The cyber domain has been a focus of US-China relations since the start of the Xi Era a decade ago. While there were agreements signed (not necessarily upheld by Beijing) by the US and PRC during the Obama administration, very little progress has been made since in limiting the scale of cyber operations both below the threshold of war and in the event the cold war turns hot. Just recently, the NSA publicly commented on the worrying scale of PRC intrusions into US critical infrastructure that often have little to do with direct military operations. In other words, when it comes to buying time and deterring US response in the Pacific, the CCP very much believes the US populace must suffer and be held at risk. In the first Breaking Beijing guest post, US Army CPT Trevor J. Potter provides some thoughts on how the US can lead on cyber norms and craft an effects-based approach to cyber statecraft.
There are two philosophies about how sovereignty should apply to state-sponsored cyber activities. The first view states that sovereignty is a principle of international law that may guide decisions in cyberspace, but it does not amount to a stand-alone primary rule in cyber operations. The alternative majority view holds that low-intensity cyber operations that fall below the non-intervention threshold are in fact unlawful violations of sovereignty. International law includes two legal regimes relating to war and the use of force: the jus ad bellum, or the law governing the resort to force, and the law of armed conflict (LOAC), the law governing the conduct of hostilities and the protection of persons during armed conflict. The former forbids the use of force by one state against another, except by invitation, in self-defense, or with authorization by the United Nations Security Council, in pursuit of the UN’s central goal of “saving succeeding generations from the scourge of war.”[1] The latter seeks to minimize suffering in war by protecting those who are not participating in hostilities and by constraining the means and approaches of warfare. The Tallinn Manual 2.0 adopted this view by taking preexisting rules of sovereignty and non-intervention and applying them to operations in cyberspace.
I. Sovereignty as it applies to Cyberspace Operations
Sovereignty includes a bundle of rights. The Corfu Channel case defined sovereignty as ‘[a] body of rights and attributes, which a State possesses in its territory, to the exclusion of all other states, and in its relations with other States’.[2] Violation of territorial sovereignty usually involves some physical intrusion into a state’s territory. While a state’s cyber activities do possess some physical features (i.e., computer hardware and infrastructure), most state-to-state cyber operations involve persistent, low-level disturbances that do not escalate to the use of force. Cyber operations mostly rely on the spread of data and content through and between physical devices. Because cyberspace doesn't have territorial boundaries, data often crosses numerous territorial boundaries in seconds as it moves through the network architecture that stores it. Network frontiers do not map directly to geographic borders. All these facts make traditional sovereignty analyses more difficult to apply to cyberspace operations, making a new legal interpretation necessary.
Understanding why a new analytical approach is needed requires understanding how layered cyberspace really is. First, there is the physical aspect, consisting of computers, circuits, and cables. Then, there is the logical layer, consisting of software, data, and electronics. Lastly, there is a social layer, consisting of human beings using the networks themselves. The physical aspect is often located in the territory of a state, meaning that cyberspace does not exist independently from the physical world – it is rooted in and through it. Cyberspace relies on real people in one nation transacting with real people in other nations. Thus, States have the right to exercise their sovereign powers over cyber infrastructure and regulate the activities taking place in their territory and on their systems in their territory exclusively, as in the non-cyber context.[3] These powers over cyber infrastructure are subject to states’ obligations under international human rights law.
II. Pure Sovereignty and its problems.
The myriad interpretations of how sovereignty should apply in cyber operations only illustrate that sovereignty should guide as a principle, allowing for adjustments to be made based on a state’s interests. In this regard, there ought to be a more flexible approach as to when sovereignty should be treated as a law. Many states make the argument that a nation’s sovereignty can be violated without referring to international law, and that would have legal consequences[4]. Were we to take this understanding to its logical conclusion, it would follow that any unauthorized use of authority in another state would be a violation of sovereignty. This position makes the possibility of violating sovereignty very large indeed. For instance, it would be a violation of sovereignty and thus an internationally wrongful act for a state to look for weaknesses in the system of another state that could be useful for future attacks.
This open-ended, everything-is-a-violation-of-sovereignty approach (often called “pure sovereignty”) in the cyber world[5] is at odds with the typical day-to-day interactions in cyberspace. As Egan has observed, ‘the very design of the internet may lead to some encroachment on other sovereign jurisdictions’[6]. The reality is that states regularly move through each other’s networks without authorization every day. Under the ‘pure sovereigntist’ view, the sovereignty of a nation would be in a constant state of violation, with violations taking place with little to no response by the affected nations. Indeed, this approach would increase the risk of conflict and escalation by giving the affected state the right to take countermeasures. We can also assume that states like China and Russia could take a ‘pure sovereignty’ approach and claim violations of sovereignty as often as they wish. Pure sovereignty will then become another tool wielded in lawfare.
International law must be applied objectively. If states can interpret sovereignty subjectively, then sovereignty can mean whatever a state wants it to in accordance with its own interests. Lacking any specific criteria of what an actual violation is, needless escalation by nefarious nations seeking a confrontation would accelerate. Conversely, saying that violations of sovereignty (anything falling below the threshold of the non-intervention principle) in cyber operations have no legal effects does not follow the judgments of international courts, which have been applying sovereignty to all unauthorized exercises of state authority, cyber or not. Understanding what cyber activities rise to the level of a use of force – making that operation a violation of sovereignty – is of utmost importance now and in the future.
III. Criteria to determine what a violation of cyber sovereignty is.
Recognizing how unworkable a ‘purist’ approach to sovereignty is, a middle way has now developed. In this view, certain cyber activity can violate another nation’s sovereignty, but only if that activity reaches a certain effect level. The question then becomes what the minimum damage standard is: is it a de minimis threshold based on factors like the scale of harm created, the number of citizens affected, etc.; or is it based on factors such as the nature of the impact – or both?
The Tallinn Manual 2.0 explored criteria for this threshold. It did so by referring to various situations:
- Kinetic damage or injury (e.g., malware that causes the malfunctioning of equipment).
- Disabling cyber infrastructures (e.g., hacking into a computer and spreading a powerful virus that disables functionality), and
- Activity below the loss of functionality (e.g., the slowing down of a computer; causing the cyber infrastructure to operate differently; altering data without physical or functional consequences, and so forth).
Kinetic damage to cyber infrastructure by a cyber operation is rare. A loss of functionality or other more de minimis effects is more common and likely in most cyber operations. Given that, the last two criteria above are the most important in a low-level cyber operations analysis. Even so, trying to determine what makes a cyber operation de minimis is fraught with challenges[7]. At first blush, the list above implies a downward scale of severity. But in practice a scale this simple is impractical. Consider the deletion of one nation’s government data by another nation: this may not result in direct kinetic effects or loss of functionality, but it does cripple the ability of the target nation’s government to function normally, if at all[8]. Kinetic responses are often too escalatory, making them less attractive in many circumstances. Cyber-attacks are typically seen as separate and distinct from kinetic attacks; nevertheless, cyber-attacks can be seen as escalatory, even if the actual effects of the kinetic and cyber-attacks are indistinguishable. Thus, the question remains: how should the ‘harm’ caused by cyber operations be measured?
IV. An ‘effects-based’ method in cyberspace
Few states have put their views on record on whether they would use an effects-based method of analyzing cyber operations. The French government, in addition to stating that any unauthorized cyber operations into the French system would constitute a violation of sovereignty, also stated that sovereignty can be violated by ‘any production of effects by cyber means on French territory’[9]. France’s national cyber incident classification system is based on an effects-based valuation of the cyber operation, graded according to gravity[10]. Other states are also considering an effects-based approach, including the Netherlands. In a recent statement on sovereignty and cyberspace, the Netherlands suggests limits to sovereignty and notes that ‘in general’ it endorses Rule 4 of the Tallinn Manual 2.0 ‘for determining the limits of sovereignty in the cyber domain’. The EU has recently adopted an effects-based approach to state cyber activity in relation to its cyber sanctions regime[11]. The sanctions are directed at cyber operations that have a ‘significant effect’, and the EU lists the following to determine whether a cyberattack has a significant effect:
1. The scope, scale, impact, or severity of disruption caused, including to economic and societal activities, essential services, critical State functions, public order or public safety;
2. The number of natural or legal persons, entities, or bodies affected;
3. The number of Member States affected;
4. The amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property;
5. The economic benefit gained by the perpetrator, for himself or for others;
6. The amount or nature of data stolen, or the scale of the data breaches; or
7. The nature of commercially sensitive data accessed.[12]
This effects-based method is attractive from a practical point of view. It empowers states to respond to cyber operations that may not reach the threshold of intervention but that still cause harmful effects. As of this writing, there is no consensus as to what kinds of effects would meet a threshold for sovereignty violations. Because there is no agreement between states as to when a violation of sovereignty occurs in cyberspace, sovereignty violations have become almost totally subjective and open to interpretation. A jointly approved understanding of what amounts to a violation of sovereignty in cyberspace will soon become necessary. The frameworks above provide a road map of what should meet the significant effect threshold. It follows that anything falling below these factors is then de minimis in its effects and would not violate a nation's sovereignty.
The principle of non-intervention involves the right of every sovereign State to conduct its affairs without outside interference. The principle of non-intervention provides only partial direction in the cyber realm because most cyber operations fall below the use of force, and do not fit within standard elements of the non-intervention rule[13]. Whether international law controls these kinds of cyber activities is still an open question. Some say the limits created by sovereignty answer this question, namely that sovereignty is itself a binding rule of international law that prevents one state from operating in the territory of another state, absent consent. If the ‘sovereignty as a rule’ approach were adopted, states looking to disrupt cyber infrastructure would be under an obligation to seek either Security Council authorization or the consent of the state in which the cyber infrastructure resides. Cyber operations and capabilities require operational security of the highest degree and the ability to act with haste and agility. Operating through consent would likely surrender operational creativity to the enemy or make our response options ineffectual.
Furthermore, law and state practice show that sovereignty is not in fact a rule of international law. In practice, we’ve seen that it operates as a principle guiding state interactions, and has never been a binding rule that commands outcomes under international law. While the principle of sovereignty should factor into every cyber operation, it does not establish a complete bar against state cyber operations that affect cyberinfrastructure within another state, provided that the effects do not rise to the level of an unlawful use of force.
The US approach to cybersecurity indirectly rests on an effects-based approach. There is a presumption that the key issue when determining how the US will respond to attacks is what effects those operations will have in the affected nation. Whether the effects come about because of cyber means or kinetic means is mostly immaterial to the analysis. Because sovereignty exists merely as a principle, its violation is immaterial in cyberspace operations.
V. What this means for the United States
China's propaganda, cybersecurity tactics, and its political efforts to lure nations away from Taiwan will increase strains in the Indo-Pacific region and make cyber sovereignty a major priority in maintaining security in the region. Putin's allegations about the US and NATO seeking to build a new global "axis"[14] and Russia and China's improved cooperation in the military sphere will aggravate the pseudo-arms race in the region. It is to the advantage of the US to ensure that nefarious powers do not abuse the law by interpreting any cyber operation as having a “significant effect.” A middle way is the best approach we can use to analyze cyber operations, which can then guide our understanding of whether a particular cyber operation will violate the sovereignty of another nation, triggering international law violations. Furthermore, a middle way can prevent the application of sovereignty to justify the escalation of conflict across the globe.
China has made it very clear that it is actively seeking to create a “Chinese Century”[15], where China will geoeconomically and geopolitically dominate world affairs. The forefront of this effort will be in the cyber domain. International law is integral to maintaining international peace, and its applicability to cyber activities is, by now, beyond question. The embryonic nature of cyberspace, its interconnectivity, lack of separation between the private and public sectors, and its incompatibility with traditional concepts of geography, all illustrate how tough it is to apply international law to cyberspace without creativity – all of which make the cyberspace domain ripe for exploitation. A principle most ripe for exploitation by bad actors is the role that sovereignty should play in regulating states’ cyber activities.
To maintain superior military proficiencies, the United States must develop a resourceful means to execute operations in the cyber domain. The cyber domain is a system in and of itself, composed of different servers, clients, and laws. An effects-based approach in cyber operations leverages the usefulness of targeting the whole of an enemy system; therefore, the cyber domain should be considered as a living system, and within that system is cyber lawfare.
The United States needs to be first in crafting, maintaining, and shaping cyber law in this nascent realm. If we remain in a reactive state, bad actors will continue to manipulate international law in their favor, leaving us forever behind. To combat this, the United States should encourage other governments to be more transparent about their views on how international law applies to their cyber activities and explain their practices. States must make an informed conclusion as to what their position is on the application of international law to cyber activity. Intelligence agencies and foreign services within a state similarly need to speak with one voice to prevent subterfuge and predatory lawfare from bad actors. Once a legal position has been decided, states should indicate publicly what that position is. A single unified front will serve the interests of security and diplomacy in the face of a creative enemy.
States that disagree on how the law applies must discuss these issues openly. The UN is just one example where these discussions can take place. States, academics, the private sector, and others can discuss these issues within academia, conferences, and so forth, furthering progress on the Tallinn Manual 2.0 and other enterprises. Discussion of sovereignty and non-intervention in the cyber context should be removed from deliberation of the law on use of force and armed conflict. Discussion should focus on how international law applies to everyday examples of state-sponsored cyber operations. There is likely more value in practical discussions about specific instances of how to use the law (‘is this behavior an internationally harmful act that merits retaliation? Why should it?’) as opposed to papers about abstract principles (‘is sovereignty a rule or a principle?’). The United States can lead the way in establishing regular norms in the cyber domain, for instance by promoting a norm against large-scale attacks on civilian infrastructure, or a norm against cyber-attacks on nuclear command and control systems.
A ban on attacking critical infrastructure would be more beneficial and achievable than attempting to reach some kind of general treaty on a series of wide-ranging principles. The United States should take the lead in shaping law and policy in the cyber realm and prevent nefarious state-actors from manipulating the vagueness[16] in existing laws to their advantage. In the interim, using an effects-based approach in cyberspace can put down a red line that other nations know not to cross without risking retaliation from other nations. These approaches together would put the United States in a more secure and safe position in global security, now and in the future.
CPT Trevor J. Potter is a US Army JAG currently stationed at Joint Base Lewis McChord. He has previously worked as an Assistant Prosecuting Attorney in Lafayette CO, MO. He holds a JD from Willamette University and a BA in Philosophy from the University of Delaware.
Endnotes
[1] U.N. Charter preamble
[2] Corfu Channel Case (United Kingdom v. Albania); Separate Opinion, 9 April 1949, ICJ Rep 43.
[3] Moynihan, H. (2020, December 17). The application of international law to State cyberattacks. Chatham House – International Affairs Think Tank. Retrieved March 27, 2023, from https://www.chathamhouse.org/2019/12/application-international-law-state-cyberattacks?preview=1
[4] Kenny, J. (2021, August 31). France, cyber operations and sovereignty: The 'purist' approach to sovereignty and contradictory state practice. Lawfare. Retrieved March 27, 2023, from https://www.lawfareblog.com/france-cyber-operations-and-sovereignty-purist-approach-sovereignty-and-contradictory-state-practice
[5] Moynihan, H. (2020, December 17). The application of international law to State cyberattacks.
[6] Egan, B. J. (2016, November 10). Remarks on international law and stability in cyberspace. U.S. Department of State. Retrieved March 23, 2023, from https://2009-2017.state.gov/s/l/releases/remarks/264303.htm
[7] See Schmitt, M. N. (2017), ‘Grey Zones in the International Law of Cyberspace’, The Yale Journal of International Law, 42(2): p. 11, referring to a ‘confusing melange of views’ on this issue.
[8] In 2012, Iran’s oil production was targeted by the ‘Wiper’ virus, which scrubbed hard drives clean, deleting the malware’s code with it.
[9] Ministère des Armées (2019), ‘Droit International Applique Aux Operations Dans Le Cyberspace’.
[10] Roguski (2019), ‘France’s Declaration on International Law in Cyberspace’.
[11] ‘It should be noted that the precise limits of what is allowed and what is not allowed have not been fully crystallized’, Minister of the Netherlands (2019), ‘Statement to parliament on 5 July 2019’.
[12] EU Council (2019), EU Council decision (CFSP) 7299/19 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, 14 May 2019, https://data.consilium.europa.eu/doc/document/ST-7299-2019-INIT/en/pdf.
[13] The non-intervention principle is the corollary of every state’s right to sovereignty, territorial integrity and political independence. Oppenheim (1996), Oppenheim’s International Law, Vol. 1: Peace, p. 428.
[14] Marrow, A. (2023, March 27). Putin accuses Australia of joining a military 'axis' as part of a 'global nato'. The Sydney Morning Herald. Retrieved March 27, 2023, from https://www.smh.com.au/world/europe/putin-accuses-australia-of-joining-a-military-axis-as-part-of-a-global-nato-20230327-p5cvk2.html
[15] Han, Zhen; Paul, T. V. (2020-03-01). "China's Rise and Balance of Power Politics". The Chinese Journal of International Politics. 13 (1): 1–26. doi:10.1093/cjip/poz018. Archived from the original on 2020-05-08. Retrieved 2021-03-17.
[16] The prohibition on non-intervention has been described by scholars as vague and ‘elusive’. It applies both to interventions by force and non-forcible interventions, but its content is not clearly defined outside the context of use of force. Lowe, V. (2007), International Law, Oxford University Press, p. 104.