Whistleblowing, Mass Surveillance and Cyber Attacks – Current Challenges Faced by International Law

Case Brief of the 2015/16 Jessup Compromis

Fabian Eichberger, Magdalena Göbel, Alexander Wagner*

A. The Facts

This year’s Jessup problem (in Jessupspeak: the Compromis) concerned the case of the ‘Frost Files’, a dispute between the fictional states Riesland and Amestonia. In December 2014, Frederico Frost (note: FrostSnowden), a former intelligence analyst of Riesland’s foreign intelligence service (the Bureau) travelled to Amestonia and handed over a USB drive containing some 100.000 documents marked “top secret” to the law firm Chester & Walsingham and The Ames Post, Amestonia’s most widely-circulated newspaper. According to Frost, these documents were downloaded from the Bureau’s computers. After an authentication process conducted by reporters and lawyers, a significant number of these documents was published on the The Ames Post’s website.

One of the documents, bearing the signature of the Bureau’s director, described the Verismo program. In the course of this operation a pod was installed on an undersea cable to access Amestonia’s internet communications. Each day 1,2 million gigabytes (which, translated into books, would roughly be enough to stock 50 Libraries of Congress1 each and every day) were collected and stored on the Bureau’s servers. Another document detailed the Carmen program, describing intelligence operations undertaken on the premises of a Rieslandic TV station in Amestonia’s territory. Bureau engineers installed malware on the devices of numerous economic and political leaders interviewed in the station, enabling the remote access to these devices – Angela Merkel will know how that feels.

Shortly afterwards, the computer networks at both The Ames Post and Chester & Walsingham were hacked and disabled. The Amestonian Institute of Technology back-traced the attack to Riesland’s governmental IP addresses and revealed that parts of the utilized malware were an exact replica of a malware program used by the Bureau.

B. The Legal Issues

This Compromis perfectly illustrates five major issues deriving from new technological developments in the digital age:

First, whether leaked documents such as the ‘Frost Files’ are admissible in proceedings before international tribunals, in particular the International Court of Justice (ICJ) (I.).

Second, whether the International Covenant on Civil and Political Rights (ICCPR)2 applies to the relationship of a surveilling state – in our case: Riesland – to the affected individuals (II.).

Third, under what circumstances, if any, does espionage violate international law (III.)?

Fourth, do cyber-attacks generally constitute a use of force prohibited by Art. 2(4) of the United Nations Charter (UNC) (IV.)?

And fifth, how is it possible to attribute them to a certain state in order to trigger this state’s international responsibility (V.)?

I. Evidentiary Issues

Since the Compromis does not clarify the issue whether Amestonia is able to prove its claims without the ‘Frost Files’, their admissibility as evidence is of critical importance to both parties to the dispute. Riesland bases its objection on the fact that Frost – in a Snowden-like fashion – leaked the files in contravention of its national law, thereby disclosing sensitive information to the general public. In this regard, there are three issues to consider which could provide a basis for the inadmissibility of the ‘Frost Files’: their potentially unreliable source (a), the method by which they were acquired (b) and their confidential content (c).

1. Reliability

First, the documents were only authenticated by a newspaper. Apart from the journalists’ statements, the Court can only rely on the testimony of a single individual, namely Frederico Frost, which calls into question the documents’ reliability. Reliability of documentary evidence is an issue the ICJ has addressed before: In its Genocide decision it recognized the possibility of rejecting unreliable evidence and cited several previous judgments in support.3

Further, the Special Tribunal for Lebanon has dealt with similar files – U.S. diplomatic cables – downloaded from the Wikileaks platform in 2015.4 It refused to admit

* Along with Julia Bartos, Jannik Maas and Christoph Saake the authors Fabian Eichberger, Magdalena Göbel and Alexander Wagner formed Bucerius Law School’s team in the 2015/2016 Philip C. Jessup Interna- tional Law Moot Court Competition, the largest and oldest international moot court in the world. The team won the German National Rounds and went on to finish in 13th place worldwide out of over 550 universities.

1 The United States’ Library of Congress is the largest library in the world by collection size.

2 International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171.

3 Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzi- govina v. Serbia and Montenegro) (Judgment) ICJ Rep 2007, 43, 130.

4 STL-11- 01/T/TC, Prosecutor v. Ayyash, Badreddine, Merhi, Oneissi and Sabra, Decision on the Admissibility of Documents published on the Wikileaks website, 21 May 2015.

Jessup, Case Brief52

them into evidence on the grounds that the defense had not provided evidence to prove their authenticity and that the U.S. government had not acknowledged them: the mere assertion that they were downloaded from Wikileaks did not suffice to substantiate their reliability.5

Besides, the ICJ was particularly reluctant to use press information as evidence in the past. In the infamous Nicaragua case 6 it stated that it “has been careful to treat [press reports] with great caution; even if they seem to meet high standards of objectivity, the Court regards them not as evidence capable of proving facts”,7 and further, that “press information should not be treated in itself as evidence for judicial purposes”.8 Certainly the ‘Frost Files’ are not mere press reports. Nonetheless if the Court were to take the ‘Frost Files’ into account, it would indirectly rely on press information as they were only authenticated by the newspaper. Given the caution the Court has expressed in that regard, there are considerable doubts as to whether this would wholly convince the Court of the documents’ reliability. On the other hand, there is no reason why Amestonia could not prove the documents’ authenticity by means of other circumstantial evidence.9 While addressing these issues, it should be borne in mind that the ICJ has never addressed the problem of reliability as one of admissibility, but rather specifically referred to the evidentiary weight given to certain pieces of evidence being affected by their reliability in Genocide.10

2. Illegally Obtained

Second, Frost violated Riesland’s domestic law in obtaining the files. Even though the ICJ Statute does not contain a rule that excludes illegally obtained evidence from proceedings, there might still exist a “general principle of law” within the meaning of Art. 38(1)(c) ICJ Statute which does.11

The first option would be the recognized principle ex turpi causa non oritur action or “a right cannot stem from a wrong”. However, the party who committed the “wrong” is usually the whistleblower and not the benefitting state. The principle of ex turpi therefore does neither apply here nor in most other whistleblower cases.12

Apart from ex turpi and its relatives13 there does not seem to exist a generally accepted rule in municipal law which could form the basis of a general principle that illegally obtained evidence is inadmissible.14 In fact the only absolute rule of that kind is found in the United States where it is applied in a restrictive manner and only in criminal cases.15 This seems to be reflected also in the ICJ’s jurisprudence, as in its Corfu Channel decision, the Court admitted evidence which was obtained by the United Kingdom in breach of Albania’s sovereignty and therefore in violation of international law.16

3. State Secrets Privilege

A third and final consideration would be that resulting from the sensitive nature of the documents, and their contents most likely being directly related to Riesland’s national security, they could enjoy a state secret privilege. Such privileges for evidence containing matters of national security are recognized in various jurisdictions around the world.17 The ICJ and the Permanent Court of International Justice (PCIJ) have both shown sensitivity with regards to these kinds of materials. In Genocide the Court was asked by Bosnia to request from Serbia the production of unredacted documents containing matters of national security. While the Court does have the authority to make such requests under Art. 49 of its Statute, it declined Bosnia’s demand.18Further, in Corfu Channel the United Kingdom refused to produce certain documents pleading “naval secrecy” and the Court did not draw any negative inferences from that refusal.19 The PCIJ also has refrained from asking a party to produce confidential documents in The Diversion of Waters from the Meuse20 and refused to take into account the travaux préparatoires of the Treaty of Versailles in the European Commission of the Danube since they were confidential and had not been placed before it “by or with the consent of the competent authorities”.21 Furthermore, the importance of the protection of confidential matters is recognized in international agreements 22 and in the International Bar Association Rules on the Taking of Evidence.23 Lastly, from a policy perspective it seems important to grant States a mechanism to protect the confidentiality of their national security matters in order to encourage the reference of politically sensitive disputes to the Court.Benzing in: The Statute of the International Court of Justice: A Commentary (2nd Edition), Ch.III Procedure, Evidentiary Issues, para. 28. Considering all these factors, there is a possibility that the ICJ would recognize a rule

5 Ibid, para. 40.

6 Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States of America) (Mer- its) ICJ Rep 1986, 4.

7 Nicaragua (n6) 40.

8 Nicaragua (n6) 40, 41.

9 Cf. ICC-01/04-01/07, Trial Chamber II, Situation in the Democratic Republic of Congo, The Prosecutor v. Germain Katanga and Mathieu Ngudjolo Chui, Decision on the Prosecutor’s Bar Table Motions, para. 23.

10 Genocide (n3) 130.

11 Wolfram, MPEPIL, International Courts and Tribunals, Evidence, para. 60.

12 Worster, The Effect of Leaked Information on the Rules of International Law, Am. U. Int’l. L. Rev., 2013, 443, 447.

13 E.g. commodom ex injuris sua nemo habere debet (wrongdoer cannot take advantage of his actions) and crimen omnia ex se nata vitiat (property obtained by crime is vitiated).

14 Cf. Thirlway, Dilemma or Chimera? – Admissibility of Evidence in International Adjudication, Am. J. Int’l. L., 1984, 622, 640f.

15 The so called “fruit of the poisonous tree” rule, cf. Worster, (n13), 459f.

16 Corfu Channel Case (United Kingdom v Albania) (Merits) ICJ Rep 1949, 4, 35, however Albania did not dispute the admissibility, which could make this decision just a result of the implicit application of ne ultra petita.

17 Cf. for the U.S.: Reynolds v. United States, 98 U.S. (8 Otto.) 145 (1878) and Al-Haramain Islamic Found. v. Bush, 507 F.3d 1190, 1205 (9th Cir. 2007); for the U.K.: Mohamed v. Secretary of State for Foreign and Commonwealth Affairs, [2009] EWHC (Admin) 152, [14] (Eng.) for Scotland: Conway v. Rimmer, [1968] A.C. 910; for Israel: Vanunu v.Head of the Home Front 29 Command, 2004 Isr. HCJ 5211/04; for India: Shri Dinesh Trivedi, M.P. & Ors. v. Union of India & Ors., (1997) 4 S.C.C. 306.

18 Genocide (n3) 128-129.

19 Cf. Corfu Channel (n16) 32.

20 PCIJ, Series E, No. 14, Fourteenth Annual Report, 148.

21 Jurisdiction of the European Commission of the Danube (Advisory Opinion), PCIJ, 1927, Ser B, No. 14, 32.

22 Art. XXI (a) GATT; Art. 346, para. 1 (a) TFEU.

23 Art. 9(2)(f) IBA Rules on the Taking of Evidence.

Jessup, Case Brief53

of international law, according to which sensitive materials enjoy a state secret privilege under appropriate circumstances.

Therefore, in our case there are substantial legal arguments in favor of Riesland’s position. However factually it cannot be ignored that all the relevant documents were already public, leaving no confidentiality to protect. That point could be overcome by making an argument on how countries could then circumvent the state secret privilege by publishing sensitive materials and subsequently introducing them in legal proceedings. Then again, it was not Amestonia but a newspaper which published the files, and that seems to be exactly what a free press should be doing. Possible counter-arguments could also target the notion of “public knowledge” – have the ‘Frost Files’ really lost their confidential nature just because they were published for a couple weeks on a newspapers website? Or is “extensive news coverage” as in the Tehran Hostage case24required in order to establish public knowledge? Such questions would need to be taken into consideration by the Court.

4. Evaluation

The admissibility of leaked documents will keep international tribunals, especially investment tribunals, busy in the future. 25 Given the past practice of the Court it is unlikely that the ICJ will follow the approach of criminal tribunals and consider the reliability of documents an issue of admissibility. With regard to illegally obtained evidence, the status quo allows states to violate national or international law in order to obtain evidence without having to fear the sanction of inadmissibility, which may encourage undesirable behavior. Whilst this is a “dilemma” that might have to be resolved, 26 for the moment there does not seem to exist any binding legal rule that would address this issue. 27 The most promising line of argument lies in granting certain privileges to sensitive information, for which there seems to be some common understanding in international law. The ICJ would however have to clarify the parameters of such privileges.28

It should finally be mentioned, that, at a discussion panel in Washington D.C., one of the Compromis authors admitted, that the evidence part of the case was not an issue Riesland could pursue to win the point. It was rather a strategic one, where one could demonstrate that Amestonia’s case is not as sound as it may prima facie seem.

II. The Extraterritorial Application of the ICCPR

As stated, Riesland conducted comprehensive surveillance programs targeting the internet activities of Amestonian nationals, which bear similarities to measures conducted by the Five Eyes.29 The first issue to determine, was whether the ICCPR provides protection to the affected Amestonians, even though they were at no point of time located within Riesland’s territory.

Whether the ICCPR can apply extraterritorially at all, has been an issue of vivid discussion in the past. Following the rules of interpretation laid down in Art. 31(1) of the Vienna Convention on the Law of Treaties, the first point of reference would naturally be the wording of the ICCPR.30 The personal and territorial scope of the Covenant is laid down in its Art. 2(1), according to which the ICCPR applies to all individuals within a state’s territory or subject to its jurisdiction. At a first reading, the word and suggests that the two prerequisites of (1) being located within the state territory and (2) being subject to the respective state’s jurisdiction, need to be established cumulatively.31 However, this issue was addressed by the Human Rights Committee (HRC) as well as the ICJ, which both came to the conclusion that it suffices for one of these requirements to be fulfilled to trigger the ICCPR’s application.32 In cases such as the one at hand, where the interference with the individuals only occurs within the digital realm and the individual never enters the territory of the interfering state, this draws attention to the issue of whether digital surveillance can be classified as an exercise of jurisdiction within the meaning of Art. 2(1) ICCPR.

The first difficulty in this regard is posed by defining jurisdiction. However, the interpretation of the respective authoritative legal bodies points to the conclusion that jurisdiction within the meaning of Art. 2(1) ICCPR can only be understood as the exercise of factual power.33 While the Office of the High Commissioner for Human Rights contends that digital power over data suffices to establish such jurisdiction,34 current state practice as well as jurisprudence lead to a different conclusion. Only in cases of either physical power over the individual in question or effective control – meaning a certain degree of power – over a specific area, did the ICJ or the European Court of Human Rights (ECtHR) assume an extraterritorial application of human rights treaties in the past.35 The same is true for the HRC’s interpretation of the ICCPR as of now.36 Further, various states led by Germany

24 Cf. United States Diplomatic and Consular Staff in Tehran (United States of America v Iran), ICJ Rep 1980, 3, 9-10.

25 Ireton, The Admissibility of Evidence in ICSID Arbitration: Considering the Validity of WikiLeaks Cables as Evidence, ICSID Review, 2014, 1, 8.

26 Cf. Reisman/Freedman, The Plaintiff’s Dilemma: Illegally Obtained Evidence and Admissibility in International Adjudication, Am. J. Int’l L., 1982, 737, 753.

27 Cf. Thirlway (n13) 640f, where it is even argued that an exclusionary rule is not needed at all.

28 Benzing, The Statute of the International Court of Justice: A Commentary, para. 28.

29 The Guardian, GCHQ taps fibre-optic cables for secret access to world’s communications, 21 June 2013.

30If the ordinary meaning makes sense in its context, this is an end of the matter“, Competence of the General Assembly for the Admission of a State to the United Nations (Advisory Opinion) ICJ Rep 1950, 4, 8.

31 United States of America: Office of the Legal Advisor United States Department of State, Digest of United States Practice in International Law, 2006, 348; Bankovic/Belgium (2001) ECtHR No 52207/99, para. 78.

32 Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) ICJ Rep 2004, 136, 178; Armed Activities in the Territory of the Congo (Democratic Republic of the Congo v Uganda) (Merits) ICJ Rep 2005, 168, 242f.; Human Rights Committee,General Comment 31 (26 May 2004) CCPR/C/21/Rev.1/Add.13 para. 10.

33 Milanovic, From Compromise to Principle: Clarifying the Concept of State Jurisdiction in Human Rights Treaties, Human Rights Law Review, 2008, 411, 446.

34 The Right to Privacy in the Digital Age, Report of the United Nations High Commissioner for Human Rights, 30 June 2014, A/27/37, para. 34.

35 Israeli Wall (n32) 178; Al-Skeini/UK (2011) ECtHR No 55721/07, para. 131.

36 See Lopez Burgos v Uruguay (1981) Human Rights Committee, Communication No 52/1979 para. 12.3; HRC General Comment 31 (n32) para. 10.

Jessup, Case Brief54

tried to amend the Covenant with regard to its application in cyberspace, but failed to achieve a necessary backing by other states.37 This suggests that the limits of expansive judicial interpretation of the wording of Art. 2(1) ICCPR to provide comprehensive protection to individuals have been reached. As dissatisfying as it may be, as of now, individuals affected by extraterritorial surveillance programs do not seem to enjoy the protection of Art. 17 ICCPR regarding their right to privacy.

III. Can Espionage Violate International Law?

The second major problem was whether espionage violates international law. While there is no customary rule of international law prohibiting espionage as such,38 engaging in such activities might contravene the principle of non-intervention, which prohibits states from interfering through coercive means with matters solely within the domestic jurisdiction of other states (domaine réservé).39

Consequently, the issue at the heart of the question is whether espionage can be categorized as such a coercive activity. Even though coercion does not necessarily require the use of military power,40 extending the scope of the principle of non-intervention to espionage seems questionable at first. While espionage can undoubtedly be construed as an unfriendly act,41 it lacks the element of interfering with the decision-making of another state against its will, as the targeted state will hardly ever be aware of the measures. When regarding the bigger picture however, the issue is not that clear. By gathering confidential information states obtain leverage in negotiations and are able to draw inferences concerning future decisions. As the use of such confidential information can be just as effective as pressuring a state into the preferred direction, a violation of the prohibition of intervention does not seem too far fetched. In addition, espionage will often coincide with other internationally wrongful acts: Even though digital surveillance is gaining importance rapidly, the activities were often conducted within the territory of another state in the past, amounting to a violation of the targeted state’s territorial sovereignty.42 Also in cases where ambassadors (for example to the UN) are targeted, special regimes are in place prohibiting such actions.43 However, the matter appears to be a rather academic one: While spies are regularly prosecuted under national law, official statements condemning espionage as unlawful under international law are more than scarce.44 Therefore, diplomacy seems to be blocking a coherent development of international law in this regard.

IV. Are Cyber-Attacks Generally Prohibited by Art. 2(4) UNC?

Turning to cyber-warfare, it is important to first define the two fundamental terms of the issue: “cyber-attack” and “force”. A cyber-attack is any action taken through the use of computer networks to disrupt, deny, degrade or destroy information resident in computers or networks.45 With regard to the term “force”, the ICJ has repeatedly stated, that it comprises all uses of force, regardless of the weapons employed.46 Therefore, the effects are decisive and must be comparable to those of kinetic weapons to qualify the act as a use of force.47 Combining these two definitions, cyber-attacks constitute a use of force if the destruction of computers or information results in physical damage equating that of conventional weapons.48 Such was the case in the Stuxnet incident in Iran which resulted in the destruction of centrifuges within an uranium enrichment plant, i.e. physical damage.49 Scholars who rigorously follow this line of argument conclude that only cyber-attacks achieving such kinetic effects can be considered a prohibited use of force.50 This is persuasive for multiple reasons: When drafting the Charter states clarified they did not perceive coercion lacking physical effects as being within the meaning of the term “force”, but what they aimed at prohibiting under all circumstances was the destruction of physical property and lives.51 However, by including Art. 2(1) UNC they aimed at prohibiting other 52 coercive measures

37 Deeks, An International Legal Framework for Surveillance, 55 Virginia JournIntLaw, 2015, 291, 308.

38 Kirchner, Beyond Privacy Rights: Cross-Border Cyber-Espionage and International Law, J. Marshall Journal of InfTech and PrivacyL, 2014, 369,372; Schaller, Spies, MPEPIL, 2009, para. 3.

39 Art. 2(1) UNC; Nicaragua (n6), 108.

40 Joyner, Coercion, MPEPIL, 2006, para. 1; Kunig, Prohibition of Intervention, MPEPIL, 2008, para. 5.

41 Pelican, Peacetime Cyber-Espionage, 20 CommLaw Conspectus 2011-12, 363, 365; Demarest, Espionage in International Law, 24 Denver JournIntLaw 1995-96, 321, 347.

42 See Memorandum of the Government of the French Republic to the Secretary-General of the United Nations in Rainbow Warrior (New Zealand v France) Ruling by the UN Secretary-General (1986) 19 RIAA 207, 209 also ILC, Kolodkin, Second report of the Special Rapporteur on immunity of State officials from foreign criminal jurisdiction (10 June 2010) A/CN.4/631 para. 84.

43 See Art. 105(2) UNC and Section 11 Convention on the Privileges and Immunities of the United Nations (adopted 13 February 1946, entered into force 17 September 1946) 1 UNTS 15.

44 A rare example – though only by the judiciary – is Canadian Security Intelligence Service Act, Canadian Federal Court, 14 June 2007, SCRS-10-07, 2008 CF 301.

45 NATO Standardization Agency, NATO Glossary of Terms and Definitions (AAP-6) at 2-C-12, 2012.

46 Cf. Nicaragua (n6) 118; Cf. Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) ICJ Rep 1996, 2, 226, 244.

47 Nicaragua (n6) 103; Armed Activities (n32) 227; CCDCOE, Schmitt, Tallinn Manual On The International Law Applicable To Cyber Warfare, Cambridge University Press 2013, Rule 11; Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, Columbia Journal of Transnational Law 1999, 885, 914; Dinstein, Armed Attack and Self-Defense in: Schmitt/O’Donell, Computer Network Attack and International Law, 99, 103.

48 This approach is supported by state practice: United States of America, U.S. Department of Defence, An Assessment of International Legal Issues in Information Operations, 1999, 18;The Russian Federation, P.A. Johnson, Is it Time for a Treaty on Information Warfare? in: Schmitt/O’Donnell, Computer Network Attack and International Law, 2001, 443; United Kingdom, Under-Secretary for security and counter-terrorism of the United Kingdom cited in: Britain fends off flood of foreign cyber-attacks, The Observer (7 March 2010)); Estonia, Defense Minister of Estonia cited in: NATO Parliamentary Assembly, NATO and Cyber Defense, 173 DSCFC 09 E, 2009, para. 59.

49 Casey-Maslen, Weapons under International Human Rights Law, 316 – Iran however never confirmed the destruction.

50 Brownlie, International Law and the Use of Force (Clarendon 1963), 362; Buchan, Cyber War and International Law, Journal of Conflict & Security Law 2012, Issue 2, 211, 213.

51 Nicaragua (n6) 103, 119; cf. travaux préparatoires concerning Art. 2(4) UNC, UNCIO VI, 334, 609.

52 5cm

Jessup, Case Brief55

intervening in a state’s domaine reservé.53 Bearing this in mind, there is no need to bend the rules of the Charter and categorize cyber-attacks as a use of force indiscriminately. Having two distinct prohibitions, the intention of the drafting states is better served by differentiating between cyber-attacks having forceful effects and those having coercive effects.54

In the case at hand the sole intention of the cyber-attacks was to coerce Amestonia to cooperate with Riesland and refrain from pursuing any legal action against it. By applying the outlined standards such cases should be categorized as an intervention and not a use of force.55

V. How can Cyber-Attacks Be Attributed to a State?

The rules on attribution reflected in Art. 4 – 11 of the Draft Articles on the Responsibility of States for Internationally Wrongful Acts (DARS) are relatively clear: Mainly governmental conduct and conduct over which the government exercised effective control is attributable.56 However, in cyberspace the issue of attribution becomes increasingly difficult due to new technical developments, as the main obstacle is to prove where the attack came from. In that regard the established rules of attribution hardly live up to today’s challenges – in fact, they are practically useless. Whereas the origin of conventional attacks was easy to determine, back-tracing malware codes proved to be extremely difficult.57 Additionally, even if the origin of the cyber-attack is traced to a governmental IP address, it appears questionable whether this suffices as evidence for the actual involvement of that state. Through techniques such as IP address spoofing58 and watering-hole attacks59 hackers can effectively mask their own identity and camouflage themselves as someone else.60 Attribution based solely on back-tracing therefore leaves accused states unable to prove their innocence. On the other hand, if the victim state would be obliged to additionally prove an active involvement of the other state, attribution could hardly ever be established as the victim state is lacking the possibility to unilaterally investigate within another state’s territory and IT infrastructure.61 In international environmental law – where a similar issues arises – a duty of due diligence was established to solve this catch-22 situation.62 This duty obliges states not to allow their territories to be used for acts contrary to the rights of other states and to take preventive measures.63 Applied to the realm of cyberspace this would require states to secure their networks, ensure prosecution and cooperate with victim states when receiving knowledge of their networks being misused.64 Such an approach would live up to the challenges of cyberspace as it provides a fair balance between the rights of the victim state and the potential attacker state: The victim state would not be obliged to prove the impossible and the attacker state would have the chance to demonstrate it had sufficient safeguards in place.65 Surely, active state involvement in a cyber-attack would remain difficult to prove, however there will rarely be the necessity to do so if international responsibility can be achieved through a breach of a duty of due diligence just as effectively.66

Especially the above presented issues show that thinking outside the box permits international law to be adapted to new phenomena in order to achieve the desired result: cyber-attacks should be prohibited – the responsible state should be held accountable. Codifying the rules of cyber warfare, which documents such as the Tallinn Manual could serve as a point of reference for, would certainly contribute to a more secure application of the law. However, as long as no consensus in this regard is achieved among states, today’s international law mechanisms are able to adequately deal with cyber-attacks.

C. Conclusion

Participants of the Jessup Competition are supposed to tackle the current challenges of international law, which have not yet been comprehensively resolved. This year’s Compromis demonstrated the distinct obstacles international law faces due to technological developments occurring at an ever increasing pace. While some of the related issues, such as the admission of illegally obtained documents, surfaced in the past, others are new in their extent or quality. To provide a legal framework, especially for wholly new challenges, well-established rules of international law can and must serve as the starting point. However, a few problems, such as mass surveillance, might only be effectively addressed by creating new rules from scratch, suited for the digital age.


53 Nicaragua (n6) 103, 205.

54 Ziolkowski, General Principles of International Law as Applicable in Cyberspace, NATO Peacetime Regime for State Activities in Cyberspace, 135, 156f., 165; Ziolkowski, Computer Network Operations and the Law of Armed Conflict, Military Law and the Law of War Review, 2010, 47, 69ff.

55 Cf. The Estonian cyber incident: Pirker, Territorial Sovereignty and Integrity and the Challenges of Cyberspace, NATO Peacetime (n53) 189, 203; Casey-Maslen (n49) 316.

56 ILC, Draft Articles on Responsibility of States for Internationally Wrongful Acts with Commentaries in: (2001) 2 Yearbook of the International Law Commission 31, Art. 4-11; Tehran Hostage (n24), 44f; Nicaragua (n6) 149.

57 Pihelgas, Back-Tracing and Anonymity in Cyberspace, NATO Peacetime (n53) 31, 51; Pirker (n54) 210f.

58 Pirker (n54) 212; Pihelgas (n56) 35.

59 Pirker (n54) 212.

60 Ibid; Pihelgas (n56) 46.

61 Gill, Non-Intervention in the Cyber Context, NATO Peacetime (n53) 217, 228; cf. Pirker (n54) 212.

62 Trail Smelter Case (United States v Canada), 1941, 3 RIAA 1911, 1963.; ILC, Commentary on the Draft Articles on Prevention of Transboundary Harm from Hazardous Activities in: Report of the ILC on its 53rd Session, 2001, A/56/10, 392.

63 Corfu Channel (n16),18.

64 Tallinn Manual (n47) Rule 5; Pirker (n54) 207.

65 Tallinn Manual (n47) Rule 5; Marauhn, Customary Rules of International Environmental Law, NATO Peacetime (n53) 465, 473f.

66 Cf. Pirker (n54) 210.