (‘Nicaragua v USA’) at [29]), though there is yet to be a pronouncement by an international tribunal on the standard of proof applicable to alleged activities in cyberspace. Further, the categories of actors whose conduct will entail direct responsibility of a State are strictly defined and limited in number, namely: organs of the State as designated by the State’s national law; actors empowered by the State’s national law as functionaries; and actors acting on the instructions of, or under the direction or control of, the State (see the Draft articles on Responsibility of States for Internationally Wrongful Acts, with commentaries, articles 4, 5, and 8).
Holding another State liable for perpetrating or sponsoring malicious inter-State cyber activity is therefore a near-insuperable task, due to both evidentiary issues inherent to cyberspace and the narrow legal bases upon which State responsibility can be established. While the former concept is unavoidable, the latter can possibly be mitigated by resorting to the less onerous fault standard of an alternative cause of action recognised by early international legal decisions.
The maxim sic utere tuo ut alienum non laedas (broadly, the duty of States to use their territory and jurisdiction in such a manner that respects other States, including protecting other States against injurious acts by individuals within their territory or jurisdiction) has been referred to as a general principle of international law for over a century.
Most notably, the 1941 Trail Smelter award considered the legal implications of Canada failing to prevent smoke emanating from smelters within its territory to the territory of the United States (see United States of America v Canada (Award) (1941) 3 RIAA 1905 (‘Trail Smelter’)). After recognising the existence of, and obligations imposed by, the sic utere principle, the Tribunal considered the question of whether an ‘injurious act’ had occurred to which the principle might respond. The Tribunal first noted that it was not aware of any case of air or water pollution dealt with by an international tribunal. Accordingly, the Tribunal turned to a number of United States judgments on the topic that concerned injurious conduct perpetrated or experienced by states of the Union. The Tribunal reasoned that such judgments provided guidance since they dealt with inter-state disputes or disputes concerning the quasi-sovereign rights of such states (at 1964).
Having considered these decisions, the Tribunal in Trail Smelter concluded as follows (at 1965):
‘…under the principles of international law … no State has the right to use or permit the use of its territory in such a manner as to cause injury by fumes in or to the territory of another or the properties or persons therein, when the case is of serious consequence and the injury is established by clear and convincing evidence.’
The ICJ delivered a further exposition of the sic utere principle eight years later in the Corfu Channel decision (see United Kingdom v Albania (Merits) [1949] ICJ Rep 4 (‘Corfu Channel’)). The case concerned harm caused by mines in Albania’s territorial waters to warships and personnel of the United Kingdom. The majority of the Court held that the Albanian authorities were obligated to provide notice of the existence of a minefield in Albanian territorial waters and warn the British warships of the imminent danger to which the minefield exposed them. The majority further opined that such obligations were based on ‘certain general and well-recognized principles, namely: elementary considerations of humanity, even more exacting in peace than in war; the principle of the freedom of maritime communication; and every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States’ (at 22, emphasis added).
The concept that States are not to knowingly allow their territory ‘to be used for acts contrary to the rights of other States’ reflects the sic utere principle. The words ‘not … allow’ rather than, for instance, ‘ensure against’ (compare Responsibilities and obligations of States sponsoring persons and entities with respect to activities in the Area (Advisory Opinion) [2011] ITLOS Rep 17 (‘Activities in the Area’) at [110]), suggest that the majority had in mind a standard of absolute liability whereby, no matter the countervailing circumstances or effort exerted by a State to prevent harm, the mere occurrence of acts contrary to the rights of other States would engender State responsibility. However, because the ICJ considered that the concept manifested in an obligation to notify other States of the harm within Albania’s territory, rather than prevent such harm entirely, one may infer from the Court’s decision that the sic utere principle only gives rise to relative, rather than absolute, liability for the occurrence of injurious acts. This inference is reinforced by the statement of the majority in the 2010 Pulp Mills on the River Uruguay decision (see Argentina v Uruguay (Judgment) [2010] ICJ Rep 14) that the Court in Corfu Channel had described ‘the due diligence that is required of a State in its territory’ (at [101]). It is further reinforced by Judge Alvarez’s reference to a duty of ‘vigilance’ in his Excellency’s Separate Opinion in Corfu Channel (see the Separate Opinion at 44).
The standard of ‘due diligence’ is a basis of liability imposed by a primary rule of international law, breach of which gives rise to State responsibility without any additional requirements (see J. Crawford, The International Law Commission’s Articles on State Responsibility: Introduction, Text and Commentaries (Cambridge University Press, 2002) at 13). Satisfaction of a duty requiring a State to exercise due diligence does not require that State to actually prevent harm (see the commentaries to the Draft articles on Prevention of Transboundary Harm from Hazardous Activities at 154, [7]). Rather, a State fails to exercise due diligence if it has the opportunity through available measures to prevent harm but does not exercise sufficient effort to do so.
Satisfaction of the standard of due diligence is based in reasonableness. This follows from Judge Alvarez’s statement that the scope of the duty to exercise ‘proper vigilance’ varies according to the geographical conditions of, or means available to, the relevant State (Corfu Channel, Separate Opinion at 44). In Nicaragua v USA, the majority also considered geographical complications and the secrecy of perpetrators as factors that mitigated against finding that Nicaragua failed to diligently prevent arms traffic through its territory. They reasoned at [157] that if ‘the exceptionally extensive resources deployed by the United States have been powerless to prevent this traffic … this suggests even more clearly how powerless Nicaragua must be with the much smaller resources at its disposal…’. A similar pronouncement, albeit in the more specific context of the United Nations Convention on the Law of the Sea and international environmental law, was made in Activities in the Area at [117], where it was opined that:
‘The content of “due diligence” obligations may not easily be described in precise terms. Among the factors that make such a description difficult is the fact that “due diligence” is a variable concept. It may change over time as measures considered sufficiently diligent at a certain moment may become not diligent enough in light, for instance, of new scientific or technological knowledge.’
Accordingly, while there is little doubt that the ordinary rules of international law apply with equal force to cyberspace (see, e.g., the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations at 31), the fact that any violation of a requirement to act with due diligence is assessed according to reasonableness means that certain accommodation must be made of the fact that a State may not have the capacity to know of, and in act in response to, every potential cyber threat from within its territory. A distinction could be drawn between the covert operations of a group of hackers and the presence of land mines in a State’s territorial waters (as in Corfu Channel), or fumes produced by a large physical structure close to its border (as in Trail Smelter). Further, the means by which a State could monitor and prevent cyberattacks may also risk intruding on the right to privacy of its citizens. The need to prevent cyber-harm cannot and should not be used as an artifice to justify human rights violations. Ultimately, the right balance to be achieved between these concepts is likely to depend heavily on the facts of a specific case; it may be that a State’s obligations thus only arise once a cyberattack is in motion, or has partially taken effect.
In the context of malicious cyber activity, an affected State such as Australia may refer to Corfu Channel and allege that the State from whose territory or jurisdiction such activity originated failed to exercise due diligence in preventing an act contrary to the affected States’ rights. Such a cause of action is an alternative to seeking to meet the higher evidentiary threshold of identifying the actors within the State of origin responsible for the malicious cyber activity, and articulating the details of their relationship with the State in question. In alleging a failure to exercise due diligence, an affected State may only need to factually establish that the malicious cyber activity originated from another State, that such a State of origin had means available to prevent such activity, that the State of origin knew or ought to have known of such activity taking place, and that the State of origin failed to exercise with best efforts those means available to it (likely circumstantially by inference from the foregoing) (Corfu Channel at 18).
This concludes Part 1 of 2 of an article exploring State responsibility for cyberattacks based on the sic utere maxim. Part 2 continues the analysis in Part 1 by considering how the principles described in that Part might apply in the context of reported cyberattacks on Optus and the Australian parliament.
Angus Fraser is an Australia-based lawyer practising in commercial litigation. He graduated from the University of Queensland in 2018 with First Class Honours and has previously published on public international law and information technology and the law.