Countermeasures in international law and their role in cyberspace

With the development of information and communication technologies, there has been an ongoing debate about how and when countermeasures can be used in cyberspace, particularly in response to cyberthreats. Countermeasures are a well-established response mechanism available to states against violations of international law. They involve measures that would otherwise be unlawful, such as breaches of treaty obligations, but are allowed under certain strict conditions to address a prior breach of international law by another state. Countermeasures exist alongside other response mechanisms, many of which do not involve any act contrary to international law.Under customary international law – unwritten rules that are based on the generally accepted practice of states – any state injured by a breach of international law has the right to take countermeasures against the state responsible for the breach (the ‘responsible state’). The aim of countermeasures is to induce the responsible state to stop and/or repair the breach – not to punish the responsible state. Countermeasures are subject to a number of substantive and procedural conditions, which are intended to prevent escalation of conflicts. These are mostly reflected in the International Law Commission’s Articles on State Responsibility.At present, both the right of injured states to take countermeasures and the conditions for resorting to such measures apply in cyberspace, as in other contexts. Operational considerations in cyberspace – such as the speed, scale and covert nature of cyber operations – have prompted debates about whether the conditions for taking countermeasures should be adapted to the cyber context. Nevertheless, the existing rules on countermeasures are sufficiently flexible to accommodate cyber-specific concerns, including the need for covert, rapid and direct responses to unlawful cyber operations.While it is clear that injured states may take countermeasures, there is also some support for the view that states indirectly injured by a serious breach of obligations protecting community or collective interests (erga omnes or erga omnes partes obligations) may take ‘general interest countermeasures’ in support of the injured state or affected individuals.At present, there seems to be insufficient evidence that indirectly injured states have a right to take general interest countermeasures. Nevertheless, support for these measures is growing, prompted by serious violations such as Russia’s full-scale invasion of Ukraine.International law does not allow third states that are neither directly nor indirectly injured by a breach to take countermeasures in support of the injured state. Third states may nonetheless aid or assist the injured state in taking its own cyber or non-cyber countermeasures, provided that the assistance does not otherwise breach international law.States should continue to express their views on the law of countermeasures, and do so in a clear and transparent manner to avoid misunderstandings. In the cyber context, this can be done by publishing national positions on international law in cyberspace. States should base their national positions on general international law and consider their implications for other areas of state activity beyond cyberspace.By unpacking the law on countermeasures generally and in cyberspace, this paper seeks to bring greater clarity, legal certainty and predictability regarding the application of international law to cyber operations and what it means for states to behave responsibly in this and other contexts.