🎯(How) Does international law apply to cyberspace?
According to the Framework, states agree that existing international law and the UN Charter apply to cyberspace. Established international law regulates the conduct of armed conflict and seeks to limit its effects.
It is, however, less clear how it applies in practice and in particular circumstances. The UN Charter, as the foundation of the body of international law that provides grounds to justify entry into a conflict, grants (Article 51) the right of individual or collective self-defence if an armed attack occurs against a member state. Yet, what exactly is an armed attack and use of force in cyberspace – and what is its threshold? Is it limited to attacks that cause physical damage and injury, or would other effects (e.g. financial, environmental, economic, or political) of a cyberattack fall under it as well? When (and if) does a cyberattack violate another state’s sovereignty? Should the attacked state be allowed to respond by any and all means, including all out military options with traditional warfare methods?
It is equally hard to understand how the international humanitarian law (IHL) governing the use of force in armed conflicts, such as protecting civilian populations and infrastructure, will apply. For years, states failed to reach an agreement about whether the IHL applies at all or whether its application would actually militarise cyberspace. It was only in 2021 that the GGE confirmed that the IHL applies only in situations of armed conflict, thus, not in peacetime. The GGE also says that applying the core IHL principles to the use of ICTs needs further study.
One of the main challenges is how to hold states accountable for their operations, from reliably attributing the attack, to responding without risking the escalation of political tensions. Invoking international law provisions, and using elements of the Framework, is of relevance when raising the responsibility of certain states for a cyberattack, and holding states accountable for their cyber operations. The 2021 GGE report, in particular, provides space for progress since it prescribes elements for the attribution of cyberattacks, i.e. ‘the incident’s technical attributes; its scope, scale, and impact; the wider context, including the incident’s bearing on international peace and security; and the results of consultations between the States concerned’ (UN GGE, 2021, Par. 24). The most authoritative and comprehensive research that discusses the applicability of international law to cyberspace and the related challenges is the Tallinn Manual on the International Law Applicable to Cyber Warfare, developed in 2013 by an independent international group of experts who were invited by the NATO CCDCOE. It was updated in 2017 – dubbed the Tallinn Manual 2.0.
Contribute and engage
The CCDCOE invites experts to contribute to the development of the Tallinn Manual 3.0. Your country experts may seek options to engage and contribute.
The UN GA resolutions of 2021 related to the reports of the GGE and the OEWG invite states to share their own positions on how international law applies to cyberspace. Indeed, an increasing number of states are developing and publishing their national positions. A good overview of open issues and general positions of states on the applicability of international law is available at the Digital Watch Observatory.
Resources
The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilised in a number of different ways. At its core, it presently consists of 25 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis. The aim of the analysis is to examine the applicability of international law to the scenarios and the issues they raise.
Reflection point
Is there awareness about the existing framework and the related processes in your Ministry of Foreign Affairs, and in your government more generally? Are there already discussions about a national position related to the applicability of international law to cyberspace, as invited by the UN GA?Â