In our opening post, we explained how Jean-Paul Sartre and baby carriages provide shorthand references for the existential and interpretative challenges facing international law in cyberspace. In this post, we examine how horses and Simon & Garfunkel reflect two additional challenges confronting international lawyers wrestling with questions of when and how international law applies to the cyber domain.
Horses and Procedural Challenges
In 1996 U.S. jurist Frank Easterbrook famously critiqued the need for a new law of cyberspace. Easterbrook claimed that while many legal cases involve horses, such as the sale of horses or injury by a horse, law schools do not teach a class entitled “the Law of the Horse” – instead applying general rules of contract, tort and other areas of law to this specialised endeavour. He argued that the same approach should hold in cyberspace, that is, that we should focus on figuring out how general rules apply to cyberspace in lieu of developing new cyber-specific rules.
Harvard Law Professor Larry Lessig later responded to Easterbrook, claiming that cyberspace is unique such that it requires new, tailor-made rules. Lessig famously coined the phrase, “Code is Law,” to express the idea that code regulates behaviour in cyberspace in the way the laws of physics regulate the natural world. Unlike physics, however, code is malleable, which raises the question of when governments should alter it and when they should leave it alone.
As such, horses symbolize the procedural challenges that confront the relationship between international law and cyberspace. Assuming a desire exists to resolve the existential and interpretative divisions outlined in our opening post, the question arises as to how this should be done in practice.
For some, the way forward is not to devise a law of the horse for cyberspace, but to articulate how existing international legal rules already apply to cyber operations – an approach exemplified by the Tallinn Manuals. Allied to this position is a “wait and see” perspective, which suggests that if we simply allow states to interact for long enough, then eventually further state practice and opinio juris will materialise.
For others, a law of the horse is paramount – a specific set of international legal rules for cyberspace, tailored to the potential and perils of this space. While examples of cyber-specific international rules remain rare, nascent efforts are pushing in that direction, including, for example, the Paris Call for Trust and Security in Cyberspace.
There are, moreover, debates within these debates about whether new tailor-made rules require a truly global effort or whether progress may proceed regionally or bilaterally. In this vein, recent years have witnessed efforts to adopt tailor-made rules for cyberspace at the bilateral level (e.g. the Russia-China cybersecurity agreement), regional level (e.g. the African Union Convention on Cyber Security and Personal Data Protection), and global level (e.g. Microsoft’s proposal for a Digital Geneva Convention).
Going forward, an important question for international lawyers is whether existing international legal rules are adequate to regulate behaviour in cyberspace, whether we need some affirmative process to tailor new rules to govern cyber operations, or, indeed, if some combination of both may be preferable.
Simon & Garfunkel and Transparency Challenges
Which brings us to one of the greatest musical duos of all time – Simon & Garfunkel. We mention them because of their most famous song – the Sounds of Silence – as transparency constitutes the fourth and final challenge for international law in cyberspace today.
According to conventional wisdom, states have generally declined to invoke international law in response to specific cyber incidents in favor of a policy of silence and ambiguity seemingly designed to preserve high levels of operational flexibility. In general, state silence presents significant normative questions for international lawyers. State silence makes it hard to know whether and how states understand the law, adding a layer of uncertainty as to whether international legal rules actually apply to cyber operations at all, as well as what they mean in practice.
Significantly, the extent to which states have been silent concerning cyber operations has tended to vary depending on the security threat and international legal rules in question. In the context of cyber espionage threats, for example, states have generally been silent about the applicability of state-focused norms of international law in contrast to a greater openness to discussing individual-focused norms. For instance, only a small minority of states alleged that the cyber surveillance programs of the U.S. National Security Agency and its allies breached state-focused norms such as the principle of state sovereignty. By contrast, a much larger number of states have raised concerns about the dangers that such programs pose to individual human rights in a series of resolutions adopted by the UN General Assembly and the Human Rights Council concerning the right to privacy in the digital age.
In addition, the rationales behind states’ silences have also varied – ranging from silences that stem from technical difficulties and geopolitical sensitivities concerning the attribution of cyber operations, to silences that reflect an inclination towards a “wait and see” approach for clarifying the applicability and contours of international law. Importantly, in certain contexts, state silences may even be constructive. For example, the silence of the United States regarding international regulation of online content—including an unwillingness to support efforts by the Shanghai Cooperation Organization to establish an international treaty to tackle information security threats—appears to be driven primarily by a concern not to legitimize the intrusive online censorship practices implemented at the domestic level by China and Russia respectively.
Given the stakes, an important task for international lawyers going forward lies in probing the extent to which states have actually been silent regarding the applicability and meaning of international legal rules in cyberspace, as well as the legal significance and different rationales that may motivate their silences.
In recent months, the UN General Assembly authorized the establishment of two new diplomatic mechanisms to tackle global cybersecurity. Among these, a new Group of Governmental Experts on Information Security will focus (again) on the question of how international law applies in cyberspace. As they embark on their work, we hope the Governmental Experts recognize that the questions they are likely to confront – and the divergent positions we expect to emerge – differ in important ways.
Simply put, there is no unitary response to the question of how international law applies to cyberspace. Interpretative debates are narrower – and perhaps easier to resolve – than existential ones. But even where existential and interpretative issues are resolvable, questions are likely to remain concerning the adequacy of applying existing international legal rules in cyberspace. At the very least, greater candor from states about how they understand the legal landscape would help break the sounds of silence that currently permeate various questions of whether and how international law applies in cyberspace.
Taken together, we hope that using Sartre, baby carriages, horses, and Simon & Garfunkel can help international lawyers and policy-makers devise a common framework for approaching the manifold challenges facing the law’s application to this complex, but increasingly integral, part of human existence.