from U.S. Foreign Policy Program and Digital and Cyberspace Policy Program

Cyber Strategy and Policy: International Law Dimensions

March 02, 2017

Testimony by CFR fellows and experts before Congress.

In testimony before the Senate Armed Services Committee on March 2, 2017, Matthew C. Waxman addressed some of the international law questions most relevant to cyber threats and U.S. strategy and made recommendations for U.S. leadership in the evolution of related international rules. Waxman argued that even though international law regarding cyber capabilities is not yet settled, existing rules can support a strong cyber defense strategy. Since many of the international law questions depend on specific, case-by-case facts, and are likely to be highly contested for a long time to come, the United States should continue to advance interpretations that support its strategic interests and effectively constrain other states’ behavior.


More on:


United States


International Law

International law is relevant to U.S. cyber strategy because it helps influence opinions and shape reactions among audiences abroad, and it may be useful in preserving international stability and setting, communicating, and reinforcing “red lines.” When the government agrees internally on rules and obligations, it can speed up decision-making, and when allies agree on them, it can provide a basis for cooperation and joint action.

Well-established international legal rules, such as the prohibitions on the use of force by states against each other and the right to self-defense against armed attacks, can effectively be applied to new technologies and can accommodate a strong cyber strategy. However, precise answers about the application of international law to cyberattacks are not likely to be worked out any time soon.

The U.S. government’s interpretation if the UN Charter as applied to cyberattacks leaves open how the United States would respond to an attack that does not cause physical destruction but nevertheless massive harm. The United States should therefore continue to establish specific mutual restraints on cyberattacks among other states, along with confidence-building measures.

In approaching legal questions, the United States should consider how the rules or interpretations it seeks to defend might constrain its own cyber operations as well as help justify other states’