(Credit: lensw0rld – stock.adobe.com)
No. 3
Crossing Borders in Cyberspace
Regulating Military Cyber Operations and the Fallacy of Territorial Sovereignty
By Major Jeffrey D. Randall
In the early weeks of October 2020, sprawling across 100 countries, an enhanced form of cyber weapon called a botnet began positioning itself to influence the U.S. Presidential election.1 Nicknamed Trickbot, the weapon was a for-rent botnet that had surreptitiously implanted malicious software into nearly 250 million systems across the globe, massing computing power through hundreds of millions of “zombie” computers.2
Through its continent-spanning, decentralized design,
Trickbot’s threat structure aggregated worldwide computing power.3 As it began directing that computing power toward U.S. voter registration and electronic polling infrastructure, U.S. Cyber Command (USCYBERCOM) identified the botnet’s activities.4 United States Cyber Command quickly “flooded” Trickbot’s systems by deploying software into information infrastructure spread across the planet.5 That act preemptively cut off Trickbot’s opportunities to influence election computer infrastructure and helped preserve the integrity of the ensuing election.6 However, in undertaking its operation, legal advisors at USCYBERCOM had to confront a key, unsettled legal question7: Could the United States take preemptive action against a cyber threat located on other countries’ soil without those foreign states’ consent?
The Trickbot disruption operation was not the first time USCYBERCOM had confronted this question in a publicly-known operation. In Operation GLOWING SYMPHONY, which took place four years prior, U.S. cyber operators remotely infiltrated Islamic State (ISIS) militants’ computer networks, data storage accounts, and smartphones located in at least five countries.8 The Islamic State had been utilizing systems in these particular states to store and disseminate propaganda.9
Upon gaining access to those foreign systems, U.S. cyber operators
deleted troves of propaganda material, severed the terrorists’ access to
data, and dropped software into programs to deplete batteries and
disrupt hardware functionality.10 As such, Operation GLOWING SYMPHONY presented the same critical question of international law as the Trickbot disruption operation: Is consent or other justification required before undertaking cyber operations in computer systems located in another state?
Despite the “un-territorial” nature of most cyber activities,11 some states have taken the position that cyberspace is governed by a universal law of trespass flowing from the broader concept of territorial sovereignty, a principle that recognizes a state’s internal control over its territory.12 Accordingly, government leaders and their legal advisors must analyze whether territorial sovereignty operates as a binding rule of exclusion under international law, thereby requiring consent or other justification to legally create cyber-based effects in foreign systems. Those same leaders and advisors must also consider that, if territorial sovereignty imposes no such rule, what baseline international rules should states apply to cross-border cyber operations?
This article argues that, while states have historically used the term “violation of territorial sovereignty” with fluency in international disputes, international law lacks a customary trespass rule flowing from the broader principle of territorial sovereignty. Accordingly, states should advance non-intervention and use of force as the governing principles in cyber operations because they readily translate from analogous clandestine operation cases,
supply states sufficient normative protections, and maximize states’
freedom of action. Those three characteristics are critically important
in an offense-dominated domain where geography has become largely
irrelevant.
This article explains that argument in three parts. In “The Infirmity of
an International ‘Trespass’ Rule,” the article examines de facto patterns of prohibited conduct in leading cases involving purported territorial sovereignty violations, finding such cases fail to evince an international rule of trespass. “Regulating by Analogy: Comparing Approaches” argues that legal advisors should look to historical clandestine operations in which non-intervention and use-of-force principles provide legal guideposts for out-of-system cyber operations. And last, “The Need for Freedom of Action” demonstrates that non-intervention and use of force would ensure the most balanced baselines for transboundary cyber operations because they accommodate freedom of action against cyber threats while providing sufficient normative protections. This final section also explores how states could expand the “unable or unwilling” anticipatory self-defense doctrine to justify legitimate non-consensual operations if the international community eventually embraces a rule of territorial sovereignty in cyberspace.
The Infirmity of an International “Trespass” Rule
Sovereignty serves as a fundamental principle of international law and encompasses the “[c]ollection of rights held by a state, first in its capacity as the entity entitled to exercise control over its territory and second in its capacity to act on the international plain, representing that territory and its people.”13
As such, territorial sovereignty serves as a common organizing principle
among states.14 Consequential to the internal rights over a given territory, sovereignty affords a state, vis-a-vis other states, “the legal personality necessary to create and be bound by international law.”15 Under the Lotus rule, a state’s freedom is only circumscribed through treaties on specific matters, or by collective custom, the latter imposing universal rules known as customary international law.16
While states have signed treaties imposing certain boundaries in the sea and air domains, no treaty governs cross-border land movements, nor has the international community adopted a universal, domain-transcendent treaty governing cross-border movements generally.17 Despite this absence, some states and academics have asserted that a customary international rule of trespass forbids states from crossing one another’s borders without consent, arguing that “[a] violation of sovereignty occurs whenever one State physically crosses into the territory . . . of another State without either its consent or another justification in international law . . . .”18 Applied to cyberspace, those states and academics assert that territorial sovereignty functions as a rule of exclusion and would thus forbid nonconsensual effects in another state’s cyber system.19
In contrast, other academics and at least one state assert that the notion of territorial sovereignty, while an organizing principle in international law, lacks sufficient opinio juris and state practice to function as a binding rule of trespass against cross-border interference.20 Instead, they argue states should apply the traditional concepts of the use of force and non-intervention to govern cyber operations.21
As such, the international community remains divided on the role of
territorial sovereignty in cyberspace.22
To resolve the dispute surrounding the threshold international law
governing cross-border cyber operations, state leaders and their legal
advisors must look to seminal historical cases associated with purported
“territorial sovereignty” violations to determine whether states can
extrapolate a rule of interstate trespass from existing precedent.23
Although the term “violation of territorial sovereignty” appears with
regularity in international disputes, the following analysis highlights
that the substance of those violations consistently involves
de facto violations of the use of force and non-intervention, and international law regularly ignores any associated territorial trespass or activities below the non-intervention and use of force thresholds.24 In sum, state practice has failed to demonstrate the existence of any stand-alone customary international law of trespass flowing from the broader principle of territorial sovereignty.
Overt Military Activities
International cases referencing violations of territorial sovereignty involving overt military forces consistently demonstrate de facto threat or use-of-force violations, rather than recognizing an international trespass rule. For example, the International Court of Justice (ICJ) case of Corfu Channel involved a British aircraft carrier, warship, and cruisers sweeping for mines located as close as 500 meters from Albania’s coastline.25 While labeled a “violation of territorial sovereignty,” the case’s objective facts demonstrated a violation of the threat of the use of force.26 Indeed, in responding to Albania’s argument that Great Britain “made use of an unnecessarily large display of force, out of proportion to the requirements of the [mine] sweep,” the ICJ reasoned that “it does not consider that the action of the British Navy was a demonstration of force for the purpose of exercising political pressure on Albania.”27 Accordingly, the ICJ inappropriately ruled that Corfu Channel did not involve a threat of the use of force solely upon the inappropriate considerations of the offending state’s purpose and intent, rather than a de facto evaluation of the cross-border effects.
Similarly, in Nicaragua v. United States, the ICJ improperly characterized helicopter strafing, mine laying, and speedboat attacks on sea ports and oil installations as “violations of territorial integrity,”—another clear use of force.28
Critically, the ICJ omitted comment on other non-consensual incursions
below the use of force threshold,29 suggesting that—like in Corfu Channel—the ICJ may have relied on a less consequential characterization of certain activities to avoid risks to its institutional credibility. Other scholars have pointed out that other ICJ cases like Corfu Channel, Nicaragua v. United States, and Certain Activities Carried Out by Nicaragua in the Border Area of
Costa Rica
have entailed large-scale military forces and often involve threats of,
or actual, forcible border alterations—harms distinct from those posed
by cyber activities.30 In conclusion, when evaluated objectively, historical precedent involving alleged violations of territorial sovereignty in overt military force cases have more commonly and more accurately involved de facto violations of primary rules like the threat or use of force.31
If territorial sovereignty actually imposed a rule against international trespass, the very sorts of unfriendly, non-consensual incursions that a peacetime trespass rule would be expected to prohibit are clandestine incursions, like espionage. However, international law has historically tolerated surreptitious border incursions as long as those incursions avoid breaching use of force or non-intervention thresholds.32 While few clandestine cases reach the public eye, one example involved U.S. embassy and consulate rescue operations in Iran in 1980.33 In that instance, the Central Intelligence Agency (CIA) dispatched operatives to Iran in light aircraft, inserting agents into Iran to purchase vehicles, conduct rescue force reconnaissance, install landing strip lights in the desert, and take soil samples for a later-aborted military rescue operation.34 The CIA undertook those time-sensitive operations during a period of significant Iranian unrest when hostages remained under Iranian control.35 After these activities came to light in the press, the international community “neither challenged nor condemned” the operations.36 These activities mimicked the same class of activities that the ICJ ignored in Nicaragua v. United States.
Despite that international law “[f]requently segregates unlawful parts from otherwise lawfully conducted missions,”37
the CIA’s activities in Iran never received legal objections because,
presumably, they did not constitute standalone international wrongs.
Similar to the disregarded activities in
Nicaragua v. United States, the tolerance in the Iranian case echoes the general principle that international law ignores cross-border clandestine activities like espionage, even though they involve non-consensual border crossings and localized activities on a foreign state’s territory. Such tolerance is irreconcilable with the idea that territorial sovereignty imposes an internationally-recognized rule of trespass.
Some critics argue that, like the Iran case above, most state cyber operations do not “contribute to the crystallization of new customary law” because “[they] are highly classified or otherwise shielded from observation by other states.”38 Yet, states have been undertaking clandestine operations for centuries. Such deep-rooted state practice ensures clandestine activities have influenced the law. Indeed, in some instances, clandestine activities have contributed to positive international law. For example, Additional
Protocol (AP) I recognizes states’ need for clandestine operations and
preserves combatant immunity for clandestine operatives in most
instances.39 If non-consensual clandestine activities were considered patently illegal, explicit textual tolerance in AP I—not to mention protected status—would be highly irregular. Rather than not contributing to new customary international law, the circumstances surrounding states’ clandestine activities simply mean that some areas of practice, norms, and legal limits may remain visible to the state (i.e., through cleared government actors), but opaque to non-governmental commentators. Instead of arguing that those characteristics render clandestine activities irrelevant to customary international law,40 states should examine those instances when clandestine activities do trigger legal objection under the auspices of “territorial sovereignty,” and examine whether those cases evidence the existence of a rule distinct from use of force or non-intervention.
Indeed, like in the Iran case, international law generally tolerates cross-border clandestine activities—except in instances where they breach use of force and non-intervention thresholds. While these cases are often improperly characterized as territorial sovereignty violations, legal objections in these cases only arise when the clandestine methods are forcible or usurp a state’s political prerogatives.41 One use of force example involved French operatives in 1985 secretly infiltrating New Zealand and planting explosives on the Greenpeace ship, the Rainbow Warrior, as its crew was readying the ship to disrupt French nuclear tests in the South Pacific.42 When the explosives blew car-sized holes in the vessel, inadvertently killing a crew member and sinking the ship, New Zealand launched an investigation that ultimately exposed France’s involvement.43 In a protest at the United Nations (U.N.), New Zealand complained of a “violation of [its] territorial sovereignty.”44
Despite the label, international reactions solely focused on France’s forcible methods, rather than its collateral border incursion, territorial infringement, explosives smuggling, or other activities.45 New Zealand charged the officers with manslaughter and illegal explosives use, but withheld complaint of any illegal border crossing or explosives smuggling.46 In referencing their forcible methods, one of the French operatives invoked a use-of-force doctrine in acknowledging the bombing was “disproportionate,” largely since the French government had rejected the option of damaging the propeller shaft as a less forcible means to accomplish the operation.47 Most importantly, despite New Zealand labeling the matter a violation of territorial sovereignty, the effects in the case involved “death, injury, or significant destruction”—criteria that characterize the use of force.48 Accordingly, the case demonstrates not proof of a trespass rule flowing from territorial sovereignty, but rather an example of otherwise internationally permissible clandestine activities that ripened into an indiscriminate and disproportionate use of force.49
In other clandestine operations, states similarly and improperly invoke territorial sovereignty when the de facto violated legal interest is non-intervention.50 Like the use-of-force prohibition, non-intervention is a rule designed to protect state sovereignty. The U.N. Charter reflects the non-intervention principle and prohibits other states from intervening in “matters which are essentially within the domestic jurisdiction of any state . . . .”51 Extraterritorial abductions are emblematic of such cases.52 One famous clandestine example involved Israeli Mossad agents undertaking secret activities to infiltrate Argentina and abduct Adolf Eichmann. Eichmann was the architect of the Holocaust who fled Germany after World War II to enjoy safe harbor under the Argentinian president’s personally-supervised domestic asylum policy for former Nazi leaders.53 Once the Mossad agents completed their abduction and Argentina discovered Israel had secretly captured and spirited Eichmann to Jerusalem, Argentina protested at the United Nations.54 In its complaint to the Security Council, Argentina characterized the invasion of its legal interest not as one of territorial trespass, but rather “the exercise of jurisdictional acts [on its] territory . . . .”55
The U.N. Security Council deviated slightly from how the international
wrong was characterized, stating that “[t]he transfer
of Adolf Eichmann to the territory of Israel constitutes a violation of
the sovereignty of the Argentine
Republic . . . .”
56
The U.N. Security Council’s assessment focused on the illegal
intervention in a high-stakes political matter and never addressed
Israeli agents’ nonconsensual border crossing, logistics preparations,
or Israeli probing of local Argentines for helpful information; rather,
its focus was solely upon the jurisdiction usurpation.57
Such omissions show that the international wrong in the Eichmann case
consisted of Israel supplanting Argentina’s jurisdictional
prerogatives—not by virtue of a foreign power’s nonconsensual border
crossing, physical presence, or other localized activities.58
The foregoing cases demonstrate that territorial sovereignty does not
impose a rule of border-based international trespass. Despite
international law’s tendency to disaggregate unlawful activities from
integrated military operations and treat each unlawful activity
according to the rule violated,59 the Iran case never elicited any international challenge. Nor did the localized clandestine activities in Eichmann or Rainbow Warrior receive any legal treatment whatsoever. In sum, territorial sovereignty represents a baseline concept protected by other rules, like the use-of-force and non-intervention prohibitions—not a rule in and of itself. Whether employed for political convenience or otherwise, the concept of territorial sovereignty simply lacks independent legal force.
The Tallinn Manual 2.0
Environmental Harm Approach
Rather than carefully examining international precedent involving
clandestine military operations, the
Tallinn Manual 2.0 improperly advances a territorial sovereignty-as-rule approach to cyber operations by, primarily, analogizing cyber activities to indiscriminate environmental harms.60 The precedent on which the Tallinn Manual 2.0 primarily relies involved instances in which pollution, radiation, and falling space debris crossed borders into another state and caused harm therein. In those cases, the ICJ has cited territorial sovereignty as a basis to impose strict liability on offending states.61
From that precedent, the
Tallinn Manual 2.0 authors assert that territorial sovereignty functions as a universal border rule that forbids nearly all nonconsensual, cross-border cyber activities.
Indeed, while both pollution and cyber operations can cross borders undetected with the potential of causing physical harm, environmental harms are inherently indiscriminate and per se physically harmful.62 Military cyber operations are not. In fact, “[m]ilitary cyberspace operations can be carried out in a manner that fully comports with and respects the principles of distinction, necessity[,] proportionality . . . .”63 and non-intervention.64 The carefully-tailored battery depletion and data manipulation in Operation GLOWING SYMPHONY is one example of how states are fully capable of calibrating their operations and avoid indiscriminate effects and comply with the traditional principles animating state tolerance of clandestine action on their territory, like proportionality, necessity, and discrimination.65 As the preceding section demonstrated, states have historically tolerated clandestine operations when they comply with these traditional use-of-force principles,66 while condemning them on the same principles when they do not.67
Military cyber operations, unlike environmental harms, simply are not
inherently indiscriminate or
per se physically harmful, rendering the latter poor factual analogs for a rule governing cross-border cyber operations.
In summary, the foregoing cases illustrate that territorial sovereignty imposes no per se trespass rule against cross-border military incursions. Rather than a trespass rule, non-intervention and traditional use of force doctrines like distinction, necessity, and proportionality animate the international community’s responses.68 States may impute liability for indiscriminate harms like pollution and radiation, but states have historically viewed those harms factually and qualitatively distinct from military operations. The next section demonstrates how the traditional use-of-force and non-intervention principles in the physical domain provide states with a firm legal groundwork to assess the lawfulness of cyber operations.
Regulating by Analogy: Comparing Approaches
When government leaders and their legal advisors look past labels to the de facto patterns of prohibited conduct in clandestine action cases, they find sound precedent to regulate cyber operations. Rather than traditional overt military operations, transboundary cyber operations mimic historical clandestine operations in both form and function. Like operatives infiltrating a foreign state, cyber operations involve deliberately accessing a security gap in a foreign computer system through a software “exploit.”69 As in physical clandestine operations, cyber operations’ surreptitious nature is necessary to mission effectiveness, since exposure renders the operation vulnerable to defense.70 After a cyber operator gains system access, a given software exploit can insert a malicious file or “payload” into the foreign system, like an operative secretly smuggling weaponry to an objective.71 The payload then enables a cyber operator to delete or manipulate data, disable functionality, or remain latent for future use.72 Like other clandestine operations, cyber operations’ surreptitious nature, combined with their tailored “force, targeting, and timing,” can be particularly effective at directly shaping conditions to achieve military advantages.73 Indeed, offensive cyber operations have become the digital analog to historical territorial clandestine operations.
Applying Legal Principles from Military Clandestine Operations
Accordingly, the operation of non-intervention and use of force prohibitions in historical clandestine operations supply precedent to guide military cyber operations. For permissive precedent, cases like the disregarded pre-hostage raid activities in Iran demonstrate that international law is likely to tolerate low-grade operations undertaken on foreign soil in time-sensitive contexts. As such, the Trickbot disruption, which produced de minimis physical effects against the backdrop of an impending 2020 Presidential election, would be unlikely to elicit legal challenge, nor would the calibrated data and hardware operations of Operation GLOWING SYMPHONY. Additionally, other precursor activities—like the largely-ignored explosives smuggling in Rainbow Warrior—find cyber parallels with activities involving inserting malicious, but latent, software into foreign systems.74 Such operations would likely remain internationally permissible, absent destructive effects (like those in Rainbow Warrior).75
Rainbow Warriorillustrates the idea that states historically assess clandestine activities by their actual effects—not what the activities could have involved. This concept is critical in cyberspace when an intrusive cyber exploit may retain a number of destructive functionalities. Retaining these functionalities alone does not increase legal risk, at least so long as they remain latent. Legal advisors can look to aspects like these to support the legality of state cyber operations.
Other aspects of the same historical cases also provide states initial prohibitive guideposts. For example, the Rainbow Warrior case demonstrates that preemptive destruction of private property, absent compelling justification, will be viewed as disproportionate and unlawful.76 Applied to cyber operations, North Korea’s 2014 crippling attack on Sony’s computer infrastructure to protect minimal security interests in its dictator’s public image would similarly be subject to condemnation.77 Other cases, like the Eichmann abduction,78 illustrate that internationally unlawful coercion can occur in cases implicating only a single individual or entity, if it amounts to usurping a state’s decision-making authority in significant domestic prerogatives. Accordingly, cyber operations that impose chilling effects on political decisions in representative governments, like Russia’s 2007 debilitating denial of service attack against Estonia for a Russian statue removal, would remain similarly indefensible under international law.79 While these constitute only a few examples, they provide ready groundwork for government leaders and their legal advisors to develop an international legal regime for cross-border cyber operations.80
Problems with the Tallinn Manual 2.0
Approach
In contrast, the
Tallinn Manual 2.0’s cross-border harm approach imposes a historically unsupported prohibition on nearly all transboundary operations. Such an approach disregards states’ historical tolerance for localized clandestine operations that comply with traditional use-of-force principles, like discrimination, proportionality and necessity. Indeed, the Tallinn Manual 2.0 approach would lead to the absurd result that the United States would be responsible for damage to terrorists’ and Trickbot’s operators’ computers, purely on the basis of crossing into foreign territory and harming digital infrastructure therein. That kind of blanket prohibition effectively “[e]quates a mugger’s knife of a citizen on the street with a surgeon’s removal of a tumor from that ailing citizen, because both actions involve one human being’s putting a knife into another.”81 Such an approach ignores key characteristics of military cyber operations that have traditionally conditioned states’ responses to clandestine operations in the physical domain and provides neither historically-supported, nor desirable, legal baselines.
In contrast to environmental harms, clandestine activity cases supply government leaders and their legal advisors the most analogous precedent to assess cyber operations. States remain able to control and calibrate their cyber operations, rendering those operations more closely aligned to physical domain clandestine operations than the indiscriminate environmental harms upon which the Tallinn Manual 2.0’s approach relies. Not only do clandestine operation cases provide a workable precedent, but the next section demonstrates that cyberspace necessitates the freedom of action that a territorial sovereignty rule would prohibit.
The Need for Freedom of Action
Unlike territorial sovereignty, non-intervention and use-of-force principles supply states with critical features that enable them to most effectively regulate cyber activities. This section argues that one of those features is the ability to maximize responsible states’ freedom of action in a rapid and dynamic domain. While avoiding a rule of sovereignty enables this freedom of action, this section also acknowledges that states may ultimately coalesce around a rule of sovereignty and explores the “unable and unwilling” anticipatory self-defense doctrine as an alternative legal construct for states to retain the operational flexibility necessary to defend their interests against cyber threats.
Cyber Threats: Practical Protection Through Freedom of Action
In addition to providing circumscribed normative protections, use-of-force and non-intervention ensure states retain freedom of action to defend against non-state threats in the cyber domain. Under a territorial sovereignty approach, states would be restricted from preemptive cross border cyber operations—even when such operations would have no impact in the foreign state’s internal affairs.82 Such an obligation is particularly imperiling in the cyber domain where non-state threats, like ISIS and Trickbot, remain geographically dispersed, but retain the ability to aggregate cross-border activities for malicious purposes.
In the terrorism context, cyberspace offers an anonymous, worldwide sanctuary to disseminate violent messaging, raise money, and exercise command and control (C2), which undermines states’ abilities to prevent nefarious activity through physical actions in any particular state.83 Terrorist cells use software called The Onion Router (ToR) or the Invisible Internet Project to anonymize internet access.84 That software simultaneously provides users access to a “sub-internet” called the “Dark Web,” linking individuals together inside an unindexed internet in which groups can buy weapons, control dispersed networks, distribute radical materials, and fund their operations through virtual currency black markets.85 Based on the territorial transcendent nature of the terrorism threat, states require a legal construct that allows for freedom of action to engage terrorist threats through cyberspace, like in Operation GLOWING SYMPHONY.
Aside from terrorist groups, large scale ransomware crews, like those responsible for Trickbot, increasingly capitalize on the decentralized Internet of Things (IoT) to evade single host-nation disruption efforts. As one example, Trickbot’s operators recently began to shed the system’s server-based C2 architecture in favor of a hive model that leverages asynchronous, decentralized C2 across all IoT systems.86 Such structure enables those crews to leverage worldwide computing power while eluding efforts to dismantle their illicit network.87
State actors like Russia and North Korea are increasingly developing
their own, similar “hivenets” for both widespread malware infection and
large scale distributed denial of service attacks.88
States require freedom of action to defend against borderlesscyber
threats like Trickbot.
Applying a sovereignty rule to USCYBERCOM’s Trickbot operation showcases how unwieldy the construct would be against a malicious cyber actor, like Trickbot. Under a non-intervention/use-of-force approach, the United States would retain freedom of action to undertake operations against Trickbot without triggering any international law prohibitions; the United States simply must ensure its operations are calibrated to avoid intervening in a foreign state’s internal affairs or causing significant destruction. In contrast, territorial sovereignty as a rule would saddle the United States with the requirement—during a time of concentrated voter registration and pre-election polling—of requesting the consent of every state in which it wished to impose cyber effects across a 250-million-system hivenet.89 Some states may refuse to grant consent. Some may have been infiltrated by intelligence services of malicious state actors aligned with Trickbot.90
Even for consenting states, each request would have to navigate
bureaucracies and approval levels, preventing preemptive measures and
potentially allowing
Trickbot operators to insulate their software against U.S. cyber operations.91
The insurmountable hurdles of a normative approach to cyber threats
would undermine, not further, state security, and increase the
likelihood of harm and escalation, vice reducing it.92
As such, use of force and non-intervention provide the most desirable
baseline for transboundary cyber operations because they accommodate
freedom of action while simultaneously circumscribing the scope of
lawful activities to necessary, discriminate, and proportionate means.
Territorial Sovereignty and the “Unable or Unwilling” Doctrine
Despite territorial sovereignty’s lack of substance as a rule, and
states’ difficulties in defining the rule’s content, some states have
embraced the Tallinn Manual 2.0 approach and have asserted that sovereignty, as a rule, applies to cyber operations.93 Under that approach, unilateral cross-border action in cyberspace will remain unavailable absent host nation or U.N. consent, threat of armed attack, or the exhaustion of all domestically-available safeguards.94 Considering the speed of data, interconnectivity of cyberspace, and mutability of malicious actors, states will seek a legal safety valve to justify anticipatory cross-border operations that may otherwise breach a rule of territorial sovereignty in cyberspace.
One legal theory that may provide relief in the face of a restrictive rule of territorial sovereignty is the “unwilling or unable” doctrine.95 The “unable or unwilling” is a self-defense doctrine that justifies a victim state’s anticipatory defensive actions in third-party states unable or unwilling to suppress an imminent threat.96 The doctrine evolved from the famous Caroline case in which the British justified its anticipatory self-defense actions on U.S. soil, in part, because the United States was “unable” to prevent insurrectionists from using U.S. territory to launch cross-border attacks against British Canada.97 Properly employed, the doctrine requires proportional balancing of the victim state’s security interests with the territorial state’s sovereignty interests.98
In the cyber domain, many states currently struggle with the technical capacity to detect and eliminate malicious cyber activities, rendering many effectively “unable” to prevent malicious actors from co-opting private infrastructure within their territory.99 And the irrelevance of geography in data transmission supplies states with a firm position to characterize known cyber threats as “imminent.”100 Because the cyber domain lends itself to satisfying these precursor legal requirements, the “unable or unwilling” doctrine would provide significant utility to states otherwise restricted from out-of-system operations necessary because of a territorial sovereignty rule.101
Early state practice in cyberspace already suggests that
sovereignty-as-a-rule proponent states may already be implicitly relying
on the logic undergirding the “unable or unwilling” doctrine. For
example, in late 2019, France deployed “white worm” software into
hundreds of thousands of computers in Latin America to dislodge a
Paris-based botnet threatening users in Europe and other states, despite
having adopted a “system penetration” rule for territorial sovereignty
in cyberspace.102 While France never publicly explained the reasons underlying its operation, logic contemplated by the “unable or unwilling doctrine” would have theoretically enabled France to justify what would otherwise function as what it would see as violations of other states’ territorial sovereignty.103 If the international community coalesces around a sovereignty rule in cyberspace, other states will likely follow France’s lead as they seek the freedom of action necessary to maintain their own security in a persistently transnational threat domain.
However, the “unable or unwilling” legal defense suffers from a number of problems and should therefore function as a safety valve to an otherwise undesirable sovereignty construct, rather than as a primary aspect to an international cyber sovereignty regime. First, cyber threats almost inherently provide a hurdle to the procedural checkpoints of the doctrine, making potential abuse of the doctrine a near certainty. Further, the doctrine leaves significant ambiguity between legally-permissible anticipatory self-defense and illegal preemptive operations. Data speed, system co-optation, and the difficulty of discerning intent through code exacerbate the problems of distinguishing preemption from anticipatory self-defense.104 Moreover, the “unable or unwilling” proportionality analysis still requires states to define territorial sovereignty violations in order to balance any violation against its own security interests. This presents a problem when historical “sovereignty violations” suggest themselves to be a mislabeled legal fiction whose substance demonstrates little qualitative or quantitative difference from interests protected under widely-accepted use-of-force and non-intervention principles. Nonetheless, if states do ultimately rally around a rule of sovereignty, an expansion of the “unable or unwilling” doctrine will likely prove itself to be of critical utility as states collectively seek the freedom of action necessary to maintain security in the dynamism of the cyber domain.
In summary, non-intervention and use-of-force principles provide the most balanced, and historically honest baseline for operations in cyberspace. Those rules allow for the conceptual flexibility to preempt trans-territorial cyber threats without the foreseeable impasses imposed through consent or U.N. Charter requirements. However, if states ultimately unite around a sovereignty approach, further developing the “unable or unwilling” legal defense will become critical for states to maintain their security interests. But because that approach injects more layers of exploitable ambiguity and circuity into a cyberspace baseline than simply relying on traditional non-intervention and use of force principles, states should focus their efforts on those latter rules.
Conclusion
In conclusion, government leaders and their legal advisors confront key questions when assessing the international legality of any cross-border cyber operation: Does, or should, territorial sovereignty impose a trespassory restriction on operations in other states’ systems? If not, what precedent can legal advisors reference in discerning applicable law? And, finally, do any ideal baseline rules or principles emerge from that precedent?
This article addressed those issues in three sections. First, territorial sovereignty-as-a-rule suffers from two key infirmities. One, the idea of any form of a geography-based, international trespass rule fails to reconcile with international law’s historical tolerance for clandestine incursions. Two, the de facto substance of territorial sovereignty violations has involved patterns of conduct traditionally prohibited under use-of-force and intervention prohibitions. Seminal cases involving purported violations of territorial sovereignty evince interests already protected under use-of-force and non-intervention principles, rendering sovereignty-as-a-customary international rule a fallacious legal construct.
However, as advanced in section two, when government leaders and their legal advisors disregard sovereignty-as-a-rule and instead look to the substance of permissible and prohibited conduct in historical clandestine operations, they find a solid groundwork of workable precedent. Because cyber operations remain subject to calibration and control, the function of both non-intervention and use-of-force principles in historical clandestine operations cases readily translate as guideposts for military cyber operations. Accordingly, states should look to precedent involving clandestine operations to guide their legal assessments, vice the indiscriminate harm analogs underlying the Tallinn Manual 2.0 approach.
Apart from providing a factually analogous body of workable precedent, use-of-force and non-intervention principles provide states with a properly balanced international framework for cyber operations. Some argue that a rule of sovereignty would help stabilize state activities in cyberspace. But, the reality is that states have not historically honored a customary international rule of territorial sovereignty. Grafting one onto a domain in which geography is largely irrelevant will deny precedent of a long-standing international tolerance for clandestine incursions and place law-abiding states at significant asymmetric disadvantage.105 Non-intervention and use of force rules afford states freedom of action against trans-territorial threats like Trickbot and ISIS.106 The need for freedom of action in cyberspace means that, even in the event that states unite around a prohibitive rule of territorial sovereignty, they will seek legal bases to justify cross-border operations to secure state interests. While the “unable or unwilling” doctrine can provide such relief, a more honest and less problematic legal construct would simply involve focusing on use of force and non-intervention and abandoning the fallacy of territorial sovereignty in cyberspace. TAL
Maj Randall is a cyber, intelligence, and information law attorney at the International and Operational Law Branch (JAO), Judge Advocate Division, Headquarters, Marine Corps, at the Pentagon in Washington, D.C.
Notes
1. Robert Chesney, Persistently Engaging TrickBot: USCYBERCOM Takes on a Notorious
Botnet, Lawfare (Oct. 12, 2020, 3:53 PM), https://www.lawfareblog.com/persistently-engaging-Trickbot-uscybercom-takes-notorious-botnet.
2. Lee Matthews, Stealthy TrickBot Malware Has Compromised 250 Million Email Accounts
and Is Still Going Strong, Forbes (July 14, 2019, 12:00 P.M.), https://www.forbes.com/sites/leemathews/2019/07/14/stealthy-trickbot-malware-has-compromised-250-million-email-accounts-and-is-still-going-strong/?sh=1c3d0dfe4884.
3. How Botnets Are Evolving: From IoT Botnets to Hivenets, Cyber Post (Oct. 30, 2020), https://thecyberpost.com/news/security/how-botnets-are-evolving-from-iot-botnets-to-hivenets/ (discussing Trickbot’s design evolution).
4. Chesney, supra note 1; Andy Greenberg, A Trickbot Assault Shows US Military Hackers’ Growing Reach, Wired (Oct. 14, 2020 1:50 PM), https://www.wired.com/story/cyber-command-hackers-trickbot-botnet-precedent/.
5. Attacks Aimed at Disrupting the Trickbot Botnet, KrebsOnSecurity (Oct. 2, 2020, 2:20 PM), https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/.
6. Ellen Nakashima, Cyber Command Has Sought to Disrupt the World’s Largest Botnet,
Hoping to Reduce Its Potential Impact on the Election, Wash. Post (Oct. 9, 2020, 8:16 PM) https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html.
7. Colonel (Retired) Gary Corn, Punching on the Edges of the Grey Zone: Iranian Cyber Threats and
State Cyber Responses, Just Sec. (Feb. 11, 2020), https://www.justsecurity.org/68622/punching-on-the-edges-of-the-grey-zone-iranian-cyber-threats-and-state-cyber-responses/ (comparing France’s statement on sovereignty’s application to cyberspace with the United Kingdom’s rejection of the concept’s application).
8. Ellen Nakashima, U.S. Military Cyber Operation to Attack ISIS Last Year Sparked Heated
Debate over Alerting Allies, Wash. Post (May 9, 2017, 6:33 AM), https://www.washingtonpost.com/world/national-security/us-military-cyber-operation-to-attack-isis-last-year-sparked-heated-debate-over-alerting-allies/2017/05/08/93a120a2-30d5-11e7-9dec-764dc781686f_story.html.
9. Gabriel Weiman, Going Dark: Terrorism on the Dark Web, 39 Stud. Conflict & Terrorism 195, 196 (2016).
10. Dina Temple-Raston, How the U.S. Hacked ISIS, NPR (Sept. 26, 2019, 5:00 AM), https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis.
11. See generally Jennifer Daskal, The Un-Territoriality of Data, 125 Yale L.J. 326 (2015) (describing the non-physical nature of cyberspace and particularly the legal problems associated with linking territorial jurisdiction with data location).
12. E.g., French Ministry of the Armies, International Law Applied to
Operations in Cyberspace
(2019),
https://www.defense.gouv.fr/content/download/567648/9770527/file/international+law+applied+to+operations+in+cyberspace.pdf
[hereinafter
French Ministry of the Armies].
13. James Crawford, Brownlie’s Principles of Public International Law 448 (8th ed. 2012). Even though states may manifest drastically
different governmental systems, territorial sovereignty provides a
common organizing principle since all states retain control over
territory. Id.
14. Gary P. Corn & Robert Taylor, Sovereignty in the Age of Cyber, 111 Am. J. Int’l L. 207, 209 (2017) (describing the concept of “external sovereignty”).
15. Id.
16. S.S. Lotus (Fr. v. Tur.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, at 18 (Sept. 7) (standing for the proposition that where neither treaty, nor customary law, binds a state in a particular matter, the state retains freedom of action).
17. See,
e.g.,
Convention on International Civil Aviation, Dec. 7, 1944, 15 U.N.T.S. 295 (international treaty whereby states
have explicitly agreed to limit themselves from entering another state’s
airspace absent consent or other justification);
United Nations Convention on the Law of the Sea, Dec. 10, 1982, 1833 U.N.T.S. 397 [hereinafter UNCLOS] (international
treaty wherein states have agreed to various obligations for transiting
portions of the world’s oceans, to include obligations against entering
a state’s territorial sea and the airspace above a state’s territorial
waters except for under specific modes of operation, or with consent or
other justification).
18. E.g., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 17, 19 (Michael N. Schmitt & Liis Vihul eds., 2017) [hereinafter Tallinn Manual 2.0].
19. Id. at 19, 67; French Ministry of the Armies, supra note 12, at 7 (the French position also includes system penetration).
20. Corn, supra note 7; Jeremy Wright, U.K. Att’y Gen., Check Against Delivery, Address Before the Chatham House Symposium on Cyber and International Law in the 21st Century (May 23, 2018) [hereinafter Chatham Symposium].
21. See Corn, supra note 7; see Chatham Symposium, supra note 20.
22. Compare Chatham Symposium, supra note 20 (“Some . . . argue for the existence of a cyber specific rule of a ‘violation of territorial sovereignty’ in relation to interference in the computer networks of another state without its consent. Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.”), with French Ministry of the Armies, supra note 12, at 7 (“Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty.”).
23. Such analysis presumes those cases illuminate state practice and opinio juris as the elements of customary international law. Sean Kanuck, Sovereign Discourse on Cyber Conflict Under International Law, 88 Tex. L. Rev. 1571, 1584 (2010);
see also
Corn & Taylor, supra note 14, at 209–11 (states cannot laterally apply concept of territorial sovereignty to cyberspace taken from other domain-specific treaty texts because each domain involves different versions of territorial sovereignty “borders” corresponding to the unique priorities and circumstances of that domain).
24. Geoffrey S. Corn et al., U.S. Military Operations: Law, Policy, and Practice
138 (2015) (while assessing “[international law] violations is supposed
to be a de facto one, the actual characterization by the nation-states involved is often a political decision that differs from the facts”).
25. Corfu Channel Case (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, ¶¶ 32–36 (Apr. 9).
26. Id.
27. Id. (emphasis added).
28. Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14 ¶¶ 38, 81–86, 251 (June 27).
29. See generally id.
30. Corn & Taylor, supra note 14, at 212 n.15.
31. Id.
32. E.g., S.S. Lotus (Fr. v. Tur.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, at 209–10 (Sept. 7); Roger D. Scott, Territorially Intrusive Intelligence Collection and International
Law, 46 A.F. L. Rev. 217, 217–18 (1999).
33. Stansfield Turner,
Covert Common Sense: Don’t Throw the CIA Out with the Ayatollah, Wash. Post (Nov. 23, 1986).
34. Id.
35. See id.
36. W. Michael Reisman & James E. Baker,
Regulating Covert Action: Practices, Contexts, and Policies of Covert
Coercion Abroad in International and American Law 72
(1992).
37. Id.
38. Michael N. Schmitt, Taming the Lawless Void: Tracking the Evolution of International Law
Rules for Cyberspace, Tex. Nat’l Sec. Rev., Autumn 2020, at 33, 36.
39. Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protections of Victims of International Armed Conflicts (Protocol I), June 8, 1977, 1125 U.N.T.S. 3, §44, ¶ 3.
40. Schmitt, supra note 38, at 36.
41. Id.
42. Paul Brown, Felling of a Warrior, Guardian (July 15, 2005, 6:34 AM), https://www.theguardian.com/environment/2005/jul/15/activists.g2.
43. French Agent “Sorry” for Sinking Rainbow Warrior, Local (Sept. 6, 2015, 11:02 AM), https://www.thelocal.fr/20150906/french-agent-sorry-for-sinking-rainbow-warrior.
44. Reisman & Baker, supra note 36, at 66.
45. Id. at 66–67 (describing New Zealand and French reactions).
46. Id. at 66.
47. Brown, supra note 42.
48. E.g.,
Off. of Gen. Couns., U.S. Dep’t of Def., Department of Defense Law of
War Manual, 1014 n.9 (12 June 2015) (C3, 13 Dec. 2016) [hereinafter DoD Law of War Manual] (describing use of force criteria when evaluating cyber operations). See Tallinn Manual 2.0, supra note 18, at 329 (describing any threat or use of force in another state’s territory as offending Article 2(4) of the U.N. Charter).
49. See Reisman & Baker, supra note 36, at 66–67. One likely reason for avoiding invocation of use-of-force was New Zealand’s reliance on France for staple food shipments that France had threatened to cut off during the dispute. See id.; Corn et al., supra note 24 (describing that, while classifying “[international law] violations is supposed to be a de facto one, the actual characterization by the nation-states involved is often a political decision that differs from the facts”).
50. See, e.g., Corn & Taylor, supra note 14, at 209 (while non-intervention has historically involved forcible methods, the principle can involve both forcible and non-forcible means, so long as it involves coercion in a state’s internal affairs, or domaine reserve. The concept of domaine reserve implies “those matters of governance and jurisdiction committed to the sole responsibility of the state and its official actors”).
51. U.N. Charter art. 2, ¶ 7.
52. See, e.g., Malcom Shaw, International Law 680 (7th ed. 2014) (pointing out that “[u]nlawful apprehension of a suspect by state agents acting in the territory of another state . . . constitute[s] a breach of international law and the norm of non-intervention involving state responsibility”).
53. Uki Goñi, The Real Odessa: How Perón Brought the Nazi War Criminals to
Argentina 95, 125–34, 241, 291 (2002); Bill O’Reilly & Martin Dugard, Killing the SS: The Hunt for the
Worst War Criminals in History
53–54, 60–63 (2018).
54. U.N. SCOR, 15th Sess., 865th mtg.,
¶ ٣٤, U.N. Doc. S/PV.865 (June 22, 1960).
55. Id. (emphasis added).
56. S.C. Res. 138, pmbl. (June 23, 1960).
57. Id. (discussing the nature of the international law violation); O’Reilly & Dugard, supra note 53, at 109–54 (canvassing the spectrum of activities that Mossad agents were engaged in within Argentina leading up to the capture of Eichmann). Nor have commentators characterized those activities as illegal under international law, even after widespread publication. Id.
58. See Shaw,
supra
note 52.
59. Reisman & Baker, supra note 36, at 72.
60. Michael N. Schmitt & Liis Vihul, Respect for Sovereignty in Cyberspace, 95 Tex. L. Rev. 1639, 1652–54 (2017) (authors of the Tallinn Manuals citing radiation harms as animating its sovereignty rule of trespass in cyberspace); Beatrice A. Walton, Duties Owed: Low-Intensity Cyber Attacks and Liability for Transboundary Torts in
International Law, 126 Yale L.J. 1460, 1519 n.174 (2017) (observing the Tallinn Manual’s linkage of its sovereignty rule to international pollution, radiation, and other environmental harm cases).
61. E.g.,
Nuclear Tests (Austl. v. Fr.), 1974 I.C.J. Pleadings 249, ¶ 456 (Nov.
23) (transboundary radiation);
Tallinn Manual 2.0, supra note 18, at 36–37 (citing Trail Smelter Arbitration (U.S. v. Can.), 3 R.I.A.A. 1965 (Trail Smelter Arb. Trib. 1941) (transboundary sulfur dioxide pollution). See Joan Johnson-Freese, China’s Anti-Satellite Program: They’re Learning, China-U.S. Focus (July 12, 2013), https://www.chinausfocus.com/peace-security/chinas-anti-satellite-program-theyre-learning (describing Chinese laser tests as creating indiscriminate harms out of space debris).
62. E.g., sources cited supra note 61.
63. Corn et al., supra note 24, at 152.
64. See Reisman & Baker, supra note 36, at 71–75.
65. Id. at 71–72, 75, 77.
66. Id.
67. E.g., sources cited supra note 48. See DoD Law of War Manual, supra note 48, § 6.7 (for example, the United States uses use-of-force concepts to describe the harms of indiscriminate weapons by describing indiscriminate weapons as those “weapons that are incapable of being used in accordance with the principles of distinction and proportionality . . . as well as weapons that, when used, would necessarily cause incidental harm that is excessive compared the military advantage expected to be gained from their use”). See also U.K. Ministry of Defence, Joint Serv. Pub. 383, The Joint Service
Manual of the Law of Armed Conflict
para. 6.4 (2004);
Ger. Fed. Ministry of Defence, Humanitarian Law in Armed Conflicts
Manual
paras. 401, 454–56 (Aug. 1992).
68. See Reisman & Baker, supra note 36, at 71.
69. Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First
Digital Weapon
6 (2014).
70. Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of
Geopolitics
309 (2020).
71. Zetter, supra note 69.
72. See Nat’l Rsch. Council, Technology, Policy Law, and Ethics Regarding U.S. Acquisition and Use
of Cyberattack Capabilities
1, 3 (William A. Owens et al. eds., 2009).
73. Zetter, supra note 69, at 308–09 (distinguishing “shaping” operations in cyberspace from conventional military force “signaling,” which involves indirectly inducing changes in adversary behavior because of force visibility and an adversary’s ability to calculate the capabilities that a particular known military force could impose).
74. See, e.g., David E. Sanger & Nicole Perlroth, U.S. Escalates Online Attacks on Russia’s Power Grid, N.Y. Times (June 15, 2019), https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html (describing U.S. actions in implanting potentially malicious, but currently benign malware into the Russian electric grid).
75. Reisman & Baker, supra note 36, at 66. See Michael Schmitt, U.S. Cyber Command, Russia, and Critical Infrastructure: What Norms and Law Apply?, Just Sec. (June 18, 2019), https://www.justsecurity.org/64614/u-s-cyber-command-russia-and-critical-infrastructure-what-norms-and-laws-apply/ (distinguishing benign malware implants from contact mines based on the former remaining subject to the supervisory control of U.S. cyber operators).
76. Reisman & Baker, supra note 36, at 71. While the Rainbow Warrior incident also involved an inadvertent death, New Zealand had disputed France’s nuclear tests for years and viewed the Rainbow Warrior as its “knight in shining armor.” Id. As such, New Zealand would likely have raised an international protest based on the ship sinking alone.
77. Buchanan, supra note 70, at 173–74 (describing the Sony attack in detail, which included millions of dollars in damage).
78. S.C. Res. 138, pmbl. (June 23, 1960).
79. Joshua Davis, Hackers Take Down the Most Wired Country in Europe, Wired (Aug. 21, 2007, 12:00 PM), https://www.wired.com/2007/08/ff-estonia/ (describing how Russia launched a Distributed Denial of Service operation against Estonia for its government’s removal of a Russian statue that symbolized oppression to the Estonian people, who had protested for its removal.).
80. See Reisman & Baker, supra note 36, at 71.
81. Id. at 75 (describing as improper similar efforts to outlaw all clandestine action in the physical domains).
82. Id.
83. Weiman, supra note 9, at 196, 200–02.
84. See Weiman, supra note 9.
85. Id. at 200–02.
86. How Botnets Are Evolving: From IoT Botnets to Hivenets, supra note 3.
87. Id.; Nakashima, supra note 8.
88. Scott Ikeda, Nation-State DDoS Attacks May Be the “New Normal”; Leaked Documents
Reveal Russia’s FSB Is Seeking to Build a Massive IoT Botnet, CPO Mag. (Apr. 3, 2020), https://www.cpomagazine.com/cyber-security/nation-state-ddos-attacks-may-be-the-new-normal-leaked-documents-reveal-russias-fsb-is-seeking-to-build-a-massive-iot-botnet/.
89. Matthews, supra note 2; Shannon Vavra, Cyber Command, Microsoft Take Action Against TrickBot Botnet Before
Election Day, CyberScoop (Oct. 12, 2020), https://www.cyberscoop.com/trickbot-takedown-cyber-command-microsoft/ (describing the election context of the Trickbot operation).
90. E.g., Catalin Cimpanu, TrickBot Gang Is Now a Malware Supplier for North Korean
Hackers, ZDNet (Dec. 11, 2019), https://www.zdnet.com/article/trickbot-gang-is-now-a-malware-supplier-for-north-korean-hackers/.
91. See Buchanan, supra note 70, at 309 (asserting that, once exposed, cyber operations are relatively easy to defend against).
92. For example, a territory-specific due diligence rule that “[s]tates should not knowingly allow their territory to be used for internationally wrongful acts [in cyberspace],” would be of little use against threats like Trickbot—since such threats aggregate malicious cross-border activity before achieving sufficient scale to become a threat. See U.N. Secretary-General, Group of Government Experts on Developments in the Field of
Information and Telecommunications in the Context of International
Security, ¶ 13(c), U.N. Doc. A/70/174, (July 22, 2015) (describing the due
diligence principle). In the cyber domain, since the threat
status itself can be borne through aggregating minor acts across various states, normative protection through a sovereignty-linked due diligence principle would remain unachievable because it would require 1) international consensus on a very low threat threshold, 2) common capacity to detect that threat, and 3) simultaneous, collective state action. Cf. id; see also Matthews, supra note 2; U.N. Secretary-General, Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, ¶ 13(c), U.N. Doc. A/70/174, (July 22, 2015).
93. E.g., Julia Voo et al., National Cyber Power Index 2020: Methodology and Analytical Considerations
(2020),
https://www.belfercenter.org/sites/default/files/2020-09/NCPI_2020.pdf
(listing the major state cyber powers that have asserted that
sovereignty imposes a rule in cyberspace);
French Ministry of the Armies, supra note 12, at 6–7 (French Ministry of the Army position on sovereignty in cyberspace); Letter from the Minister of Foreign Affairs, the Netherlands, to the President of the House of Representatives, the Netherlands, subject: The International Legal Order in Cyberspace the Netherlands to Parliament (5 July 2019) (Netherlands position on sovereignty in cyberspace); Michael Schmitt, Germany’s Position on International Law in Cyberspace, Part I, Just Sec. (Mar. 9, 2021), https://www.justsecurity.org /75242/germanys-positions-on-international-law-in-cyberspace (Germany’s position on sovereignty in cyberspace); Michael Schmitt, Finland Sets Out Key Positions on International Cyber Law, Just Sec. (Oct. 27, 2020), https://www.justsecurity .org/73061/finland-sets-out-key-positions-on-international-cyber-law/ (highlighting other European states who have provided legal opinions on sovereignty in cyberspace).
94. U.N. Charter arts. 42, 48, 51; Tallinn Manual 2.0, supra note 18, at 139.
95. The unwilling or unable defense theory has been invoked to justify use of force against terrorists operating in states unable or unwilling to suppress them. See, e.g., Philip Bobbitt, Terror and Consent: Wars for the Twenty-First
Century
464–699 (2008) (discussing the legal rationale underlying sovereignty
violations of states unable to suppress threats to third-party states);
Michael John Garcia & Jennifer K. Elsea, Cong. Rsch. Serv. R43720, U.S. Military Action Against the Islamic
State: Answers to Frequently Asked Legal Questions 19 (2014) (discussing the origins of the “unable or unwilling”
anticipatory self-defense doctrine and U.S. reliance thereon to justify
extraterritorial counterterrorism operations).
96. Garcia & Elsea, supra note 95, at 6 (citing Ashley Deeks, “Unwilling or Unable”: Toward a Normative Framework for Extra-Territorial Self-Defense, 52 Va. J. Int’l L. 483 (2012)).
97. Abraham D. Sofaer, On the Necessity of Pre-emption, 14 Eur. J. Int’l L. 209, 218–19 (2003).
98. Ashley Deeks, The Geography of Cyber Conflict: Through a Glass Darkly, 89 Int’l L. Stud. 1, 2, 13 (2013).
99. See, e.g., Comments by Argentina to Initial “Pre-draft” of the Report of the United Nations Open Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (Aug 27, 2020), https://front.un-arm.org/wp-content/uploads/2020/04/oewg-ict-comments-argentina-3.pdf.
100. Tallinn Manual 2.0, supra note at 18, at 138–39 (asserting that cybers that produce “loss of confidence in the longer term” in critical infrastructure “may be the factor that qualifies as a ‘grave and imminent peril’” even when the immediate effects of a hostile cyber operation do not present a significant threat in the short term).
101. E.g., Lucas Kello, The Meaning of the Cyber Revolution: Perils to Theory and
Statecraft, Int’l Sec., Fall 2013, at 7 (describing the offense-favoring nature of cyberspace).
102. Tom Jowitt,
French Cyber Police Takedown Paris-based Botnet, Silicon (Aug. 29, 2019, 10:41 AM), https://www.silicon.co.uk/security/cyberwar/french-cyber-police-takedown-botnet-282533. In addition to violating the French Ministry of Arms position on state sovereignty, the disinfecting action would also be a violation of state sovereignty under the Tallinn Manual approach. Tallinn Manual 2.0, supra note 18, at 68.
103. Ashley Deeks, Hoover Inst., Aegis Series Paper No. 2004, Defend
Forward and Cyber Countermeasures
11 (2020)
104. Andru E. Wall,
Demystifying the Title 10–Title 50 Debate: Distinguishing Military
Operations, Intelligence Activities & Covert Action, 3 Harv. Nat’l Sec. J. 85, 119–20 (2011) (discussing the difficulties of discerning intent from foreign code prior to it creating effects in a cyber ecosystem).
105. See, e.g., Corn & Taylor, supra note 14.
106. Weiman, supra note 9; Vavra, supra note 89.