As the incidence of maligned cyber operations increases, there is a burgeoning need for an international code of conduct between states – a “cyber relations manual.” Given the novel and preeminently intangible characteristics of cyber, the application of laws designed for kinetic activity to this domain presents several challenges that have impeded further development of legal frameworks. Fundamental principles of international law – thresholds, sovereignty, and attribution – prove particularly challenging to translate to the cyber environment, as demonstrated by the expert opinions set forth in the Tallinn Manual.
Thresholds - International law would come into play when a cyber operation conducted within the context of an international armed conflict breaches a threshold that qualifies it as a “use of force” equal to kinetic activity. According to Rule 30 of the Tallinn Manual, a cyber operation would be a cyber attack if “reasonably expected to cause injury or death to persons or damage or destruction to objects.” Considering the intangible nature of a cyber operation, physical damage is a tall, but certainly not impossible, order. Interestingly, the more pressing concerns of surveillance malware, cyber espionage, and financial crimes would likely be relegated to the domestic arena as cyber crime.
Sovereignty - International law is grounded in state sovereignty, a somewhat abstract concept that has underpinned the architecture of world order since Westphalia: the independent authority of a government exercised over a discrete geographic area. Conversely, it would seem that the architecture of the cyber environment has developed outside modern notions of geopolitics, especially given that its end product, information, transcends all geopolitical and social boundaries.
However, a physical infrastructure underlies the cyber environment, from one nation’s servers to undersea cables linking continents to satellites bouncing signals overhead. This infrastructure is owned piecemeal by individual nations and is therefore subject to international law. As such, a nation exercises sovereign control over the cyber infrastructure inside its territory or in its possession; a nation also has jurisdiction over any cyber activities conducted within itsterritory as well as those that use its infrastructure, whether such activities originate within its territory or are simply passing through.
Attribution - Cyber activity lends itself to anonymity via multiple layers of abstraction. To oversimplify, a cyber operation can be launched by a citizen of State A from the territory of State B and target State C. The citizen of State A can use various techniques at the point of origin to obscure his identity as well as route the operation through any number of nations and infrastructures between the operation’s launch in State B, and its target, State C.
Determining responsibility for a cyber operation requires both the technical ability to trace the operation back to its creator – an effort that fails more often that it succeeds – and a legal framework by which to assign responsibility. If the perpetrator of a cyber attack were to be found, assigning responsibility remains a complicated matter because it is not relegated solely to the perpetrator. The operation’s point of origin, the infrastructures through which it passed, its target, resulting damage, and jurisdiction at each node in the attack would also factor into any determinations on state-level culpability.
Technology has historically preceded the law. Cyber operations have already far outpaced the development of legal frameworks, which face challenges in translating fundamental principles of international law to the cyber domain. While a cyber operation that unequivocally breaches international law may have yet to occur, the current absence of a legal framework enables actors deserving of punitive action to operate without accountability. It also leaves open the future potential for false-positives (incorrect assignments of responsibility) and unintended consequences. Koh’s address was well-timed. There is a growing demand to understand how international law applies in the cyber environment, and it is essential that the U.S. have a leading role in the discussion.
Boyle is an adjunct fellow at the non-partisan American Security Project
International law takes on cyber: significant challenges ahead
In his speech, Koh outlined ten principles guiding U.S. efforts on cyber engagement in the international space, most of which align with key provisions of the Tallinn Manual on the International Law Applicable to Cyber Warfare. Released in early September by NATO's Cooperative Cyber Defense Center of Excellence (CCD COE), the draft unofficial document was compiled from the opinions of legal and technical experts, and examines how existing international law, jus ad bellum and jus in bello, applies to the cyber environment.