On 23 May
2018, the UK Attorney General, the Rt Hon Jeremy Wright QC MP, gave a speech at
the Royal Institute of International Affairs (RIIA) to inform on the UK
interpretation of international law with regard to cyber-attacks. This expands upon a speech at the
International Institute of Strategic Studies (IISS) on 11 January 2017
regarding the UK application of international law on self-defence. The following are extracts of these speeches.
Let’s
look at the IISS speech first:
·
“Under
the UN Charter, armed force may be used both pursuant to a Chapter VII
authorisation by the UN Security Council and in individual or collective
self-defence under Article 51 of the UN Charter.” Comment:
The UK position is that to trigger collective self-defence there does not need
to be a direct threat to the assisting state.
However, the state subject to the threat must have sought the assistance
of the assisting state(s). The UK also
recognizes humanitarian intervention as a possible legal basis for the use of
force in certain exceptional circumstances.
·
“…
Article 51 of the UN Charter does not require a state passively to await an
attack but includes the “inherent right” … to use force in self-defence against
an “imminent” armed attack …” Comment: there is no accepted UN
definition of “imminent”.
·
“Following the [9/11] attacks, the UN Security
Council … confirmed that self-defence could be justified in relation to
non-state actors.” “… self-defence is
available as a legal basis where the state from whose territory the actual or
imminent armed attack emanates is unable or unwilling to prevent the attack or
is not in effective control of the relevant part of its territory.” Comment:
the UK formally notified the UN Security Council (03 December 2015) that
Article 51 is the legal basis for UK military action in Syria against Daesh.
·
“Where
there is an identified direct and imminent threat to the UK or British interests
abroad, the UK has always maintained it will take action to counter that
threat.”
·
“The absence of specific evidence of where an
attack will take place or of the precise nature of an attack does not preclude
a conclusion that an armed attack is imminent for the purposes of the exercise
of a right of self-defence …”
Turning
to the recent RIIA speech:
·
“Cyber
space is not – and must never be – a lawless world. It is the UK’s view that when states and
individuals engage in hostile cyber operations, they are governed by law just
like activities in any other domain.”
·
“On
26 June 2015, the UN Expert Group, including not just the UK and the US, but
also Russia and China, recognized that the UN Charter applies in its entirety
to cyberspace. The Group affirmed the
relevance of a state’s inherent right to act in self-defence in response to a
cyber operation meeting the threshold of an armed attack.”
·
“…
the UK considers it is clear that cyber operations that result in, or present
an imminent threat of, death and destruction on an equivalent scale to an armed
attack will give rise to an inherent right to take action in self-defence …”
o
“If
a hostile state interferes with the operation of one of our nuclear reactors,
resulting in widespread loss of life, the fact that the act is carried out by
the way of a cyber operation does not prevent it from being viewed as an
unlawful use of force or an armed attack against us.”
·
“When
states are engaged in an armed conflict, this means that cyber operations can
be used to hinder the ability of hostile groups such as Daesh to coordinate
attacks, and in order to protect coalition forces on the battlefield.” Comment:
see paragraph below.
·
“In
addition, it is also worth stating that, as a matter of law, there is no
requirement in the doctrine of countermeasures for a response to be symmetrical
to the underlying unlawful act.” Comment: The UK National Cyber Security
Strategy 2016-2021 states that, “… respond to cyber-attacks in the same way we
respond to any other attack, using whichever capability is most appropriate,
including an offensive capability.
·
“…
attribution of conduct … require a state to bear responsibility in
international law for its internationally wrongful acts, and also for the acts
of individuals acting under its instruction, direction or control.
·
“… our National Offensive Cyber Programme (NOCP)
is building a dedicated capability allowing the UK to act in cyberspace. Comment:
the NOCP is a joint Government Communications Headquarters (GCHQ and Ministry
of Defence (MoD) partnership. Detailed
liaison with close Allies is critical to ensure deconfliction of cyber
operations, and that there is no adverse effect on intelligence collection
operations.
On 12 April
2018, Jeremy Fleming, Director of GCHQ, revealed at the CyberUK2018 conference
that the UK had conducted a “major offensive cyber campaign” against Daesh. “These
operations have made a significant contribution to coalition efforts to
suppress Daesh propaganda, hindered their ability to coordinate attacks, and
protected coalition forces on the battlefield."
As well
as informing the British public of the legal basis of government policy, the
RIIA speech was clearly intended to convey a message to potential hostile
actors in order to deter malicious cyber activity.
No comments:
Post a Comment