Wheatley: Election hacking, the rule of sovereignty, and deductive reasoning in customary international law

Steven Wheatley (Univ. of Lancaster - Law) has posted Election hacking, the rule of sovereignty, and deductive reasoning in customary international law (Leiden Journal of International Law, forthcoming). Here's the abstract:

This article considers the international laws applicable to irresponsible state behaviour in cyberspace through the lens of the problem of election hacking. The rule of sovereignty has taken centre stage in these discussions and is said to be preferred to the non-intervention rule because it evades the problem of coercion. Proponents of the cyber rule of sovereignty contend that there is such a rule; opponents reject the existence of the rule as a matter of existing law. The objective here is to explore the methodologies involved in the identification of the cyber rule of sovereignty under customary international law. The work first frames the debate in the language of regulative and constitutive rules, allowing us to show that a regulative rule of sovereignty can, logically, and necessarily, be deduced from the constitutive rule of sovereignty. The content of the regulative rule can also be deduced from the constitutive rule of sovereignty, but it has a more limited scope than claimed by the proponents of the rule, notably the Tallinn Manual 2.0. The rule of sovereignty prohibits state cyber operations carried out on the territory of the target state and remote cyber operations which involve the exercise of sovereign authority on that territory, e.g., police evidence-gathering operations. The rule of sovereignty does not, however, prohibit other remote, ex situ state cyber operations, even those targeting ICTs used for governmental functions, including the conduct of elections. The rule of sovereignty is not, then, the solution to the problem of election hacking.

Dothan: Facing Up to Internet Giants

Shai Dothan (Univ. of Copenhagen - Law) has posted Facing Up to Internet Giants (Duke Journal of Comparative & International Law, forthcoming). Here's the abstract:

Mancur Olson claimed that concentrated interests win against diffuse interests even in advanced democracies. Multinational companies, for example, work well in unison to suit their interests. The rest of the public is not motivated or informed enough to resist them. In contrast, other scholars argued that diffuse interests may be able to fight back, but only when certain conditions prevail. One of the conditions for the success of diffuse interests is the intervention of national and international courts. Courts are able to fix problems affecting diffuse interests. Courts can also initiate deliberation that can indirectly empower diffuse interests by getting them informed. This paper investigates the jurisprudence of the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU). It argues that these international courts help consumers, a diffuse interest group, to succeed in their struggle against internet companies, a concentrated interest group.

Call for Papers: CyCon 2023

The NATO Cooperative Cyber Defence Centre of Excellence has issued a call for papers for the legal track of the 15th International Conference on Cyber Conflict (CyCon), to be held May 30-June 2, 2023 in Tallinn. CyCon is a multidisciplinary conference, combining academic research with high-level policy and strategy perspectives on cyber defence and security. The deadline is October 15, 2022. The call is here.

Eichensehr: Not Illegal: The SolarWinds Incident and International Law

Kristen Eichensehr (Univ. of Virginia - Law) has posted Not Illegal: The SolarWinds Incident and International Law (European Journal of International Law, forthcoming). Here's the abstract:

In 2021, the United States and other governments formally blamed Russia for a wide-ranging hacking campaign that breached the update process for SolarWinds Orion network monitoring software and used that access to compromise numerous government agencies, companies, and other entities. Despite denouncing Russia’s cyberespionage and imposing sanctions, the United States did not call Russia’s actions illegal as a matter of international law—and for good reason. Based on the publicly available facts, this article argues that the SolarWinds incident likely did not run afoul of international law as it currently stands. The article considers the prohibitions on the use of force and intervention, emerging rules with respect to cyber operations and violations of sovereign and due diligence, and international human rights law, and it concludes with some reflections on the role of states and scholars in decisions about whether to close gaps in international law.

Hollis, van Benthem, & Dias: Information Operations under International Law

Duncan B. Hollis (Temple Univ. - Law), Tsvetelina J van Benthem (Univ. of Oxford), & Talita Dias (Univ. of Oxford) have posted Information Operations under International Law (Vanderbilt Journal of Transnational Law, forthcoming). Here's the abstract:

Information operations (IOs) can be defined as the deployment of digital resources for cognitive purposes to change or reinforce attitudes or behaviors of the targeted audience in ways that align with the authors’ interests. While not a new phenomenon, these operations have become increasingly prominent and pervasive in today’s digital age, a trend that the ongoing war in Ukraine and the use of the internet for terrorist purposes tragically demonstrate. Against this backdrop, this paper critically assesses the existing international legal framework applicable to IOs. It makes three overarching claims. First, IOs can cause real and tangible harms to individual and state interests protected by international law. To prevent and remedy such harms, a robust and comprehensive legal framework constraining the use of IOs by both state and non-state actors becomes a necessity. Second, existing international law regulates IOs through a system of prohibitions, permissions, and requirements. In particular, the paper analyzes the extent to which international human rights law, the principles of non-intervention and sovereignty, and due diligence obligations apply to state and non-state uses of IOs. Third, the fact that existing international law captures some of the harms of IOs does not mean that this framework is sufficient or adequate. In fact, we argue that, in their current form, international rules on IOs are only partially effective given challenges relating to their (i) application; (ii) orientation; (iii) complexity; and (iv) enforcement in the context of information and communications technologies. While accepting that international law, both conventional and customary, already contains important protections against harmful IOs, our analysis aims to reignite a much-needed discussion of the merits and shortcomings that adopting a new regime tailored to IOs might produce.

Call for Papers: Nordic perspectives on the international legal regulation of cyberspace

A call for papers has been issued for a conference on "Nordic perspectives on the international legal regulation of cyberspace," to be held September 28-29, 2022, at the University of Copenhagen. The call is here.

Symposium: The Evolving Face of Cyber Conflict and International Law: A Futurespective

On June 15-17, 2022, the American University Washington College of Law will host an in-person symposium on "The Evolving Face of Cyber Conflict and International Law: A Futurespective." Program and registration are here.

Shany & Mimran: International Regulation of Cyber Operations

Yuval Shany (Hebrew Univ. of Jerusalem - Law) & Tal Mimran (Hebrew Univ. of Jerusalem - Law) have posted International Regulation of Cyber Operations (in Oxford Handbook on the Regulatory Governance of Technology, D. Levi-Faur, ed., forthcoming). Here's the abstract:

Advertisement

Cyberspace constitutes an unstable environment, featuring rapid changes in the nature of the actors using it, the technologies applied and the inter-personal, governmental and commercial interactions facilitated thereby. The global COVID-19 pandemic exponentially accelerated the trend of digitalization in various fields of life, increasing even more the dependency on cyber-infrastructure and with it the potential for harmful cyber-attacks.

Advertisement

Traditionally, states have been cautious in invoking international law in the context of cyber-attacks, and they tended to refrain from denouncing attacks against them as violations of international law, or attributing it to other states. This state of affairs appears to be changing, however. While there are of disagreements as to the way that international law applies in the cyberspace, a common understanding had emerged about some key international law norms that apply in this field. States like Australia, France, Germany, Israel, the United Kingdom, and the Netherlands have recently articulated their legal positions on how international law applies in cyberspace. In the same vein, states who fell victim to cyber-attacks are increasingly attributing them, as an international law matter, to other states, or non-state actors. Arguably, the increased role played by international law in cyberspace constitutes a reaction to the fact that cyber-attacks become more and more frequent, and dangerous, capable of shutting down critical infrastructure, including nuclear centrifuges and water pumping facilities.

Advertisement

This chapter will describe and critically evaluate the norms of international law which regulate cyber-operations, and discuss some of the policy considerations underlying them. Part I offers a short history of cyber-attacks. Part II presents the current international law framework governing cyber-attacks. Part III delves into the attribution challenge in cyberspace. Part IV concludes and suggests a way forward.

Akande, Coco, & de Souza Dias: Drawing the Cyber Baseline: The Applicability of Existing International Law to the Governance of Information and Communication Technologies

Dapo Akande (Univ. of Oxford - Law), Antonio Coco (Univ. of Esse - Law), & Talita de Souza Dias (Univ. of Oxford) have posted Drawing the Cyber Baseline: The Applicability of Existing International Law to the Governance of Information and Communication Technologies (International Law Studies, Vol. 99, 2022). Here's the abstract:

"Cyberspace" is often treated as a new domain of State activity in international legal discourse. This has led to the assumption that for international law to apply to cyber operations carried out by States or non-State actors, "cyber-specific" State practice and opinio juris must be demonstrated. This article challenges that assumption on five different bases. First, it argues that rules of general international law are generally applicable to all domains, areas, or types of State activity. In their interpretation and application to purported new domains, limitations to their scope of application cannot be presumed. Second, this article demonstrates that the concept of "domain" is not aimed at excluding certain domains from international law’s scope of application. Third, in any event, cyberspace is not a domain or a space, in the way that land, air, sea, or outer space are. Rather, it is a combination of multilayered information and communications technologies operating across different domains. Fourth, and relatedly, international law is technology-neutral, in that it applies to all technology unless stated otherwise. Fifth, the framing of certain international legal rules as policy recommendations cannot displace existing international law. On those bases, we conclude that existing international law applies as a whole and by default to States’ use of information and communications technologies.

Boer: International Law As We Know It: Cyberwar Discourse and the Construction of Knowledge in International Legal Scholarship

Lianne J. M. Boer (Vrije Universiteit - Law) has published International Law As We Know It: Cyberwar Discourse and the Construction of Knowledge in International Legal Scholarship (Cambridge Univ. Press 2021). Here's the abstract:

International legal scholars tend to think of their work as the interpretation of rules: the application of a law 'out there' to concrete situations. This book takes a different approach to that scholarship: it views doctrine as a socio-linguistic practice. In other words, this book views legal scholars not as law-appliers, but as constructing knowledge within a particular academic discipline. By means of three close-ups of the discourse on cyberwar and international law, this book shows how international legal knowledge is constructed in ways usually overlooked: by means of footnotes, for example, or conference presentations. In so doing, this book aims to present a new way of seeing international legal scholarship: one that pays attention to the mundane parts of international legal texts and provides a different understanding of how international law as we know it comes about.

Tsagourias & Buchan: Research Handbook on International Law and Cyberspace (2nd ed.)

Nicholas Tsagourias (Univ. of Sheffield - Law) & Russell Buchan (Univ. of Sheffield - Law) have published Research Handbook on International Law and Cyberspace (2nd ed., Edward Elgar Publishing 2021). The table of contents is here. Here's the abstract:

This revised and expanded edition of the Research Handbook on International Law and Cyberspace brings together leading scholars and practitioners to examine how international legal rules, concepts and principles apply to cyberspace and the activities occurring within it. In doing so, contributors highlight the difficulties in applying international law to cyberspace, assess the regulatory efficacy of these rules and, where necessary, suggest adjustments and revisions.

More specifically, contributors explore the application of general concepts and principles to cyberspace such as those of sovereignty, power, norms, non-intervention, jurisdiction, State responsibility, human rights, individual criminal responsibility and international investment law and arbitration. Contributors also examine how international law applies to cyber terrorism, cyber espionage, cyber crime, cyber attacks and cyber war as well as the meaning of cyber operations, cyber deterrence and the ethics of cyber operations. In addition, contributors consider how international and regional institutions such as the United Nations, the European Union, NATO and Asia-Pacific institutions and States such as China and Russia approach cyber security and regulation.

Hollis & van Benthem: Threatening Force in Cyberspace

Duncan B. Hollis (Temple Univ. - Law) & Tsvetelina J van Benthem have posted Threatening Force in Cyberspace (in Big Data and Armed Conflict: Legal Issues Above and Below the Armed Conflict Threshold, Laura Dickinson & Edward Berg eds., forthcoming). Here's the abstract:

Threats have long been endemic in inter-State relations with diverse goals, communicative values and means of signaling. Yet, international law explicitly focuses on just one type of threat – threats of force. Under the jus ad bellum, States must refrain from threats of force in their international relations. As we explain, this prohibition has received limited attention from States unlike its companion – the prohibition on uses of force. Yet, existing doctrine establishes that States can violate it by threatening force implicitly as well as explicitly, with the legal threshold measured via an objective methodology. This chapter aims to update and extend the international legal prohibition on threats of force to cyberspace. The idiosyncrasies of information and communications technologies provide fertile ground for cyber-specific threatening behavior. The ubiquity of unauthorized access means that a compromise for one purpose – e.g., espionage – could, under the right circumstances, simultaneously (and implicitly) threaten a future use of force. Our chapter aims to offers an initial analytical frame for identifying when this may (or may not) be a credible possibility. In particular, we highlight the potential of “Big Data” to change the nature of cyber threats of force as well as its capacity to improve States’ ability to identify them. We argue that advancements in digital technologies are likely to put the viability and sufficiency of existing legal standards and methodologies to the test.

Our chapter concludes with a call for States to recognize and accommodate the prohibition on threats of force in all their cyber operations. Applying this prohibition to cyberspace may offer a new and meaningful way to enhance the stability and security of international relations in cyberspace. At the same time, a greater appreciation of Big Data’s potential may itself evolve States’ general understanding of the jus ad bellum in this digital age.

Call for Papers: CyCon 2022

The NATO Cooperative Cyber Defence Centre of Excellence has issued a call for papers for the legal track of the 14th International Conference on Cyber Conflict (CyCon), to be held May 31-June 3, 2022 in Tallinn. CyCon is a multidisciplinary conference, combining academic research with high-level policy and strategy perspectives on cyber defence and security. The extended deadline is October 24, 2021. The call is here.

Call for Submissions: Cyber Law Toolkit

A call for submissions has been issued for the 2022 update of the Cyber Law Toolkit, a dynamic interactive web-based resource for legal practitioners and scholars working on international law and cyber operations. Here's the call:

Call for Submissions: Cyber Law Toolkit. Cyber Law Toolkit, the leading online resource on international law and cyber operations, is inviting submissions for its next general update in September 2022. Successful authors will be awarded an honorarium. The Toolkit consists of a growing number of hypothetical scenarios, each of which contains a description of cyber incidents inspired by real-world examples and accompanied by detailed legal analysis. To keep pace with the recent developments in the cyber security domain and remain a relevant resource for practitioners and scholars alike, the Toolkit is regularly updated. The project team welcomes proposals for new scenarios to be included in the 2022 Toolkit update. This call for submissions is open until 1 November 2021. For more information, please see the full text of the call.

Moulin: Le cyber espionnage en droit international

Thibault Moulin has published Le cyber espionnage en droit international (Pedone 2021). Here's the abstract:

Faut-il, dès lors, considérer que « tout ce qui n’est pas interdit est permis », y compris en matière de cyber-espionnage ? Il convient de répondre par la négative, et souligner que le cyber-espionnage est sujet à un évitement normatif. Il n’est, en effet, ni interdit ni permis. D’une part, il n’est pas « interdit », car la commission de tels actes ne saurait constituer un fait internationalement illicite. D’autre part, il n’est pas « permis », « autorisé » ou ne constitue pas un « droit », car les Etats peuvent tout à fait prendre des mesures pour empêcher d’autres Etats d’exercer des activités de cyber-espionnage à leur encontre. D’un côté, les Etats souhaitent profiter de cette absence de règlementation internationale et ne sont pas favorables à une prohibition expresse de l’espionnage. D’un autre côté, ils ne souhaitent pas pour autant consacrer un « droit » à l’espionnage, dans la mesure où l’activité peut aller à l’encontre de leurs intérêts. C’est bien le cas en matière de cyber-espionnage, et ce phénomène d’évitement normatif se manifeste tant à l’égard des règles connectées à l’intégrité territoriale (Première partie), dont l’application est nécessairement perturbée par les caractéristiques uniques du cyber-espace, qu’à l’égard des règles déconnectées de l’intégrité territoriale (Deuxième partie).

Coco & de Souza Dias: 'Cyber Due Diligence': A Patchwork of Protective Obligations in International Law

Antonio Coco (Univ. of Essex - Law) & Talita de Souza Dias (Univ. of Oxford - Jesus College) have posted 'Cyber Due Diligence': A Patchwork of Protective Obligations in International Law (European Journal of International Law, forthcoming). Here's abstract:

With a long history in international law, the concept of due diligence has recently gained traction in the cyber context, as a promising avenue to hold states accountable for harmful cyber operations originating from, or transiting through, their territory, in the absence of attribution. Nonetheless, confusion surrounds the nature, content and scope of due diligence. It remains unclear whether it is a general principle of international law, a self-standing obligation or a standard of conduct, and whether there is a specific rule requiring diligent behaviour in cyberspace. This has created an ‘all-or-nothing’ discourse: either states have agreed to a rule or principle of ‘cyber due diligence’, or no obligation to behave diligently would exist in cyberspace. We propose to shift the debate from label to substance, asking whether states have duties to protect other states and individuals from cyber harms. By revisiting traditional cases, as well as surveying recent state practice, we contend that – whether or not there is consensus on ‘cyber due diligence’ – a patchwork of different protective obligations already applies, by default, in cyberspace. At their core is a flexible standard of diligent behaviour requiring states to take reasonable steps to prevent, halt and/or redress a range of online harms.

Heller: In Defense of Pure Sovereignty in Cyberspace

Kevin Jon Heller (Univ. of Copenhagen; Australian National Univ.) has posted In Defense of Pure Sovereignty in Cyberspace (International Law Studies, forthcoming). Here's the abstract:

The final report of the United Nations Open-Ended Working Group (OEWG), adopted by consensus in March 2021, affirms that international law applies to cyberspace and calls upon states “to avoid and refrain from taking any measures not in accordance with international law.” Significant differences nevertheless remain concerning how international law applies to cyberspace, because states have been unable to agree on what kinds of cyber-operations international law prohibits. Instead, the OEWG’s final report simply – and rather tepidly – articulates 11 “voluntary, non-binding norms of responsible State behaviour.”

States are particularly divided over the international wrongfulness of cyber-operations that penetrate computer systems located on the territory of another state but do not rise to the level of a use of force or prohibited intervention – what are often referred to as “low intensity” cyber-operations. Low-intensity cyber-operations, which include most acts of extraterritorial law-enforcement (including counterterrorism) and espionage, are the most common form of cyber-operation and are likely to become even more common over time, given their relative lack of expense and their significant utility for states.

States have adopted three very different positions concerning whether low-intensity cyber-operations are internationally wrongful, all of which turn on whether such operations violate the sovereignty of the territorial state. The first position, endorsed by the UK and the US, is that low-intensity cyber-operations are never wrongful, because sovereignty is a principle of international law, not a primary rule that can be independently violated. The second position, defended most vigorously by France, is that low-intensity cyber-operations are always wrongful, because sovereignty is a primary rule of international law that is violated by any non-consensual penetration of a computer system located on the territory of another state – what has been called the “pure sovereigntist” approach. And the third position, adopted by states such as the Netherlands and the Czech Republic, is that although sovereignty is a primary rule of international law, only low-intensity cyber-operations that cause some kind of physical damage to the territorial state or render its cyber-infrastructure inoperable are wrongful – what has been called the “relative sovereigntist” approach.

This article has two purposes: to explain the different positions that states have taken on whether low-intensity cyber-operations violate sovereignty, and to provide a comprehensive analysis of which position is the strongest both legally and in terms of cyber policy. The article is divided into five sections. Section I briefly explains why sovereignty is a primary rule of international law, not simply a principle from which specific primary rules can be derived. Section II asks whether sovereignty applies in cyberspace as a rule, agreeing with the vast majority of states that it does. Section III explains and assesses the two positions that states have taken concerning how sovereignty applies in cyberspace as a rule: pure sovereignty and relative sovereignty. It concludes that the pure-sovereigntist position has a much stronger foundation in general international law than the relative-sovereigntist position. Section IV then analyses and rejects the most common legal objection to that conclusion: the supposed permissibility of espionage. Finally, Section V argues that a variety of policy considerations also favour pure sovereignty over relative sovereignty.

Ponta: Responsible State Behavior in Cyberspace: Two New Reports from Parallel UN Processes

Adina Ponta (Babeș-Bolyai Univ.) has posted an ASIL Insight on Responsible State Behavior in Cyberspace: Two New Reports from Parallel UN Processes.

Conference: The Challenge of Global Cybersecurity

On September 16-17, 2021, the University of Grenada will host a conference on "The Challenge of Global Cybersecurity." Program and registration are here.

Conference: The Peaceful Settlement of Cyber Disputes

On March 4-5, 2021, the Sheffield Centre for International and European Law at the University of Sheffield will host an online conference on "The Peaceful Settlement of Cyber Disputes." Registration is free but prior registration is required. The program and registration details can be found here.