Current International Law Is Not an Adequate Regime for Cyberspace
States will struggle to find cyber relevance in international law until new instruments of international law—or adaptations of current law—account for the core features of the cyber strategic environment.
Published by The Lawfare Institute
in Cooperation With
States increasingly agree that international law, specifically the U.N. Charter and rules of customary international law (CIL) derived from the charter’s principles, applies to cyberspace. Yet both are a poor fit for cyber activities. The charter reflects a bias toward what has been termed the conventional strategic environment, and CIL has evolved in the shadow of both the conventional and nuclear environments. In these environments, states threaten international stability by seeking strategic gains through either coercion or brute force. The cyber strategic environment differs in that threats to stability derive from exploitation—that is, states unilaterally using code to take advantage of others’ cyber vulnerabilities for the purpose of realizing strategic gains.
It should be unsurprising, then, that states have struggled to offer comprehensive and in-depth opinio juris on how international law applies to the cyber context. States will struggle to find cyber relevance in international law until new instruments of international law—or adaptations of current law—account for the core features of the cyber strategic environment, the state behaviors they obligate, and how strategic advantage can be achieved lawfully and unlawfully through those behaviors. The rule of nonintervention is a good candidate for adaptation.
Strategic Environments
Cyber persistence theory, which informs U.S. Cyber Command’s doctrine of persistent engagement, is premised on the argument that cyberspace is not merely a domain but a strategic environment—and, importantly, one distinct from the nuclear and conventional strategic environments. Whereas U.S. warfighting domains—air, land, maritime, space and cyberspace—describe military operational “space,” strategic environments comprise core features that condition states’ security behaviors. Simply stated, the core features of the nuclear environment are segmentation, that is, a feature that manifests as territorial boundaries, and incontestable costs (that is, there is no valid defense against nuclear weapons), which lead to a dominant behavior of coercion in the form of a deterrence strategy (that is, mutually assured destruction). The conventional strategic environment also comprises segmentation but is coupled with contestable costs (conventional capabilities, unlike nuclear weapons, may be defended against). This leads to dominant, episodic behaviors of brute force or coercion, where the latter takes the form of a deterrence strategy threatening to impose costs or a compellence strategy imposing costs through conventional war.
Post-World War II international law, specifically the U.N. Charter and subsequent CIL interpretations of the charter, was conditioned by the weight of these core features. With the objective of saving “succeeding generations from the scourge of war,” these rules of state behavior are centered on sovereignty, nonintervention, coercion, threat or use of force, and armed attack.
The cyberspace strategic environment is distinct from the nuclear and conventional environments, which poses a challenge to the relevance of these rules. Cyber persistence theory argues that, simply stated, the core features of the cyber strategic environment comprise interconnectedness (not segmentation), a condition of constant contact (not the prospect of episodic action), an abundance of organic vulnerabilities, and macro-resilience (an ability to recover from exploitation of those vulnerabilities). Consequently, states face a security imperative to persist in seizing and maintaining the initiative to set the conditions of security in their favor in and through cyberspace. States can do so through various strategies, policies and activities that reduce the potential for exploitation of their own vulnerabilities and exploit the vulnerabilities of adversaries.
States may reduce their potential for exploitation through internal-facing measures, such as patching, firewalls and intrusion detection systems. External-facing measures will be based primarily on unilateral exploitation of vulnerabilities. Importantly, states are incentivized to exploit at-scale because doing so can lead to strategic advantage without necessarily degrading the environment. More importantly, states can achieve strategic advantage—and shift the international distribution of power—through persistent cyber operations or campaigns with cumulative effects or intent that are not coercive, do not represent a violation of the prohibition on threat or use of force, and are not equivalent to an armed attack under Article 51 of the U.N. Charter. Yet these operations or campaigns may still endanger international peace and security. In the cyber strategic environment, states achieve strategic advantage through exploitation, not through the brute force or coercion that they use in the conventional and nuclear strategic environments.
For this reason, the body of law conditioned by the nuclear and conventional strategic environments struggles to be relevant in the cyber strategic environment. If state behavior is to be regulated by international law, the law must reflect the behavioral space it seeks to regulate.
A few states have called for new instruments of international law for cyberspace. Such instruments may indeed be necessary, given the significant differences between the core features of the nuclear and conventional strategic environments as opposed to the cyber strategic environment. However, some argue that the prospects for new cyber treaty law are slim and that cyber-relevant law will most likely come through state practice, including opinio juris. Before considering lex ferenda—that is, the law as it ought to be for the cyber context—states must accept the inadequacy of current rules as applied to the cyber strategic environment.
Creating new legal instruments or developing cyber-relevant opinio juris will be challenging. Either approach should apply the perspective of cyber persistence theory. An initial application explored below focuses on the rule of nonintervention. Admittedly, it may be an act of fitting a square peg into a round hole given that the rule of nonintervention was conditioned by the nuclear and conventional environments. The effort is complicated further by somewhat different understandings of coercion in security studies as opposed to international law materials—as Harriet Moynihan notes, analogies with coercion outside the international law context need to be treated with care. Additionally, there are differences in understandings of coercion among states and scholars of international law. Nonetheless, this and other adaptations must be pursued because the status quo in the cyber strategic environment is untenable.
The Rule of Nonintervention
Intervention into the “internal or external affairs” of other states is a prohibited internationally wrongful act. Two conditions must be met to determine a violation of the prohibition. First, the prohibition applies only to matters that fall within another state’s domaine réservé. These are matters that international law leaves to the sole discretion of the state concerned, described in the Declaration on Principles of International Law, Friendly Relations and Co-operation Among States as the “choice of a political, economic, social and cultural system, and the formulation of foreign policy.” Second, an act must involve coercion. Stated simply, a coercive act as understood in international law is one designed to compel another state to take action it would otherwise not take or to refrain from taking action in which it would otherwise engage.
The government of the Netherlands notes, however, “The precise definition of coercion, and thus of unauthorized intervention, has not yet fully crystallized in international laws.” Participants in the Tallinn process described coercion as referring “to an affirmative act designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way.” Moynihan argues that states should, instead, understand coercive behavior “as pressure applied by one State to deprive the target State of its free will in relation to the exercise of its sovereign rights in an attempt to compel an outcome in, or conduct with respect to, a matter reserved to the target State.” Others, meanwhile, advocate for lowering the threshold at which mere influence becomes unlawful coercion, claiming that a hostile cyber operation should not necessarily have to deprive a state of all reasonable choice, so long as it renders making the choice difficult.
These differing views can lead to differing interpretations of cyber campaigns. For example, opinions vary among international legal experts as to whether the 2016 Russian cyber campaign, including the compromise of Democratic National Committee servers, was coercive.
Gary Corn has argued that the rule of nonintervention should be understood as intended to prevent states from employing measures aimed at depriving a targeted state of the free exercise of its will over protected sovereign matters. If understood in this way, a condition of coercion would be met by states engaging in cyber-enabled “strategic covert deception” campaigns, as measures of deception are commonly recognized in domestic legal systems as cognizable harms because they are a means of undermining the exercise of free will. Corn links this back to coercion, arguing that states frequently regulate deception either directly in the form of fraud-based proscriptions, or indirectly by making deception a constructive substitute for force or coercion elements of other crimes.
Conceptualizing nonintervention and coercion in this manner is a novel and laudable effort. It highlights the level of effort required to apply a legal regime to a strategic environment against which it is misaligned. Corn accepts that his effort to “reinforce the existing international legal architecture” for the “modern information environment” is not a panacea and that what is required is a “far more holistic and concerted approach[.]” Notably, he addresses only a subset of state strategic cyber behavior. His reasoning would not necessarily support conclusions that, for example, China’s massive cyber-enabled intellectual property theft campaign—or Russia’s significant exploitation through the SolarWinds platform—constituted a coercive act.
An alternative approach would be to understand nonintervention through the lens of cyber persistence theory. Under this theory, states’ dominant behaviors are understood not as coercion under any of the various definitions presented above but, rather, as modes of exploitation—that is, unilateral behavior that takes advantage of others’ vulnerabilities in and through cyberspace. This reasoning is better aligned with the cyber strategic environment.
Exploitation in Cyberspace and in International Law
In the cyber lexicon, the National Institute of Standards and Technology defines a vulnerability as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Cybersecurity firms, such as TrendMicro, note that an exploit refers to computer “code that takes advantage of a software vulnerability or security flaw.”
What about exploitation? Herb Lin defines cyber exploitation in an espionage context as a “cyber offensive action conducted for the purpose of obtaining information.” Similarly, the U.S. Department of Defense’s cyber doctrine describes exploitation as “actions [that] include military intelligence activities, maneuver, information collection, and other enabling actions required to prepare for future military operations.”
Both of these definitions focus too narrowly. Cyber persistence theory argues that state exploitative behaviors in and through cyberspace are not merely an intelligence contest, but a strategic competition. In this context, cyber exploitation should be understood more generally as one state using code to take advantage of others’ cyber vulnerabilities for the purpose of gaining strategic advantage. According to cyber persistence theory, this exploitative behavior manifests primarily as the cyber fait accompli—a limited unilateral gain at a target’s expense where that gain is retained when the target is unaware of the loss or is unable or unwilling to respond. An initial exploitation could serve the objective of setting the conditions of security in the exploiter’s favor, or it may support follow-on objectives seeking additional political, economic or military advantage. These objectives might include, for example, exfiltration of confidential communications or intellectual property, illicit acquisition of international currency or, perhaps, potential future coercive actions. Indeed, Corn notes that Russia’s initial exploitation of Democratic National Committee servers was followed by an exfiltration of sensitive communications, which were then used in a strategic information campaign to undermine confidence in the U.S. electoral process.
Existing international law already contains a notion of exploitation, and it might seem best to suggest an adaptation of nonintervention based on those preexisting understandings. However, these concepts differ from the understanding of exploitation in cyber persistence theory—so further innovation is necessary. In international law, use of the term “exploitation” indicates two alternate meanings: one technical, the other normative. In reference to a “thing,” such as an economic resource, exploitation has a neutral, technical connotation. Thus, the U.N. Convention on the Law of the Sea notes:
[T]he area of the seabed and ocean floor and the subsoil thereof, beyond the limits of national jurisdiction, as well as its resources, are the common heritage of mankind, the exploration and exploitation of which shall be carried out for the benefit of mankind as a whole, irrespective of the geographical location of States[.]
Concerns about the negative impacts of exploitation understood in this manner are reflected in international law and international environmental law. But the issue in these arenas is almost never exploitation in the pejorative sense. Rather, the term refers to a condition of nonsustainability or environmental degradation. Clearly, this technical understanding of exploitation does not contribute to aligning international law with the cyber strategic environment.
There are, however, contexts in which exploitation is also used pejoratively in international legal materials, usually concerning an effort to secure the redress of something considered wrongful. The exploitation of children is prominent on the international legal agenda, as is the sexual exploitation of women and, more generally, human trafficking. There is also a long history of international law-making with regard to slavery and forced labor and child labor. While pejorative exploitation is not independently defined in international law, the first contextualized definition of exploitation appears in a treaty addressing human trafficking:
“Trafficking in persons” shall mean the recruitment, transportation, transfer, harboring or receipt of persons, by means of the threat or use of force or other forms of coercion, of abduction, of fraud, of deception, of the abuse of power or of a position of vulnerability or of the giving or receiving of payments or benefits to achieve the consent of a person having control over another person, for the purpose of exploitation. Exploitation shall include, at a minimum, the exploitation of the prostitution of others or other forms of sexual exploitation, forced labor or services, slavery or practices similar to slavery, servitude or the removal of organs.
Pejorative exploitation, no matter the context in these materials, is consistently framed in terms of “having control over another person.” Thus, it is notionally equivalent with many understandings of coercion in the context of the rule of nonintervention, which are framed as depriving a state of free exercise of will over sovereign matters. As such, like the technical understanding of exploitation, the pejorative understanding of exploitation in international legal materials diverges from how cyber persistence theory describes exploitation in cyber strategic competition. Therefore, this understanding offers little purchase for aligning international law with the cyber strategic environment.
Exploitation and Intervention
Adapting the rule of nonintervention to focus on exploitation rather than coercion does not require starting from scratch. The understandings of coercion by Tallinn experts, Moynihan and Corn, presented previously, serve as useful points of departure. While those understandings are not identical, they share the notion of depriving a state of freedom of choice or free will to exercise choice, or of making it difficult to make a choice. As noted previously, in the context of nonintervention this condition is applied against a state’s domaine réservé. Exploitation in cyber strategic competition diverges from these understandings in that it does not result in such deprivation or difficulty. Instead, exploitation affects the functioning of the political, economic, cultural, and foreign policy matters or systems that are freely chosen by a state by changing the circumstances under which those matters or systems operate. If it is to be cyber relevant, the current understanding of intervention must be adapted to account for this behavioral reality.
Just as all coercive acts may not be internationally wrongful, nor should all acts of exploitation be considered such. An effort to adopt exploitation as a condition must identify a de minimis threshold or limiting principles, the breaching of which would represent a violation of the rule of nonintervention. To put it another way, when does exploitation constitute unlawful behavior? The logic of this approach suggests an obligation would be breached when exploitation leads to freely chosen matters or systems not functioning as a state intended.
It is far easier to ascertain if cyber exploitation was unlawful after the fact—by assessing to what degree it impacted the functioning of a freely chosen matter or system—than it is to declare a priori, absent any context, how and when exploitation might be unlawful. China’s cyber-enabled intellectual property theft campaign serves as a good illustration of both. In the 2011 International Strategy for Cyberspace, the Obama administration noted that cyber-enabled exploitation of intellectual property can result in “unfair competition” and erode “competitiveness in the global economy, and businesses’ opportunities to innovate.” In early 2013, White House Press Secretary Jay Carney noted that the administration made clear to China “at the highest levels” that the scope and scale of its cyber-enabled intellectual property theft was unacceptable. Essentially, the administration argued that China was changing the circumstances under which the free-market economic system freely chosen by the U.S. government was operating—so the system was not functioning as intended due to China’s exploitative actions.
The scope of Russia’s 2016 cyber-enabled election interference campaign and the release of sensitive e-mails acquired from the same arguably impacted the functioning of the freely chosen U.S. government election system by changing the circumstances under which it was operating. Russia’s assessed objectives were “impairing, obstructing, and defeating the lawful functions of the government … for the purpose of interfering with the U.S. political and electoral processes.”
These examples suggest that the scope and scale of a cyber operation or campaign could serve as useful limiting principles for exploitation. Writing from an intelligence studies perspective, Michael Warner has noted that scale has given cyber operations a strategic character different from that of traditional intelligence activities. Richard Harknett and I argued the same from a security studies perspective. In addition to ascribing a strategic character to cyber operations, scale and scope may also change the character of cyber operations impacting domaine réservé from lawful to unlawful. But the key point is that if nonintervention is to be cyber relevant, unlawfulness should be a function of exploitation, not coercion.
Adopting an exploitation-based condition faces two challenges: one cultural, the other normative. The cultural hurdle is the need to recognize that states primarily seek lawful and unlawful advantage in and through cyberspace, through continuous, exploitative campaigns, not through episodic, coercive acts. With this in mind, states could argue that the breach of an international obligation by a state occurs through a series of exploitative actions or omissions defined in aggregate as wrongful.
This leads to the normative hurdle. Cyber persistence theory argues that states have a security imperative to persist in seizing the initiative, in part, by continuously engaging in campaigns that exploit adversary vulnerabilities. An exploitation-based rule of nonintervention would prohibit the pursuit of that imperative in ways that alter the functioning, as a state intended, of its freely chosen matters or systems. The hurdle is that states must accept that all states seeking security must act in and through cyberspace to do so. This raises at least one concern: One could easily foresee states with benign intentions abiding by this imperative and inadvertently violating a de minimis threshold for unlawfulness. Then again, the intention of the condition would be to prohibit nondiscriminant actions, so perhaps this concern is a welcome one.
Conclusion
Although states agree that international law should apply to cyberspace and, as the Open-ended Working Group on information and communications technologies noted recently, that “further common understandings need to be developed on how international law applies,” states should anticipate that common understandings around current law will be very difficult to come by unless they alter their strategic frame of reference. Novel legal instruments or adaptations to current law should be premised on the core features of the cyber strategic environment, the state behaviors they obligate, and how strategic advantage can be achieved lawfully and unlawfully through those behaviors. Exploitation, not coercion, is the dominant behavior in and through cyberspace through which states are currently endangering international peace and security. Adapting the rule of nonintervention to address exploitation would mark a step in the right direction.