- ABA Groups
- Resources for Lawyers
- Career Center
- About Us
Melinda J. Brown is general counsel at Draper Laboratory in Cambridge, MA, and is Draper’s legal and policy representative in its work with the Advanced Cyber Security Center, a cross-sector, public-private collaboration addressing the most critical cybersecurity challenges. Matthew J. Kleiman is corporate counsel at Draper and is the chair of the Space Law Committee of the ABA Section of Science & Technology Law.
Most countries don’t even have a legal framework that really governs cyber. It is such a new phenomenon in that regard so the legal systems—both domestic and international—have not kept pace with the technological advances we have seen.
—US Homeland Security Secretary Janet Napolitano1
Cyberspace operates without regard to national borders.2 In that respect, cyberspace joins the high seas, international airspace and outer space as a “global commons,” a domain that is beyond the territorial jurisdiction of any one nation and open to use by all nations.
The global commons play a crucial role in the world economy. The US Joint Chiefs of Staff’s 2011 National Military Strategy notes that the global commons “constitute the connective tissue upon which all nations’ security and prosperity depend.”3 In his recent book, Securing Freedom in the Global Commons, Scott Jasper argues that “securing freedom of access to, transit through, and use of the global commons is fundamental to safeguarding the globalized system.”4
Global access to the space and cybercommons is under serious threat. The 2011 National Military Strategy warns that “the United States faces persistent, widespread, and growing threats from state and nonstate actors in space and cyberspace.”5 Threats to cyberspace come from a variety of sources and employ a variety of tools. Bad actors in cyberspace range from “low-level vandalism by bored teens or disgruntled employees to serious invasions by terrorists, criminals, and formal state-sponsored entities.”6 Some of the most common are insider threats, advanced persistent threats, malicious software, spear phishing, and denial-of-service attacks. In outer space, threats include the growing cloud of space debris in Earth orbit, which could eventually render outer space unusable for all practical purposes; the overcrowding of slots in geostationary orbit, which is the narrow region of Earth orbit used by telecommunication satellites; and antisatellite weapons targeted at dual-use communication and navigation satellites.
Loss of access to all or part of either the space or cybercommons would have a devastating global economic impact. The threat to users of the Internet and communication networks goes far beyond the annoyance of spam. It is also poses as great a risk to emerging economies as to developed nations: there are now more Internet users in developing countries than in developed countries. A significant cyberattack could “bring globalized nations to the edge of collapse as communication systems, financial markets, transportation, power generation facilities, medical services, and so on would simply fail as they became isolated or corrupted without access to cyberspace.”7 Governments and their defense agencies are not immune from attack, and the repercussions from disrupting or reorienting government functions would imperil lives. Indeed, our daily life is now so dependent upon access to the Internet that even modest disruptions will have far-reaching effects.
The inability to access space-based resources would also have dramatic repercussions. As recently framed by the New York Times: “Think of how much our day-to-day lives depend on the herds of satellites occupying orbital space, the world community’s commons. They are integral to communications, social media, business transactions, military operations and surveillance, surveys for charting world resources and climate and the G.P.S. devices that help us keep track of ourselves and others.”8 In 1998, for example, the temporary loss of a single communications satellite affected more than 45 million users, ranging from medical workers, who could not be contacted via their pagers, to gas stations owners who lost pay-at-the-pump functions. Due to their interconnected nature, the loss of either the space or cybercommons would also lead to the significant degradation of the other.
Preventing disruptions to the space and cybercommons is largely a technological problem. Nevertheless, securing the commons also requires a robust legal regime to bring bad actors to justice. International legal regimes have evolved to address threats to the air and maritime commons, but the space and cybercommons add new conceptual and operational dimensions that are not adequately addressed by current legal structures. In particular, the borderless nature of the space and cyberdomains renders many traditional legal constructs obsolete.
Establishing new international legal frameworks for space and cybersecurity will unfortunately take time. This article will explore how states could utilize traditional concepts of extraterritorial jurisdiction under international law to regulate nonstate bad actors in the space and cybercommons until a comprehensive international legal framework is implemented. It will first discuss the global commons and the development of extraterritorial jurisdiction over piracy at sea. The article will then discuss the current legal regimes applicable to cyberspace and outer space and how traditional concepts of extraterritorial jurisdiction can be applied to bad actors in the space and cyberdomains.
Protecting common resources has been a difficult problem since the earliest human communities were formed. Aristotle lamented, “that which is common to the greatest number has the least care bestowed upon it.”9 In 1968, Garrett Hardin famously coined the term “tragedy of the commons” to describe Aristotle’s dilemma.
The “commons” paradigm is now used to describe regulatory problems associated with many shared resources, such as public facilities, natural resources, and the body of knowledge in the public domain. National governments control the portion of these commons over which they have jurisdiction, and they enter into international agreements to regulate commons that are outside of their national jurisdiction.
The seas were the first truly global commons. From the time of the first ocean-going vessels, states have attempted to control portions of the seas for economic and strategic advantage. Disputes over control of the seas have been the cause of countless wars. The concept of “freedom of the seas” is first attributed to Dutch jurist Hugo Grotius. In his 1609 book, Mare Liberum, Grotius argued that the seas were for use by all nations, not only those with the power to exclude others. He contended that nations should be permitted to control only that portion of the sea that can be defended from their coastline. Waters beyond the territorial control of coastal nations was a commons free for use by all nations. This concept was eventually codified in the 1958 Geneva Convention on the High Seas, and expanded upon in the 1982 United Nations Convention on the Law of the Sea (UNCLOS).
UNCLOS was the first international agreement to formalize collaborative approaches to maritime security. The Convention delineates the rights and responsibilities of nations in their use of the world’s oceans, establishing guidelines for navigation, resource exploitation, environmental protection, and dispute resolution. According to James Kraska of the US Naval War College, UNCLOS “contributes directly to international peace, prosperity, and security by replacing abundant conflicting maritime claims with universally accepted limits on coastal state sovereignty and jurisdiction.”10 To date, 161 countries and the European Community have joined the Convention. The United States has not yet ratified the Convention, but it generally recognizes the Convention as the codification of customary international law.
The greatest threat to maritime commerce today is piracy, particularly in the vital sea lanes off the coast of Somalia. International law has long treated piracy as different from other land-based crimes. Since the early seventeenth century, any nation could try any pirates it caught, regardless of the pirates’ nationality or where they were captured. Any nation that caught a pirate could also summarily execute him at sea. The rational for this special treatment was that piracy cannot be countered by traditional sovereignty principles because it takes place on nonsovereign territory (i.e., the sea). Moreover, states felt a need to fight jointly against piracy due to its adverse impact on all states. This jurisdictional principle is now codified in UNCLOS article 105, which provides that “every State may seize a pirate ship” on the high seas, and the pirates may be prosecuted by “the courts of the state which carried out the seizure.”
Before exploring how principles of extraterritorial jurisdiction could be applied to the space and cybercommons, it is important to understand how each domain is currently regulated.
One of the greatest challenges to regulating cyberspace is that, unlike the other commons, cyberspace is not a physical location. An Internet transaction takes place in at least three different locations: (1) the location of the initiator; (2) the location(s) of the Internet server(s) through which the transaction is routed; and (3) the location of the recipient. Therefore, a single Internet transaction might be subject to the laws of three or more different countries, some of which may be conflicting, and investigating and prosecuting cybercrimes requires coordination with each country’s national justice system.
There is no uniform law for regulating cyberspace across national boundaries. Currently, the leading international convention on cybercrime is the Council of Europe’s 2001 Convention on Cybercrime. To date, 46 countries, including the United States, have either signed or ratified the Convention. The Convention aims to harmonize national cybercrime laws and provide for effective international cooperation in cybercrime investigations. It establishes standard definitions for the crimes of illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, online child pornography, and online copyright infringement. The Convention also requires that countries adopt laws establishing jurisdiction over any of the foregoing offenses when the offense is committed: (1) in its territory; (2) on board a ship flying its flag; (3) on board an aircraft registered under its laws; or (4) by one of its nationals, if the offense is punishable under the criminal law where the offense was committed or if the offense is committed outside the territorial jurisdiction of any country.
Critics of the Convention note that it was drafted mostly by and for European states and is somewhat outdated in its coverage of the forms of cybercrimes and attacks. Consequently, there are no provisions that address, for example, large-scale botnet attacks and phishing. Although signature of the Convention is open to nonmembers of the Council of Europe, only four nonmembers have signed it (the United States, Canada, Japan, and South Africa), and only one nonmember has ratified the Convention (the United States). Neither Russia nor China have signed the Convention. Unless the number and pace of signatures and ratification increases, the Convention will not attain the status of a global standard.
The foundational instrument of the outer space legal regime is the 1967 Outer Space Treaty (OST). The OST established broad principles that have been elaborated upon and implemented in a series of subsequent international treaties and national laws. These principles include:
• Outer space is the “province of all mankind” and is free for exploration and use by all States;
• Outer space is not subject to national appropriation;
• No Weapons of Mass Destruction are permitted in outer space;
• The Moon and other celestial bodies shall be used exclusively for peaceful purposes;
• States shall be responsible for national space activities;
• States shall retain jurisdiction and control over their space objects;
• States shall be liable for damage caused by their space objects; and
• States shall avoid harmful contamination of outer space.
Thus far, the OST regime has been only marginally effective at protecting the space commons. On the one hand, the OST codified outer space’s status as a commons free for use by all states (more than 50 countries and international organizations have satellites in orbit) and has helped prevent conflict in outer space by establishing standards for state responsibility for space operations. On the other hand, space debris has been allowed to accumulate to a disturbing level despite the OST’s environmental mandates, and the OST does not address the responsibility of private entities for their conduct in outer space.
Public international law generally recognizes, to one extent or another, five bases upon which a state may assert jurisdiction over the perpetrator of a crime. Territorial jurisdiction is the most common basis of jurisdiction exercised by national governments and is exercised over actions having occurred within the territory of a state. The forms of extraterritorial jurisdiction include: (1) nationality jurisdiction; (2) protective jurisdiction; (3) passive personality jurisdiction; and (4) universal jurisdiction. The remainder of this article will explore how each of these four forms of extraterritorial jurisdiction might be applied to regulate nonstate actors in the borderless outer space and cybercommons.
Nationality jurisdiction allows a state to exercise jurisdiction over its nationals abroad. Nationality jurisdiction also includes “flag jurisdiction,” which derives from the principle that ships, aircraft, and spacecraft are “floating islands” under the jurisdiction of the state whose flag they fly. It is the most widely accepted form of extraterritorial jurisdiction.
The use of nationality jurisdiction to counter cybercrimes is expressly endorsed by the 2001 Convention on Cybercrime. By enabling states to regulate the actions of their nationals abroad, nationality jurisdiction broadens the government’s reach into the cybercommons. The nationality of the victim of a cybercrime is another approach to consider, especially if the notion of a “victim” is expanded to include governments along with private citizens and corporations.
The nationality principle plays a critical role in regulating space activities. All spacecraft are subject to the laws of their country of registration. In fact, the US Commercial Space Launch Act uses nationality jurisdiction to mandate that all US citizens and US corporations must obtain a license from the Federal Aviation Administration prior to launching a spacecraft, even if the spacecraft is launched from outside of the United States. However, nationality jurisdiction does not permit the United States to regulate spacecraft operated by foreign persons and companies. Relying on nationality jurisdiction may also incentivize companies to operate their spacecraft under “flags-of-convenience” in order to choose a governing jurisdiction with the most favorable laws or the weakest enforcement mechanisms.
Protective jurisdiction allows the state to prosecute foreigners when the primary effect or the intent of the alleged crime is to threaten the essential governmental functions of a state. Traditionally, the protective principle is applied to offenses such as espionage, counterfeiting, falsification of official documents, perjury before counselor offices, and conspiracy to violate immigration or customs laws. Recently, however, the protective principle has been extended to terrorist cells that operate outside the borders of a state.
As with terrorism, protective jurisdiction can be very useful in prosecuting the many cybercriminals who target critical government networks from foreign soil. Protective jurisdiction would not, however, permit a country to target cybercriminals who target critical nongovernmental networks, such as those used by power companies and financial institutions.
Except for the case where a bad actor directly targets a government satellite, such as with an antisatellite weapon, it is unlikely that the protective principle could be used to address threats to the outer space commons. By their very nature, threats to the outer space commons, such as space debris, affect the entire global community. Generators of space debris would therefore be unlikely to have the intent to specifically target any particular country necessary to invoke the protective principle.
Passive personality jurisdiction, perhaps the most controversial of the five bases of jurisdiction, is exercised over any act, particularly criminal acts committed outside a state’s territory by a foreigner that substantially affects the person or property of a citizen of that state. Passive personality jurisdiction differs from protective jurisdiction because protective jurisdiction permits jurisdiction when the state itself is threatened, whereas passive personality only requires that the offending act be committed against the state’s nationals. This type of jurisdiction has traditionally been rejected by the English-speaking world, but it is gaining wider acceptance for use against terrorism.
Passive personality jurisdiction would be helpful in regulating the space and cybercommons because it would permit a state to prosecute bad actors who cause harm to its nongovernmental computer networks and spacecraft. Like protective jurisdiction, wider acceptance of this form of jurisdiction in the terrorism context could help it gain wider acceptance in the regulation of the space and cybercommons. Nevertheless, the traditional reluctance of the United States, United Kingdom, and other western countries to recognize this form of jurisdiction would be a difficult diplomatic hurdle to overcome were one of these nations to try to exercise this form of jurisdiction to protect the space or cybercommons.
Universal jurisdiction may be exercised by any nation over any person, regardless of that person’s or the alleged crime’s connection to the nation asserting jurisdiction. This jurisdiction is asserted on the grounds that the crime committed is considered a crime against all, which any state is authorized to punish, as it is too serious to tolerate typical jurisdictional constraints. As discussed above, universal jurisdiction was originally applied to maritime piracy. Following World War II, it has been extended to certain types of war crimes and human rights violations.
In many respects, universal jurisdiction appears to be a perfect mechanism for prosecuting bad actors in domains without traditional national borders. Disabling access to any global commons could be considered a crime against all humanity. Just as piracy threatens the critical arteries of maritime commerce, cyberattacks and loss of communication satellites threaten the critical arteries of electronic commerce.
However, there are also strong arguments against the use of universal jurisdiction in this context. Asserting universal jurisdiction is an extraordinary measure that disregards principles of national sovereignty that have been the foundation of international law for hundreds of years. Attacks in outer space and cyberspace, while potentially devastating economically, are not the sort of violent crimes that ordinarily justify disregarding established international norms. Moreover, whereas piracy often takes place on the high seas outside of any obvious national jurisdiction, cyberattacks touch many national jurisdictions, including the locations of the attacker, the victim, and the servers and transmission lines used to carry out the attack. Any of these touch points could conceivably claim jurisdiction under one or more of the other jurisdictional principles.
The borderless nature of cyberspace and outer space presents many challenges to regulating nonstate actors in these domains. Like piracy on the high seas and stateless terrorist cells, threats to the space and cybercommons endanger global economic security, and established legal structures do not provide all of the tools necessary to control them. Until new international legal frameworks are established, countries that depend on computer networks and space-based assets can consider utilizing expanded concepts of extraterritorial jurisdiction to bring bad actors to justice. u
1. Tom Jowitt, U.S. Highlights Need for Global Cyber Security Strategy, eWeek Europe, July 1, 2011, available at www.eweekeurope.co.uk/news/us-warns-of-need-for-global-response-to-cyber-attacks-33137.
2. There is no universally agreed upon definition of cyberspace. In this article, we use the terms cyber and cyberspace to denote access to the Internet and the ability to communicate via large area networks using tools such as email.
3. Joint Chiefs of Staff, The National Military Strategy of the United States of America 2011: Redefining America’s Military Leadership 9, Feb. 8, 2011, available at www.jcs.mil//content/files/2011-02/020811084800_2011_NMS_-_08_FEB_2011.pdf.
4. Scott Jasper and Paul Giara, Disruptions in the Commons, in Securing Freedom in the Global Commons 3 (Scott Jasper ed., Stanford Security Studies 2010).
5. Joint Chiefs of Staff, supra note 3, at 9.
6. Steven H. McPherson and Glenn Zimmerman, Cyberspace Control, in Jasper, supra note 4, at 92.
8. John Noble Wilford, 3, 2, 1, and the Last Shuttle Leaves an Era Behind, N.Y. Times, July 8, 2011, available at www.nytimes.com/2011/07/09/science/space/09wilford.html.
9. Aristotle, Politics, Book II, Part III (Benjamin Jowett trans., Dover Thrift, 2000), available at http://classics.mit.edu./Aristotle/politis.2.two.html.
10. James Kraska, Indistinct Legal Regimes, in Jasper, supra note 4, at 51.