The African Union (Rightly) Endorses Pure Sovereignty in Cyberspace

In a recent article in International Law Studies, I examined two competing positions concerning how sovereignty functions in cyberspace. The first position, “pure” sovereignty, holds that any low-intensity cyber operation that involves non-consensually penetrating a computer system located on another State’s territory violates the targeted State’s sovereignty. By contrast, the second position, “relative” sovereignty, rejects the idea that the mere penetration of a computer system violates the territorial State’s sovereignty. According to this position, a low-intensity cyber operation violate sovereignty only if it causes at least some kind of harm to the targeted state, such as physical damage or the equivalent loss of cyber-infrastructure functionality.

Until very recently, most states that had taken a position endorsed relative sovereignty (including the US, Germany, and New Zealand), while only three had endorsed pure sovereignty (France, Iran, and Switzerland). But that is no longer the case: on February 2, the African Union released a communique entitled the “Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace.” The communique leaves no doubt that the 55 states in the AU reject relative sovereignty in favour of pure sovereignty:

15. The African Union affirms that international law, as it applies to the use of ICTs in cyberspace, does not permit a State to exercise enforcement authority on the territory of a foreign State in response to unlawful cyber activities that emanate from the territory of that foreign State. This applies even if the exercise of such enforcement authority by a State does not have harmful effects, whether virtual or physical, on the territory of a foreign State.

16. The African Union affirms that, by virtue of territorial sovereignty, any unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State is unlawful. Therefore, the African Union emphasises that the obligation to respect the territorial sovereignty of States, as it applies in cyberspace, does not include a de minimis threshold of harmful effects below which an unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State would not be unlawful.

I am not surprised that the AU has endorsed pure sovereignty, because nearly all of its members are far more likely to be targeted by low-intensity cyber-operations than to launch them. Indeed, the communique explicitly notes that “[g]iven the vast technical capabilities between States, such rules [as relative sovereignty] would, as noted by the International Court of Justice in the Corfu Channel Case, ‘from the nature of things, be reserved for the most powerful States’, which could give rise to serious abuses that would undermine the principles of the independence and sovereign equality of States.”

The most important consequence of pure sovereignty is that it prohibits states from engaging in extraterritorial cyber-espionage. The Tallinn Manual 2.0 claims that because international law does not regulate such espionage in the physical realm, it does not regulate it in the cyber one. Most scholars take the same position. Russell Buchan and I, however, have argued precisely the opposite — that international law prohibits extraterritorial espionage in both the physical and cyber realms. We now have 55 more states that agree with us.

The African Union’s communique is an incredibly important document — the most significant statement to date on how international law applies in cyberspace because of the size of the AU. I hope its views will be taken serious by Western states and scholars, who are all too willing to ignore Southern voices on international law when they don’t like what the South is saying.