When More is Less: The US Department of Defense’s Statement on Cyberspace

On 2 March 2020 Paul Ney, General Counsel to the US Department of Defense (DoD), gave a speech at the US Cyber Command Legal Conference setting out the DoD’s position on the application of national and international law to cyberspace. Robert Chesney (at Lawfare) and Michael Schmitt (at Just Security) have provided a panoramic assessment of the legal issues arising from this statement. This post focuses on one particular aspect of the DoD’s statement: its treatment of the rule of sovereignty under international law. Two questions are addressed: does the DoD view sovereignty as a rule of international law applicable to cyberspace and, if so, what types of malicious cyber activity does the DoD regard this rule as prohibiting?

The Rule of Sovereignty

In May 2018, the UK Attorney General took the position that sovereignty is not a stand-alone rule of international law. For the UK, it is only those cyber operations that rise to the level of coercive intervention or a use of force that are internationally wrongful. It has long been rumoured that the US endorses this approach, and the DoD General Counsel appears to confirm this when he states that the DoD’s stance on sovereignty ‘shares similarities with the view expressed by the U.K. Government in 2018’. Moreover, the DoD statement explains:

For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory.

Intriguingly, as the statement develops there appears to be a softening in the DoD’s approach:

[E]stablishing that a proposed cyber operation does not violate the prohibitions on the use of force and coercive intervention does not end the inquiry. These cyber operations are subject to a number of other legal and normative considerations.

As a threshold matter, in analyzing proposed cyber operations, DoD lawyers take into account the principle of State sovereignty … The implications of sovereignty for cyberspace are complex, and we continue to study this issue and how State practice evolves in this area, even if it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law.

The key feature of this quotation is that, for the DoD, it ‘does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law’ (my emphasis). The implication is that there are some cyber operations that infringe state sovereignty and are internationally wrongful.

How can we explain the DoD’s prevarication on sovereignty? It seems that the DoD is hedging its bets. On the one hand, and as the statement explains, the DoD wants to preserve its ability under international law to ‘defend forward’ and conduct non-coercive cyber operations against other states. On the other hand, the DoD is obviously aware that states such as Australia, France and the Netherlands expressly support sovereignty as a rule of international law. As the above quotation reveals, the DoD recognises that state practice is evolving and it wants to leave room for manoeuvre in the event that other states coalesce around the view that sovereignty is a rule of international law.

Cyber Sovereignty: Cyber Intrusion and Cyber Espionage

The DoD statement provides no guidance on what types of cyber operations infringe state sovereignty. Yet, it clearly determines that ‘non-consensual cyber intrusions into another State’s territory’ are not prohibited by international law. The statement gives two reasons to support this conclusion.

First, the statement points to ‘many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks.’ State silence can qualify as opinio juris and inform the content of customary law (Fisheries, p. 139). However, this methodology must be employed cautiously because there may be many reasons why states choose to remain silent even when they fall victim to conduct that they regard to be internationally wrongful. Thus, silence can contribute to the formation of custom only when ‘the circumstances called for some reaction’ (International Law Commission, Draft Conclusion 10(3)). Whether a situation calls for a reaction is an important yet under-researched question, and its analysis falls beyond the scope of this post (on this see here). But the problem with the DoD’s position is its automatic assumption that state silence in the face of cyber intrusion equals legal acceptance.

Moreover, there is state practice to support the proposition that the rule of sovereignty prohibits non-consensual cyber intrusions. For France:

Any cyberattack against French digital systems or any effects produced on French territory by digital means by a State organ … constitutes a breach of sovereignty (p. 7).

Focusing on the term ‘effects’, Schmitt concludes that ‘the French would reject the premise that any remotely conducted cyber operation into its territory violates French sovereignty’. I disagree with this interpretation. The French statement explains that ‘[a]ny cyberattack against French digital systems or any effects produced on French territory’ amounts to a violation of sovereignty. The use of the disjunctive ‘or’ in this sentence indicates that a cyberattack against digital systems is sufficient to violate sovereignty, independent of its effects. Moreover, the French statement uses the term cyberattack to describe cyber operations that violate the rule of sovereignty. While it is correct that the concept of ‘cyberattack’ is generally used to refer to cyber operations that produce destructive effects, ‘cyberattack’ is a descriptive rather than a legal term and has different meanings to different actors. The French statement contains a glossary for key terms and it defines ‘cyberattack’ as:

A deliberate offensive or malicious action carried out via cyberspace and intended to cause damage (in terms of availability, integrity or confidentiality) to data or the systems that treat them, which may consequently harm the activities for which they are the medium (p. 18).

‘Cyberattack’ is defined as a cyber operation that causes damage to data or systems. Critically, ‘damage’ is defined broadly as operations affecting the availability, integrity or confidentiality of data or systems. For me, the French statement regards all non-consensual cyber operations that intrude into computer systems as compromising their integrity and thus causing damage, even if the availability of those systems (that is, their functionality) is unaffected.  

Second, the DoD statement uses espionage as an ‘analogue’ to support its claim that cyber intrusions are not unlawful. The DoD is correct that international law does not per se prohibit espionage. But what is surprising is that the DoD considers espionage to be compatible with the rule of sovereignty ‘even when it involves some degree of physical or virtual intrusion into foreign territory’. The statement justifies this conclusion on the basis of the ‘many concrete examples of States’ practicing it’. However, the DoD fails to recognise that espionage is – almost by definition – a secret activity. As I have argued elsewhere, secret state practice cannot influence the development of customary law and, as a result, states have not successfully carved out a permissive espionage exception to the rule of sovereignty (Navarrete and Buchan, 2019).

Furthermore, there is evidence within state practice and the jurisprudence of national and international tribunals which rejects the DoD’s claim that intrusive espionage operations are lawful. In the case of espionage involving a physical intrusion into foreign territory, in 2008 the Federal Court of Canada refused to issue a warrant authorising the Canadian Security Intelligence Service to conduct surveillance within the territory of other states:

The intrusive activities that are contemplated in the warrant sought are activities that clearly impinge upon the above-stated principles of territorial sovereign equality and non-intervention (para 50).

In the international context, in 1986 the International Court of Justice determined that the US’s use of reconnaissance aircraft within Nicaragua’s airspace was unlawful:

The principle of respect for territorial sovereignty is also directly infringed by the unauthorized overflight of a State’s territory by aircraft belonging to or under the control of the government of another State (para 251).

In relation to espionage involving a virtual intrusion into computer networks, my argument is that states regard the rule of sovereignty as providing their cyber infrastructure with the same degree of protection as it does their physical territory. The reaction of a number of states to the 2013 Snowden revelations supports this approach. For example, the Pro-Tempore President of MERCOSUR submitted a Note Verbale to the UN Secretary-General ‘[c]ondemning the acts of espionage carried out by intelligence agencies of the United States of America … [which] constitute unacceptable behaviour that violates our sovereignty’ (p. 2). Separately, the Foreign Minister of Venezuela explained before the Security Council that ‘we reject the actions of global espionage carried out by the Government of the United States, which undermine the sovereignty of States’ and called upon the UN to ‘punish and condemn this violation of international law’ (p. 8).

Conclusion

State practice is critical to understanding how international law applies to cyberspace. This is the US’s third major statement on the application of international law to this domain. Yet, as with the 2012 and 2016 statements by the Department of State, the DoD’s statement does little to clarify the US’s position on sovereignty. First, it is deliberately ambiguous on the important question of whether sovereignty is a rule of international law. Second, its bold assertion that penetrative espionage operations do not violate the rule of sovereignty is unconvincing given its failure to substantiate this conclusion with reference to state practice and the jurisprudence of national and international tribunals.
