'Defend Forward' and Sovereignty

Among the most discussed provisions of the Tallinn Manual 2.0 is Rule 4: “Violation of sovereignty.” Rule 4 provides: “A State must not conduct cyber operations that violate the sovereignty of another State.” Considered alone, Rule 4 is banal and unobjectionable, since there are many established sovereignty-based international-law rules that cyber operations might violate. For example, the UN Charter’s prohibition on certain uses of force and the customary international-law rule of nonintervention constrains cyber operations by one state in another. The hard question is whether international law related to sovereignty prohibits anything more. Here the commentary to Rule 4 is quite ambitious. It argues that a stand-alone customary international-law concept of state sovereignty operates to regulate and render illegal certain cyber operations that would not otherwise be illegal under any of the specific and acknowledged sovereignty-based rules of international law. This paper argues that the discrete rules articulated in the Rule 4 commentary do not reflect customary international law. The Rule 4 commentary cites very little legal authority in support of its bold conclusions and lacks any practical connection to the complex interplay of extensive state practice and opinio juris that constitutes customary international law.