In 2019 Estonia adopted the position that states not directly impacted by a cyber attack could apply countermeasures to support the state victim to the cyber attack. This was a novel suggestion under international law in relation to the legal responses available to states victim to cyber attacks. Generally under international law, while a state that is victim to an extremely serious cyber attack that amounts to an 'armed attack' has the ability to obtain assistance from other states in its self-defensive effort (under the idea of 'collective self-defence'), a similar right does not exist under the law on countermeasures. This means that, traditionally, only the state victim to cyber attacks that violate international law could take countermeasures in response to the violation, but other 'non-injured' states could not. Estonia's position, however, particularly if adopted by more states, has the potential to develop into new legal rules applicable in this context. This is a welcome development and expands the remedies available to smaller or less technologically advanced states in particular.
The law on countermeasures is part of international law on state responsibility and allows a state to violate its international legal obligations in certain circumstances. For example, where state A conducts a cyber attack against state B which is in violation of an international legal obligation owed to that state, state B has the ability to respond with countermeasures - measures that would normally be violations of its own legal obligations to state A but the wrongfulness of which is precluded if that measure constitutes a 'countermeasure'. There are specific legal requirements on countermeasures - including that they must be proportionate, non-forceful, generally reversible, and taken with the purpose of inducing the state to comply with its legal obligations - that must be complied with to ensure they are lawful. And as mentioned, traditionally countermeasures are not available to so-called 'non-injured' states. This means that state B, which is victim to the cyber attack, could not request the assistance of state C in taking cyber countermeasures against state A.
However, this is particularly problematic in the cyber context. For example, while state B may want to respond with cyber countermeasures to ensure the measures it takes are proportionate, it may lack the technical expertise to do so effectively against a more technologically advanced state A. Instead, allowing state B as the injured state to request the assistance of state C to take countermeasures against state A could provide a more effective remedy in this situation.
There are, however, risks associated with countermeasures that are particularly important to consider in the cyber context. These include issues around attribution and the possibility of escalation of the conflict. Given these, even if more states did adopt Estonia's position and the law developed in the direction of allowing collective countermeasures, ensuring states only take these measures within the strict confines of the rules on countermeasures becomes even more important.
This blog post is based on my recent article in the Journal of Conflict and Security Law.
Dr Samuli Haataja