Published: December 26^th, 2017 at LAWFARE

It’s not often that we come away from international law workshops impressed and inspired by the methodological debates. But that was how we all felt after the HUJ Cyber Security Research Center event on the Tallinn Manuals on Cyber Operations. Before sharing our thoughts, we’d should add that Yuval Shany is the director of the HUJI Cyber Security Research Center and Matt Waxman is an external advisor.

The workshop – which was conducted under Chatham House rules and included current and former officials as well as academics from Israel and NATO members – explored important and substantive questions of international law and cyber operations, including the rules and thresholds regarding sovereignty, force, countermeasures, and self-defense. Some of the most heated and productive debates, however, centered not on the answers to these questions but on the best way to approach them.

For starters, most of the participants seemed to accept that new cyber treaties are unlikely, but that existing international legal frameworks are applicable and should be adapted to deal with cybersecurity and cyberconflict. From this starting point a significant methodological split emerged, with many participants falling somewhere in between.

One approach, reflected to a large extent in the Tallinn Manuals, relies heavily on analogical reasoning. International law doctrine for kinetic operations or actions traditionally taking place in physical space regulates activities on the territory of non-consenting states, appropriate responses to hostile actions, countermeasures, states’ duties to mitigate threats to others, and so on. These rules are not always clear and uncontested, but to the extent they are, international rules for cyber can best – or at least presumptively – be derived by analogy. What do various cyber-activities or responses to cyber-activities most resemble in physical space, and what would their rules dictate? Advantages of this deductive approach include clarity, consistency of legal rules across various domains, and the legitimacy that comes from prior state consent and consensus. Many states therefore gravitate naturally toward this approach.

An alternative approach, whose precise contours have yet to be clearly spelled out, starts not with existing doctrines from physical space but with their purpose: international stability, self-protection of states’ core interests, responsibility for protecting individual rights, and so on. It asks what rules would best contribute to those purposes and what legal principles might underlie them. Critics argue that this tends to reduce law to policy and that the purposes are ill-defined, but this principle-based approach may produce legal interpretations that are more effective and lasting if states find that they serve their common interests.

These competing approaches – and, again, there are also middle-ground or hybrid positions –represent a familiar debate between legal formalism and instrumentalism, but cybersecurity and cyberconflict add some special twists, especially for the United States and Israel. Most significantly, technology is changing rapidly, as are cyber capabilities and vulnerabilities. Accordingly, it is a tricky task to predict in advance how effectively rules may work and serve their interests. States are still developing their strategies and counterstrategies, and much of the planning and operations take place in secret and under conditions of uncertainty regarding future technology and the degree to which other actors can be induced to “play by the rules.”

As top-tier cyber-powers as well as military powers (regionally, in Israel’s case), the United States and Israel may have much to gain from the second functional approach, especially if they combine it with a prudent wait-and-see strategy of legal diplomacy that emphasizes pragmatic responses to real-world contingencies (e.g. public as well as back-channel diplomatic responses to cyberattacks, cyber-intelligence operations, cyber operations against non-state actors, etc.).

A problem, however, is that there is a race between real-world events, spurred by fast changes in technology, and the adaptation of international law. In this race, the latter may be at risk of losing or have a hard time keeping up. Government officials and outside experts are therefore wrestling with ways of accelerating legal adaptation. Against this background, the following were some of the more interesting questions we heard being debated at this workshop:

• Should states be taking a more active role in explaining publicly their general approach to international law and cyber-operations, including how legal regulation fits with their broader cyber strategy?
• Are some states miscalculating the relative costs and benefits of secrecy and transparency of specific cyber-operations or responses to them, given a desire to shape international rules through actual practice and justification?
• With little likelihood of broad multilateral breakthroughs, should small groups of states try to develop and promote diplomatically some common interpretive approaches?
• What role does the technology industry have to play in international legal adaptation, given that while international law remains the province of states, private companies have extensive influence over this area?
• Should new institutions be created in order to provide common security solutions, to attribute legal responsibility for cyberattacks, and to engage, where necessary, in collective reaction to large-scale cyberattacks affecting a multiplicity of jurisdictions?