Read on Twitter
Today, New Zealand 
has published its views on how international law applies to cyber operations. It contains some hot stuff on:
sovereignty
due diligence
collective countermeasures
So read on for a brief summary. *THREAD*
has published its views on how international law applies to cyber operations. It contains some hot stuff on: sovereignty due diligence collective countermeasuresSo read on for a brief summary. *THREAD*
But before we come to the juicy bits, let's start with something uncontroversial: use of force. Here, NZ
endorses the scale-and-effects test
gives disabling the cooling process in a nuclear reactor as an example of an armed attack. /2
endorses the scale-and-effects test gives disabling the cooling process in a nuclear reactor as an example of an armed attack. /2
On non-intervention, NZ uses the ICJ's definition in Nicaragua, but with a twist. A prohibited intervention requires
interference with the domaine réservé
which produces significant effects on that right and
is coercive /3
interference with the domaine réservé which produces significant effects on that right and is coercive /3
So, the significant effects requirement seems an addition to the ICJ's definition in Nicaragua para 205, which did not mention any threshold of effect. /4
Moreover, NZ addresses the question of coercive intent: "While the coercive intention of the state actor is a critical element of the rule, intention may in some circumstances be inferred from the effects of cyber activity." And gives some examples of intervention (below) /5
Now comes the big one: sovereignty. First, NZ clarifies that the principle of sovereignty is given effect through:
the prohibition of the use of force
the prohibition of intervention
a standalone rule of territorial sovereignty.
/6
sovereignty. First, NZ clarifies that the principle of sovereignty is given effect through: the prohibition of the use of force the prohibition of intervention a standalone rule of territorial sovereignty./6
BUT: New Zealand "acknowledges that further state practice is required for the precise boundaries of its application to crystallise". /7
Now, given the uniqueness of cyberspace, the rule of sovereignty needs to take into account:
lack of a territorial link of "the virtual element"
lack of physical distance
involvement of ICT infrastructure in different jurisdictions /8
lack of a territorial link of "the virtual element" lack of physical distance involvement of ICT infrastructure in different jurisdictions /8
In consequence, sovereignty prohibits cyber activity causing significant harmful effects on the territory of another State, BUT /9
/9
"NZ does not consider that territorial sovereignty prohibits every unauthorised intrusion into a foreign ICT system or prohibits all cyber activity which has effects on the territory of another state." /10
And more : "New Zealand considers that the rule of territorial sovereignty as applied in the cyber context does not prohibit states from taking necessary measures, with minimally destructive effects, to defend against the harmful activity of malicious cyber actors." /11
: "New Zealand considers that the rule of territorial sovereignty as applied in the cyber context does not prohibit states from taking necessary measures, with minimally destructive effects, to defend against the harmful activity of malicious cyber actors." /11
To my knowledge, this is the first open acknowledgement and justification of state enforcement actions on foreign servers without the consent of the territorial state.
I'd like to put this to a test: would NZ be OK with Chinese or Russian enforcement on NZ servers? /12
I'd like to put this to a test: would NZ be OK with Chinese or Russian enforcement on NZ servers? /12
Next, due diligence and another shocker:
"New Zealand is not yet convinced that a cyber-specific 'due diligence' obligation has crystallised in international law." 
Is this an after-effect of putting DD in the GGE 2015 Report's norms section? /13
"New Zealand is not yet convinced that a cyber-specific 'due diligence' obligation has crystallised in international law." Is this an after-effect of putting DD in the GGE 2015 Report's norms section? /13
I have strong methodological reservations regarding this argument: if international law - as it stands today - "applies online as it does offline", why should DD "crystallise" for cyberspace if it is already here (albeit offline) since the ICJ's Corfu Channel decision? 
/14
/14
Or did norm 13(c) of the GGE 2015 Report modify the applicability of DD in cyberspace (an issue which has been raised during the last Oxford workshop)? In any case, other states (
) find DD applicable as a matter of law. /15
CC @EnekenTikk
) find DD applicable as a matter of law. /15CC @EnekenTikk
If DD were to apply, considers that it:
requires actual rather than constructive knowledge
does not require active monitoring of ICT infrastructure
should only require states to take reasonable steps within their capacity (
agree). /16
considers that it: requires actual rather than constructive knowledge does not require active monitoring of ICT infrastructure should only require states to take reasonable steps within their capacity ( agree). /16
On responses:
political attribution always allowed regardless of wrongfulness of the act
good faith in attributing conduct
no universal standard of evidence, but states must be "sufficiently confident" and prepared to defend in court
no duty to present evidence /17
political attribution always allowed regardless of wrongfulness of the act good faith in attributing conduct no universal standard of evidence, but states must be "sufficiently confident" and prepared to defend in court no duty to present evidence /17
More . NZ open to coll. countermeasures in limited circumstances, due to
potential asymmetry between malicious and victim state and
"the collective interest in the observance of international law in cyberspace" /18
. NZ open to coll. countermeasures in limited circumstances, due to potential asymmetry between malicious and victim state and "the collective interest in the observance of international law in cyberspace" /18
My take: NZ's interpretation of "collective interests" is very creative, but ultimately wrong as a matter of law. As I explain here ( https://ccdcoe.org/uploads/2020/05/CyCon_2020_2_Roguski.pdf), coll. interests refers to erga omnes (partes) obligations and "observance of Int'l L" is not one of them. /19
This would lead the whole concept of collective interests and erga omnes oblig. ad absurdum, because every obligation would become one of collective interest due to the general interest in observance of the law. IMO, this is a dud, but interested in your thoughts @brunnerisi /20
Well, this was something! I disagree with NZ on sovereignty, DD and coll. countermeasures and I'll definitely put my thoughts into writing, but it's very refreshing to see NZ join the debate with such thought-provoking arguments. Full text here: https://www.mfat.govt.nz/en/media-and-resources/ministry-statements-and-speeches/cyber-il
