27 July 2022

THE LAW OF CYBER CONFLICT: QUO VADIS?

Michael N. Schmitt

Using the Latin term quo vadis (“where are you going”) as a fulcrum, my contribution to The Future Law of Armed Conflict in 2040 deals with trends in, and the vectors of, the international law governing cyber operations that fall below the threshold of armed conflict but that risk triggering hostilities. It is in this space that most hostile cyber operations occur and, therefore, where most of the legal maneuvering among States is taking place.

In a relative sense, cyberspace is a new domain of conflict for States. Initially, it was wrongly viewed as a normative void. And admittedly, what we see in cyberspace today still sometimes confirms the “Melian Dialogue,” in which the strong are said to do what they can, while the weak do what they must.

But characterizing cyberspace as the new “wild west,” as President Obama once did, would be badly mistaken. There is a great deal of international law – ranging from general primary rules like non-intervention and the secondary rules of State responsibility to lex specialis such as space law and international humanitarian law – that governs cyber activities. What is often forgotten in discussions of cyber operations is that this existing law applies to new technologies, a point the International Court of Justice made in its Nuclear Weapons advisory opinion (¶ 86, confirming that existing IHL applies to future weapons).

Nevertheless, because cyber operations differ from the non-cyber activities that this pre-existing law addresses, there will be times when the extant law as applied in the cyber context: 1) does not make sense; 2) fails to advance its original object and purpose well; or 3) must be reinterpreted to account for the unique characteristics of cyber operations. The most obvious example is the ability of cyber operations to generate harmful, even horrific, effects without causing physical damage, destruction, injury, or death. The challenge is that many international law rules have traditionally been understood as applying when these physical effects manifest, as with the prohibition on the use of force, even though the underlying concern is the consequence of the effects (see my original thoughts on the matter here).

Because of these difficulties, applying extant international law in the cyber context is a work in progress. States have been considering the issue since 2004 using UN Groups of Governmental Experts and Open-Ended Working Groups (see 2013, 2015, and 2021 GGE reports). Additionally, States are increasingly setting forth their individual views on how international law applies in cyberspace, most notably in a series of 15 statements that were annexed to the 2021 GGE report. Finally, the work of non-State actors is informing the application of international law in cyberspace, particularly through the Tallinn Manual project sponsored by the NATO Cooperative Cyber Defence Centre of Excellence, the third iteration of which (Tallinn Manual 3.0) is currently being written.

In my contribution to The Future Law of Armed Conflict in 2040, I examine three issues regarding international cyber law – the likely means of normative evolution, the strategic options available to States, and the substantive rules. Since I have addressed the last subject elsewhere on many occasions, I shall focus on the first two in this post.

Normative Evolution

The opening premise of the chapter, and indeed of all my work, is that

International law necessarily evolves over time in order to ensure that the applicable normative architecture remains responsive to the context in which it applies. That dynamic occurs in three ways – through new treaty law, through the crystallization of new norms of international customary law, and by means of interpretation of existing treaty or customary law.

Except in regional settings, I am pessimistic about the prospect of new treaty law to address cyber operations. For instance, Russia’s proposal, which China supports, for a new instrument on cybercrime (even though the Budapest Convention already addresses the subject) is dead in the water in light of Russia’s aggression against Ukraine.

But even beyond the impact of that aggression, many States have long been opposed to a new treaty for cyberspace. For example, in a submission to the 2013 GGE, the United Kingdom noted, “[e]xperience in concluding these agreements on other subjects shows that they can be meaningful and effective only as the culmination of diplomatic attempts to develop shared understandings and approaches, not as their starting point.” During the February 2020 proceedings of the OEWG, the United States similarly observed that “the argument that there are gaps in international law is substantially premature – if we don’t understand how each of us actually views its applicability, whether international law should evolve over time is a question that will take time for States to answer.” And Australia pointed out that “a legally binding instrument in this space would take years to negotiate; it would likely end up with the lowest common denominator result and offer less protection than we currently have with the existing framework; having a treaty also would not solve the question of how it would apply, we’d still be left with the question of how to interpret it.” In other words, before the international community gathers to decide the contents of any comprehensive multi-national treaty for cyberspace, States must first achieve some degree of consensus over how existing customary and treaty law operates in the cyber context.

And besides the illogic of adopting a new treaty instead of working to clarify the application of existing law, there are practical obstacles. For instance, the NGO community is skeptical about Russia’s and other States’ motives for pursuing a cybercrime treaty, fearing that it will be used as a subterfuge for exerting greater control over their people’s exercise and enjoyment of human rights. Additionally, the current political landscape is forbidding. First, nationalism appears increasingly influential in many countries, including the United States and United Kingdom; nationalism tends to find multilateralism objectionable. Second, the conflict in Ukraine and China’s actions in the Indo-Pacific region have split the key players in the cyber norms discussion. As a result, the prospect of an agreement between the two sides will continue to be bleak for some time.

I am also pessimistic about the crystallization of new customary international law rules. Crystallization requires the confluence of State practice and opinio juris, that is, a sense by States that they are engaging in or refraining from certain cyber activities out of a sense of legal obligation. As to State practice, we see only the tip of the iceberg. State practice that is not visible to the global community does not contribute to the crystallization of a new norm. And I am unaware of any statements by States that purport to recognize a new norm of customary international law applicable to cyber operations. This situation is unlikely to change anytime soon.

Therefore, we can expect almost all normative evolution to occur in the guise of the interpretation of existing customary and treaty law. But even here, the progress has been slow. For instance, while individual State pronouncements and GGE consensus reports represent progress in identifying how international law applies in cyberspace, they tend to be limited to affirmations of particular rules and broad comments on how they apply. To take one example, consider the prohibition on the use of force found in Article 2(4) of the UN Charter and customary international law. There is widespread acceptance of the rule’s applicability to cyber operations that cause significant physical destruction or injury. However, the number of States that have directly addressed the fraught issue of whether and how that rule applies to non-destructive and non-injurious cyber operations can be counted on one hand.

The same is true with respect to the characterization of actual hostile cyber operations. It has become common for States to condemn other States or non-State actors for their misbehavior in cyberspace. But it is less common to do so on the basis that the cyber activity in question violated international law. And statements that not only condemn cyber operations as an internationally wrongful act but point to the specific rule of law that has been violated are scarce.

This reluctance to take a firm and granular stand is understandable. The obstacle is the principle of sovereign equality, by which an interpretive position that limits the hostile activities of other States also restrains the State that adopts it from employing cyber means in pursuit of its own national interests.

Of course, this dynamic affects all international law rules. But the situation is different in the cyber context due to uncertainty about the development of cyber technology. Unsure what cyber operations will look like in the future, States understandably hesitate to express legal views, fearing that they might unintentionally tie their own hands in the future. The result has been a tendency to limit meaningful coordination and collaboration to like-minded States, as with the “Five Eyes” (but see sovereignty, in which the United Kingdom rejects such a rule, Canada embraces, and the US, Australia, and New Zealand have yet to express a firm position).

The result of this interpretive hesitancy is that certain non-State normative endeavors have exerted outsized influence on the interpretive process. Most significant among these is the Tallinn Manual project. Whatever one’s position on the project, there is no doubt that the team’s work has significantly influenced how the international community views cyber operations from a legal perspective. Indeed, references by States to the Tallinn Manual in their statements on international law are common (see, e.g. Germany). Of course, States and only States make and authoritatively interpret international law. Still, until they begin to do so in a granular fashion, others, like the Tallinn Manual experts, will inevitably act to fill the void.

Strategic Options

Because interpretation is how the international law governing cyberspace will be identified and evolve for the foreseeable future, States are facing a fork in the road. The direction they take depends on their strategic perspective on international law.

Some States see international law as an effective tool in countering hostile cyber operations. For them, the international law rules as applied in the cyber context should be clear and restrictive. They need to be clear because international rules have a deterrent effect; States do not like to be seen to violate international law. As evidence, we need look no further than Russia’s condemnatory efforts to style its “special military operation” as a lawful response to allegedly unlawful behavior by Ukraine. Straightforward rules make it easier to identify violations and condemn them.

Straightforward rules also help clarify when States may engage in responses, such as countermeasures (actions that would be unlawful but for the fact that they are designed to end another State’s unlawful conduct or secure reparations) and acts of self-defense, that depend on the underlying unlawfulness of the cyber operation to which they respond. Clarity renders such responses more defensible.

Relatedly, clarity contributes to the avoidance of escalation. For example, consider a cyber operation by one State against another. If the latter sees the operation as unlawful, it will conclude that it is entitled to take countermeasures. But if the former does not, it will view the countermeasure as the first unlawful cyber operation in the exchange, which in turn entitles it to take countermeasures. As this example illustrates, differing understandings of the law risk triggering a difficult-to-control escalatory cycle.

Finally, States in this camp tend to restrictively interpret rules in the cyber context because they believe those rules will effectively protect them. Thus, they interpret thresholds, such as the threshold at which sovereignty or use of force violations occur, as low. The paradigmatic examples are France’s assertions that causation of effects on French territory violates its sovereignty and that an economic cyber attack against France could, in certain circumstances, qualify not only as an unlawful use of force but also an armed attack triggering France’s right to use force in self-defense.

The competing strategic option is to view international law as relatively ineffective in deterring hostile cyber operations by bad actors. By this approach, restrictive rules only hinder cyber operations by rule of law States. And those operations may be necessary to protect and advance national interests. Viewed from this perspective, the normative firewalls must be kept low, lest the bad actors enjoy a de facto asymmetrical advantage. The paradigmatic example of embracing this option is the rejection by the United Kingdom of a rule of sovereignty that limits cyber operations.

Advocates of the approach also tend to embrace ambiguity in the law. Their logic is that if an adversary is not going to follow the law, and the State does not wish to ignore international law altogether, an ambiguous interpretation will afford it the operational flexibility to respond as it deems appropriate in the attendant circumstances. But, of course, normative ambiguity is a double-edged sword. It equally invites bad actors to operate in that ambiguous space to complicate response options that depend on the unlawfulness of the cyber operation to which they respond.

Conclusion

For my part, I share the perspective of the United States and numerous other countries that the time is not ripe for new treaty law. If you do not know what you have, you cannot possibly understand what you need. I also believe that the emergence of entirely new rules of customary international law, as distinct from the interpretation of existing ones, is improbable for practical reasons. Instead, it is through the interpretation of the current international law that normative evolution will continue to take place.

In that regard, I support the first of the strategic options discussed above. However, there are downsides to moving too quickly and too deeply into the interpretive space, especially since it is difficult to predict what cyberspace will look like in the future. Nevertheless, in my estimation, international law effectively serves a deterrent purpose, can help prevent the escalation of instability, and generally proves beneficial to most States over time.

Finally, as a contributor to The Future Law of Armed Conflict in 2040 and General Editor of the Lieber Studies series, I am delighted to congratulate my friends and colleagues, Professor Matt Waxman and Lieutenant Colonel Tom Oakley, on the publication of this fine work and thank the contributors for their insightful analysis. In two decades, we will know if they were right!

No comments: