January 27, 2023
International Law in Cyberspace
By: Lauren M. Cherry and Peter P. Pascucci
The first cyber attack occurred in 1834 when a pair of thieves hacked the French telegraph system to steal money. Tom Standage & Seth Stevenson, Human Insecurity, Slate, Oct. 3, 2018. A century and a half later, in 1988, Robert Tappan Morris conducted the first denial-of-service attack when he hacked a computer at the Massachusetts Institute of Technology (MIT) and released a “worm” into the MIT network. Within 24 hours, it had spread across 6,000 of the approximately 60,000 computers that were thought to be connected to the Internet at the time. Federal Bureau of Investigation, The Morris Worm, Nov. 2, 2018.
While cyber technologies advanced in the late 1980s and early 1990s, cyberspace became a medium of business and a warfare domain in the early 2000s when broadband internet access became mainstream. Broadband allowed for the fast transmission of large amounts of data and led to technological advances and applications by individuals, businesses, and governments. The ubiquity of broadband access, the growth of the Internet of Things, and the spread of smartphones all put computer technology into the hands of businesses and people around the world. As with other technological advances throughout history, law and policy governing cyberspace have lagged far behind the technology. The early 2000s saw modest developments in international law regarding cybercrime with the Convention on Cybercrime (also known as the Budapest Convention), Nov. 23, 2001, ETS No. 185, and the Additional Protocol to the Convention on Cybercrime Concerning the Criminalization of Acts of a Racist or Xenophobic Nature Committed Through Computer Systems, Jan. 28, 2003, ETS No. 189. But the big unanswered question was — and largely remains — the extent, scope, and manner to which international law applied to the cyber domain, and specifically to the cyber activities of State actors.
While the past decade has seen advances in understanding how international law applies to State activity in the cyber domain, there remains significant ambiguity. There is a myriad of reasons why ambiguity is so prevalent. States may not wish to articulate specific positions because they are concerned that establishing clear positions could limit their own freedom of action or because they may not have formally adopted a national position on a particular matter. Additionally, States are often deliberately opaque about their cyber activities, complicating determinations whether a State took an action or refrained from taking an action out of a sense of legal obligation or because of its national security interests. Nevertheless, the past decade has seen substantial developments in international law pertaining to State cyber activity and those developments are summarized in this article.
Developments of the Last Decade
On September 18, 2012, Harold Koh, the Legal Advisor to the United States Department of State, delivered a speech at the U.S. Cyber Command legal conference. Harold Hongju Koh, International Law in Cyberspace, 54 Harvard Int’l L. J. Online 1 (Dec. 2012). It marked the first time the United States publicly announced its view that existing international law applies in cyberspace. While seemingly uncontroversial today, the announcement was a ground-breaking step at the time. Ten years later, this position is accepted by the majority of the international community.
The 2012 U.N. Group of Governmental Experts (GGE), comprised of representatives from 15 States, echoed the U.S. conclusion that international law, and in particular the U.N. Charter, applies to State activity in cyberspace. Rep. of the Group of Gov’tal Experts on Developments in the Field of Info. and Telecomm. in the Context of Int’l Sec., U.N. Doc. A/68/98* (June 24, 2013). The 2012 GGE further concluded that “State sovereignty and the international norms and principles that flow from sovereignty apply to State conduct” in cyberspace; that a State has jurisdiction over cyber infrastructure located within its territory; that “States must meet their international obligations regarding internationally wrongful acts attributable to them”; and that States must not use proxies to commit internationally wrongful acts. Id. at 8. The 2012 GGE report also identified sovereignty as the foundation on which States’ rights and obligations regarding cyber operations are built, but the GGE did not identify how, precisely, sovereignty binds States to take or not take specific actions. Id.
After the pronouncements of 2012, there was some agreement that international law applied in cyberspace, but the precise manner in which it applied remained largely uncertain. Recognizing the significance of State activity in cyberspace and the lack of public positions by States regarding the application of international law to cyberspace, the Cooperative Cyber Defence Centre of Excellence (CCDCOE) of the North Atlantic Treaty Organization (NATO) convened a group of experts to consider the issue. The three-year effort of 20 international law scholars produced the Tallinn Manual on International Law Applicable to Cyber Warfare, or Tallinn Manual 1.0. Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013). Tallinn Manual 1.0 contains 95 rules which the experts posited reflect existing conventional or customary international law and describe how those legal regimes apply to State actions in cyber warfare. While this seminal work provides an outstanding framework, it is important for practitioners to note, as the Manual itself does, that the work is a collection of the views of individuals acting in their personal capacities and does not necessarily reflect the positions of NATO, any organization, or any State. Nevertheless, the Tallinn Manual 1.0 provides an excellent starting point from which one may begin to understand how international law applies in cyberspace.
Three years after Tallinn Manual 1.0, the United Nations’ 2015 Group of Governmental Experts (2015 GGE) affirmed many of the conclusions of the 2012 GGE, including the application of the U.N. Charter to State activity in cyberspace as well as the jurisdiction of States over cyberspace infrastructure within their territory and the limitation on States’ use of proxies to commit internationally wrongful acts. Rep. of Group of Gov’tal Experts on Developments in the Field of Info. and Telecomm. in the Context of Int’l Sec., U.N. Doc. A/70/174 (July 22, 2015). The 2015 GGE report also recognized the inherent right of States to act consistent with their U.N. Charter obligations and took the position that State sovereignty and its corresponding norms and principles apply to cyberspace. Id. at 12. The 2015 report went on to state that the established legal principles governing armed conflict — humanity, necessity, proportionality, and distinction — apply to State actions in cyberspace but did not elaborate on the application of these principles to cyber activities. Id. at 13. Most importantly, the 2015 GGE recognized that a common understanding of “how international law applies to State use of [cyberspace is] important for promoting an open, secure, stable, accessible and peaceful [cyber] environment.” Id.
The next major speech from a U.S. official on international law in cyberspace was made on November 10, 2016 by Brian Egan, Legal Advisor to the Department of State. Egan’s speech expanded on the U.S. positions articulated by Harold Koh in 2012. Brian J. Egan, International Law and Stability in Cyberspace, 35 Berkeley J. Int'l L. 169 (2017). It acknowledged the work of the experts who wrote Tallinn Manual 1.0 but highlighted the fact that States, through state practice and opinio juris, make customary international law and therefore emphasized the need for States to make known their views on how international law applies in cyberspace. Egan went on to articulate the U.S. positions with respect to three key issues. First, in the context of an armed conflict, any State cyber operation constituting an attack must comport with international humanitarian law (IHL), or the law of armed conflict, but not all cyber operations rise to the level of an “attack” within the meaning of IHL. To determine whether a cyber operation constitutes an attack, it is necessary to consider the resulting kinetic or non-kinetic effects of the operation, the nature and scope of those effects, and the connection, if any, between the operation and the particular armed conflict in question. Id. at 173. Second, regarding sovereignty and cyberspace, “remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimis effects.” Id. at 174. Third, Egan explained the circumstances under which a State might avail itself of the doctrine of countermeasures. As a foundational matter, before a State may employ countermeasures, it must identify an internationally wrongful act attributable to that other State. Id. at 178. 
Any countermeasures must be directed only against the State that committed the internationally wrongful act and must satisfy the principles of necessity and proportionality. Before a State may use countermeasures, it must issue a “prior demand” that the offending State cease its internationally wrongful act. Id. While Egan articulated the general requirement for a prior demand, he did not specify when such a demand might not be required.
In 2017, the NATO CCDCOE convened a larger group of experts that produced Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt ed., 2d ed. 2017). It contains 154 rules and, most importantly, expands the scope of its analysis to include State activities in cyberspace during peacetime. Tallinn Manual 2.0 also addresses intersecting legal regimes (e.g., State cyber operations and the U.N. Convention on the Law of the Sea). As with Tallinn Manual 1.0, the 2.0 version reflects the views of individuals and not necessarily the views of States, although some States have expressed their agreement with the Manual’s position on sovereignty. There are two views on sovereignty. The first is, generally, that sovereignty is a rule of international law and the violation of a State’s sovereignty amounts to a breach of an international obligation. This is the view of Tallinn Manual 2.0. The second view is that sovereignty is a legal principle that is reflected in international law but is not itself a rule. Under this view, to find a breach of an international obligation, one must first find the principle of sovereignty implemented in international law. The debate over sovereignty as rule or principle, which has implications for State cyber operations and international relations, is ongoing.
One of the most significant speeches on international law in cyberspace came on May 23, 2018, when U.K. Attorney General Jeremy Wright spoke at the Chatham House Royal Institute. Jeremy Wright, Att’y Gen., Cyber and International Law in the 21st Century (May 23, 2018). The speech marked the first time a U.K. official publicly stated the country’s positions on a number of issues. On the issue of sovereignty, Wright articulated the position that while sovereignty is fundamental to the international rules-based system, the United Kingdom does not recognize a specific rule of sovereignty in international law applicable in cyberspace. In describing cyber operations that might constitute a prohibited intervention, Wright’s examples include cyber operations that “manipulate the electoral system to alter the results of an election in another state, [or that intervene] in the fundamental operation of Parliament, or in the stability of” a state’s financial system. Id. Third, countermeasures are available to a State that is the victim of an internationally wrongful act provided they are both necessary and proportional, and designed to induce the hostile State to comply with its obligations under international law. Wright added that the United Kingdom does not understand international law to require prior notification of countermeasures because such a requirement might force a State to reveal intelligence sources and operational methods.
On May 29, 2019, Estonian President Kersti Kaljulaid spoke at the CCDCOE’s International Conference on Cyber Conflict, or CyCon, and introduced Estonia’s views on the application of international law in cyberspace. Kersti Kaljulaid, President of the Republic of Estonia, Remarks at the Opening of CyCon 2019 (May 29, 2019). Kaljulaid acknowledged that international law applies in cyberspace and that States are legally responsible for their cyber activities. She also laid out Estonia’s view that States have a responsibility to strengthen their resilience to cyber threats. She asserted that States have a right to “attribute” cyber operations in accordance with international law; that States have the right to respond to malicious cyber operations; and that States can employ countermeasures, including collective countermeasures, and invoke the inherent right of self-defense. In citing the right to self-defense, Kaljulaid tacitly acknowledged that cyber operations may, under some circumstances, amount to a use of force or armed attack. It is worth noting that the purported doctrine of collective countermeasures has received little attention in the discussions of how international law applies in cyberspace, and Kaljulaid’s speech may have been the first time a State took a position on the issue.
In September 2019, the French Ministry of the Armies (formerly the French Ministry of Defense) released a detailed statement regarding France’s views of international law applicable to State actions in cyberspace. Ministry of Defence of France, International Law Applied to Operations in Cyberspace, Sept. 9, 2019. This comprehensive document outlines French views on numerous issues, including sovereignty, intervention, use of force, self-defense, due diligence, and international humanitarian law. Of perhaps greatest importance is France’s position that sovereignty is a primary rule of international law and that one State’s actions in cyberspace generating physical effects in another State’s territory are a violation of State sovereignty. (France’s views on other issues of international law and cyberspace are too extensive to be described in this article.)
In March 2020, Paul Ney, General Counsel to the U.S. Department of Defense, delivered remarks at the annual U.S. Cyber Command legal conference. Paul C. Ney, Jr., Some Considerations for Conducting Legal Reviews of U.S. Military Cyber Operations, 62 Harvard Int’l L. J. Online 22 (2020). Ney affirmed the U.S. position that international law, particularly the law of armed conflict and the law of state responsibility, applies to cyber operations, and he reiterated the importance of looking to State practice and opinio juris to determine how international law regarding cyber operations is evolving. Id. at 35. Though Ney did not discuss sovereignty, he did refer to it as a principle, rather than a rule. Id. at 39. Regarding the law of state responsibility, Ney explained that the principle of non-intervention prohibits coercive intervention into the affairs of another State but noted that there is no consensus on what constitutes a prohibited intervention. Id. at 37.
Also in 2020, Roy Schöndorf, Israel’s Deputy Attorney General for International Law, delivered a speech articulating his country’s views on international law in cyberspace. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 97 Int’l L. Studies 395 (2021). Schöndorf outlined Israel’s view that a cyber operation may amount to a use of force if it is expected to result in physical damage or injury, just as if the operation were conducted by kinetic means. Id. at 398-99. Where that use of force can be considered an actual or imminent armed attack, then the aggrieved State has the right to act in self-defense. Id. at 399. On the issue of sovereignty, Schöndorf did not articulate a position but instead provided some considerations for evaluating why sovereignty matters, such as a State’s need to protect infrastructure located in its territory. Id. at 402. Schöndorf posited that it may be “that our understanding of territorial sovereignty in cyberspace is substantively different from its meaning in the physical world.” Id. at 403.
On July 13, 2021, the U.N. General Assembly published the Official Compendium of Voluntary Nat’l Contributions on the Subject of How Int’l Law Applies to the Use of Info. and Comm. Technologies by States Submitted by Participating Gov’tal Experts in the Group of Gov’tal Experts (2021 GGE Compendium Report), U.N. Doc. A/76/136 (July 13, 2021). The 2021 GGE was established pursuant to a 2018 General Assembly Resolution, which asked States to submit their views on how international law applies to State cyber activities. G.A. Res. 73/266. The goal was to advance a common understanding of international law in cyberspace and promote norms and confidence-building measures. The result was the 2021 GGE Compendium Report, a compilation of submissions from 15 States, namely, Australia, Brazil, Estonia, Germany, Japan, Kazakhstan, Kenya, the Netherlands, Norway, Romania, Russia, Singapore, Switzerland, the United Kingdom, and the United States.
On April 22, 2022, Canada published a statement articulating its views on a number of topics regarding international law in cyberspace. Gov’t of Canada, International Law in Cyberspace. Canada took the position that “[t]erritorial sovereignty is a rule under international law” but explained that “[t]he rule of territorial sovereignty does not require consent for every cyber activity that has effects, including some loss of functionality, in another State.” Id. Contrary to the position Estonia took in 2019, Canada concluded that there is not sufficient State practice or opinio juris to conclude that international law allows for collective countermeasures.
Most recently, on May 19, 2022, Suella Braverman, the U.K. Attorney General, reaffirmed the U.K.’s position that international law does not recognize a rule of sovereignty. Suella Braverman, Att’y Gen., International Law in Future Frontiers (May 19, 2022). Braverman also trod new ground by proposing that cyber activities that are disruptive to a State might be coercive and thus constitute a prohibited intervention. This view of coercion seems to push the boundaries of how a State might understand the principle of non-intervention. In practice, it might have the effect of characterizing as internationally wrongful activities that violate the principle of sovereignty but that do not reach the traditional threshold for coercion such that they might violate the rule of non-intervention. Braverman described activities that might constitute a prohibited intervention, including covert cyber operations that “coercively restrict or prevent the provision of essential medical services or essential energy supplies”; “coercively interfere with a State’s freedom to manage its domestic economy, or to ensure provision of domestic financial services crucial to the State’s financial system”; and “coercively interfere with free and fair electoral processes.” Id. Braverman’s examples of activities that might violate the rule of non-intervention include disrupting supply chains for essential medical services, disrupting the networks a State uses to raise and distribute revenue, and causing the systems that a State uses to register voters to malfunction. The examples are noteworthy in that they are not activities traditionally considered “coercive” in the context of prohibited interventions. Instead, they seem to expand the scope of coercion.
Possibilities for the Next Decade
As more States develop and employ cyber capabilities, the next decade will likely see development of both State practice and opinio juris regarding international law and cyber activities. Perhaps chief among them will be answers to the question of sovereignty as a rule or a principle of international law. Other matters demanding further clarification are the status of data as a protected object under international humanitarian law; whether an attack on financial systems constitutes a prohibited intervention or a use of force; to what extent an information or disinformation campaign rises to the level of a prohibited intervention; and whether collective countermeasures are lawful in a cyberspace context. A group of experts is already working on Tallinn Manual 3.0, and, with the increase of State positions as to how international law applies in cyberspace, further understanding is on the horizon. While the next decade is certain to bring more clarity on States’ views, rapidly advancing technology will likely continue to outpace international law and policy regarding State actions in cyberspace. All States and their vested interests in national security will benefit by working to catch up.
The views expressed herein are those of the authors and do not represent the official position of the U.S. Navy, Department of Defense, or U.S. Government.