How does the Law of Neutrality Operate in Cyberspace?

Introduction

Existing Scope of Law of Neutrality

The law of neutrality governs the relationship between belligerent and neutral states during an international armed conflict. These laws are encapsulated in the Hague Convention V¹Convention (V) Respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, The Hague, 18 October 1907 and XIII²Convention (XIII) Concerning the Rights and Duties of Neutral in Naval War, The Hague, 18 October 1907 of 1907. The law of neutrality protects the civilians, territory, and commercial interests of a neutral state by forcing belligerents to respect the territorial sovereignty and inviolability of neutral states.³Hague Convention V, Article 2-4 However, neutral states are bound by the principles of non-participation and impartiality towards all belligerents. This is to prevent any detriment to one belligerent in favour of the other.⁴Hague Convention V, Article 5 & 10 Although the validity of the law of neutrality has been questioned, it is still largely accepted and forms a part of customary international law.⁵State Practice
1. United States’ The Commander’s Handbook on the Law of Naval Operations, NWP 1-14M, Chapter 7 (Newport 1997).<br>

2. The Federal Ministry of Defence of the Federal Republic of Germany, Humanitarian Law in Armed Conflicts – Manual, Chapter 11 (Bonn 1992).
Program on Humanitarian Policy and Conflict Research at Harvard University, Manual on International Law Applicable to Air and Missile Warfare, Section X (Bern 2009). However, in the past few decades the international community has witnessed the emergence of cyberspace and warfare through cyber operations. An inspection of the Hague Conventions shows that the law of neutrality is limited to the protection of the physical territorial, aerial and naval space of a neutral territory. It does not address the issue of cyberspace, which is different from the physical nature of land, air and water. Cyberspace is something which “defies measurement in any physical dimension or time space continuum”.⁶Thomas Wingfield, The Law of Information Conflict: National Security Law in Cyberspace, at 17 (Aegis Research Corp. 2000). Yet, cyberspace is becoming crucial in modern warfare, so it is pertinent to analyze how the law of neutrality applies to cyberspace; what obligations it creates; and what its limitations are.

Cyberspace

Definition

The term ‘cyberspace’ has been defined as “the environment formed by physical and non-physical components to store, modify, and exchange data using computer networks”.⁷Tallinn Manual 2.0 On the International Law Applicable to Cyber Operations 553 (Michael N. Schmitt gen. ed., 2017) at 564

The U.S. DoD Manual, for instance, provides the following definition: “[a] global domain within the information environment consisting of interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” Its main characteristics include intangibility, limited supervision, and decentralized mode of governance.

Difficulty in Applying Traditional Law of Neutrality to Cyberspace

Firstly, cyberspace is interconnected and is not bound by territorial borders or restrictions. It also does not exist in a tangible form, apart from its constitutive physical infrastructure, i.e., cables, servers, computers, devices and transmitters. Most of this infrastructure is spread out over different States’ territories and jurisdictions. Furthermore, there are unlimited routes which information might take to travel through potentially multiple servers. It is very difficult to identify a particular part of this massive infrastructure as the source of a cyber operation.

For example, a belligerent state might be sending an encrypted message which may be divided in ‘packets’⁸In networking, a packet is a small segment of a larger message. Data sent over computer networks, such as the Internet, is divided into packets. These packets are then recombined by the computer or device that receives them. and might travel through various different servers. It would be impossible to know that a particular information packet formed a part of a bigger cyber operation and should be stopped. Thus, a state might be unknowingly contributing to a malicious activity or cyberattack, which is a breach of its obligation to not allow its territory to be used for any conflict-related activities. It may make the neutral state a participant in the armed conflict, after which it loses its neutral status and becomes a belligerent party.

Secondly, states are capable of very limited supervision of cyberspace because of technical limitations as mentioned previously and legal limitations. If a data packet is merely passing through a state, it might be considered an extraterritorial issue. Similarly, even within a state, cyber infrastructure is mostly owned by private entities who may not provide access to the state. So, although a state might be contributing to a cyber activity, the state might be unaware and unable to eliminate it. This is because under the law of neutrality a state is only obligated to regulate the actions on its own territory⁹Article 5, Hague Convention V and the obligation does not extend to private individuals.¹⁰Article 8. Hague Convention V

Thirdly, the infrastructure is built in a way that no single entity can practice control over it. Making it more difficult to levy responsibility on an actor. Some ways in which cyberspace can be used by the parties to the conflict are: State A uses the servers located in a neutral state to transfer malware to State B and causes damage. A neutral state may unintentionally relay information regarding cyber threats and thus indirectly provide a belligerent state of military intelligence and an advantage which is prohibited under the article 6 of Hague Convention XIII.¹¹The supply, in any manner, directly or indirectly, by a neutral Power to a belligerent Power, of warships, ammunition, or war material of any kind whatever, is forbidden. International law, scholars and states have been molding and extending the law of neutrality for it to govern the dimension of cyberspace as well.

What Sort of Cyber Activity Would the Law of Neutrality Prohibit?

First, it is crucial to understand what sort of cyber communication is prohibited under international law, and what degree of a cyber operation gives rise to belligerent rights and neutral state obligations. As per Article 8 of the Hague Convention V, a neutral power is not obliged to forbid or restrict the use of already existing telegraph, telephone cables or wireless telegraphy apparatus belonging to it or to companies or private individuals. This implies that certain activities through cyberspace, even if by belligerents, do not breach the neutral obligations of neutral or belligerent states. This is logical as certain acts might also constitute espionage which is not prohibited under international law.¹²Rule 24, Customary International Law, https://ihl-databases.icrc.org/en/customary-ihl/v1/rule57 Hague Convention V prohibits States from “moving munitions of war”¹³Article 2, Hague Convention V, 1907. through the territory of a neutral State. Here, the issue is what sort of data constitutes the ‘munitions of war’. The HPCR manual,¹⁴HPCR is an authoritative restatement of the existing laws applicable to air and missile warfare. During its drafting various international law experts came together to summarize various interpretations of blackletter law. The manual was supported by Switzerland, Belgium, Germany, Canada, Australia, Netherlands and Norway.

It may be considered a reflection of customary international law. an authoritative restatement of international laws applicable to air and missile warfare,  holds that the use of internationally and openly accessible networks like the Internet by the belligerents for military purposes does not constitute a violation of neutrality on part of the neutral state. However, the manual does not differentiate between mere military communication and malicious activity/ cyber-attack. Although it is agreeable that the former does not constitute a violation of neutrality, there is no consensus on whether states should be held liable for malicious cyber activity. Furthermore, there is no consensus on the definition of malicious activity and whether it is different from a cyber attack. This is a grey area with inconsistent state practice and poses a hurdle in properly determining the state responsibilities under international law, including the applicability of the law of neutrality.

What Responsibility would a Neutral State entail?

In the case of cyberspace, although intangible, cyberspace requires physical architecture to exist.¹⁵Patrick W. Franzese, ‘Sovereignty in Cyberspace: Can It Exist?’, 64 AFLR 1-42, at 33 (2009) A neutral state is obligated to prohibit the exercise of belligerent rights, and eliminate any violations of neutrality, from any infrastructure that is either located within its territory, or is under its exclusive/effective control. As per article 5 of the Hague Convention V, a “neutral Power must not allow any of the acts referred to in Articles 2 to 4 to occur in its territory.” These articles put an obligation on a neutral state to prevent belligerents from moving munitions of war from its territory,¹⁶Hague Convention V,  Article 2 to erect installations for military purposes¹⁷Hague Convention V, Article 3 and to recruit corps from the neutral territory.¹⁸Hague Convention V, Article 4 As per these articles,¹⁹Article 2, 3,4, 5 of Hague Convention V the transmission of a cyberattack through a neutral state’s territory would constitute a breach of its obligations. However, the term ‘allow’ indicates actual knowledge by the neutral state or its organs. This is reiterated in the Corfu Channel judgment in which the ICJ states that every state had an obligation to “not to allow knowingly its territory to be used for acts contrary to the rights of other States.”²⁰Corfu Channel Case, Judgement April 9^th 1949, Page 22 Hence, a neutral state will only be liable if it has been sufficiently informed beforehand regarding any malicious activity through its cyber-structure, or if the malicious activity continues after the State has become aware of it and it fails to stop the activity.

However, this is highly unlikely, since no one other than the belligerent will have knowledge of the upcoming cyber-attack and most attacks will occur at extreme high speed. Perhaps a presumption of knowledge can be made if the attack originates from a neutral state’s territory and is used solely for non-commercial governmental purposes. But this presumption is also rebuttable since the cyber-structure may easily be usurped by another belligerent. Perhaps the only circumstance in which responsibility can definitely be allocated to a neutral state is when a malicious cyber activity continues to exist and the neutral state becomes aware of it. In this case the neutral state will have a responsibility to eliminate it or else it surely loses its status as a neutral state.

What Remedies Does a Victim Belligerent State Have?

In case a neutral state fails to prevent or terminate the use of its infrastructure (territory) for malicious purposes or attacks against a belligerent, the victim belligerent state has a right to take necessary measures to terminate the violation and force compliance with the law of neutrality.²¹120. Commander’s Handbook, supra note 5, ¶ 7.3; SAN REMO MANUAL, supra note 12, ¶ 22; HPCR MANUAL, supra note 5, rule 168(b).

For those who believe there is also an obligation to prevent a violation, the other belligerent would also have the right to act if the neutral State fails to do so This right stems from Article 9 of the Hague Convention V, which states that the neutral state must be impartial to all belligerents. Hence, by not eliminating a harmful cyber activity, the neutral state may be providing one of the belligerents with an advantage. But this right to apply countermeasures comes with certain restrictions. A countermeasure can only be taken if a) the particular breach resulted in harm to the belligerent’s legitimate security interests; b) only if it gives the belligerent state a military advantage over its co belligerent and c) only if it has originated from the territory of a neutral state. It would be unlawful unless it were in response to a breach of international obligations by the neutral state.²²Draft Articles on Responsibility of States for Internationally Wrongful Acts, Rep. of the Int’l L. Comm’n, 53d Sess., UN GAOR 56th Sess., Supp. No. 10, U.N. Doc. A/56/10 (2001), arts. 22, 49–54

However, before taking the countermeasure, the victim must notify the neutral state and allow it reasonable time to terminate the cause of breach. The victim state may take immediate measures only if

1. The violation constitutes a serious and immediate threat to the security of that belligerent,
2. There is no feasible and timely alternative and
3. The enforcement measure taken is necessary to respond to the threat posed by the violation.²³HPCR Manual supra note 5 rule 168(b)

Considering the difficulties in surveillance of cyberspace, the victim belligerent state may only act within the territory of the neutral state if the malicious activity continues to happen. Since customary international law does not consider every unforeseen and instantaneous malicious activity a breach of neutrality on behalf of the neutral state, it does not create a right on behalf of the victim state to breach the territory and sovereignty of the neutral state.

Conclusion

In conclusion, although there has been no modification to the Hague Conventions to adapt them to cyberspace, IHL’s application in cyberspace is a project that has been commenced by states and academics. The customary obligations applicable to cyberspace include those of taking due care and not letting the infrastructure of a state’s territory be used to harm other states and the duty to terminate any activity if it emerges from the state’s infrastructure. However, there are huge gaps regarding what type and level of activity can be labelled a violation of law of neutrality by the neutral state. State practice is not uniform in this regard and unless there is legal development in this area, the law of neutrality will remain in a state of slumber.