Cyber operations and the application of rights inherent in sovereignty to new domains of operation
In a post earlier this year on EJIL Talk!, Dapo Akande, Antonio Coco and Talita Dias argued that cyber operations do not constitute a unique ‘domain’ of operations based on their characteristics because they physically manifest on computer systems and are mere ‘technological developments’, ‘nothing more than a set of technologies’ equivalent to ‘trains, cars, telephones, televisions, and mobile phones’ which did not themselves ‘create new ‘domains’ or ‘spaces’ which cannot be subject to existing legal rules or principles’. Existing rules of international law therefore apply without the need to develop domain specific state practice or opinio juris, albeit with ‘some loose ends may need to be tied…’.
This post hopes to offer a response and some thoughts in relation to these points. I argue that cyber operations have unique characteristics that pose significant problems in interpreting existing rules of international law to apply to them, and as such they constitute a unique area of operations comparable to the domains of air, sea and space. If existing rules of international law, such as the rights inherent in sovereignty, are to apply with any specificity to cyber operations as a domain or area of operations with unique characteristics, states must develop specific rules either through forming customary international law or by negotiating rules in the form of a treaty. To demonstrate this, I examine how the rights inherent in sovereignty have been developed by states to apply to unique domains or areas of operations in the past. This overview focuses exclusively on the rights inherent in sovereignty, for the sake of brevity, but also because they occupy a central and critical function in the application of existing rules of international law to unique domains or areas of operation. From this overview I identify a common trend of interests that need to be balanced by states that are of direct relevance for the debate on sovereignty and cyber operations, namely ‘absolute sovereignty’ and ‘absolute freedom’.
The significance and status of cyberspace as a new ‘domain’ of operations
There is widespread agreement among states that existing international law, in particular the UN Charter, applies in cyberspace (see 2013 and 2015 Reports of the UN GGE, Final Report of the UN OEWG). Even the UK position that expressly denies the existence of a ‘cyber specific rule of a “violation of territorial sovereignty”’ recognises that ‘[t]he question is not whether or not international law applies, but rather how it applies…’ [emphasis added].
But what is the significance of identifying cyber operations as a new ‘domain’ of operations, and what is a ‘domain’? In 2016 NATO allies recognised cyber operations as a fifth domain of operations in addition to land, air, sea and space, and many states including the US refer to cyber as such. While in practice armed conflicts often involve ‘multi’ or even ‘all-domain’ operations, there is no traditional guidance in relation to what would constitute a ‘domain’ in relation to general international law. Israel’s Deputy Attorney General recently touched on the application of rules of customary international law in relation to ‘physical domains’ in the cyber context:
‘It cannot be automatically presumed that a customary rule applicable in any of the physical domains is also applicable to the cyber domain. The key question in identifying State practice is whether the practice which arose in other domains is closely related to the activity envisaged in the cyber domain. Additionally, it must be ascertained that the opinio juris which gave rise to the customary rules applicable in other domains was not domain-specific. Given the unique characteristics of the cyber domain, such an analysis is to be made with particular prudence, as it is very often the case that relevant differences exist.’
In response, it has been argued that since cyber operations manifest themselves physically on computer systems, they are not sufficiently different than traditional operations and as such somehow do not qualify as a new domain of operations, and that ‘cyberspace is nothing more than a set of technologies'. Similarly, Delerue, whose monograph is dedicated to the difficulties cyber operations pose for international law, has also argued against recognising cyberspace as a fifth domain, in part from a different direction, because we cannot manifest ourselves physically into the domain (here, p. 302).
These arguments do not adequately capture the inherent difficulties presented by the unique characteristics of cyber operations for existing rules of international law. The unique characteristics of cyber operations relate to their ability to remotely affect multiple targets in numerous states simultaneously and continuously from any geographic location. The physical manifestation of domains of operation in the past has borne no relation to their classification as new domains of operation (air, sea, space). Neither the ‘technology neutral’ status of international law (Nuclear Weapons), their man-made nature, nor the reframing of cyber operations as mere ‘technological developments’ preclude cyber operations from presenting unique challenges. As with previous ‘domains’, it is the fact that cyber operations involve unique characteristics which require states to formulate and agree upon a particular interpretation of existing rules of international law that apply to govern them which makes them distinct.
The motivation behind arguing cyber is not a domain and therefore rules of international law apply without the need to develop domain specific state practice or opinio juris appears to stem from two points. First, a will to confirm that all rules of international law apply to cyberspace following contested phrasing in the drafting process of the UN OEWG report and comments by some states about domain specific rules. While 193 participating states recently adopted the UN OEWG Final Report by consensus that confirms ‘international law, and in particular the Charter of the UN’ applies to cyber operations, the report has been criticised for not including stronger references to the applicability of IHL and international human rights law. Second, confusion over what Schmitt refers to as two ways in which statements by states may ‘clarify the grey zone issues’:
‘First, when sufficient State practice and opinio juris exist to constitute “a general practice accepted as law,” a new norm of customary international law crystallizes. Yet, because the threshold for crystallization is high, it is more likely that grey zones will be narrowed through State expressions of opinio juris that clarify uncertainties or disagreements over the extant law. In this regard, opinio juris serves an interpretive function, rather than a law-creating one. Such expressions can also contribute to the interpretation of ambiguous treaty provisions, such as the meaning of the terms “use of force” and “armed attack” in Articles 2(4) and 51, respectively, of the U.N. Charter.’ [emphasis added]
Schmitt’s quote citing the Vienna Convention on the Law of Treaties addresses ambiguous treaty provisions such as use of force and armed attack, but would such an ‘interpretive function’ developing agreement by states that sovereignty is a rule that is capable of being violated by cyber operations, setting a cyber specific threshold for a violation of sovereignty, not in itself be ‘law-creating’, as its specific applicability to cyber would crystallise into customary international law?
The broader debate among states and the establishment and mandates of the UN GGE and UN OEWG as forums for states to develop agreement on how rules of international law apply to cyber operations alone reflects that they are unique enough in character to pose problems as a distinct area of operations, without reference to classic case studies such as Stuxnet to demonstrate the damaging capabilities of cyber. Questioning the subjective status of cyber operations as a ‘domain’ misses the point. It is unclear how a cyber specific threshold for existing rules, such as a rule of sovereignty, could be developed or agreed upon by states without developing domain specific state practice or opinio juris. Is it not more pertinent to examine how states develop existing rules of international law to apply to a new domain or area of operations that possess unique characteristics?
Sovereignty and previously emerging domains of operation
Three core rights are traditionally understood to be inherent in the principle of sovereignty: territorial sovereignty; the right to independence of state powers; and sovereignty equality. For a discussion of sovereignty and its corollary rules, see Moynihan. A growing number of states and scholars assert that cyber operations can violate the sovereignty of a state as a rule of customary international law, resulting in an internationally wrongful act (see statements of Austria, the Czech Republic, Finland, France, Germany, the Netherlands and Iran, though there are significant differences in the positions of these states on how a rule of sovereignty applies). Alternatively, Corn and Taylor assert that states having developed different regimes to govern the domains of air, space and sea demonstrates that sovereignty is an underlying principle of international law from which binding rules emanate and develop (also see position of the UK).
Territorial sovereignty, or internal sovereignty, was originally established in relation to kinetic operations on land. An examination of emerging domains of operation including air, sea and space reveals debates among states and academics over operational tensions that existed between ‘absolute sovereignty’ and ‘absolute freedom’.
When states were grappling with sovereignty and the aerial domain, debate formed between two approaches: One contended that airspace was free and sovereignty did not apply to regulate the aerial domain, the other that a state was sovereign not only over land and waters within its boundaries but also airspace over its territory. This debate matured as states accepted that an intermediary approach was required to balance both the interests of protection of the subject state and the need for unimpeded navigation. In the end, states agreed that air space above a state’s land and territorial waters was subject to ‘the complete and exclusive sovereignty’ of the respective state (Article 1, Convention on International Civil Aviation), while by signing the Chicago Convention and other international treaties most states subscribed to certain international standards and practices permitting specific cross-border aviation operations.
In the law of the sea, maritime states advanced claims based on the freedom of navigation and coastal states advanced claims based on sovereignty. The origins of this tension reflecting the competing interests of states can be traced back to Grotius’s Mare Liberium (1608), which advocated the unrestricted right of all ships to all waters, and Selden’s response in Mare Clausum (1631) which argued that portions of the sea that were contiguous to the coastline had naturally been subjected to territorial ownership and dominion by states. Over time, the balancing of these competing interests resulted in agreement among states on certain rules e.g., that coastal waters are subject to the sovereign jurisdiction of a state as an extension of the state’s territory (Article 2, UNCLOS). This jurisdiction is subject to the right of innocent passage (Article 17, UNCLOS; Also see Corfu Channel), whereby a vessel is permitted to pass through the archipelagic and territorial waters of another state, subject to certain restrictions. Elsewhere, the balancing of interests resulted in zones and areas of enumerated rights and freedoms. For example, in the EEZ coastal states only enjoy sovereign rights (Article 56 UNCLOS), while the high seas were proclaimed incapable of occupation and free from claims of sovereignty (Article 87, UNCLOS).
Whereas airspace above a state’s land and territorial waters is subject to ‘the complete and exclusive sovereignty’ of the respective state (Article 1, Convention on International Civil Aviation), outer space, like the high seas, is excluded from claims of sovereignty. In the debate over the application of sovereignty to space, two main approaches can be discerned. The ‘spatial’ approach argued that geometrical criteria should be used to set the boundary between air space and outer space, whereas the ‘functional’ approach argued that a boundary between air space and outer space was not necessary and that activities in both regions of space should be regulated according to their objectives and missions rather than a geographical location of where activities take place. While territorial sovereignty of airspace primarily developed to balance the national security concerns of states and their commercial interests relating to freedom of air navigation, these same interests were not as immediately apparent to states in relation to outer space during the beginning of the space era. This led to the affirmation by states that territorial sovereignty should not be extended to outer space, which has since crystallised into customary international law.
What does this mean for cyber operations?
The development by states of the rights inherent in sovereignty, in particular territorial sovereignty, to apply to emerging unique domain of operations in the past reveals commonalities in balancing particular state interests. The cyber debate features the same tensions between ‘absolute freedom’ and ‘absolute sovereignty’. On the one hand, there are those who deny a primary rule of sovereignty applies to cyber operations below the threshold of a prohibited intervention in a position that favours operational freedom (e.g. the UK). On the other, there are those who argue a purist catch-all rule of sovereignty applies to regulate state cyber operations against systems on the territory of another state (exemplified by the French position). I have argued elsewhere that it is not possible for states to enjoy both the protection of a purist rule of sovereignty as a catch-all ‘normative firewall’ and the unfettered operational flexibility to conduct low-level offensive cyber operations.
Despite the analogies presented above, it is not possible to assume that any specific rules of international law as developed by states in relation to each of these domains, and rules associated with those specific interpretations, e.g. right of innocent passage, would be directly transposable to cyber operations with any practical specificity to identify threshold at which a rule of sovereignty may be violated. This is largely my understanding of what Israel’s Deputy Attorney General is referring to in the quote above. Nonetheless, the process of developing the rights inherent in sovereignty to apply to cyber operations requires a similar approach, balancing the interests of ‘absolute sovereignty’ and ‘absolute freedom’, protecting critical national infrastructure on the territory of states while maintaining the freedom of states to engage in low-level cyber operations which are essential for national security and to achieve policy objectives.
Over time, in the absence of a treaty, statements by states on how they interpret existing international law to apply to cyber operations and corresponding state practice may contribute to the formation of specific customary international law that may focus or rule out the application of such rules: Space is an example of a domain in which states agreed territorial sovereignty was not applicable, forming customary international law. As such, what remains to be decided by states is far more than ‘some loose ends [that] may need to be tied and adjusted with best implementation practices to account for certain specific features’: Until states move towards agreement on practical thresholds of rules and the scope of their application, the specific application of certain fundamental rules of international law to cyber operations, including the rights inherent in sovereignty, remain uncertain.
Conclusion
That cyber operations manifest themselves on physical components of computer systems or that they exist as result of advances in technology does not negate the fact that they have characteristics which distinguish them as a unique domain or area of operations. Indeed, the divergent positions of states and the larger academic debate over the application of existing rules of international law to cyber operations is evidence of their uniqueness and of the fundamental problems they present. The position that states may somehow decide a cyber specific threshold at which a violation of sovereignty occurs without the need to develop domain specific state practice or opinio juris is not consistent with the development of international law to unique areas or domains of operation in the past.
The rights inherent in sovereignty play a fundamental role in developing the application of existing international law to unique domains or areas of operation. A ‘rule’ of sovereignty as discussed by states in the cyber context is potentially the most directly applicable and relevant rule in relation to recent cyber-attacks that have brought these issues into sharp relief (see discussion in EJIL: The Podcast! Episode 3), such as scenarios addressed by the Oxford Statements (health care sector targets, COVID-19 vaccine research, foreign electoral interference). However, without engaging with the debate on sovereignty, the elephant in the room, can civil society and academia-led initiatives such as the Oxford Statements really make significant progress in ‘spearhead[ing]’ the understanding of how existing international law applies to cyber operations? By comparison, see the substantial treatment of sovereignty in the Tallinn Manual 2.0 and its significant influence on the positions adopted by some states, e.g. Finland, Germany.
The debate over the status of sovereignty as a primary rule or an underlying principle from which binding rules emanate and develop is not as important as it would seem. Both positions ultimately accept that any rule of sovereignty that applies with specificity to regulate the unique characterictics of cyber operations is for states to determine or clarify through the formation of customary international law or by negotiating treaty rules. Far from ‘re-writing’ existing international law, the current situation follows a natural process whereby states are engaging to decide how existing international law applies to a unique domain or area of operations. As for the rights inherent in sovereignty, history determines this will be achieved by states finding a balance between ‘absolute sovereignty’ and ‘absolute freedom’.
* Jack is a DPhil Candidate in public international law at the University of Oxford and a Research Fellow at the Hebrew University of Jerusalem.