Countermeasures in Cyberspace: The International Legal Framework

The cyber domain is increasingly becoming a major arena for state-on-state interactions, and at the same time digital tools and infrastructures seem to generate more and more opportunities for individuals and groups, who want to influence states. These developments entail greater risk in the digital sphere. For the foreseeable future, however, Denmark is mainly expected to face challenges in the cyber domain that fall below the legal threshold of ‘armed attacks’ – which, under international law, would trigger a right to self-defence. Therefore, it seems prudent to focus more intently on the modes of action available to Denmark in response to scenarios where states, non-governmental groups, and/or individuals launch cyber operations against Denmark that do not constitute ‘armed attacks’ but nonetheless carry the potential of causing significant damage to core Danish interests. One of the central responses allowed for under international law in such cases are ‘countermeasures’. In light of recent developments in both the practice and theory of international law, this report aims to review and analyse the opportunities and limitations attached to the right to invoke countermeasures in connection with cyber operations against Denmark.

The report identifies several uncertainties about when, how, and against whom, states can legally invoke countermeasures. A number of important questions – concerning, for example, the legality of ‘collective countermeasures’ and the possibility of invoking countermeasures in relation to cyber operations emanating from non-state actors – remain difficult to answer. Nevertheless, these challenges must be addressed in order to ensure greater stability and predictability in the cyber domain.

Overall recommendation: Denmark should contribute to the debate

The report recommends that Denmark continue its active participation in relevant international fora and processes, e.g. under the auspices of the UN, which may help to solidify the law in this area. Moreover, Denmark should take further steps to contribute actively to the ongoing development by publishing ‘the Danish views on international law in cyberspace’, which inter alia should address the issues touched upon in the report. This recommendation is based not only on Denmark's general interest in maintaining a rule-based international order that includes cyberspace. It also reflects the authors’ impression that even small states, like Denmark, are currently able to influence the development of international law as it applies in cyberspace. So far, only a few states have – seemingly with good effect – been willing to present their views on the way that international law functions in cyberspace and further contributions are warranted. In other words, there is currently a window of opportunity to push these rules in a direction deemed desirable by Danish decision makers.