Last Thursday, State Department Legal Adviser Brian Egan delivered an important speech at Berkeley Law School on the relationship between international law and cyber activities.  It was significant in two regards. First, it added granularity to the US positions regarding how international law in such areas as IHL, sovereignty, and State responsibility applies in cyberspace. Second, and perhaps more importantly, Mr. Egan came out strongly in favor of transparency vis-à-vis State legal views on the matter. His stance has the potential to engender greater, and desperately needed, transparency on the part of other States.

In this post, I first briefly trace the maturation of the US perspective on whether and how international law applies to cyber activities.  I then discuss what I believe to be the three highlights of the Egan speech.  In both cases, I will make comparative reference to the work of the experts involved in the Tallinn Manual Process. That process began in 2009 in the aftermath of widespread transborder cyber attacks against Estonia two years earlier and the use of cyber operations during the 2008 international armed conflict between Georgia and Russia.  The events caught States and the academic community flatfooted as they were forced to grapple with such threshold issues as whether international law applied at all to this “fifth domain.” In response, the newly established NATO Cooperative Cyber Defence Centre of Excellence undertook a multi-year project to assist States in understanding whether and how international law affects their cyber operations, and those directed against them.  The resulting 2013 Tallinn Manual dealt with conflict law and cyber warfare, while Tallinn 2.0, due out next January, analyses how peacetime legal regimes apply to activities in cyberspace.

I. Evolution of US position on international law and cyber activities

Although the Tallinn Manual experts were able to identify 95 rules of international law applicable to cyber warfare by 2012, States were slower to take a stand, presumably out of concern that doing so might limit their own freedom of action in cyberspace’s uncertain future.  For instance, while US Cyber Command was established in 2009, it was only in late 2012 that the United States began to disclose its key legal positions, most notably in a speech by then State Department Legal Adviser Harold Koh affirming that cyberspace is not a “law free zone.”

Despite its slow start, the United States fast became a thought leader in the field. Much of its work was accomplished in the context of the United Nations Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security.  Initially, the GGE moved cautiously in identifying legal norms for cyberspace.  In its 2013 report, it merely confirmed the applicability of the UN Charter and stated that “State sovereignty and international norms and principles that flow from sovereignty [apply] to State conduct of ICT [information and communications technology]–related activities.” Reportedly, and remarkably, the GGE was even unable to achieve consensus on the applicability of IHL to cyber operations conducted during armed conflicts.

Following issuance of the report, a reconfigured GGE continued the work of identifying legal norms for cyberspace.  In a 2015 report, it provided greater depth, agreeing, inter alia, that:

(a) States have jurisdiction over the ICT infrastructure located within their territory;
(b) In their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other States. Existing obligations under international law are applicable to State use of ICTs. States must comply with their obligations under international law to respect and protect human rights and fundamental freedoms;

(d) The Group notes the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction;
(e) States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts;
(f) States must meet their international obligations regarding internationally wrongful acts attributable to them under international law.…

The GGE’s 2015 report still displayed some degree of trepidation in committing to legal positions. For instance, subparagraph (d) seems to suggest the applicability of, but curiously omits any direct reference to, IHL, while subparagraph (e) hints at a due diligence obligation for States from which non-State actors mount hostile cyber operations, but is expressed in purely hortatory terms. Moreover, although citing the prohibition on the threat or use of force, the report makes no mention of the right to self-defence against cyber armed attacks.

Lying in stark contrast to the report was the October 2014 US submission to the GGE.  It represents the most significant statement by a major global cyber player as to whether and how international law applies. It is especially noteworthy that the submission was made public, thereby enhancing its import and impact in a field in which State practice is often highly classified.

Although the submission began by acknowledging the unique challenges posed by cyber activities, it pointed out that “similar challenges have been confronted when applying existing international law to other new technologies and situations. But the challenge is not whether existing international law applies to State behaviour in cyberspace…. The challenge is providing decision-makers with considerations that may be taken into account when determining how existing international law applies ….”  This was precisely the operating principle that animated the Tallinn Manual Process from its first days.

The US submission went on to build on its previously acknowledged positions. Interestingly, in nearly every case its conclusions and those of the majority of the Tallinn Manual experts were essentially identical. For instance, the United States contended that the determination of whether a cyber operation amounts to a use of force or armed attack is contextual, although those that “result in death, injury, or significant destruction, or represent an imminent threat thereof, would likely be viewed as a use of force/armed attack.”  Factors cited as meriting consideration in non-destructive or non-injurious cases included the perpetrator, the target, the intent of the perpetrator, and the effects of the cyber activity.  As the Tallinn Manual does, the submission observed that a response in self-defense need not be in kind; a cyber use of force is permissible in response to a kinetic armed attack, and a kinetic use of force in response to a cyber armed attack. Further, defensive responses are subject to the requirements of proportionality and necessity. Therefore, before resorting to self-defense, “States should consider whether passive cyber defenses or active defenses below the threshold of the use of force would be sufficient to neutralize the armed attack or imminent threat thereof.”  Of particular significance is the treatment of situations in which non-State actors conduct hostile operations from the territory of another State.  Like the Tallinn Manual’s majority, the United States has adopted the “unwilling/unable” approach, including the various limitations thereon that had been articulated earlier in the Manual.

As to “below the threshold” cyber operations (those not rising to the level of either a use of force or armed conflict), the US submission emphasized the centrality of the principle of sovereignty and the resulting requirement to take the sovereignty of other States into account when conducting cyber operations. It further stressed that international human rights obligations may limit the exercise of sovereignty, citing both the Universal Declaration of Human Rights and the ICCPR.

The submission went on to highlight various aspects of the law of State responsibility, including the attribution of non-State actor cyber operations to States. Both the submission and the Tallinn Manual adopted the standard set forth by the International Law Commission in its Articles on State Responsibility: acting on “the State’s instructions or under its direction or control.” Reading between the lines, the submission seemed to reject the notion of forcible countermeasures, as did the majority of the Tallinn Manual’s experts. It also highlighted limitations on the exercise of countermeasures, such as the requirement that the injured State call on the responsible State to comply with its international obligations before launching cyber countermeasures, except in the case of urgent countermeasures that are “necessary to preserve the injured State’s rights.”

By setting forth its views with unprecedented specificity, the United States signaled its commitment to transparency. Mr. Egan’s speech continues to push the envelope in this regard.   He and his team have grasped, as many in this and other countries have not, that an essential means of maintaining cyber stability is compliance with international law. In particular, he laments the “relative vacuum of public State practice and opinio juris concerning cyber activities.” Accordingly, “States should publicly state their views on how existing international law applies to state conduct in cyberspace to the greatest extent possible in international and domestic forums.” As director of the Tallinn Manual group, I am encouraged by this attitude, for one of our key purposes was to assist States in crafting and accurately articulating their legal positions.

II. Three highlights in the Egan speech

Three aspects of the Egan speech merit particular attention. First, Mr. Egan confirms the US commitment to compliance with IHL during cyber operations in armed conflict. For example, he states that cyber attacks on military objectives must comply with the principle of distinction, the rule of proportionality, and the requirement to take feasible precautions in attack. He also highlights the continuing debate over the meaning of the term “attack” in the cyber context. This is a critical discussion because many IHL prohibitions are framed in terms of “attack”: do not attack civilians or civilian objects, take precautions in attack, and so forth. Unfortunately, Mr. Egan sheds little light on the US position as to the legal meaning to be attributed to the term, which is somewhat disappointing in light of the commitment expressed in the speech to legal clarity and transparency. But for that matter the DoD Law of War Manual also sidestepped this foundational conduct of hostilities issue.  My own view is that any cyber operation that affects the functionality of cyber infrastructure in a meaningful way qualifies. In other words, if the cyber infrastructure does not perform the function for which it was intended, it has been “attacked.”

Another key IHL topic left unaddressed thus far is the legal status of data. There is a fervent debate as to whether data constitutes an object, such that a cyber operation that destroys or alters civilian data is an unlawful attack on a civilian object. The issue is highly problematic because styling data as an object would make for an over-inclusive rule (e.g., would rule out cyber psyops), whereas concluding that data is not an object, as the majority did in the Tallinn Manual, under-protects the civilian population. In light of this dilemma, I have suggested elsewhere that States consider a policy of prohibiting cyber operations that negatively affect “essential civilian services and data,” one that could eventually crystallize into a customary norm.

Second, Mr. Egan takes on sovereignty in cyberspace, a hot legal policy topic in Washington and abroad. Disagreement exists as to whether sovereignty is merely a foundational principle of international law undergirding such primary norms as non-intervention or instead is a primary norm in itself that can be violated.  A majority of the Tallinn Manual 1.0 and 2.0 experts took the latter approach.

Although the speech lacks the surgical precision one would hope for in this regard, it seems to adopt the same position as the experts. Mr. Egan contends, correctly in my view, that remote cyber operations do not constitute a per se violation of international law, pointing to the extensive State practice of espionage by remote means. Nevertheless, he notes that “[p]recisely when a non-consensual cyber operation violates the sovereignty of another State is a question lawyers within the U.S. government continue to study carefully, and it is one that ultimately will be resolved through the practice and opinio juris.” This issue of when (albeit not if) a cyber operation violates the sovereignty of another State was an issue with which the Tallinn Manual experts struggled mightily and on which consensus proved unachievable. My own view is that a cyber operation launched from outside a State’s territory resulting in any damage or injury in that State is clearly a breach of its sovereignty when conducted by or attributable to another State. Moreover, any such operation that causes cyber infrastructure to function in a manner in which it was not intended to operate is likewise a breach of sovereignty, as is any damage or alteration of data by remote means.

Related to sovereignty is the prohibition on unlawful intervention, which renders unlawful a cyber operation that is coercive in nature and intrudes on the domaine réservé of another State.  As Mr. Egan observes, more work needs to be done by States to refine the concept in the context of cyberspace. Consider the DNC hack by the Russian government. Clearly, elections fall within a State’s domaine réservé. Yet does the exfiltration and posting of material suffice as coercion, that is, does it somehow compel a State to do something it would not otherwise do, or to refrain from an action in which it would otherwise engage? [See Sean Watts’ Just Security post here].

Mr. Egan importantly confirms the US view that although sovereignty gives States the right to control cyber infrastructure and activities on their territory, the exercise of that right is subject to international human rights law. Although the Tallinn Manual group unanimously agreed, they learned quickly that applying this principle to concrete situations is exceptionally difficult. Doing so necessitates identifying those international human rights that are customary in nature. Then, in light of the fact that many cyber operations are conducted remotely into other States, it requires identifying to whom States owe the human rights obligations in question. And, in that regard, what is effective control in the cyber context and can it be exercised virtually?

I will note, with a degree of disappointment, that the United States has failed to address the unsettled issue of due diligence head-on. The Tallinn Manual experts concluded that States have a due diligence obligation to ensure that hostile cyber operations, including those by non-State actors, are not launched from or through their territory against another State. The issue is extraordinarily complex and occupies a major section of the forthcoming Tallinn Manual 2.0. The issue would benefit from clarification by States as to whether they believe the norm is lex lata, and, if so, the extent of harm that must be caused for the obligation to attach, as well as whether transit States are subject to it.

Third, Mr. Egan addresses the law of State responsibility. Beginning with attribution, an issue that is inevitably raised in discussions of international law in cyberspace, he usefully distinguishes between technical, political, and legal attribution. As the Tallinn Manual experts did, Mr. Egan seems to rely on the standards set forth by the International Law Commission, for example by restating the US position outlined in the 2014 submission regarding attribution of cyber operations by non-State actors. Of course, the devil is in the detail; how the United States will interpret the notion of instructions or direction or control (effective control) in the cyber context remains to be seen.

During the Tallinn Manual Process, a few of the experts met with States as part of the “Hague Process” that was sponsored by the Dutch Ministry of Foreign Affairs.  The Hague Process brought together 50 nations in a series of three meetings to discuss the Manual in a closed, non-attribution environment. Persistent questions surrounded the burden and standard of proof for attribution. The Tallinn Manual group was of the view that States must act reasonably under the circumstances, as did Mr. Egan in his speech. Further, the group generally took the position that there is no legal obligation to publicly provide the evidence upon which attribution is based despite claims to the contrary by a few States.  Again, this is the stance articulated in the Egan speech.

Mr. Egan makes an important contribution regarding the legal options available to States facing hostile cyber operations by, or attributable to, other States. In doing so, he takes the same approach that will be developed fully in Tallinn Manual 2.0.

To begin with, a State may always reply by means of retorsion, that is, a cyber or other action that is unfriendly but lawful. For instance, a State, in the exercise of its sovereign prerogative, may deny another State access to infrastructure located on its territory. Next, another State’s hostile cyber operations that violate international law open the door to countermeasures. Countermeasures are acts by an “injured State” that would be unlawful but for the fact that they are designed to cause the “responsible State” to cease its unlawful conduct. Mr. Egan and the majority of the Tallinn Manual experts concur on certain legal restrictions on countermeasures. For example, he notes that they must be proportionate, generally may occur only after notification to the responsible State (he would, like the experts, presumably subject the requirement to a condition of feasibility in the circumstances), and may only be designed to cause the responsible State to comply with its international law obligations.  Additionally, he makes the fine, and very important albeit oft forgotten, point that States take countermeasures at their own risk. A State that takes countermeasures against another State after incorrectly attributing a cyber operation to the latter is itself responsible for an internationally wrongful act.

Finally, Mr. Egan highlights the plea of necessity, which is seldom discussed in the context of cyber activities.  The Tallinn Manual group identified the issue in the first edition, and Tallinn Manual 2.0 pays particular attention to it.  This is because the plea of necessity does not require that the harmful cyber operation be conducted by, or attributable to, a State. Thus, it is available in response to operations conducted by non-State actors or in situations in which the author of a cyber operation is unknown. It must be cautioned that responses based on the plea are only permissible when the hostile cyber operations in question place an “essential interest” of the State in “grave peril.” Nevertheless, it is significant that the United States has acknowledged, and highlighted, the existence of the plea.

As should be apparent, I applaud Mr. Egan for his emphasis on the need for greater transparency of State positions vis-à-vis international law in cyberspace. I hope his speech reflects a trend among States more broadly of seeking to ascertain the boundaries international law sets with regard to cyber activities before deciding what cyber policies and practices to adopt in their international relations.

The views expressed in this article are those of the author in his personal capacity and do not reflect the views of his employers.

Editor’s Note: For more on this general topic, see Sean Watts’ piece from last month, International Law and Proposed U.S. Responses to the D.N.C. Hack, and our coverage of related legal and policy issues.