Old Habits Die Hard: Applying Existing International Law in Cyberspace and Beyond


In the past few years, a growing number of states have expressed their official positions on the applicability of international law in cyberspace. Most recently, New Zealand and Israel shared their own views on the topic to beef up the crowd. Initiatives of this kind are welcome and contribute to the gradual clarification of the extent to which international legal rules govern activities in the ever-evolving and still mysterious ‘cyber domain’ or ‘sphere’.

As things stand, there is widespread agreement that international law applies in cyberspace. This view can be confirmed not only on the basis of numerous position papers by individual states, but also by looking at the outputs of multi-lateral fora, such as the UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE) and the UN Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG, see Revised Pre-Draft Report, § 7). Thus, it appears that the main focus of ongoing debates has now moved to understanding how existing international law applies in cyberspace — an effort which has been spearheaded by numerous civil society and academia-led initiatives like the Tallinn Manual 2.0 and the Oxford Process (see here and here).

However, despite the general acknowledgment that international law applies to cyberspace, doubts have been raised about the extent to which existing international rules or principles apply to this new area of state activity. On a non-negligible number of occasions, some governments and scholars have suggested that particular international legal obligations do not apply in cyberspace. This idea seems to be premised on two mutually reinforcing assumptions. First, that existing international law can only apply in cyberspace if substantiated by sufficient evidence of domain-specific state practice and opinio juris. This search for cyber-specific practice and opinio juris is then backed with calls for more national statements on how international law applies to cyber operations. Second, in some cases, standards of conduct which actually reflect existing international obligations under general international law have been framed, in the context of cyberspace, as ‘voluntary, non-binding, norms of responsible state behaviour’. For example, the 2015 UN GGE Report (para. 13(c)) affirms that ‘States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs’. This so-called ‘voluntary’ or ‘non-binding’ norm, in fact, refers to what the International Court of Justice referred to in the Corfu Channel case (UK v Albania, p. 22) as ‘every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.’ This obligation is one to act with due diligence and has come to be described as such. However, for some, the implication of putting a norm into the basket labelled ‘voluntary, non-binding’ is that the corresponding rules or principles have not yet developed or crystallised for cyberspace, or that this ‘domain’ has been carved out from the scope of said obligations. This blog post seeks to challenge these two assumptions.

Is it necessary to prove ‘new’ or specific state practice and opinio juris for existing international law to apply in cyberspace?

The first premise is commonly grounded in the idea that cyberspace is a ‘new (virtual) domain’ or field of activity and, as such, like the physical domains of air, land, sea and outer space, requires specifically-tailored rules. Israel’s Deputy Attorney General put the argument more subtly and more persuasively, when he stated that:

“It cannot be automatically presumed that a customary rule applicable in any of the physical domains is also applicable to the cyber domain. The key question in identifying State practice is whether the practice which arose in other domains is closely related to the activity envisaged in the cyber domain. Additionally, it must be ascertained that the opinio juris which gave rise to the customary rules applicable in other domains was not domain-specific. Given the unique characteristics of the cyber domain, such an analysis is to be made with particular prudence, as it is very often the case that relevant differences exist.”

It is correct that there are cases where practice or opinio juris indicates that the application of a rule is limited to a particular context or to a specific type of activity. For example, the practice or opinio juris relating to the obligation of states to respect freedom of navigation in the high seas is restricted to the high seas. It does not guarantee freedom of navigation throughout the seas, nor does it oblige states to guarantee freedom of movement elsewhere.

However, in the absence of a limitation to a particular context or type of activity, or where the previous expression of a rule (including the opinio juris and the practice) is general, there is nothing in international law that suggests that one must seek to ascertain whether a rule applies across ‘domains’. For example, it is prohibited for states to arrest the serving head of another state. It matters not where the arrest takes place. To take another example, in the course of an armed conflict, it is prohibited for states to direct attacks against civilians. Again, it matters not where the civilians (or the attackers) are or what weapons are used.

The idea that international law applies to ‘domains’ seems to be derived from the context of armed conflict where the concept ‘serves as a fundamental organizing idea, reflecting the way we conceptualize the battlefield and categorize actions taking place during armed conflict.’ (McCosker, ‘Domains of Warfare’, in Saul & Akande (eds.) Oxford Guide to International Humanitarian Law, 2020, p. 97). However, even in that context, it is important to recall that ‘much of IHL is not domain-specific and applies generally’ (McCosker, p. 78). The same is true of the law relating to the use of force. It is prohibited to use force against other states and no inquiry needs be made about the ‘domain’ in which a state using force is acting. In sum, we should be sceptical about a supposition that the application of international law rules is ‘domain’ specific.

In any event, there are good reasons to question that cyberspace is a new ‘domain’ requiring domain-specific state practice and opinio juris. The term ‘cyberspace’ is misleading in that cyber activities, whether carried out by states or non-state entities, do not occur in a new, virtual space. Rather, what we often call ‘cyberspace’ is nothing more than a set of information and communications technologies that enable individuals to exchange and process information more efficiently, such as the Internet and other networks. As much as software, code and data play a significant role in how these technologies operate, they are necessarily made up of physical components or hardware, such as cables, satellites, radio waves, computers and their millions of silicon circuits, as well as the individuals who build, control and use software, hardware and data. Likewise, even if these multifaceted physical components cross national borders to create an imaginary ‘global information space’, as encapsulated in terms such as ‘The Cloud’, ‘World Wide Web’, or ‘Virtual Reality’, these remain very much grounded in tangible physical infrastructure as well as human beings of flesh and bone that are located somewhere in the world. 

That cyberspace is nothing more than a set of technologies was already reflected in the language used in the various GGE reports as well as the OEWG’s mandate and documents, which refer precisely to ‘information and communication technologies (ICTs)’. Thus, when it comes to ‘cyberspace’ or ‘cyber operations’, it is more accurate and appropriate to frame questions of applicability of international law to new technological developments. After all, online resources and activities are not an end in themselves, but a means to achieve different aims or effects that will usually manifest themselves, in different ways, in one or more of the traditional physical domains.

In international as in domestic law, the fact that human beings have developed new technologies over time, such as trains, cars, telephones, televisions, and mobile phones, does not mean that these create new ‘domains’ or ‘spaces’ which cannot be subject to existing legal rules or principles, such as tort or criminal law. The International Court of Justice recognised as much in its Nuclear Weapons Advisory Opinion (§§ 39 and 86). Similarly,  in its Draft articles on Prevention of Transboundary Harm from Hazardous Activities (154, Commentary to Draft Article 3, para 11), the International Law Commission noted that new technologies are also subject to positive duties to prevent transboundary harm. In 2020, UN member states involved in the OEWG explicitly ‘confirmed that measures to promote responsible State behaviour should remain technology-neutral, underscoring that it is the misuse of such technologies, not the technologies themselves, that is of concern’ (§ 21). 

This ‘tech-neutrality’, in turn, means that existing international law writ large regulates state conduct carried out through ICTs, at least by default and to the extent relevant.  International legal rules or principles of general applicability, i.e., applicable under general international law to all types of state activity in the relevant circumstances, such as the prohibition on the use of force, non-intervention, the Corfu Channel rule of ‘due diligence’, international human rights law and international humanitarian law, thus, do not need further proof of applicability to ICTs or other new technologies via specific state practice and opinio juris ‘in cyberspace’. Their scope is sufficiently broad to be interpreted and applied to ICTs. It is the burden of those advocating for ICTs’ exclusion from their scope to present evidence that states, in their general practice accepted as law, have actively carved out ICTs.

This conclusion does not deny that, when applying general rules of existing international law to new technologies, some loose ends may need to be tied and adjusted with best implementation practices to account for certain specific features, such as the unprecedented speed, reach and transboundary nature of ICTs. That notwithstanding, and in line with the views expressed on the issue by an overwhelming majority of States, the starting point is the applicability of existing international law, rather than a legal vacuum. As the Czech Republic has recently pointed out, general international law’s full applicability and flexibility are particularly important vis-à-vis ICTs, given their rapid development and the difficulty for new and detailed treaty instruments to keep up with such speed (at page 2).

Do ‘voluntary non-binding norms’ replace established international rules?

This leads us to the second question outlined above: the relationship between existing international law and the so-called ‘voluntary, non-binding norms’ of responsible state behaviour, especially those articulated in the 2015 GGE Report, subsequently endorsed by the UN General Assembly by consensus (§ 1-2(a)). The fact that the report distinguishes between the application of international law to ICTs and ‘voluntary, non-binding norms’ might at first glance be taken as an argument that none of the latter ‘norms’ are to be complied with as a matter of legal obligation. Indeed, some of those norms do not reflect binding international law obligations. However, some of them do use, explicitly or implicitly, the language of law. Reference has already been made to the norm that states ‘should not knowingly allow their territory to be used for internationally wrongful acts using ICTs’, which is the due diligence obligation that derives from the rule of law set out by the ICJ in the Corfu Channel case. Even more explicit is the norm in para 13(f) of the 2015 GGE Report, affirming that ‘a State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure …’ This is a norm maintaining that states should not act contrary to their international obligations.

Could it be that certain well-established rules of international law have been demoted to non-binding recommendations by effect of the GGE work? Is it possible that though these rules are generally applicable, they do not survive as legal obligations in the cyber context because states have chosen to regard them, in that context, as only voluntary and non-binding? This may be the assumption that undergirds the recent statements mentioned at the beginning of this post, for instance as they relate to the concept of due diligence (see New Zealand, §§ 16-17; and the speech by Israel’s Deputy Attorney General Schondorf). However, this argument fails to observe that the articulation of these norms is without prejudice to states’ rights and obligations under international law (see Finland’s February 2020 OEWG Statement). Indeed, § 10 of the 2015 GGE Report makes it clear that these ‘norms do not seek to limit or prohibit action that is otherwise consistent with international law.’ As eloquently put in the latest OEWG Revised Pre-Draft Report:

‘Voluntary, non-binding norms reflect the expectations of the international community and set standards regarding the acceptable and unacceptable behaviour of States in their use of ICTs. They play an important role in increasing predictability and reducing risks of misperceptions, thus contributing to the prevention of conflict. Norms do not replace or alter States’ obligations under international law, which are binding, but rather provide additional specific guidance on what constitutes responsible State behaviour in the use of ICTs. […] Alongside international law, voluntary non-binding norms complement confidence-building and capacity-building measures and related efforts to promote an open, secure, stable, accessible and peaceful ICT environment.’ (at page 7, Introduction to Section D)


‘In their discussions at the OEWG, States reiterated that voluntary, non-binding norms of responsible State behaviour are consistent with international law and with the purposes and principles of the United Nations, including to maintain international peace and security and the promotion of human rights.’ (§ 38).

Thus, the mere fact that states have decided, for whatever political reason, to mirror existing rules of international law in their policy recommendations cannot free the former of their binding legal force. Otherwise, recommendations such as the one in para 13(f) of the 2015 GGE Report, establishing that a ‘State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure’, would become a contradiction in terms. As noted by France, Australia, Germany, the United Kingdom, Poland, Brazil and the Dominican Republic, the voluntary, non-binding norms are complementary rather than alternative to existing international law. Thus, compliance with several norms of responsible state behaviour in cyberspace is not only expected on a voluntary basis, but also required as a matter of applicable international law. Where the norms correspond to established rules of international law, the wealth of state practice and attitudes expressed in their implementation (see, e.g. the documents released by the UK, Canada and Australia), serves not only to confirm the applicability of existing rules to ICTs, but also to mould their interpretation as these rules and technologies evolve over time.  


Unlike history, international law can be re-written, provided that states agree to new rules by treaty or customary international law. But what has been written or accepted remains there, until such time as new rules have been developed. General rules and principles of international law continue to govern state behaviour, irrespective of the technologies used.  For ICTs to be carved out or subjected to new rules, a new treaty or sufficient state practice and opinio juris would be necessary. Yet, not only have states reaffirmed the applicability of extant international law in ‘cyberspace’, but they continue to act upon it, whether they expressly admit it or not.

