predates the development and rise of information and communication technologies – in the
cyber context. The paper also intends to foster transparency, comprehensibility and legal
certainty with regard to an important aspect of foreign affairs. The explanations take into
account, inter alia, the 2013 and 2015 reports of the United Nations Group of Governmental
Experts on Developments in the Field of Information and Telecommunications in the
Context of International Security.3 They are based on applicable international law and in this
regard consider, to a significant degree, the findings of independent international law experts
recorded in the Tallinn Manual 2.0.4
For the purpose of this paper, ‘cyber processes’ are events and sequences of events of data
creation, storage, processing, alteration or relocation through means of information
technology. The term ‘cyber infrastructure’ refers to all types of hardware and software
components, systems and networks which allow for the implementation of ‘cyber processes’.
This includes ‘[t]he communications, storage, and computing devices upon which
information systems are built and operate.’5 ‘Cyber activities’ are ‘cyber processes’ instigated
by users of cyber infrastructure. The term ‘cyber operation’ more narrowly refers to the
‘employment of cyber capabilities to achieve objectives in or through cyberspace.’6
‘Cyberspace’ itself is understood here as the conglomerate of (at least partly interconnected)
‘cyber infrastructures’ and ‘cyber processes’ in the above-mentioned sense. In this paper, the
adjective ‘malicious’, when used to describe certain activities in cyberspace, is not purported
to carry a technical legal meaning.
II. Obligations of States derived from the United Nations Charter
a) Sovereignty
The legal principle of State sovereignty 7 applies to States’ activities with regard to
cyberspace.8 State sovereignty implies, inter alia, that a State retains a right of regulation,
enforcement and adjudication (jurisdiction) with regard to both persons engaging in cyber
activities and cyber infrastructure on its territory.9 It is limited only by relevant rules of
international law, including international humanitarian law and international human rights
law. Germany recognizes that due to the high degree of cross-border interconnectedness of
3
4
5
6
7
8
9
See above, note 1.
Schmitt, M. (gen. ed.)/Vihul, L. (man. ed.), Tallinn Manual 2.0 on the International Law Applicable to Cyber
Operations, Prepared by the International Groups of Experts at the Invitation of the NATO Cooperative Cyber
Defence Centre of Excellence, 2nd edition, Cambridge University Press 2017. The Tallinn Manual 2.0 is a paper
created by independent experts and constitutes neither a document stating NATO positions nor a position paper
by States. In the following, references to the Tallinn Manual 2.0 are made for information purposes only and do
not necessarily constitute an endorsement of the referenced text by the German government.
Tallinn Manual 2.0 (note 4), Glossary (p. 564).
Ibid.
The legal principle of State sovereignty is enshrined – in conjunction with the notion of equality of States – in Art.
2 para. 1 of the UN Charter.
See also UN Group of Governmental Experts, reports of 2013 and 2015 (note 1), paras. 20 and 27, 28 (b)
respectively; Tallinn Manual 2.0 (note 4), rule 1.
A State’s jurisdiction may under certain conditions apply to situations beyond its borders, i.e. according to the
principles of active and of passive nationality as well as universality.
2