July 2014

Emerging Voices: Responsibility of the Netherlands for the Genocide in Srebrenica–The Nuhanović and Mothers of Srebrenica Cases Compared

[Otto Spijkers is an Assistant Professor of Public International Law at Utrecht University.] Introduction This post compares the recent judgment of the District Court in The Hague in the case of the “Mothers of Srebrenica” with the judgment of the Dutch Supreme Court of last year in the Nuhanović case. I will try not to repeat what Kristen Boon wrote about the case in an earlier post. Facts Both judgments deal with the legal responsibility of the Netherlands for the death of (some of) the Bosnian Muslims in Srebrenica in 1995. When the so-called “safe area” of Srebrenica fell into the hands of the Bosnian Serbs, the Dutch UN peacekeepers all left the area. Hasan Nuhanović was permitted to leave with them, because he had worked for the UN, but the UN peacekeepers refused to take the relatives of Hasan Nuhanović as well. Hasan’s brother and father were subsequently killed, together with thousands of other Bosnian Muslims. Most of the victims were situated outside the compound over which the Dutch peacekeepers exercised effective control. Even those Bosnian Muslims that managed to enter the compound, just before the fall of Srebrenica was a fact, were later surrendered by the Dutch peacekeepers to the Bosnian Serbs. Almost all of them were killed. Legal Question Nuhanović argued that the refusal of the Dutch UN peacekeepers to save his relatives constituted a wrongful act, attributable to the State of the Netherlands. The Mothers of Srebrenica argued that the refusal of the Dutch UN peacekeepers to save all Bosnian Muslims within the so-called “mini safe area” constituted a wrongful act, attributable to the Netherlands. This is the area where most people fled to after the city of Srebrenica had fallen into the hands of the Bosnian Serbs. This mini safe area consisted of the compound in Potočari and the surrounding area, where deserted factories and a bus depot were located (para. 2.35 of Mothers of Srebrenica judgment). Attribution In Nuhanović, The Dutch Supreme Court held that the same conduct could in principle be attributed both to the Netherlands and to the United Nations. In reaching this decision, the Court referred to Article 48 of the ILC’s Articles on the Responsibility of International Organizations (2011, DARIO). In the Mothers of Srebrenica case, the District Court reached the same conclusion (para. 4.34) Since the UN was not party to the Nuhanović-proceedings, the Supreme Court could look only at the rights and responsibilities of the Netherlands. The Mothers of Srebrenica initially involved the UN in the proceedings as well, but the Organization effectively relied on its immunity (this led to some landmark judgments by the Dutch Supreme Court and the European Court of Human Rights), and thus the case continued without the UN. In Mothers of Srebrenica, the District Court explicitly rejected the position of the Mothers that, given the immunity of the UN, the rules on attribution should be interpreted more “broadly,” as otherwise the Dutch UN peacekeepers would be placed “above the law” (para. 4.35). At the same time, one cannot help get the feeling that it played a role. With regard to attribution, the Supreme Court in Nuhanović based its decision primarily on Article 7 DARIO. This provision states that the conduct of an organ placed at the disposal of an international organization by a State must be considered to be the conduct of that international organization, when the organization has effective control over the conduct. The Netherlands argued that Article 6 DARIO was the relevant provision, and not Article 7. Article 6 DARIO states that the conduct of an organ of an international organization is attributable to that international organization. The argument of the State was thus that the peacekeepers were a UN organ. This is also the view of the UN itself. But the Supreme Court followed the ILC Commentary to DARIO, according to which a battalion of peacekeepers is not a UN organ, because the battalion to a certain extent still acts as an organ of the State supplying the soldiers. Important in this assessment is the fact that the troop-contributing State retains disciplinary powers and criminal jurisdiction over its peacekeepers. Interestingly, the Dutch Supreme Court also referred to Article 8 of the ILC’s Articles on the Responsibility of States for Internationally Wrongful Acts (2001, ARS). Strictly speaking, Article 7 DARIO says nothing about the attribution of conduct of an organ placed at the disposal of an international organization by a State to that State. The Article deals exclusively with the responsibility of international organizations, such as the UN. All it says is that, if the international organization does not have effective control over the conduct of the organ, then it is not responsible for that conduct. But that does not mean that, by definition, this makes the State responsible in such cases. In theory, it could very well be that neither of the two is responsible. And so to complete the picture, the Dutch Supreme Court relied on Article 8 ARS. According to this provision, the conduct of a group of persons shall be considered an act of a State if the group is in fact acting under the effective control of that State in carrying out the conduct. This provision was meant to make it possible to attribute acts of persons not formally part of the State system to the State in exceptional circumstances. One may wonder why the Supreme Court did not instead make use of Article 4 ARS, according to which the conduct of any State organ shall be considered an act of that State. If peacekeepers are not UN organs, then it would be logical to consider the peacekeeping force as a State organ instead. Peacekeepers are not the mercenaries, militants or bands of irregulars for which Article 8 ARS has been designed. But if we follow the Dutch Supreme Court, the peacekeepers are nobody’s organ; and whoever happens to be in effective control of them at the relevant time, is responsible for their actions.

Emerging Voices: Cyber Operations and the Prohibition of the Threat of Force

[François Delerue is Ph.D. researcher in International Law at the European University Institute (EUI - Florence, Italy) and visiting scholar at Columbia University (fall term 2014)] Article 2(4) of the UN Charter was revolutionary in its extension to the explicit prohibition of the threat of force, alongside the prohibition of the use of force. No cyber operation has ever been qualified as a threat or use of force by any States or international organizations; commentators are more nuanced and some consider certain cyber operations as likely to qualify as actual uses of force (see generally: Tallinn Manual p. 45; Marco Roscini pp. 53-55; Duncan Hollis). Most of the literature applying Article 2(4) to cyber operations focuses on the use of force and, therefore, the threat of cyber force remains understudied. In this blog post I endeavor to fill this gap by analyzing inter-state cyber operations according to the prohibition of threat of force. My main argument is that for most inter-state cyber operations the qualification as the threat of force is arguably more suitable than trying to qualify them as an actual use of force at any cost. I will develop successively the two main forms of threat of force: open threat of prohibited force and demonstration of force. A Threat of Prohibited Cyber Force As a Prohibited Threat of Force The International Court of Justice, in its Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, confined the prohibition of the threat of force to the prohibition of the threat of the use of the prohibited force (para. 47). In other words, an unlawful threat is a conditional promise to resort to force in circumstances in which use of force would itself be unlawful. This form of threat of force is the most obvious one and can be implied directly from the wording of the UN Charter. Formulated by Ian Brownlie in 1963 (p. 364), this approach is nowadays the prevailing one on the threat of force. Applied to cyber operations, a threat of cyber force will violate the prohibition of Article 2(4) only if the threatened cyber force amounts to an unlawful use of force in the same circumstances. This is the contemporary leading approach among scholars and is, for instance, the approach followed by rule 12 of the Tallinn Manual: A cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force. Is a general threat to resort to force enough to constitute a violation of the prohibition of Article 2(4)? The answer is unequivocally yes. Most verbal or written threats of force constitute a general threat of force, without specification on which kind of force might be use. It seems most likely that threat of force will remain mainly general, and cyber force will be one of the possible options to be used by the threatening State. Demonstration of Cyber Force As a Prohibited Threat of Force Demonstration of cyber force constitutes the second form of threat of force. In contrast to an open threat of force, a demonstration of force is constituted by acts instead of words performed by a State. Force may be demonstrated in many ways: notably in military acts – such as deployment of troops, manoeuvres, nuclear arms build-ups or testing – showing the readiness of a State to resort to force against another. In the literature on the threat of cyber force, demonstration of force is sometimes analyzed but remains for the most part neglected and understudied. Most cyber operations fail to qualify as an actual use of force; however, could they constitute a demonstration of force amounting to a prohibited threat of force? I will use recent examples of cyber operations to answer this question. Large-Scale Distributed Denial of Service Attacks As a Demonstration of Force A distributed denial of service (DDoS) attack is a cyber attack, which aims to make a machine or network resource unavailable by flooding it with requests from compromised systems. Could such a large-scale DDoS attack amount to a demonstration of force? The answer seems to be positive under certain conditions. In April 2007, Estonia faced violent street protests by a minority group of Russian descent objecting to the removal of World War II bronze statue of a Soviet soldier. Simultaneously, the country experienced multiple cyber operations, notably large-scale DDoS attacks on the websites and servers of private and public institutions. The Estonian government accused Russia of the cyber attacks; Russia, however, denied any involvement. As Estonia is highly connected and extremely dependent on its computer infrastructure, these cyber operations were able to paralyze a large part of the Estonian economy, media and government. Could these cyber operations constitute a use of force? Estonia explored initially the possibility to invoke Article 5 of the North Atlantic Treaty and thus to treat these cyber operations as an ‘armed attack’[1] triggering ‘the right of individual or collective self-defence’; however, this solution was quickly ruled out (see e.g. Mary E. O’Connell pp. 192-193; see also: here and here). While neither Estonia nor other States considered those cyber operations as a use or threat of force, could these cyber operations constitute a credible threat of force? Their consequences resulted in the partial paralysis of the State, limiting the ability of the country to respond in case of military action. Moreover, they occurred in fractured relations between the targeted State and the presumed threatening State, rendering any threat of force more credible. It seems, as a result, that those cyber operations could be considered as potential preluding measures to a use of force. They could thus be considered as a demonstration of force violating the prohibition of threat of force of Article 2(4). The Estonian example demonstrates that a large-scale DDoS attack against an Internet-dependent State could constitute a threat of force. However, not all DDoS attacks might be that easy to qualify as a demonstration of force. In the case of similar cyber operations faced by Georgia before the 2008 Russo-Georgian War, the conclusion might be more nuanced. Unlike Estonia, Georgia is not highly dependent on the Internet; therefore the consequences of cyber operations were limited and resulted mainly in the inability for the Georgian Government to access its websites and use them to communicate. As a result, the qualification of a threat of force seems difficult and probably excessive for this situation.