For more than two decades, states and scholars have wrestled with questions of when and how international law applies to cyberspace. How, for example, did international law regulate the U.S. National Security Agency’s cyber surveillance practices disclosed by Edward Snowden in 2013, Russia’s cyber influence operation on the U.S. presidential election in 2016, or the WannaCry malware’s 2017 distribution through hundreds of thousands of computers across over 150 States? To date, there is no consensus. Indeed, international lawyers have struggled to convey – both to each other and, more importantly, to policy-experts and decision-makers – even the most basic reasons why the availability and operation of international law in the cyber domain has proven so elusive.
In this climate of uncertainty, we propose a “mind map” to both simplify and differentiate among the challenges international law faces in cyberspace. Over a series of two posts, we explain how the current relationship between international law and the cyber domain may be encapsulated by four things: Jean Paul Sartre, baby carriages, horses, and Simon & Garfunkel. Map these things together in your mind (the imagery alone makes for a fun exercise) and you have a short-hand reference for the most significant issues facing international law in the ever-expanding (and indispensable) technological ecosystem.
We begin in this post by examining existential and interpretative challenges symbolized by Sartre and baby carriages. Our second post will review the procedural and transparency challenges represented by horses and Simon & Garfunkel.
Jean Paul Sartre and Existential Challenges
Our point of departure is Jean Paul Sartre – one of the leading thinkers in the philosophy of existentialism. We choose him to symbolize existential challenges to international law in cyberspace. This is the question of whether international law even applies in cyberspace.
For a time, some states participated in an existential debate about whether international law in its entirety applies to cyber operations. In 2013, however, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) issued a consensus report that concluded “international law […] is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.” The 2015 UN GGE built on that consensus and the UN General Assembly recently endorsed it in Resolution 73/266 (2018).
Nonetheless, questions about the applicability of specific international legal regimes and particular international legal rules to cyber operations remain. In 2017, the latest round of UN GGE talks collapsed amidst existential divisions between states concerning the applicability of the right of self-defense as enshrined in Article 51 of the UN Charter, the right to take countermeasures, and the entire body of international humanitarian law to cyber operations. More recently, the UK Attorney General made clear that although the principle of sovereignty is “fundamental to the international rules-based system,” the UK is not persuaded “that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention.” This made public a long-rumored conflict among states as to whether sovereignty exists as a rule that a state’s cyber operations may violate or merely a principle that informs the contents of other international legal rules.
Resolving these existential questions is vital – only if specific international legal rules are applicable to cyber operations can they operate to regulate the conduct of their subjects.
Baby Carriages and Interpretative Challenges
Even where states agree on the relevant international law rule(s), we still need to consider the interpretative challenges that arise in applying international law to cyber operations. We use baby carriages to symbolize these challenges, drawing on an example that arose in the famous debate between legal philosophers H.L.A. Hart and Lon Fuller.
In a much-discussed article, Hart posited a legal rule that forbids taking “a vehicle” into a public park. While Hart assumed that such a rule was drafted to keep out things with wheels like cars, he questioned how the policy applied to bicycles, roller skates, or toy automobiles? Do these qualify as “vehicles” for the purposes of the rule? Fuller, in reply, went further and asked what the rule meant for baby carriages.
Thus, the baby carriages debate demonstrates how, even when there is agreement that a legal rule applies – whether it be that vehicles are prohibited in public parks or states are prohibited from conducting cyber operations that intervene in another state’s reserved domain – challenges may remain in determining what such rules actually mean in practice.
There are many unsettled interpretative questions concerning how particular rules of international law apply to cyber operations. Examples include the precise threshold that must be crossed for a cyber operation to violate another state’s territorial integrity, the particular threshold that must be crossed for a cyber operation to constitute a prohibited use of force under Article 2(4) of the UN Charter, and the specific criteria that must be met for a cyber operation to qualify as an “attack” under international humanitarian law.
In many cases, interpretative disputes end up being a debate over default rules. In other words, when we have novel behavior, which is neither clearly prohibited nor clearly permitted by international law, do we characterize it as implicitly prohibited or implicitly permitted?
This quandary brings us to horses, and the question of using new or old legal processes to elaborate international law in cyberspace. We’ll discuss this and—with a nod to Simon & Garfunkel—the challenge of transparency (or lack thereof) with respect to state views on international law and cyberspace in our next post.