10 Aug Emerging Voices: Powers of the Security Council to Make Determinations Under Article 39 of the Charter in Case of Cyber Operations
[Janos Ferencz, LL.M., is a Visiting Research Fellow at The Minerva Center for the Rule of Law under Extreme Conditions at the Faculty of Law and Department of Geography and Environmental Studies, University of Haifa and a Legal consultant at Panteia, the Netherlands.]
The rapid proliferation of malicious cyber operations in recent years has underlined a growing concern about the risks presented by cyber space to international peace and security. The UN General Assembly noted in Resolution 69/28 (2014) the increasing concerns about the use of information technologies “for purposes that are inconsistent with the objectives of maintaining international stability and security” (UN Doc. A/Res/69/28, 2 December 2014, preambular para. 9). The importance of understanding when cyber operations represent a threat to international peace and security lies in the Security Council’s Chapter VII powers. Under Article 39 of the Charter, its powers to adopt non-forceful and forceful measures can only be activated once there is a determination that a cyber operation is a “threat to the peace, breach of the peace, or act of aggression.” Academia has so far paid only limited attention to analysing the conditions under which cyber operations can reach this level. This post aims to fill this gap by assessing whether, and if so under what conditions, cyber operations can trigger the applicability of Article 39 of the Charter.
Cyber operations and the threshold of Article 39
A cyber operation must be understood as a broad concept, incorporating “the employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace” (Tallinn Manual, para. 2, p. 15). The Tallinn Manual experts unanimously agreed that the Security Council possesses the authority to determine that a cyber operation constitutes a threat to the peace, breach of the peace, or act of aggression (Tallinn Manual, Rule 18). The question remains, however, what are the prerequisite circumstances for such an operation to attain the level of gravity required by Article 39?
A breach of the peace is generally characterized by armed hostilities between States, while an act of aggression manifests through the direct or indirect use of force. The concept of “threat to the peace” is the broadest of the three and the one most frequently used by the Security Council. From a cyber perspective, the two former scenarios, although theoretically possible, remain less likely to occur in practice since the Security Council has yet to make a determination that an event amounted to an act of aggression, and only a handful of situations were found to have breached the peace (e.g. the invasion of South Korea or Kuwait). For this reason (and also taking into account spatial limitations) this post focuses on the circumstances qualifying cyber operations as a threat to international peace and security.
The Security Council has broad discretion under Article 39 to conclude that any kind of conduct or situation amounts to a threat to international peace. Finding the lowest common denominator across the Council’s past practice falls beyond the scope of this post, but suffice it to say that a “threat to the peace” is deemed a political concept (Tadić Decision on Interlocutory Appeal on Jurisdiction, 2 October 1995, para. 29) that builds on the Council’s interpretation of the concept of “peace”. Although the early practice of the Council has shown a narrow interpretation of this concept, viewing “peace” as the absence of use of force between States (J. Frowein, ‘Article 39’ in B. Simma (ed.) The Charter of the United Nations: A Commentary (2nd edn., OUP, 2002), at p. 720), the recent practice of the Council indicates its willingness to broaden that interpretation. This is best evidenced by the Council’s acknowledgement that the HIV/AIDS pandemic can pose a security threat (SC Res. 1308, 17 July 2000) as well as the determination on the existence of a threat to international peace and security in West Africa due to the outbreak of Ebola (SC Res. 2177, 18 September 2014). Nonetheless, the Council has always been careful to consider the impact of an internal situation upon regional or international stability. This criterion is common across all Article 39 determinations, and entails that any event or phenomenon that undermines regional or international stability by creating a risk of unrest or hostilities in the short or medium term could fall within the purview of Article 39.
Thus, a cyber operation will amount to a threat to peace within the meaning of Article 39 when it creates the threat of jeopardizing regional or international stability. Cyber operations targeting the critical infrastructure of a State will likely fulfill this threshold. Similarly, the US DoD concluded that “computer network attacks that caused widespread damage, economic disruption, and loss of life could well precipitate action by the Security Council” under Article 39 (US DoD, An Assessment of International Legal Issues in Information Operations, May 1999, p. 15).
The cyber operation itself need not be a violation of international law per se for it to fall within the ambit of Article 39. This raises interesting questions about the exploitation of cyberspace for the purposes of espionage, which is, in principle, not prohibited by international law. This question is particularly relevant in the aftermath of Edward Snowden’s revelations regarding the NSA’s surveillance programme in 2013.
In my view, there are two main approaches to assessing cyber espionage under Article 39. Firstly, relying on the threshold set out above, cyber espionage could represent a threat to international peace and security when it creates destabilizing effects on regional or international stability to the extent that a potential risk of unrest and hostilities between States will arise. One example would be recourse to dual-use malware that not only steals information but also produces widespread destructive or disruptive effects. However, it is unlikely that data breaches on their own would fall within the scope of Article 39 unless there is a prospect of hostilities as a result of the breaches. Furthermore, due to the threat of veto by any permanent member of the Security Council, it remains unlikely that in the near future cyber espionage incidents will be formally declared a threat to international security.
The alternative approach is to view cyber espionage as a threat amplifier (as opposed to a threat on its own) since it can jeopardize cooperation among States on matters that pertain to international security. This effect is achieved through undermining inter-State trust, and is best evidenced in cases where confidential information of high-ranking State officials is obtained (e.g., through eavesdropping on communications of Heads of State). In the aftermath of the revelation that the NSA had intercepted Chancellor Angela Merkel’s private communication for years, Chancellor Merkel called the NSA’s actions a ‘serious breach of confidence’ (The Guardian, 24 October 2013). In a similar vein, Brazilian President Dilma Rousseff cancelled a visit to the White House after it was revealed that the NSA was spying on her, too. She formally denounced the NSA’s activities before the General Assembly, arguing that such practices are unacceptable from governments seeking true strategic partnerships (The Guardian, 24 September 2013). Thus, while cyber espionage incidents are unlikely to trigger an Article 39 determination, their indirect impact on jeopardizing international peace and security cannot be underestimated.
Cumulative effects of multiple low-intensity cyber operations
The Article 39 threshold outlined in the above section may prove too high to capture the full spectrum of threats represented by cyber operations, especially considering that the majority of incidents will be of low intensity and, consequently, escape the purview of Article 39.
In such cases, I argue for the application of the “accumulation of events” doctrine, according to which a series of cyber incidents that emanate from the same source, show the same pattern and are linked in time can cumulatively produce effects that threaten the outbreak of an international conflict. For instance, multiple low-scale cyber operations that briefly but repeatedly disrupt the banking infrastructure of a State may collectively fall within the ambit of Article 39.
However, applying this doctrine for an Article 39 determination is not without difficulties. With low-intensity incursions, the authors’ identity can more easily remain shielded, and it may also prove difficult to find a connecting link between different attacks.
The Security Council’s powers under Article 39 can clearly be triggered by cyber operations. Yet, the conclusion that can be reached at this point is somewhat disappointing. On the one hand, activating this provision carries a significant potential to address the ever-increasing incidents of malicious cyber operations by paving the way for adopting enforcement measures. On the other hand, as with most determinations under Article 39, the final decision whether or not to activate the provision will be a political issue rather than a legal one, continuously overshadowed by the threat of veto. Indeed, the Security Council has shown little interest so far in considering cyber operations as triggers for Article 39. In 2008, Georgia’s request to the Council to consider the cyber attacks that it had just suffered was largely ignored, and no resolution was adopted on the matter (UN Doc. S/PV.5961, 19 August 2008). This ineffectiveness only further strengthens the growing need to better regulate cyber activities on the international level.