The United Nations building in Vienna, Austria. (R Boed, https://tinyurl.com/prksbmrc; CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)

States increasingly agree that international law, specifically the U.N. Charter and rules of customary international law (CIL) derived from the charter’s principles, applies to cyberspace. Yet both are a poor fit for cyber activities. The charter reflects a bias toward what has been termed the conventional strategic environment, and CIL has evolved in the shadow of both the conventional and nuclear environments. In these environments, states threaten international stability by seeking strategic gains through either coercion or brute force. The cyber strategic environment differs in that threats to stability derive from exploitation—that is, states unilaterally using code to take advantage of others’ cyber vulnerabilities for the purpose of realizing strategic gains.

It should be unsurprising, then, that states have struggled to offer comprehensive and in-depth opinio juris on how international law applies to the cyber context. States will struggle to find cyber relevance in international law until new instruments of international law—or adaptations of current law—account for the core features of the cyber strategic environment, the state behaviors they obligate, and how strategic advantage can be achieved lawfully and unlawfully through those behaviors. The rule of nonintervention is a good candidate for adaptation.

Strategic Environments

Cyber persistence theory, which informs U.S. Cyber Command’s doctrine of persistent engagement, is premised on the argument that cyberspace is not merely a domain but a strategic environment—and, importantly, one distinct from the nuclear and conventional strategic environments. Whereas U.S. warfighting domains—air, land, maritime, space and cyberspace—describe military operational “space,” strategic environments comprise core features that condition states’ security behaviors.
Simply stated, the core features of the nuclear environment are segmentation, that is, a feature that manifests as territorial boundaries, and incontestable costs (that is, there is no valid defense against nuclear weapons), which lead to a dominant behavior of coercion in the form of a deterrence strategy (that is, mutually assured destruction). The conventional strategic environment also comprises segmentation but is coupled with contestable costs (conventional capabilities, unlike nuclear weapons, may be defended against). This leads to dominant, episodic behaviors of brute force or coercion, where the latter takes the form of a deterrence strategy threatening to impose costs or a compellence strategy imposing costs through conventional war.

Post-World War II international law, specifically the U.N. Charter and subsequent CIL interpretations of the charter, was conditioned by the weight of these core features. With the objective of saving “succeeding generations from the scourge of war,” these rules of state behavior are centered on sovereignty, nonintervention, coercion, threat or use of force, and armed attack.

The cyberspace strategic environment is distinct from the nuclear and conventional environments, which poses a challenge to the relevance of these rules. Cyber persistence theory argues that, simply stated, the core features of the cyber strategic environment comprise interconnectedness (not segmentation), a condition of constant contact (not the prospect of episodic action), an abundance of organic vulnerabilities, and macro-resilience (an ability to recover from exploitation of those vulnerabilities). Consequently, states face a security imperative to persist in seizing and maintaining the initiative to set the conditions of security in their favor in and through cyberspace.
States can do so through various strategies, policies and activities that reduce the potential for exploitation of their own vulnerabilities and exploit the vulnerabilities of adversaries. States may reduce their potential for exploitation through internal-facing measures, such as patching, firewalls and intrusion detection systems. External-facing measures will be based primarily on unilateral exploitation of vulnerabilities. Importantly, states are incentivized to exploit at-scale because doing so can lead to strategic advantage without necessarily degrading the environment. More importantly, states can achieve strategic advantage—and shift the international distribution of power—through persistent cyber operations or campaigns with cumulative effects or intent that are not coercive, do not represent a violation of the prohibition on threat or use of force, and are not equivalent to an armed attack under Article 51 of the U.N. Charter. Yet these operations or campaigns may still endanger international peace and security.

In the cyber strategic environment, states achieve strategic advantage through exploitation, not through the brute force or coercion that they use in the conventional and nuclear strategic environments. For this reason, the body of law conditioned by the nuclear and conventional strategic environments struggles to be relevant in the cyber strategic environment. If state behavior is to be regulated by international law, the law must reflect the behavioral space it seeks to regulate.

A few states have called for new instruments of international law for cyberspace. Such instruments may indeed be necessary, given the significant differences between the core features of the nuclear and conventional strategic environments as opposed to the cyber strategic environment. However, some argue that the prospects for new cyber treaty law are slim and that cyber-relevant law will most likely come through state practice, including opinio juris.
Before considering lex ferenda—that is, the law as it ought to be for the cyber context—states must accept the inadequacy of current rules as applied to the cyber strategic environment. Creating new legal instruments or developing cyber-relevant opinio juris will be challenging. Either approach should apply the perspective of cyber persistence theory. An initial application explored below focuses on the rule of nonintervention. Admittedly, it may be an act of fitting a square peg into a round hole given that the rule of nonintervention was conditioned by the nuclear and conventional environments. The effort is complicated further by somewhat different understandings of coercion in security studies as opposed to international law materials—as Harriet Moynihan notes, analogies with coercion outside the international law context need to be treated with care. Additionally, there are differences in understandings of coercion among states and scholars of international law. Nonetheless, this and other adaptations must be pursued because the status quo in the cyber strategic environment is untenable.

The Rule of Nonintervention

Intervention into the “internal or external affairs” of other states is a prohibited internationally wrongful act. Two conditions must be met to determine a violation of the prohibition. First, the prohibition applies only to matters that fall within another state’s domaine réservé. These are matters that international law leaves to the sole discretion of the state concerned, described in the Declaration on Principles of International Law, Friendly Relations and Co-operation Among States as the “choice of a political, economic, social and cultural system, and the formulation of foreign policy.” Second, an act must involve coercion. Stated simply, a coercive act as understood in international law is one designed to compel another state to take action it would otherwise not take or to refrain from taking action in which it would otherwise engage.
The government of the Netherlands notes, however, “The precise definition of coercion, and thus of unauthorized intervention, has not yet fully crystallized in international laws.” Participants in the Tallinn process described coercion as referring “to an affirmative act designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way.” Moynihan argues that states should, instead, understand coercive behavior “as pressure applied by one State to deprive the target State of its free will in relation to the exercise of its sovereign rights in an attempt to compel an outcome in, or conduct with respect to, a matter reserved to the target State.” Others, meanwhile, advocate for lowering the threshold at which mere influence becomes unlawful coercion, claiming that a hostile cyber operation should not necessarily have to deprive a state of all reasonable choice, so long as it renders making the choice difficult. These differing views can lead to differing interpretations of cyber campaigns. For example, opinions vary
Current International Law Is Not an Adequate Regime for Cyberspace posted first on http://realempcol.tumblr.com/rss