This article is the latest in our Fog of Law series that examines the gray zones in international law and conflict that can be exploited by states. The series comes in advance of an expert workshop on the topic at the US Naval War College’s Stockton Center that Just Security is cosponsoring with the Naval War College and the International Committee of the Red Cross.
Next week, the US Naval War College’s Stockton Center, in collaboration with New York University Law School, Just Security and the International Committee of the Red Cross, will host an experts workshop on the “Fog of Law.” There is no issue concerning the application of international law to cyberspace for which the “fog of law” is thicker than that of sovereignty. It is one with existential consequences for application of the principle and it has caught the international community somewhat by surprise.
Two Tallinn Manual groups of experts explored applicability of the principle to cyber operations between 2009 and 2017. The first concluded in Rule 1 of the 2013 Tallinn Manual that “A State may exercise control over cyber infrastructure and activities within its sovereign territory.” It explained,
A cyber operation by a State directed against cyber infrastructure located in another State may violate the latter’s sovereignty. It certainly does so if it causes damage. The International Group of Experts could achieve no consensus as to whether the placement of malware that causes no physical damage (as with malware used to monitor activities) constitutes a violation of sovereignty.
In other words, a cyber operation causing physical damage to either governmental or private cyber infrastructure violates the sovereignty of the state into which it is conducted and accordingly amounts to a breach of international law. As such, it opens the door to the taking of countermeasures in response. Countermeasures are proportionate actions by the “injured” state that would be unlawful but for the fact that they are designed to put an end to the “responsible” state’s unlawful conduct, in this case a sovereignty violation. The experts agreed that only cyber operations conducted by, or attributable to, states violate the prohibition, although they acknowledged that there is an “embryonic view” that non-state actors may do so as well.
The first group of experts only scratched the surface of the subject. Therefore, the experts who prepared Tallinn Manual 2.0 between 2013 and 2017 examined it with greater granularity. This group, more geographically diverse in composition than its predecessor, agreed unanimously with their Tallinn Manual counterparts. Rule 4 of Tallinn Manual 2.0 thus provides, “A State must not conduct cyber operations that violate the sovereignty of another State.” With respect to remotely conducted cyber operations, they concurred that whether sovereignty has been violated depends on
(1) the degree of infringement upon the target State’s territorial integrity; and (2) whether there has been an interference with or usurpation of inherently governmental functions. The first is based on the premise that a State controls access to its sovereign territory… and the second on the sovereign right of a State to exercise within its territory ‘to the exclusion of any other State, the functions of a State’.
With no opposition to treatment of sovereignty as a primary rule of international law, the “grey zone,” in their estimation, lay in its parameters. As to the first basis for violation, a majority of the experts were of the view that damaging cyber operations, including those that interfere in a relatively permanent way with the functionality of the targeted cyber infrastructure, qualify as a violation, although agreement could not be reached on the precise scope of the concept of loss of functionality. Beyond these situations, they could achieve no consensus.
The Experts who were willing to characterize as violations of sovereignty cyber operations falling below the threshold of loss of functionality proffered a number of possibilities. These included, but were not limited to, a cyber operation causing cyber infrastructure or programs to operate differently; altering or deleting data stored in cyber infrastructure without causing physical or functional consequences, as described above; emplacing malware into a system; installing backdoors; and causing a temporary, but significant, loss of functionality, as in the case of a major DDoS operation.
As to the second ground, a grey zone exists with regard to the notion of “inherently governmental function.” Some functions are obviously inherently governmental in nature, such as conducting elections, collecting taxes, and national defense. But beyond these self-evident examples, the universe of inherently governmental functions becomes less clear. Interestingly, all of the various interpretations of the sovereignty rule looked to the same justification – “the object and purpose of the principle of sovereignty that affords States the full control over access to and activities on their territory.”
In short, the Tallinn Manual and Tallinn Manual 2.0 experts agreed that sovereignty is both a principle of international law from which certain rules, such as the prohibition of intervention into the external or internal affairs of other states, derive, and a primary rule of international law susceptible to violation. For them, the challenge is to identify the sorts of cyber operations that cross the violation line. While there was agreement that cyber espionage, in light of extensive state practice to the contrary, does not, per se, violate sovereignty and that damaging cyber operations do, between these extremes the law remains unsettled.
This approach was vetted with many expert peer reviewers, as well as delegations from over 50 states and international organizations that participated in “the Hague Process,” a Dutch Ministry of Foreign Affairs initiative to bring officials dealing with cyber affairs together to comment on draft text of Tallinn Manual 2.0. With minor exceptions, no meaningful objection to the aforementioned approach was voiced.
Tallinn Manual 2.0 was released in February 2017. Soon thereafter, the fog of law rolled in. A memo issued to the U.S. Combatant Commands’ Staff Judge Advocates and The Judge Advocate Generals of the services appeared to question the treatment of sovereignty as a primary rule of international law. However, after circulating widely internationally, it was designated “For Internal Use” and therefore cannot be discussed here. Fortunately, the Staff Judge Advocate of US Cyber Command, Colonel Gary Corn and former DoD OGC attorney Robert Taylor addressed the matter in an important contribution to AJIL Unbound (but see the response here). Speaking in their private capacities, they laid out an alternative approach that has sparked a lively ongoing discussion among practitioners and academics. For them,
law and state practice instead indicate that sovereignty serves as a principle of international law that guides state interactions, but is not itself a binding rule that dictates results under international law. While this principle of sovereignty, including territorial sovereignty, should factor into the conduct of every cyber operation, it does not establish an absolute bar against individual or collective state cyber operations that affect cyberinfrastructure within another state, provided that the effects do not rise to the level of an unlawful use of force or an unlawful intervention.
Corn and Taylor noted that “Since the rise of the modern nation-state, countries have applied the doctrine of sovereignty in different ways, at times developing specific international law regimes tailored to the particular circumstances.” But they argued that, as yet, rules of international law that address remotely conducted cyber intrusions have yet to emerge from the principle of sovereignty, as has happened, for instance, in the air and space domains.
To my knowledge, the U.S. government has not formally adopted the “sovereignty as principle but not rule” approach; it remains the subject of inter-departmental and interagency discussion. Nevertheless, the fog appears to be spreading. A number of governments are actively assessing the stance they will take on the matter.
Those who dismiss the contention that sovereignty is not a primary rule of international as a counter-normative fringe position designed to afford its proponents the legal basis for conducting various types of offensive cyber operations are badly mistaken. It is a serious approach, proffered by first-rate lawyers and apparently championed by a number of government agencies, including some abroad, that wield significant power in cyber operational and policy circles. And, in fairness, a rule of sovereignty, as distinct from a principle, has the potential for sometimes being an obstacle to achieving vital national security interests, such as defence against terrorism, stopping the spread of weapons of mass destruction, and ensuring adequate intelligence as to the capabilities and intentions of hostile states.
But what is the law? In a Texas Law Review article responding to the sovereignty as principle only approach, Liis Vihul of Cyber Law International and I catalogued the long and dense practice and opinio juris of states, positions of international organizations, and views of scholars. We also outline contemporary assessments of sovereignty as applied to cyberspace. There is ample evidence that the prevailing view is that sovereignty is a primary rule of law and one applicable to cyber activities. This being so, it seemingly would have made more sense for the other side of the debate to take one of two alternative approaches in order to keep the rule of sovereignty from acting as an unacceptable barrier to cyber operations that might be necessary to safeguard a state’s national security interests.
First, the Tallinn Manual 2.0 approach analogizes the remote causation of physical damage to physical entry. Their response could have been that there is a significant qualitative difference between the two such that it is inappropriate to apply the sovereignty rule to cyberspace. I would not agree and would be concerned that it would render cyberspace sui generis more broadly with respect to such prohibitions as the intervention and the use of force. Yet, the legal foundation for this argument would have been firmer than they offer for their position. Second, the proponents could simply have taken the mainstream approach. This would have allowed them to optimize the existing uncertainty as to when a cyber operation violates sovereignty by adopting a stance that takes advantage of sovereignty’s defensive qualities, while permitting those cyber operations they view as indispensable options. In other words, we are having a suboptimal debate by quarrelling about whether, instead of when, sovereignty can be violated. Be that as it may, the question of the operational and strategic costs and benefits of the respective positions remains.
Most significantly, the sovereignty as principle only approach would generally allow for cyber operations that do not qualify as a use of force or prohibited intervention (or other breach of international law), thereby affording states a greater margin of appreciation within which to conduct operations they deem crucial. Yet, this is a double-edged sword, for pursuant to the principle of sovereign equality, the approach would permit other states to conduct similar operations against them. In such cases, the target state would be denied the benefit of condemning the operations as unlawful, and the resulting opportunity to ostracize the state that launched them.
Additionally, if the cyber operations in question are not unlawful, the target state would be unable to avail itself of countermeasures. When faced with this concern, advocates of the sovereignty as principle only approach typically reply that the target state could nevertheless respond in kind because it would not have to justify its response as a countermeasure (since the target state’s response would not itself be unlawful). In simple terms, a state conducting a cyber response could hack back proportionally, either against the entity that launched the cyber operation or against other cyber targets, at least so long as its response did not rise to the level of intervention or another internationally wrongful act.
This is true, but the argument neglects the fact that countermeasures need not be in kind. To take a simple example, consider a cyber operation targeting a state that does not have the capability to respond with its own cyber operations. If the offending cyber operation qualifies as a violation of sovereignty, the target state would have the countermeasure option of, for instance, denying the state launching them overflight or landing rights provided for in a respective treaty. Thus, the sovereignty as principle only approach actually closes the door on many response options that would be available as countermeasures.
Advocates of the approach also sometimes point out that states are not left completely defenceless because cyber operations amounting to an unlawful intervention or use of force are still barred and would allow for countermeasures by the targeted state. The problem is that these prohibitions set relatively high thresholds. Intervention requires that the offending cyber operation be both “coercive” and directed at the “domaine réservé” (areas of activity that are left to states) of the target state, two criteria that themselves are both highly limiting and somewhat vague. For instance, intervention would be unlikely to encompass many operations targeting private cyber infrastructure because their functions fall outside a state’s domaine réservé.
Moreover, coercion requires that the cyber operation in question be designed to compel the target state to take an action it would not normally take or to refrain from one in which it would otherwise engage. Merely malicious, disruptive or criminal cyber operations generally would not satisfy this criterion. Such operations therefore would have to rise to the level of a cyber use of force under Article 2(4) of the UN Charter (and customary law) to constitute an unlawful act. Unfortunately, the only consensus regarding the use of force threshold is that destructive operations qualify. This is problematic because, at least for the present, the fog of law encompassing the notion of the use of force has been persistent with respect to cyber operations below that consequential threshold.
At the end of the day, what one sees depends on where one stands. States that wish to conduct offensive operations will probably see high thresholds and ambiguity as beneficial. For those that do not and are instead likely to be the victim of hostile cyber operations, the sovereignty as a rule approach is preferable. Of course, for states that both conduct cyber operations and are the target of them, we can expect robust internal deliberations over the best position to take.
Finally, it must be remembered that the international community’s objective in identifying norms for cyberspace through such processes as the UN GGE is to achieve greater global stability. States contemplating adoption of the “sovereignty as principle only” approach would be well served to consider how doing so is likely to be perceived by other states. After all, States that do not intend to conduct offensive cyber operations or see themselves as likely victims will understandably perceive the approach as threatening, particularly if espoused by states wielding substantial cyber capability. Additionally, the approach foregoes the potential deterrent effect the rule of sovereignty might have on states contemplating hostile cyber operations. Problematically, its adoption by the broader international community would seem to justify characterization of cyberspace as a “Wild West,” a depiction that, albeit part hyperbole, the international community has worked hard to put to rest.