The African Union’s Statement on the Application of International Law to Cyberspace: An Assessment of the Principles of Territorial Sovereignty, Non-Intervention, and Non-Use of Force

Written by and

A growing number of States have published statements examining the application of international law to cyberspace (for an overview see the Cyber Law Toolkit). On 29 January 2024, the African Union (AU) Peace and Security Council adopted the ‘Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace’, and on 18 February 2024 the Assembly of the AU endorsed it. For an overview of the Common African Position (CAP) and its process of adoption see the post by Mohamed Helal, the AU’s Special Rapporteur on the CAP.

The CAP reflects the views of the AU’s 55 member States and therefore represents a significant contribution to the development of international cyber law. The CAP examines the application of a range of international legal rules and regimes to cyberspace. This includes general principles of international law such as the peaceful settlement of disputes, territorial sovereignty, non-intervention, and due diligence, as well as various specialised regimes of international law such as international human rights law, the jus ad bellum, and jus in bello.

Space constraints preclude a comprehensive analysis of the international legal issues raised by the CAP. Instead, this post focuses on the CAP’s application of the principles of territorial sovereignty, non-intervention, and non-use of force to cyberspace. These principles are examined because, first, they are general principles of international law that play a particularly important role in regulating cyberspace and, second, their application to cyberspace has given rise to many legal debates with the CAP making some highly significant claims about how they apply to this domain.

The Principle of Sovereignty

States have advanced different views on the status and content of the principle of sovereignty and in particular how it applies to cyberspace. The UK published its first statement on the application of international law to cyberspace in May 2018 and made the controversial claim that sovereignty is a political principle of international relations rather than an operative rule of international law. The UK’s statement triggered an intense debate over the status of the principle of territorial sovereignty in international law. The US Department of Defense appeared to countenance the UK’s position when it said that its own approach to sovereignty ‘shares similarities with the view expressed by the UK government in 2018’ even if it went on to say:

As a threshold matter, in analyzing proposed cyber operations, DoD lawyers take into account the principle of State sovereignty. States have sovereignty over the information and communications technology infrastructure within their territory.  The implications of sovereignty for cyberspace are complex, and we continue to study this issue and how State practice evolves in this area, even if it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law.

As one of the current authors has shown, a careful consideration of the US’s statement indicates that its backing of the UK’s approach is far from unambiguous and categorical.

In fact, the overwhelming majority of States opining on the application of international law to cyberspace have rejected the UK’s position and determined that sovereignty is a primary rule of customary international law. These developments notwithstanding, in May 2022 the UK doubled-down on its 2018 approach when it reaffirmed that sovereignty is a political principle rather than a legal rule.

The CAP affirms that sovereignty is an attribute of States and that in international law it refers to territorial sovereignty and supremacy over internal and external affairs (para 12). The CAP rejects the UK’s position and adds its (loud) voice to the growing chorus of States who characterise the principle of territorial sovereignty as a primary rule of international law that is legally consequential:

The obligation to respect the territorial sovereignty of States is a primary rule that is firmly established in international law, which applies to State conduct in cyberspace (para. 13).

The CAP explains that the principle of territorial sovereignty affords States exclusive control and jurisdiction over their territory and people, which includes ‘the components of cyberspace that are located on their territory’ (para. 14). Importantly, the CAP adopts what Heller refers to as a ‘pure’ approach to cyber sovereignty – which has long been advocated by the present authors (see Buchan, chapter 3; Buchan and Tsagourias, pp. 1194-1197; Tsagourias, chapter 1) – according to which any unauthorised intrusion into a State’s sovereign cyberspace is a violation of its territorial sovereignty. As the CAP states:

The African Union affirms that by virtue of territorial sovereignty, any unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State is unlawful (para. 16).

The CAP also explains that cyber operations undertaken by States against individuals in foreign territory may breach international human rights law (such as the right to privacy) ‘in addition to potentially violating the territorial sovereignty of States on the territory’ in which the operations occur (para. 55).

This view is consistent with international jurisprudence (Nicaragua, para. 251) and aligns with a growing number of States such as France, Switzerland, Brazil, and China as well as the position of the Organization of American States (for a review of this practice see Buchan and Navarette, chapter 11).

The other implication of this all-inclusive approach to sovereignty is that it rejects the de minimis approach which maintains that the principle of territorial sovereignty only prohibits cyber operations that produce substantial harmful effects within another State’s cyberspace. Some States have advocated for a de minimis threshold even though they take a sovereigntist view because they find the pure sovereignty approach too restrictive. The genesis of  the de minimis approach seems to be the Tallinn Manual 2.0, with the majority of its experts holding that – for a breach of the principle of territorial sovereignty to occur – cyber operations must at least interfere with the functionality of computer networks and systems falling under the jurisdiction of a foreign State (pp. 20-21). In rejecting the existence of a de minimis threshold, the CAP explains:

[T]he African Union emphasizes that the obligation to respect the territorial sovereignty of States, as it applies in cyberspace, does not include a de minimis threshold of harmful effects below which an unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State would not be unlawful (para. 16).

The CAP goes even further by explaining that the principle of territorial sovereignty prohibits States from exercising their:

enforcement authority on the territory of a foreign State … even if the exercise of such enforcement authority by a State does not have harmful effects, whether virtual or physical, on the territory of a foreign State (para. 15).

This is an important statement. At least in part, the reason why certain States have integrated a de minimis threshold into the principle of territorial sovereignty is because they do not want this principle to limit their ability to carry out low-level law enforcement operations in cyberspace. By raising the level at which a breach of sovereignty occurs in cyberspace, States can avoid the potentially difficult task of having to justify such prima facie unlawful cyber operations as lawful countermeasures, which as we know is a doctrine circumscribed by a number of significant limitations.

The CAP, however, rejects this approach and makes it clear that even State-backed cyber operations undertaken for law enforcement purposes run into conflict with the principle of territorial sovereignty. For the CAP, then, the purpose of a cyber operation is irrelevant to determining whether it is consistent with the principle of territorial sovereignty – simply put, any State-sponsored cyber operation that penetrates the cyberspace of a foreign State without consent (or any other lawful justification) occasions a breach of this principle.

In short, the CAP adopts the ‘pure’ approach to cyber sovereignty by considering any non-consensual cyber operation into another State’s cyber infrastructure as amounting to a breach of the principle of territorial sovereignty irrespective of the nature or scale of its effects, its purpose, or the target of the intrusion.

The CAP’s strict interpretation of the principle of territorial sovereignty is in line with African States’ strong political and legal attachment to sovereignty. It is also a consequence of the AU’s view that cyberspace does not constitute a different domain where international law applies in a circumscribed fashion. We have advanced this argument in the past because there is no principled reason for why a State’s sovereign physical territory (land, sea, and air) should be afforded less protection than its sovereign cyber infrastructure. Furthermore, the argument that a State’s cyber domain should be protected to the same extent as its physical domain is particularly compelling given the critical function that cyberspace performs in modern society – and which is a function that will only grow in importance as society becomes ever more dependent on cyber technologies. The CAP adopts this line of argument by saying:

The African Union underscores that seeking to codify rules of international law that apply in cyberspace that purport to permit States to exercise enforcement authority on the territory of a foreign State or that establish a threshold of harm that reduces the protective scope of the rule of the inviolability of the territorial sovereignty of States poses significant risks from a policy perspective (para. 17).

The CAP’s determination that a State’s sovereign cyber infrastructure should be and is accorded the same protection as its sovereign physical territory is a highly significant development that will go a long way to ensuring that cyberspace is a safe, secure, and peaceful domain.

The Principle of Non-Intervention

According to the CAP, ‘the prohibition on intervention in the internal and external affairs of States is a principle of general international law’ (para. 26) that applies to cyberspace (para. 29).  Following the ICJ’s definition in the Nicaragua case, the CAP explains that the principle of non-intervention prohibits ‘coercion’ in the ‘domaine réservé’ of States (Nicaragua, para. 205).

What constitutes ‘coercion’ is a contested question (Wheatley). A number of States define it narrowly as prohibiting cyber operations that compel States to act or abstain from acting in a way that international law permits them to freely decide (Netherlands, Appendix: International Law in Cyberspace, p. 3; Germany, p. 5). Understood in this way, the principle of non-intervention protects a State’s ‘freedom of choice’.

The UK has adopted a different approach. For the UK, coercion extends beyond the deprivation of choice and means ‘depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty’ (for academic support for this approach see Tsagourias). The UK’s ‘freedom of control’ definition is evidently broader than the ‘freedom of choice’ formulation (Buchan and Devenney). Arguably, the UK has sought to (re)define coercion in this way because it wants to widen the principle of non-intervention and ensure that it catches a broader range of malicious cyber operations to compensate for its rejection of the principle of territorial sovereignty as a rule of international law. By contrast, other States have maintained the narrower definition of coercion as ‘freedom of choice’ because malicious cyber operations interfering in a State’s freedom of control breach the principle of territorial sovereignty as a legal rule.

The CAP defines coercion ‘as a policy that is designed to impose restraints on the will of a foreign State’ (para. 31) and explains that:  

it is not necessary, in order to constitute coercion, that the conduct of a State must rise to the level of completely depriving a foreign State of its freedom of choice or to compel that State to either act or refrain from acting involuntarily (para. 32).

Although the CAP does not elaborate on what constitutes ‘restraints’ on the will of a State and explains that the concept of coercion requires ‘further study and deliberation’ (para. 32), its definition of coercion is clearly set below the deprivation of choice threshold. The CAP also pushes for a broader definition of coercion when it states that it is policies rather than actions that are coercive (para. 31) and that it is the aim of the policies rather than their success that counts (para. 32).

This expanded definition of coercion brings the CAP’s position closer to the ‘freedom of control’ approach outlined above. For example, if a State takes control over the decision-making processes of another State, it restricts its will and thus exercises coercion. For the CAP, whether the use of ‘ICTs in cyberspace to influence the conduct of a foreign State amounts to coercion is a determination that should be undertaken on a case-by-case basis (para. 31). It transpires that influence operations are not in themselves coercive, but they can be if they amount to a restraint on the will of another State, for instance, by taking control of the electoral process.

Again, the CAP’s broad interpretation of the principle of non-intervention is not surprising given that African States are strong supporters of the principles of the sovereign equality of States and non-interference in domestic affairs.

The Principle of Non-Use of Force

The CAP recognises that the international legal rules regulating the use of force in the UN Charter and customary law apply to cyberspace (para. 39).

It is widely accepted that the principle of non-use of force applies to armed force regardless of the means used. As the ICJ explained in its Nuclear Weapons advisory opinion, the principle applies ‘to any use of force, regardless of the weapons employed’ (Nuclear Weapons, para. 39). The CAP concurs with this view and, in its words, the principle covers ‘cyber operations’ (para. 39). The CAP also adopts the effects-based approach to the use of  force when it says that:

cyber operations would fall within the scope of the prohibition of the use of force when the scale and effects of the operation are comparable to those of a conventional act of violence covered by the prohibition. In particular, a cyber operation, depending on its scale and effect, would amount to a use of force if it is expected to cause physical damage, injury, or death, that is comparable to the use of force by an act covered by the prohibition (para. 39). 

At present, it is unclear whether the principle of non-use of force can be extended to cover cyber operations that do not produce death or injury to people or damage to physical property but nevertheless incapacitate computer networks and systems supporting critical national infrastructure. Some States have been reluctant (Brazil, p. 19; Denmark, p. 6) and even unwilling (Israel, 2020, p. 399) to broaden the principle of non-use of force beyond cyber operations producing physical damage. Presumably, this approach is driven by the belief that these types of cyber operations are more appropriately regulated by other rules of international law, such as the principles of territorial sovereignty and non-intervention (Buchan, 2012). 

Certain States, however, have recognised that the concept of force must evolve to meet the changing needs of the international society and that cyber operations can cause serious adverse effects even if they do not result in physical damage. Accordingly, these States have extended the prohibition to cover cyber operations that disable critical computer networks and systems (e.g., Costa Rica, p. 11; New Zealand; para. 7; Norway, p. 11). The CAP firmly locates itself in this camp but raises the bar to permanent incapacitation which seems to equate to destruction. As it explains:

For example, a cyber operation that destroys, inflicts damage, or permanently disables critical infrastructure or civilian objects within a State, may be considered as amounting to a use of force under international law. Similarly, a cyber operation that targets a military asset by destroying, damaging, or deactivating a missile defense system, could constitute a violation of the prohibition on the use of force (para. 40, emphasis added).  

Regarding the right of self-defence, the CAP adopts the traditional view that self-defence can be exercised only where an armed attack occurs and that an armed attack is a grave use of force (para. 41). It does not express a firm opinion on the use of defensive force against imminent attacks but says:

The African Union is of the view that this matter requires further study and deliberation between States taking into consideration both the unique characteristics of cyberspace and cyber-operations and the implications that any rules that may emerge in relation to this question may have for the integrity of the prohibitions on the threat or use of force (para. 42).

It seems that the CAP takes a rather restrictive view on this matter and actually back-paddles on the consensus reached in the 2004 A More Secure World document, which says that:

a threatened State, according to long-established customary international law, can take military action as long as the threatened attack is imminent, no other means would deflect it, and the action is proportionate (para. 188).

The CAP also rejects the use of force by way of self-defence against non-State actors and allows self-defence only if their acts are attributed to a State according to the law of State responsibility (para. 43). The main fear seems to be that allowing for such a use of force will invite more unilateral uses of force. 

Conclusion

The CAP is a welcome contribution to the current process of identifying and clarifying the application of international law to cyberspace. As a bloc of 55 States, the AU’s CAP contributes to a body of emerging opinio juris which may not settle all the problems but, at least, it amplifies the debate and contributes to the normalisation and normativisation of cyberspace. As with all position statements, it will be used to highlight similarities or differences with other statements but this is a healthy exercise. It should be recalled, however, that the position of African States as well as the position of any State is informed by their history, experiences, interests, and views about the regulation of cyberspace and the role of international law. What thus emerges from the CAP and the three rules that we have considered in this post is a strong sovereignist approach which reflects African States’ legal and political culture.

Leave a Comment

Comments for this post are closed

Comments