Austria's Progressive Stance on Cyber Operations and International Law

Published: June 27, 2024; 10:36 ♦ (Vindobona)

The United Nations Office for Disarmament Affairs published a national declaration by Austria on the application of international law to the cyber activities of states. This declaration complements a list of more than 30 national positions and comprehensively addresses issues such as state sovereignty, non-interference and due diligence, diplomatic and consular law, international humanitarian law, and neutrality.

Austria's statement on international law on state cyber activities, published by the UN Office for Disarmament Affairs, addresses state sovereignty, non-intervention, due diligence, diplomatic law, humanitarian law, and neutrality. / Picture: © Wikimedia Commons / Gugerell / CC0

Austria often takes a progressive stance and proposes solutions to issues that have received little attention to date. The following article highlights four selected areas - sovereignty, non-interference, countermeasures, and diplomatic and consular law - where Austria's position either brings new perspectives to ongoing discussions or addresses issues where discussions and consensus-building are just beginning.

Austria's comprehensive view on sovereignty, espionage, and pre-installation of malware

The Austrian position paper begins with a discussion of sovereignty, with Austria reiterating its previous view that the obligation to respect the sovereignty of other states is a distinct principle of international law, separate from the use of force and the prohibition of intervention. According to Austria, cyber activity violates the sovereignty of another state if it disrupts or usurps its territorial integrity or a state function.

Austria supports the view of the Tallinn Manual 2.0 that the legality of remote cyber operations that take place on the territory of a state depends on the severity of the interference with territorial integrity and the question of whether a state's function has been impaired or usurped. Cyber activities that cause physical damage or injury certainly constitute a violation of state sovereignty, while other, more limited intrusions, such as the temporary loss of functionality of critical infrastructure or of access to government services, can also be considered violations of sovereignty.

However, Austria goes further and considers cyber espionage, including industrial espionage against companies, as a potential violation of state sovereignty. This represents a departure from the usual treatment of cyber espionage, which is often considered not to violate international law as long as there is no further impact on the system. States such as Canada, New Zealand, and the USA argue that pure espionage activities are not regulated per se by international law. Austria, on the other hand, believes that such activities, if they take place within the territory of a state, can violate its sovereignty.

Non-interference and disinformation campaigns

Austria directly confronts the challenge of foreign cyber interference in electoral processes through disinformation campaigns. With the increasing use of social media and artificial intelligence by foreign actors to spread disinformation, the question arises whether such campaigns, when conducted by another state, violate international law. Before the publication of the Austrian position paper, only four states (Costa Rica, Germany, New Zealand, and Poland) had taken the view that disinformation campaigns can violate the non-interference principle under certain conditions.

The Austrian national paper supports the view that disinformation campaigns aimed at coercing or changing the behavior of a state may constitute a violation of the non-interference principle. Austria emphasizes that such campaigns, if large-scale and conducted by or attributable to a state, could be classified as coercion if they aim to involuntarily change the governmental policy of another state. The difference between permissible public criticism and a disinformation campaign is that the latter aims to force a change in behavior through coercion, while the former is merely an opinion or criticism.

Support for collective countermeasures

If a malicious cyber operation violates an international obligation and thus constitutes an act contrary to international law, the affected state may take countermeasures to compel the responsible state to cease its actions and make reparations. While international law normally grants the right to countermeasures only to the directly affected state, some states have argued in favor of allowing collective countermeasures against cyber threats.

In 2019, Estonia was the first state to argue in favor of the admissibility of collective countermeasures. This view initially found little support, but several states, including Costa Rica, Ireland, and Poland, have since expressed similar views. Austria agrees with this position and takes the view that states may take collective countermeasures against a state that violates erga omnes obligations. These obligations are obligations to the international community as a whole, such as the prohibition of genocide.

Austria's position supports the idea that states not directly affected can take countermeasures in support of the directly affected state, especially in cases of violations of universally recognized norms of international law such as the prohibition of genocide. This view could strengthen international cooperation in the area of cyber security and enable a coordinated response to global threats.

Inviolability of the ICT infrastructure of diplomatic or consular missions and international organizations

As the seat of many international organizations, Austria pays particular attention to protecting the ICT infrastructure of diplomatic and consular missions and international organizations from malicious cyber activities. Austria emphasizes that the ICT infrastructure on the premises of such missions and organizations is inviolable and must also be protected against remote access. This means that remote access to the ICT infrastructure within the mission is also prohibited without explicit consent.

In addition, the archives, documents, and official correspondence of the mission, including in electronic form, are inviolable, regardless of where they are located. Austria works closely with international organizations to ensure their protection against malicious cyber activities. One example of this is "data embassies", which are operated under bilateral agreements between states and guarantee the inviolability of the government data stored in them.

Human rights in the cyber context

Austria emphasizes that the same human rights that apply offline must also be protected online. These include the right to privacy, freedom of expression, and freedom of assembly. States are obliged to respect and guarantee human rights concerning cyber activities. This includes protection against mass surveillance and other invasive cyber measures that could violate human rights.

Austria calls for the promotion of a secure, open, and free internet and emphasizes that restrictions on human rights in the cyber context can only be justified based on the same rules that apply in other contexts. These rules require a legal basis, a legitimate purpose, and the proportionality of the measure.

Austria's national declaration offers a detailed and nuanced perspective on the application of international law in cyberspace. It argues for a strict interpretation of sovereignty and a proactive stance against cyber espionage and other malicious cyber activities. Despite some open questions, the Austrian position is notable for the breadth of topics covered and its progressive approach. By taking a detailed look at disinformation campaigns and supporting collective countermeasures, Austria contributes significantly to the development of the discourse on the behavior of states in cyberspace.
