Collective countermeasures in cyberspace – Lex Lata, progressive development or a bad idea?

This paper analyses whether international law permits collective countermeasures against states responsible for cyberattacks. In her opening address at CyCon 2019, Estonia’s President Kersti Kaljulaid presented Estonia’s view that ‘States which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation’. This view was rejected by France in its declaration of 9 September 2019 on how international law applies to cyber operations. Discussing the International Law Commission’s treatment of the legality of third-party countermeasures in its Articles on State Responsibility, the paper finds that the question was ultimately left open, given the unsettled status of customary law at that time. However, the Articles are formulated in such a way as to allow the application of lawful measures by not directly injured States, thus leaving room for developments in international law. Based on recent scholarship and examples of State practice, the paper finds that international law has indeed evolved since 2001 to permit collective countermeasures, but only insofar as third-party countermeasures against violations of collective obligations are concerned. In consequence, collective action by non-injured States against cyberattacks violating the sovereignty of a State or constituting an intervention in its internal affairs are not permitted under international law as it stands today. Lastly, the paper discusses whether international law may recognise cyber-specific collective obligations and finds that the obligation to protect the ‘public core of the internet’ may be a good candidate for such a norm.