The Nature of International Law Cyber Norms
Michael N Schmitt and Liis Vihul
Executive Summary
The Nature and Place of International Legal Norms
International law is typically described
as prohibitory in nature: any activity that is not disallowed is generally
permitted. But even when law does exist, it may prove lacking when meeting
unanticipated circumstances and thus is occasionally breached as part of the
process of creating a new norm. Indeed, it is often said that customary law
norms are “made in the breach”. By way of illustration, it may be that
pre-existing human rights law would, if logically applied in the cyber context,
prohibit intrusions into certain forms of cyber communications between
individuals. However, if states treat this customary norm as inconsistent with
their need to ensure, for instance, the security of their cyber systems, they
may begin to act contrary to the norm. Over time, their state practice could,
as will be explained, come to be viewed by states as legal, such that the original
human rights norm will have been modified. Given the novelty of cyber
activities, they are particularly vulnerable to this dynamic of customary law.
Once the international law boundaries of conduct are demarcated, domestic
legal, political (policy), ethical and other norms can operate to further
restrict or require particular conduct in cyberspace. For instance, while it is
unclear precisely how international human rights norms in the realm of privacy
restrict state monitoring of personal cyber communications, monitoring may
constitute a violation of domestic constitutional law or be contrary to state
policy or the ethical benchmarks that a state has adopted. Thus, international
legal norms merely define the space within which states may engage in normative
construction. Of course, states may act to transform these non-legal norms into
those with legal authority by adopting a treaty incorporating them or engaging
in state practice that crystallises over time, as described below, into
customary law.
Terminological Precision
It is clear that when cyber operations accompany
kinetic hostilities qualifying as armed conflict (as with the conflict between
Russia and Georgia in 2008 or that taking place in Syria at the time of
writing), IHL applies fully to all the cyber operations that have a nexus to
the conflict, whether they are launched by states, non-state groups or
individual hackers. For instance, in the same way that IHL prohibits injurious
or destructive kinetic attacks against civilians and civilian objects, it
likewise prohibits cyber attacks against them having the same effects.17
For international lawyers the term
“cyber war” is better rendered as “cyber armed conflict”. When non-lawyers
speak of the norms applicable in cyber war, the lawyer will accordingly insist
on examining the attendant circumstances, because only if they qualify as armed
conflict will the specific international law norms applicable therein attach.
Otherwise, the situation will be subject to those aspects of international law
that apply during peacetime, such as the law of state responsibility and human
rights law.
The second term that causes confusion
between the normative communities is, again, “attack”. As noted, “armed attack”
is a legal term of art in the jus ad bellum. Yet, “attack” is also a
legal term of art in IHL. The term does not simply refer to military operations
directed by one belligerent against another during an armed conflict. Rather,
it is defined in Article 49 of Additional Protocol I to the Geneva Conventions
as “acts of violence against the adversary, whether in offence or in
defence.”18 The Tallinn Manual accordingly defines a cyber attack as “a
cyber operation, whether offensive or defensive, that is reasonably expected to
cause injury or death to persons or damage or destruction to objects.”19
The definition of an “attack” lies at
the core of IHL, because many of its prohibitions are framed in terms of
prohibition of attacks, the paradigmatic examples being those on directing
attacks against civilians and civilian objects.20 To the extent that a cyber
operation does not qualify as an attack in the IHL regime, the prohibitions are
inapplicable. Consequently, when a non-lawyer uses the term “cyber attack”,
clarification must be sought (in addition to the jus ad bellum issue
outlined above) not only as to whether the operation occurred during an armed
conflict such that IHL applies, but also whether the operation constitutes an
attack such that IHL prohibitions and restrictions come into play.
Clearly, terminological indistinctness
and imprecision have long hobbled interdisciplinary
understanding between the legal and non-legal communities; they continue to do
so today. A proper grasp of the international law governing cyber operations,
and its likely future evolution, demands terminological fastidiousness. It is to that law that we now turn.
General Rules Governing Treaty Law
In addition to reservations, states may
issue interpretative declarations that clarify their position with regard to a
particular provision of the treaty or to how the treaty will be applied by the
states concerned. Declarations have no technical legal effect on the state’s
rights or obligations. However, states sometimes make interpretative
declarations that de facto amount to reservations. For example, the
United Kingdom has issued a statement concerning the prohibitions on reprisals
set forth in Additional Protocol I to the 1949 Geneva Conventions.33 The
declaration arguably denudes certain provisions of their effect. Thus, declarations,
like reservations, must always be carefully surveyed when evaluating the actual
normative reach of a treaty.
Perhaps the most important aspect of treaty law deals
with interpretation, as a treaty’s text may be vague or ambiguous. Such
ambiguity is often the only way the parties involved were able to achieve
sufficient consensus to adopt the instrument. The Vienna Convention on the Law
of Treaties provides that treaties “shall be interpreted in good faith in
accordance with the ordinary meaning to be given to the terms of the treaty in
their context and in light of its object and purpose.”34 The term “context”
refers to the other text of the treaty, as well as to any agreement between the
parties made at the conclusion of the treaty.35 In addition to context,
interpretation of a treaty’s provision should take account of any subsequent
express agreement between parties as to its meaning, as well as “subsequent
practice in its application that establishes the agreement of the parties
regarding its interpretation.”36 If the meaning of a provision remains
ambiguous, reference may be made to the “preparatory work of the treaty and the
circumstances of its conclusion.”37 In other words, it is appropriate to
explore what was in the mind of the parties at the time when the agreement was
negotiated and adopted.
Treaty Law in the Cyber Context
Given that cyber activities are
relatively new, very few treaties deal directly with them. Prominent
contemporary examples include the Convention on Cybercrime,38 its 2006
Additional Protocol,39 the Shanghai Cooperation Organisation’s International
Information Security Agreement,40 and the ITU Constitution and Convention41 and
International Telecommunication Regulations.42 The rules regarding treaties
apply fully to each of these instruments and others that exist or are to be
adopted in the future. Since it is not the purpose here to examine their
substantive content, it suffices to recall that when considering the formation,
interpretation and application of cyber treaty norms, the key guidance is to be
found in the Vienna Convention on the Law of Treaties and in the customary law
of treaties.
In light of the paucity of cyber-specific treaties, the threshold question is, of
course, whether non-cyber-specific instruments even apply to cyber activities.
A number of states, including Russia and China, have previously expressed some
reluctance to acknowledge that existing international agreements extend to
cyberspace.43 This disinclination seems to have been partially overcome in
Considering the broad acceptance of the premise that non-cyber-specific treaty
law can apply to cyberspace, an array of international agreements that govern
state activities in general also constrain cyber activities. As an example, the
1982 Law of the Sea Convention delineates the type of activities that the
vessels of one state may engage in while in the territorial sea of another
state.48 Although the vessels have a
right of passage through the territorial sea, the passage must be “innocent”,
that is, not be contrary to the interests of the coastal nation. Conducting
cyber operations against the coastal state from aboard naval vessels would
consequently violate the innocent passage regime for states party to the
Convention, even though that treaty was adopted well before the advent of sea-based cyber operations. Similarly, the 1979 Moon Treaty
provides that the Moon and other celestial bodies are to be used for
“exclusively peaceful purposes”.49 Therefore, military cyber operations may not be launched from the
moon or other celestial bodies, again despite the fact that the treaty predates
the technical capability to do so. In Europe, the 1950 European Convention on
Human Rights (in effect since 1953) is playing a prominent role in privacy and
data protection debates involving cyber communications that its drafters could
not have envisaged.
well as its shortcomings, in the cyber
context. The first deals with the meaning of the term “use of force” in the UN
Charter’s Article 2(4) prohibition thereof. The object and purpose of the
provision was self-evidently to limit the circumstances in which states might
resort to force to resolve their differences. All of the Tallinn Manual experts
agreed that a cyber operation by one state against another that causes injury
or death to individuals, or damage or destruction to property, qualifies as a
use of force. However, no consensus could be reached on the exact threshold at
which a cyber activity crosses into the use of force. The International Group
of Experts could only offer indicative factors that states are likely to
consider when deciding how to legally characterise a cyber operation in this
respect.53 Such a delineation of factors should prove useful as states estimate how
their activities will be seen by other states, as well as when they assess the
actions of other states against the norm, but they are not legal criteria per
se. The object and purpose of Article 2(4) provided a guide to
interpretation in the cyber context, but not a fully comprehensive one.
Second, Article 51 of the UN Charter provides that
states may use force in response to an “armed attack”. Here, the object and
purpose was to ensure that states did not remain normatively defenceless should
the enforcement regime established in the Charter fail to operate as planned.
But the interpretation of this article remains a source of some uncertainty and
controversy because it is unclear whether the right of self-defence extends to
attacks conducted by non-state actors, or whether states are limited to law
enforcement measures in responding to such hostile acts. This is an issue that
was brought to the forefront of international law debate in the aftermath of
the 9/11 attacks against the United States by al Qaeda. It is a central one
with respect to cyberspace, because a non-state group’s or individual’s
capability to launch a hostile cyber operation at a state at the armed attack
level is much more likely in the cyber context than the kinetic, due to the
relative ease of acquiring the expertise and equipment for a cyber armed attack
compared to a kinetic one.54
Recently, both the United States and the
Netherlands have taken the position that defensive use of force in the cyber
context is permissible under Article 51 even if a cyber attack by a non-state
actor cannot be attributed to another state.55 Those states and commentators
who take the more restrictive approach in applying Article 51 to terrorist
strikes would likely be at least as restrictive when considering cyber
operations mounted by non-state actors. This illustrates that difficulties in
interpreting treaty law in the non-cyber context are highly likely to resurface
in the cyber context.
It is also unclear when a cyber operation is severe
enough to be regarded as an armed attack in the sense of Article 51. According
to the Tallinn Manual, operations causing significant damage,
destruction, injury or death do qualify. Inclusion of such consequences is
consistent with the UN Charter’s object and purpose of limiting the use of
force in international relations, but consensus among the International Group
of Experts stopped there; the group could not agree on any “bright line test”
for determining when such harm is sufficiently “grave” to cross the armed
attack threshold.56 Some experts took the position that the term should include
operations that cause severe non-physical harm, such as cyber operations
directed at crippling a state’s economy.57 Others resisted such a broad
interpretation on the grounds that it ran counter to the Charter’s presumption
in favour of non-forceful resolution of international disputes. Again, a
reliable interpretation of a treaty provision in the cyber context proved
elusive because multiple reasonable interpretations were possible.
The third and fourth examples derive
from IHL. The paradigmatic interpretive hurdle in IHL is that cited above, the
meaning of the word “attack”, which is found in various prohibitions set forth
in Additional Protocol I. For instance, pursuant to express provisions of that
treaty, it is unlawful to attack civilians, civilian objects, and certain other
protected persons and objects.58 Additionally, states are required to consider
expected collateral damage at the attack level when assessing the
proportionality of their operations,59 and must take precautions to minimise
such damage whenever they conduct attacks.60 Interpretation of the term
“attack” in the cyber context is essential because, to the extent to which a
cyber operation fails to qualify as an attack, these and related IHL provisions
do not apply.
Recall the Article 49 of Additional Protocol I
definition of attack as an act of violence, and the definition of cyber attack
found in the Tallinn Manual as “a cyber operation, whether offensive or
defensive, that is reasonably expected to cause injury or death to persons or
damage or destruction to objects.” All members of the International Group of
Experts agreed that Additional Protocol I’s provisions referring to attacks
included such cyber operations because they were violent in the sense of
Article 49. However, members of the group differed on whether, and if so how
far, the notion of violence should be stretched to include operations having
non-kinetic effects. Some experts were of the view that the notion is strictly
limited to cyber operations that cause physical damage or injury; other
operations were not violent and therefore did not qualify as attacks. But a
majority of them looked to the object and purpose of the Protocol and its
relevant provisions to interpret the term more liberally as applying to a
situation in which the functionality of an object is affected by a cyber
operation without physical damage having occurred. Illustrating the difficulties
that attend the application of treaty provisions to situations that were not
envisaged by the drafters, there were differences of opinion within the
majority as to how “functionality” should be interpreted.61 As this example
illustrates, layers of interpretation can exist.
Finally, a similar IHL-based debate is
underway as to whether the term “civilian object” extends to data.62 If so
interpreted, a cyber operation designed to destroy civilian data would be
prohibited by Article 52 of Additional Protocol I, which bans direct attacks
against civilian objects. If not, civilian data is a lawful object of attack,
except in those circumstances where its loss might cause physical damage to
objects or injury to persons. The critical and unresolved fault line in the
debate lies between interpretations that limit the term to entities that are
tangible, which is arguably the plain meaning of the term “object”, and those
based on the argument that in contemporary understanding the ordinary meaning
of “object” includes data.63
These examples illustrate that even strict application
of the rules of treaty interpretation set out above fails to fully suffice in
adding the requisite clarity when extant treaty provisions are applied to cyber
activities. Such interpretive dilemmas are only likely to be resolved over
time. Interpretive clarity will be fostered through the recurrent practice of
states in application of the provisions in question, including when those
states are acting in their capacity as members of international organisations
like the United Nations, European Union and NATO. Also relevant will be state
expressions of opinion as to proper interpretation of the terms and provisions
in question. Recent examples include those proffered by former US Department of
State legal adviser Harold Koh64 and by the Dutch Government in response to the
AIV report, both of which set forth state positions on the meaning of key
aspects of relevant treaty law.65 Judicial interpretation could potentially
also shape the meaning of uncertain treaty norms in the cyber context, much as
the judgments of the International
Second, in the early days of a new
technology, states will be reluctant to bind themselves to particular rules
until they fully understand how those rules may play out as the technology
continues to develop. In particular, there is presently little support for
proactively addressing cyber weaponry and cyber military operations. As with
all other methods and means of warfare, states are hesitant to restrict the use
of weapons that may afford them an advantage on the battlefield until they have
sufficient experience to allow them to weigh the costs and benefits of
prohibitions and limitations on their use.68
Third, to the extent that states wield
cyber capabilities that are strategically or operationally useful, they have an
incentive to retain the option of employing them. But those same states may be
vulnerable to hostile operations by other states using similar capabilities.
Therefore, it may be difficult for a state’s political and legal organs to
agree on how the state should characterise a particular practice, as they may
view the state’s national interests from different perspectives.
A fourth factor rendering cyber treaties
unlikely in the near term is the difficulty of verifying compliance with their
terms and effectively enforcing them. To begin with, it is sometimes difficult
to even ascertain that harm is the result of a cyber operation. Not only are
the technical challenges posed by attribution perplexing, but the law of
attribution is complex.69 In other words, even when the originator of a cyber
operation is known, it may be unclear whether his or her actions can be deemed
to be those of a state as a matter of law such that the state is in violation
of a treaty obligation.
Customary International Law in the Cyber Context
Many obstacles lie in the path of
customary norm emergence vis-à-vis cyberspace. The requirement of
practice over time hinders this process to an extent, but is not fatal because
contemporary customary international law appears to countenance relatively
rapid crystallisation. A much greater impediment is the visibility of cyber
activities. It is difficult to “see” what goes on in cyberspace. Instead, the
effects of cyber operations are often all that is publicly observed; in fact,
sometimes even the effects are not apparent to the general public. Therefore,
it can be difficult to point to a particular state’s cyber practice to support
an argument that a norm has emerged. States, including victim states, may be
reticent in revealing their knowledge of a cyber operation, because doing so
may disclose capabilities that they deem essential to their security.
Undisclosed acts cannot, as a practical matter, amount to state practice
contributing to the emergence of customary international law.99
Similarly, states will frequently
hesitate to offer opinions.
General Principles of Law in the Cyber Context
The third formal source of international
legal norms cited in Article 38 of the International Court of Justice’s Statute
is general principles of law. A complicating factor with respect to this source
is that its nature is the subject of some controversy.108 Generally, the term
is said to refer to a number of types of legal principles that are: common
across domestic legal systems, such as the use of circumstantial evidence;109
evident from the nature of law itself, for instance res judicata (final
judgments of a court are conclusive);110 derived from the nature of
international law, such as pacta sunt servanda (“agreements must be
kept”);111 and based on fairness, prominent examples being equity112 and
estoppel.113
General principles are most likely to
become relevant when disputes between states over cyber matters arise. As an
example, in the celebrated Chorzow Factory case, the Permanent Court of
International Justice held that the breach of an obligation in international
law necessarily gives rise to the obligation to make reparations,114 a
principle echoed in the International Law Commission’s Articles of State
Responsibility.115 Thus, if a state’s cyber operations violate the sovereignty
of another state and cause harm, the former will be obligated to make
reparations to the latter. Similarly, courts may decide cases in part based on
equitable considerations. Such a decision might be appropriate, for instance,
in the case of cyber infrastructure which is shared by states.
However, at times a general principle of law may
reflect a substantive obligation. The classic example is the International
Court of Justice’s identification of the principle that every State shoulders
an “obligation not to allow knowingly its territory to be used for acts
contrary to the rights of other States.”116 This principle is reflected in Tallinn Manual Rule 5: “A State
shall not knowingly allow the cyber infrastructure located in its territory or
under its exclusive governmental control to be used for acts that adversely and
unlawfully affect other States.”117
Conclusion
Legal norms are but one facet of the
normative environment in which cyber operations exist. To suggest that they
alone suffice would be folly. After all, there is a scarcity of cyber-specific
treaty law and a near total void of cyber-specific customary law on the
subject. As a result, recourse must be had to general international law and the
interpretation thereof in the cyber context. Of course, any interpretive
endeavour is plagued with uncertainty and ambiguity, especially when engaged in
with respect to novel activities such as cyber operations. This lack of legal
normative clarity invites states to take differing interpretive positions. A
state’s objective view of the law may drive the legal position it adopts;
however, it would be naïve to deny that policy and ethical influences have an
effect on such determinations.
Controversy and inexactitude will surely
characterise this process, which will be neither linear nor logical. The
weakening of the early Russian and Chinese objections to the application of
extant international law to cyberspace is a milestone in this regard. Yet,
while both states have backed away from their opening stance on the issue, it
remains unclear where they stand today. Other states such as the United States
and the Netherlands are beginning to show a willingness to articulate their
positions on how current international law applies in cyberspace. Nonetheless,
the public pronouncements to date have been vague, probably intentionally so.
Despite the attention that cyber activities have drawn
in the past decade, the conclusion of new treaties or the crystallisation of
new customary law norms to govern them is doubtful. Opposition from western
states is particularly marked to the former, at least.118 Instead, the
application and interpretative evolution of existing international law is the
most likely near-term prospect. As to customary law, although it may sometimes
develop rapidly, “usually customary law is too slow a means of adapting the law
to fast-changing circumstances.”119
Consequently, the work of scholars such
as the International Group of Experts who prepared the Tallinn Manual,
and those who are engaged in the follow-on “Tallinn 2.0” project, is likely to
prove especially influential. This dynamic is appropriate since, as noted in
Article 38 of the International Court of Justice’s Statute, the work of
scholars is a secondary source of law that informs identification and
application of primary sources. But this reality is certainly less than
optimal, because states, and only states, enjoy the formal authority to make
international law. Unless they wish to surrender their interpretive prerogative
to academia, it is incumbent upon them to engage with cyber issues more openly
and more aggressively.
In this patchwork and nebulous
environment, the role of other normative regimes looms large. Only in
exceptional circumstances may their dictates cross the international law
border. However, where those boundaries are indistinct, common policy or
ethical norms may operate to define the outer boundaries of acceptable conduct
in cyber space. Because cyber activities are a relatively new phenomenon,
policy and ethical norms may serve to carve out more restrictive boundaries
than international laws which are designed to constrain the other activities of
states. Over time, these non-legal norms may mature through codification into
treaty law or crystallise into customary law, such that they formally define
the limits of cyber activities. In the meantime, cyberspace will remain an
environment of fervent, and often multi-directional, normative development.