There are generally four concepts in international law that describe a state’s wrongful acts: violation of sovereignty, prohibited intervention, use of force, and armed attack. These four concepts emerged in the pre-internet era, thus the application of them in cyberspace has caused many disagreements. However, notwithstanding the disagreements on the scope of any particular concepts, most scholars and states have implicitly or explicitly accepted a “spectrum model” to conceptualize the relationship between these four concepts. According to the spectrum model, the difference between these four concepts lies only in the severity of their violations. And the severity of a wrongful act is in turn connected to and depended upon the effects caused by it. Therefore, the four concepts operate by drawing four lines or “thresholds” measuring the effects of particular cyber operations. Accordingly, a cyber operation that violates a principle with a higher threshold must also violate a principle with a lower threshold.
This paper will argue that the spectrum model is problematic because it is incompatible with the usual understanding of the non-intervention principle. It does not correctly reflect the relationship between the non-intervention and the non-use of force principles. And it tends to improperly entangle the prohibition of armed attack and non-use of force principle. This paper will then propose an alternative “pyramid model” to conceptualize internationally wrongful acts.
I. Problematic Implications of the Spectrum Model in Cyberspace
1. The spectrum model and the principle of non-intervention
The principle of non-intervention is a well-established customary international law that prohibits states from coercively intervening in another state’s internal and external affairs. But there are two approaches to its application in cyberspace. The first view is that the non-intervention principle prohibits cyber operations that are “specifically designed to compel the victim State to change its behavior with respect to a matter within its domaine réservé.” This view is supported by states including the Netherlands and Germany. Under this approach, a prohibited intervention can be found if and only if (1) the acting state has the intent to influence the victim state’s behaviors or policies within its domaine réservé and (2) the acting state resorts to a coercive method. In contrast, the second approach argues that what’s important is not the victim state’s free will in deciding its affairs but its “ability to control or govern” such matters. Surprisingly, this view is not only supported by authoritarian states but also by liberal states like Australia and New Zealand as well as a minority of experts in Tallinn Manual 2.0.
It is not hard to understand the attractiveness of the second approach to many scholars, as this view is more compatible with the spectrum model of internationally wrongful acts. The spectrum model implies a pure effect-based logic, as it distinguishes different internationally wrongful acts only by the effects caused. The first approach’s inquiry into the victim state’s free will in deciding matters within its domaine réservé, however, requires more than such a logic. On one hand, such inquiries can be harder to objectivize compared to the second approach’s “ability to control” test as it depends on many factors that require case-specific inquiry like the victim state’s national power and leadership; but the effect-based logic necessarily requires a clear, objective, and universal standard. On the other hand, the effect-based logic emphasizes the direct impacts of cyber operations. Whereas a state’s “ability to control” matters within its domaine réservé can be directly harmed by another state’s cyber activities, its free will cannot. Instead, in situations short of using armed forces, a state can only influence another state’s policy choices or behaviors indirectly. In deciding whether a particular cyber operation coerced another state to change its policy, it is usually not enough to investigate simply the direct effects caused.
However, whereas the first approach is less compatible with the spectrum model, it better reflects the logic of the non-intervention principle and is more compatible with how such a principle is used to be interpreted by the international community. The principle of non-intervention is not written in the U.N. Charter. However, it is reflected in the 1970 Friendly Relations Declaration, which recognizes that all states have “an inalienable right to choose its political, economic, social and cultural systems” and it is prohibited to “coerce another state in order to obtain from it the subordination of the exercise of its sovereign rights.” It is worth noting that the Friendly Relations Declaration does not support the spectrum model because it does not say that the violation of the non-use of force principle per se constitutes a violation of the non-intervention principle. Instead, a more reasonable reading is that only some kinds of use of force are prohibited intervention – for example, the Declaration asserts that the use of force to “deprive peoples of their national identity” is also regarded as a violation of the principle of non-intervention. Besides the Declaration, the International Court of Justice (ICJ) in the 1986 Nicaragua case held that for an operation to constitute a prohibited intervention, it must satisfy two requirements: (1) it must “be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely” and (2) it must “uses methods of coercion in regard to such choices.” Apparently, the freedom to “choices” instead of “control” is the standard here. Moreover, the majority of experts in the Tallinn Manual 2.0 also accept this reading, and they explain that a prohibited intervention must “have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take).”
With the wide acceptance of the spectrum model and the pure effect-based logic, however, some have either accepted the second approach or argued that the traditional non-intervention rule needs to be substantially reformed. Specifically, for those advocating for the view that sovereignty is a principle but not a standalone rule that can be independently violated, it seems that as long as the spectrum model is adopted, only the second approach can be accepted. That is because the spectrum model requires a violation of the principle of non-use of force to cause more severe effects than that of non-intervention. As a result, without a standalone sovereignty rule, states must apply the principle of non-intervention to all below the threshold operations that they find problematic under international law. Since not all cyber operations are conducted to influence the victim state’s policy choices, and many of them are motivated simply by acquiring some faits accompli, the first approach’s free choice test will leave international law with too many loopholes and fail to protect a state’s valid national security interests here.
But to accept the spectrum model and to reform the non-intervention principle to make it more compatible with the spectrum model, both the requirement of coercion and the scope of domaine réservé need to be twisted. As for the coercion requirement, some scholars propose to simply abandon it. For example, Ido Kilovaty argued that the coercion test can be replaced with a “disruptive” test. Kilovaty claimed that “disruptive doxfare” (the public release of sensitive documents with the intent of disrupting legitimate domestic processes) constitutes a prohibited intervention notwithstanding the lack of coercion. A less radical approach is to replace the coercion test with a “control” test. What’s particularly noteworthy here is the U.K.’s position, as it is currently the only state that has explicitly adopted the “sovereignty is a principle” approach. Without a rule of sovereignty or being able to lower the threshold of use of force, however, a recent speech of the then-Attorney General Suella Braverman accepted the less liberal “control” test.
What’s more problematic is the domaine réservé requirement. Since all use of force must also constitute a prohibited intervention under the spectrum model, it must be accepted that there cannot be any use of force in cyberspace that does not deprive a state of control over a matter that it can decide freely by itself. However, such a conclusion can lead to many problems. To illustrate this, let’s consider Israel’s Stuxnet operation. Stuxnet was a cyber weapon developed to derail the Iranian program to develop nuclear weapons. It functioned by accelerating the spin rate of centrifuges that are used to separate different isotopes to cause physical damage to Iranian nuclear plants. The employment of Stuxnet was estimated to be overall successful as it set back Iran’s nuclear program by at least 2 years. However, from an international law perspective, many scholars and experts have expressed concerns about the legality of this operation. Certainly, depending on the scale and effects, such kinds of operations might constitute illegal use of force. Even if we regard the Stuxnet operation itself as below the threshold of use of force, it is not hard to imagine a similar operation causing more severe consequences that meet the use of force threshold. Ironically, however, whereas such an operation can be a prohibited use of force, it seems that it is not proper to classify it as a violation of the principle of non-intervention. While the operation clearly meets even the strictest standard of the coercion test, it simply does not target Iran’s domaine réservé. As explained above, domaine réservé only refers to affairs that a state can freely decide under international law, but Iran, by signing the Nuclear Non-Proliferation Treaty, had legally given up their sole control over its nuclear weapon policy.
My point here is not to argue that the Stuxnet operation itself is legal or illegal, instead, I think this operation indicates that the difference between the non-intervention and non-use of force principles is more than a matter of objective effects caused. It seems to be more proper to differentiate these two principles by the nature of wrongdoings that they are designed to address—while the principle of non-intervention is meant to protect a state’s free will in deciding affairs within its control, the principle of non-use of force is meant to protect a state’s “physical well-being” by securing its territory from being physically damaged by other states. Thus, if the Stuxnet operation is illegal, it is not illegal because Israel wanted to coercively subordinate Iran’s free will to develop nuclear weapons as Iran does not have such a right in the first place, rather, it is illegal because, notwithstanding Israel’s motives and targets, the operation caused an unacceptable degree of physical damages in Iran’s territory.
2. The spectrum model and the principle of non-use of force
The above discussion has indicated some problematic implications of the spectrum model. Before explaining my thoughts on a new “pyramid model,” this section will further examine the principle of non-use of force. On one hand, such an examination can further rebut the view that the only difference between the non-intervention principle and the non-use of force principle is a matter of effects caused or the view that it is impossible to find a particular cyber operation that constitutes a use of force but not a prohibited intervention. On the other hand, such an examination also indicates another problem of the spectrum model—it tends to cause improper entanglement of the rule of non-use of force and the prohibition of armed attacks.
Unlike the principle of non-intervention, the principle of non-use of force is clearly articulated in the U.N. Charter. Article 2(4) explicitly requires all states to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” The fact that the prohibition of using force is written in the U.N. Charter might render some to suspect that a violation of the use of force principle is more “severe” than a violation of the principle of non-intervention. However, from a legal perspective, such a view is not correct as both principles are recognized as customary international laws. Moreover, according to most states’ views, the violation of these two principles can be equally/similarly severe in the sense that the victim state will have the same remedy – a right to countermeasure but not self-defense.
That being said, it has to be admitted that a close read of the text of Article 2(4) can somewhat support the spectrum model and explain why it was widely accepted and was presumed to reflect the correct relationship between different kinds of internationally wrongful acts. Note that the plain text of Article 2(4) does not per se prohibit the use of force, instead, it only illegalizes the use of force that either (1) directs “against the territorial integrity or political independence of another state,” or (2) “in any other manner inconsistent with the Purposes of the United Nations.” It is not hard to see the similarity between such requirements and the “domaine réservé” requirement of the principle of non-intervention. For a long time, many states and scholars argued that the plain text of Article 2(4) means that the use of force for non-aggressive purposes does not constitute a violation of international law. And states including the U.K. have explicitly recognized a right to “humanitarian intervention”—the use of force against another state for human rights protection. If this is the correct interpretation of the principle of non-use of force, one can take a step further and reasonably argue that the only difference between the non-intervention principle and the non-use of force principle is that the former only requires the method employed by the acting state to be “coercive,” whereas the latter requires it to be more forceful as amount to use of force.
Unfortunately, it must be recognized that nowadays the vast majority of states and scholars have reached a consensus that the use of force in another state’s territories violates Article 2(4) no matter the underlying motives. This is especially the case in the discussion of the application of Article 2(4) in cyberspace as most scholars have recognized the scale and effects caused by cyber operations to be decisive in finding a violation of the principle of non-use of force. Considering that the “domaine réservé” requirement is still relevant in the discussion of the application of the non-intervention principle in cyberspace, we can more firmly conclude that the spectrum model of internationally wrongful acts can no longer reflect the correct relationship between the non-use of force principle and the non-intervention principle.
Besides the failure to precisely describe the relationship between different internationally wrongful acts, the spectrum model has another problematic implication—it tends to cause the improper entanglement of the non-use of force principle and the prohibition of armed attacks. The reason is that the non-use of force principle locates in an awkward position on the spectrum. Whereas international law recognizes three rules of internationally wrongful acts (non-intervention, non-use of force, and non-armed attacks), in most cases it only recognizes two self-help remedies – self-defense and countermeasure. It is well-recognized that a violation of the non-armed attack principle can trigger the right to self-defense, and a violation of the non-intervention principle can trigger the right to countermeasure. But how about the violation of the non-use of force principle? Since the spectrum model indicates that the violation of the non-use of force principle must be more severe than a violation of the non-intervention principle and less severe than an armed attack, a reasonable inference is that the victim state can respond in a way that’s not limited by the requirements of the countermeasure laws but at the same time cannot rise to the level of an armed attack. Unfortunately, international law does not recognize such a secondary rule. In light of this, many states choose to faithfully follow the plain text of Article 51 of the U.N. Charter, which limits the right to self-defense to respond to an armed attack. Other states including the U.S., however, choose to argue that the term “use of force” in Article 2(4) has no meaningful differences with the term “self-defense” in Article 51, thus international law recognizes a right to self-defense in responding to a prohibited use of force. This approach used to have the advantage of giving the policymakers more flexibility in deciding how to respond to another state’s forceful actions. However, in today’s cyber age, such an approach can tend to be counterproductive because it makes it harder to lower the threshold of the non-use of force principle. At present, many states are abandoning the view that a cyber operation can constitute a use of force only when it causes “kinetic equivalence” effects. Instead, they argue that certain disruptive cyber operations can constitute a prohibited use of force even with no physical effects. Considering that cyberattacks can lead to severe functional problems without causing physical damage, this approach clearly has its advantages – and this is especially the case if we adopt the more reasonable “free will” test of the non-intervention principle, as we can easily imagine an operation that is designed only to acquire fait accompli but caused large functional issues to the target state’s cyber infrastructure, where the resort to non-use of force principle is needed. However, if the concept of “use of force” is kept entangled with “armed attack,” and a violation thereof can give another state a right to use kinetic weapons in response as self-defense, it is harder for states to reach any consensus on the lowering of the use of force threshold.
II. From a “Spectrum Model” to a “Pyramid Model”
I have thus far explained why I think the spectrum model is problematic, and I’d like to conclude by proposing a new “pyramid model” of internationally wrongful acts here. The model has three layers. The first layer is the principle of sovereignty, which constitutes the foundation of the pyramid. It is a principle that other internationally wrongful acts are based upon but does not constitute a standalone rule that can be independently violated. Thus, a mere violation of it can only give the victim state a right to retorsion—the resort to unfriendly but otherwise legal acts. The second layer is the first floor of the pyramid and consists of the principles of non-intervention and non-use of force. They are not mutually exclusive, and it’s possible that an operation can be both a prohibited intervention and a use of force. However, they are different in nature because they are meant to protect a state’s different interests – the former protects a state’s “free will” in deciding its internal and external affairs by prohibiting measures that are specifically designed to compel it to change its behavior concerning a matter within its domaine réservé, and the latter protects a state’s “physical well-being” by prohibiting forceful actions causing physical damages in its territory. A right to countermeasure is triggered if either of them is violated, but the victim state cannot resort to self-defense. Lastly, the third layer is the prohibition of armed attacks, which constitutes the second floor of the pyramid. The employment of armed forces can threaten the “life” or the very existence of a state, thus it is more severe than the violation of the previous two principles and can trigger a right to self-defense.
I believe that this model can more precisely reflect the relationship between the non-use of force principle and the non-intervention principle. Besides, in this model, the principle of non-intervention can be properly interpreted as only prohibiting those operations specifically designed to deprive another state’s “freedom of choice” concerning its domaine réservé. Moreover, this model is more compatible with the view that sovereignty is merely a principle and not a rule. On one hand, it disentangles the principle of non-use of force and the prohibition of armed attack thus making it possible to lower the former’s threshold. On the other hand, with the flexibility to illegalize cyber operations causing severe functional damages with the non-use of force principle, there is less imperative to either recognize a rule of sovereignty or improperly and overbroadly construct the principle of non-intervention. At the end of the day, one of the biggest advantages of the “sovereignty is a principle” approach is that it is more compatible with an open and free instead of a state-centered and -censored internet. But if the approach must at the same time require us to read the non-intervention principle as granting states a very broad “domaine réservé” and a high level of “control” over such matters, such advantages will quickly diminish.