In remarks last week, the Chief of Naval Operations, Admiral Mike Gilday, claimed, “We’re not fighting an enemy that people can see… And we’re not fighting a war where international norms exist. But make no mistake, we are in conflict day-in and day-out in the cyber realm.” The remarks were quickly followed by a tweet from the U.S. Cyber Command zeroing in on the Admiral’s observation as to the purported absence of international norms.
Admiral Gilday’s comments came on the heels of U.N. Secretary-General António Guterres’ own remarks last month in which he urged, “We also must usher in order to the Wild West of cyberspace,” a characterization of cyberspace most famously put forth by President Obama in a 2015 speech at Stanford University. Of course, neither Guterres nor Obama were suggesting that cyberspace is a legal void, for both the U.N. and United States have emphasized international law’s applicability for many years. Yet, reading between the lines, they seemed to be suggesting that international law somehow is not currently up to the task of governing cyberspace.
Compounding such apparent norm-skepticism is the unfortunate practice by some States of cherry-picking among international law rules when it comes to cyberspace. In 2017, for instance, the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) failed to reach agreement on including references to such basic international law rules as the right to “self-defense” and “international humanitarian law” in the consensus report that was supposed to have been issued by the group. Opposition came from Russia, China, Cuba, and several other States (see the U.S. reaction here).
A year later, the United Kingdom, although endorsing international law’s applicability generally, rejected the existence of a rule of international law prohibiting the violation of another State’s sovereignty. Thus, remote cyber operations from outside a target State would never violate that State’s sovereignty, although they might amount, for instance, to a violation of the prohibition on intervention. To date, the British government has offered no principled legal explanation of this position. Tellingly, the country found itself on the horns of a dilemma when the following year it labeled numerous Russian cyber operations as unlawful, but was unable to offer a justification for that characterization in light of its refutation of a rule requiring respect for the sovereignty of other States.
Considering these troubling developments, it is an appropriate moment to recall the significant progress made by the international community in terms of endorsing the applicability of international law in cyberspace, as well as identifying and interpreting its individual rules. Doing so will help arm those involved in that effort to rebuff the periodic “sky is falling” warnings that international law is either nonexistent or devoid of meaningful substance when applied to cyber operations.
Taming the Wild West
As the twentieth century came to a close, cyberspace was seen as a “lawless wild west,” a new borderless domain of competition and malicious activities bereft of normative rules defining impermissible behavior. Although the U.S. Department of Defense (DoD) General Counsel had tentatively begun to consider the matter late in the decade, and despite the convening of a first international conference on the issue at the Naval War College in 1998, many States and commentators questioned whether the extant rules of international law applied to what were then labeled “computer network attack” and “computer network exploitation” operations.
Indeed, in 1998, the U.N. General Assembly adopted a Russian-sponsored resolution inviting States to inform the Secretary General as to the “advisability of developing international principles that would enhance the security of global information and telecommunication systems and help to combat information terrorism and criminality.” In its report the following year, Russia claimed “contemporary international law has virtually no means of regulating the development and application of [an ‘information weapon’].” For its part, the United States observed that the “international community needs to do a substantial amount of systematic thinking before going further” with respect to identifying “principles pertaining to information security.” Neither it nor the United Kingdom mentioned international law in their own reports.
In the aftermath of the 9/11 attacks, the nascent attention being paid to the question of whether, and if so how, international law applies in cyberspace faded as the international law community turned its attention to issues of transnational terrorism and armed conflict. In the U.N., for instance, the first GGE convened in 2004 but no mention of international law appeared in its final report. This normative neglect ended abruptly with the 2007 cyber attacks launched from sites in over 175 countries (mostly Russia) against new NATO member Estonia and the use of cyber operations during the international armed conflict between Russia and Georgia the following year. These and other cyber incidents shocked the international community back into consideration of the role international law might play in constraining hostile cyber operations.
2013 was undoubtedly the watershed year in this regard, for it was in that year that the third GGE, which included all five permanent members of the Security Council, released a consensus report acknowledging that “international law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT [information and communications technology] environment.” Subsequently endorsed by the General Assembly, the GGE’s report specifically cited international law provisions addressing sovereignty, human rights, and State responsibility.
The events of 2007 and 2008 also led to establishment of the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) and the launching of a project (for which I served as the director) to examine how the law governing the use of force and international humanitarian law applied in cyberspace. The resulting Tallinn Manual on the International Law Applicable to Cyber Warfare, prepared by 20 international law experts, was published in 2013. The manual set forth 95 rules drawn from customary law that the international group of experts that drafted the document agreed applied in in the cyber context. It quickly became the “go to” source for cyber practitioners around the world.
The Current Legal Landscape of Cyberspace
Suggestions that cyberspace is a lawless void became no longer tenable after 2013, as that year initiated a flurry of activity regarding norms in cyberspace that continues today. The common thread running through all such efforts is that international law unquestionably applies in that domain; the question is now how it applies exactly. As noted in a 2019 letter from the Netherlands Ministry of Foreign Affairs to the Dutch Parliament,
“[I]nternational law is applicable in cyberspace. This is also recognised internationally. Nevertheless, there are still many unanswered questions concerning the precise manner in which international law should be applied in cyberspace. This is due to the unique characteristics of the digital world in comparison with the physical world. Digital data generally moves rapidly and is therefore often difficult to localise. It can be transferred to another country in a matter of seconds, and can be stored across a range of different countries. What is more, undesirable activity in cyberspace does not necessarily always have an immediate physical impact, even though its effects may nonetheless be serious. It is not yet entirely clear how these and other unique characteristics should be dealt with in the application of international law.”
At the U.N., a fourth GGE successfully produced a consensus report in 2015 that built upon its predecessor’s work; it too was endorsed by the General Assembly. The report not only expanded on the applicability of international law, but also set forth 11 voluntary, non-binding norms of responsible State behavior and proposed confidence-building measures to strengthen security and stability in cyberspace.
Although a fifth GGE was unable to reach consensus, in late 2018 the General Assembly approved the convening of a sixth GGE upon the recommendation of the United States and its key partners. This sixth GGE, which will conclude its work in 2021, was tasked with continuing the earlier efforts to identify, and craft agreements regarding, both binding and non-binding norms for cyberspace. At the same time, on the recommendation of Russia, an Open-Ended Working Group (OEWG) was formed for the same purpose. The underlying General Assembly resolution confirmed “the international rules, norms and principles of responsible behavior of States” identified in 2013 and 2015, restating the 2015 version verbatim.
The key difference between the groups is that whereas the GGE consists of 25 States (including the P5) selected by the Secretary-General on the basis of equitable geographical distribution, the OEWG is open to all States and is being informed by a multi-stakeholder process. Although the wisdom of having two parallel U.N. processes with the same mission has been questioned, at the very least they signal the extent to which U.N. member States share the view that international law plays a central role in shaping the behavior of States and non-State actors in cyberspace.
Other international organizations have taken the same stance. For instance, in its 2013 Cyber Strategy, the European Union noted that “[t]he same laws and norms that apply in other areas of our day-to-day lives apply also in the cyber domain,” and therefore “[i]n its international cyberspace policy, the EU will … apply existing international laws in cyberspace.” In 2018 its Council reaffirmed that “[t]he EU will continue strongly to uphold that existing international law is applicable to cyberspace and emphasises that respect for international law, in particular the U.N. Charter is essential to maintaining peace and stability.” NATO took precisely the same position in its 2014 Wales Summit Declaration, 2016 Warsaw Summit Declaration and Cyber Defence Pledge, highlighting the applicability of international humanitarian law to cyber aspects of armed conflicts. In 2017, the Organization for Security and Cooperation in Europe “[r]eaffirm[ed] that efforts by OSCE participating States to reduce the risks of conflict stemming from the use of information and communication technologies will be consistent with: international law, including, inter alia, the U.N. Charter and the International Covenant on Civil and Political Rights; the Helsinki Final Act; and their responsibilities to respect human rights and fundamental freedoms.” The 57 OSCE “participating States” span North America, Europe, and Central Asia. Among the P5 States, only China does not participate in the OSCE.
Outside the Euro-Atlantic space, other international organizations have taken similar stands on the issue. The BRICS (Brazil, Russia, India, China, and South Africa) heads of state, in their 2017 Leaders Xiamen Declaration, with respect to ICTs, “emphasize[d] the paramount importance of the principles of international law enshrined in the Charter of the United Nations, particularly the state sovereignty, the political independence, territorial integrity and sovereign equality of states, non-interference in internal affairs of other states and respect for human rights and fundamental freedoms.” Clearly, the BRICS countries see international law as a shield against interference by other States, an approach that some other countries view as an effort to avoid condemnation of their compliance with human rights norms. However, this is a dispute over how to interpret international law when balancing some of its specific rules, not the applicability of international law.
Other noteworthy statements through which member States of international organizations and groupings have confirmed the applicability of international law include the 2018 Association of Southeast Asian Nations Leaders’ Statement on Cybersecurity Cooperation, the ASEAN-Russia and ASEAN-United States joint statements of the same year, and the 2019 ASEAN-EU joint statement. In Latin America, the Organization of American States’ Inter-American Committee against Terrorism, in its 2015 Declaration on Protection of Critical Infrastructure, affirmed the commitment of member States “with full respect for national sovereignty, the rule of law, and international law, including international humanitarian law, international human rights law, and international refugee law” when dealing with terrorism.
In that they are consensus documents, the statements of international organizations regarding international law and cyberspace tend to be broadly crafted. Individual states, however, do not operate under the same constraint. In the past few years, the United Kingdom, France (see also here, here, and here), and the Netherlands (see also here) have produced granular statements outlining their positions on important aspects of international cyber law. In 2017 and 2019 annexes to its International Cyber Engagement Strategy, Australia did likewise. Moreover, during the GGEs, numerous States made submissions that are contained in the various reports of the Secretary-General. A number of states have also recently submitted working papers to the OEWG setting forth their positions on the matter, including Canada, China, Iran, Japan, the Netherlands, Switzerland, and the United Kingdom.
The United States has long confirmed the applicability of international law to cyber operations during both peacetime and armed conflict. Especially noteworthy in this regard are speeches by State Department Legal Advisers Harold Koh (2012) (see also here) and Brian Egan (2016). The professed U.S. commitment to applying international law in cyberspace is further reflected in Trump Administration’s 2018 National Cyber Strategy, which provides, “International law and voluntary non-binding norms of responsible state behavior in cyberspace provide stabilizing, security-enhancing standards that define acceptable behavior to all states and promote greater predictability and stability in cyberspace.”
Military doctrine and policy confirm this commitment. Chairman of the Joint Chiefs of Staff (CJCS) Joint Publication 3-13, entitled Information Operations, provides that “The U.S. Constitution, laws, regulations, and policy, and international law set boundaries for all military activity, to include IO [information operations]. Whether physically operating from locations outside the U.S. or virtually from any location in the information environment, U.S. forces are required by law and policy to act in accordance with U.S. law and the law of war.” Although the unclassified summary of the 2018 DoD Cyber Strategy and the U.S. Cyber Command’s Command Vision document make no mention of international law, the DoD Law of War Manual devotes an entire chapter to the legal aspects of cyber operations. It is crystal clear that U.S. military policy requires compliance with international law in cyberspace when executing the strategy of “persistent engagement” and the operational concept of “defending forward” set forth in the DoD cyber strategy and U.S. Cyber Command Vision. This is a position echoed by other countries (see, e.g., Denmark and New Zealand) and championed by the ICRC.
The effort to identify the applicable international law and appropriate norms of behavior for cyberspace is an unprecedented multi-stakeholder endeavor. The academic community has been extremely active, most notably in producing Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations in 2017. The manual, which builds upon its predecessor by dealing with peacetime international cyber law, is highly granular, consisting of 154 rules with over 550 pages of commentary. Additionally, Chatham House has recently become active in the field, convening expert meetings of government officials, academics, and representatives of non-governmental organizations.
Other parts of the private sector have also been deeply involved in the effort to identify applicable norms, often in cooperation with States, academia, and broader civil society. Prominent examples of multi-stakeholder programs include the Global Commission on the Security of Cyberspace, Paris Call for Trust and Security in Cyberspace, and the Cyber Peace Institute, while Microsoft’s Digital Geneva Convention, the Cyber Security Tech Accord, and the Cybersecurity Charter of Trust.
The Devil is in the Details
While there is now near universal acceptance of international law’s applicability in cyberspace among States, robust debates surround numerous specific rules. The British rejection of sovereignty as a rule of international law, for instance, has been opposed by both France and the Netherlands. To date, no State has publicly followed the U.K. lead. This is understandable, for the U.K.’s sovereignty stance is not a challenge specific to cyber. Rather, it is an antecedent question of the content of international law that the U.K. is contesting. Should its view prevail, there would be negative ramifications well beyond the issue of remotely conducted hostile cyber operations by other States.
Interestingly, last week the U.K. condemned, along with numerous other States, Russia’s October 2019 “cyber-attacks in an attempt to undermine Georgia’s sovereignty,” stating that “[t]he Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries, or become a responsible partner which respects international law.” Whether this signals a return to acceptance of sovereignty as a rule of law in cyberspace remains to be seen. If so, discussion can move back to where it should be – over the nature of cyber operations that violate the rule rather than its existence. So far, only France has opined on that matter, asserting that cyber operations causing “effects” on French territory violate its sovereignty.
Enjoyment of the right of sovereignty come with corresponding legal obligations. A number of nations, including the Netherlands and France, have taken the position that there is a rule of due diligence applicable in cyberspace requiring States to take feasible measures to put an end to hostile cyber operations from or through their sovereign territory that cause serious adverse consequences with respect to the rights of other countries. However, consensus on this matter has unfortunately proven elusive and therefore the notion of due diligence appears in the guise of a voluntary, non-binding norm, rather than a binding rule of law, in the 2015 GGE report.
Also unsettled is the threshold for the prohibition on the use of force found in Article 2(4) of the U.N .Charter and customary international law in the context of cyber operations. There appears to be agreement that that those causing physical damage or injury beyond a de minimis level qualify, and there has been little opposition to the suggestion in Tallinn Manual 2.0 that cyber operations interfering in a permanent manner with the functionality of cyber infrastructure also amount to a use of force. However, no consensus has emerged as to cyber operations generating consequences below that level.
In this regard, the Netherlands has noted, “At this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force,” while France has asserted, “In the absence of physical damage, a cyber-operation can be considered use of force in the light of several criteria,…such as the origin of the operation and the nature of the instigator (military or non-military), the degree of intrusion, the effects caused or sought by the operation, or the nature of the target. These criteria are, of course, not exhaustive.” The French approach mirrors that proposed in Tallinn Manual 2.0.
Other issues likewise remain ambiguous. As with the use of force question, the threshold for an armed attack permitting a State to resort to force in self-defense pursuant to Article 51 of the U.N. Charter and customary international law is unclear, especially when the cyber operation does not cause significant death or damage. Although a few states have hinted that such damage may not be a criterion for an armed attack, only France has openly taken the view that “[a] cyberattack could be categorised as an armed attack if it caused substantial loss of life or considerable physical or economic damage.”
Should the conditions for self-defense not be met, States may sometimes resort to countermeasures pursuant to the law of State responsibility. However, agreement is lacking with respect to whether collective countermeasures, in the sense of a third-party State conducting the countermeasure on behalf of the injured State or providing that State assistance in taking the countermeasure, are permissible. Estonia has taken a firm position that collective countermeasures are available (see here), while France has taken the view that they are not. To some extent, this difference may be explained by the relative cyber capacity wielded by the two nations.
Election meddling is also a matter of current contention. A cyber operation altering voting returns or disabling or otherwise manipulating voting machinery would undeniably qualify as a prohibited intervention into the internal affairs of another State. However, it is unclear where the line between the unlawful act of intervention, which requires a coercive element, and influence, which is generally deemed lawful, lies. In this regard the Netherlands has suggested that “[t]he development of advanced digital technologies has given states more opportunities to exert influence outside their own borders and to interfere in the affairs of other states. Attempts to influence election outcomes via social media are an example of this phenomenon. International law sets boundaries on this kind of activity by means of the non-intervention principle.”.
And although the greatest degree of consensus may have been reached with respect to the application of international humanitarian law rules to cyber operations during an armed conflict, some issues remain disputed. Prominent among these are the exact threshold at which cyber operations alone may initiate an international armed conflict, the meaning of the term “attack” in the cyber context, and whether data is an object that enjoys the protection resident in the prohibition on attacking civilian objects, the rule of proportionality, and the requirement to take precautions in attack (see here). But let’s also be clear. These debates are generally of the same character as other debates about specific legal questions in the kinetic domain. It would be extraordinary if cyber somehow escaped those kinds of academic discussions, disagreements, and efforts to reach a consensus or identify prevailing views.
With all due respect to the norm-skeptics, international law is alive and well in cyberspace. What’s more, aggressive efforts to mature the global community’s understanding of how international law applies to cyberspace are underway in multinational, national, multi-stakeholder, academic, and private sector fora. While it is no doubt true that further clarity is needed, and that compliance and enforcement must be improved, the trend is very positive overall. In this regard, U.N. efforts are particularly noteworthy, coming as they do so quickly on the heels of the unsuccessful 2016–2017 GGE. The increased willingness of States to name and shame offenders, as occurred last week with respect to cyber attacks against Georgia, is likewise encouraging. Other positive signs include the readiness of States to discuss voluntary, non-binding norms of responsible behavior when they cannot reach agreement over the legal status of a purported rule, as well as effort to craft confidence building measures in regional fora such as the OSCE, Organization of American States, and ASEAN. We need to encourage this normative journey in cyberspace, not overlook, belittle, or exploit it.
All such efforts are to be applauded because while normative ambiguity in cyberspace is destabilizing, normative clarity can help deter harmful cyber operations and lower the risk of escalation. The alternative is a return to the Wild West of the last century.
Image: Cyber operations on mission in the 780th Military Intelligence Brigade operations center at Fort Meade, Md. U.S. Army Cyber Command.