constitutes a use of force at international law. Such effects may include death, serious injury to persons, or
significant damage to the victim state’s objects and/or state functioning. In assessing the scale and effects of
malicious state cyber activity, states may take into account both the immediate impacts and the intended or
reasonably expected consequential impacts.
8. Cyber activity that amounts to a use of force will also constitute an armed attack for the purposes of Article
51 of the UN Charter if it results in effects of a scale and nature equivalent to those caused by a kinetic armed
attack. As an example, cyber activity that disables the cooling process in a nuclear reactor, resulting in serious
damage and loss of life, would constitute an armed attack.
Non-intervention
9. Malicious state cyber activity may be inconsistent with the rule of non-intervention. Such activity will violate the
rule of non-intervention if it:
a.
has significant effects on a matter which falls within the target state’s inherently sovereign functions /
domaine réservé (e.g. the right freely to choose its political, economic, social and cultural system, or
matters such as taxation, national security, policing, border control, and the formulation of foreign policy);
and
b.
is coercive (i.e. there is an intention to deprive the target state of control over matters falling within the
scope of its inherently sovereign functions). Coercion can be direct or indirect and may range from dictatorial threats to more subtle means of control. While the coercive intention of the state actor is a critical
element of the rule, intention may in some circumstances be inferred from the effects of cyber activity.
10. Examples of malicious cyber activity that might violate the non-intervention rule include: a cyber operation that
deliberately manipulates the vote tally in an election or deprives a significant part of the electorate of the ability
to vote; a prolonged and coordinated cyber disinformation operation that significantly undermines a state’s
public health efforts during a pandemic; and cyber activity deliberately causing significant damage to, or loss of
functionality in, a state’s critical infrastructure, including – for example – its healthcare system, financial system,
or its electricity or telecommunications network.
Sovereignty
11. The principle of sovereignty prohibits the interference by one state in the inherently governmental functions of
another and prohibits the exercise of state power or authority on the territory of another state. In the physical
realm, the principle has legal effect through the prohibition on the use of force, through the rule of non-intervention
and also through a standalone rule of territorial sovereignty. Subject to limited exceptions (e.g. authorisation by
the United Nations Security Council, self-defence, consent), that standalone rule prohibits a state from sending its
troops or police forces into or through, or its aircraft over, foreign territory, and prohibits a state from carrying out
official investigations or otherwise exercising jurisdiction on foreign territory.
12. In the cyber realm, the principle of sovereignty is given effect through the prohibition on the use of force and
the rule of non-intervention. New Zealand considers that the standalone rule of territorial sovereignty also applies in the cyber context but acknowledges that further state practice is required for the precise boundaries of
its application to crystallise.
13. In New Zealand’s view, the application of the rule of territorial sovereignty in cyberspace must take into account
some critical features that distinguish cyberspace from the physical realm. In particular: i) cyberspace contains
a virtual element which has no clear territorial link; ii) cyber activity may involve cyber infrastructure operating
simultaneously in multiple territories and diffuse jurisdictions; and iii) the lack of physical distance in cyberspace
means malicious actors can apply instantaneous effects on targets without warning. These features present
unique opportunities for malicious actors and significant defensive challenges for states. They also make it
difficult for states to prevent malicious cyber activity being conducted from or routed through their territory.
14. Bearing those factors in mind, and having regard to developing state practice, New Zealand considers that
territorial sovereignty prohibits states from using cyber means to cause significant harmful effects manifesting
on the territory of another state. However, New Zealand does not consider that territorial sovereignty prohibits