It’s not often that we come away from international law workshops most impressed and inspired by methodological debates. But that was our common takeaway from a recent Hebrew University Cyber Security Research Center event on the Tallinn Manuals on Cyber Operations. Before sharing our thoughts, we’d like to underscore that Yuval Shany is the director of the Hebrew University Cyber Security Research Center and Matt Waxman is an external advisor.
The workshop—which was conducted under Chatham House rules and included current and former officials as well as academics from Israel and NATO members—considered important, substantive questions of international law and cyber operations, including the rules and thresholds regarding sovereignty, force, countermeasures, and self-defense. Some of the most heated and productive debates, however, centered not on the answers to these questions but on the best way to approach them.
For starters, most of the participants seemed to accept that new cyber treaties are unlikely but that existing international legal frameworks are applicable and should be adapted to deal with cybersecurity and cyberconflict. From there a significant methodological split emerged, with many participants falling somewhere in between.
One approach, reflected to a large extent in the Tallinn Manuals, relies heavily on analogical reasoning. International law doctrine for kinetic operations or actions traditionally taking place in physical space regulates activities on the territory of unconsenting states, appropriate responses to hostile actions, countermeasures, states’ duties to mitigate threats to others, and so on. These rules are not always clear and uncontested, but to the extent they are, international rules for cyber can best—or at least presumptively—be derived by analogy: What do various cyber-activities or responses to cyber-activities most resemble in physical space, and what would their rules dictate? Advantages of this largely deductive approach include clarity, consistency of legal rules across various domains, and the legitimacy that comes from prior state consent and consensus. Many states will therefore gravitate naturally toward this method.
An alternative approach, whose precise contours have yet to be clearly spelled out, starts not with existing doctrines from physical space but with their purpose: international stability, self-protection of states’ core interests, responsibility for protecting individual rights and so on. It asks what rules would best contribute to those purposes and the legal principles that underlie them. Critics argue that this tends to reduce law to policy and that purposes are ill-defined, but this principle-based approach may produce legal interpretations that are more effective and lasting if states find them to serve their common interests.
These competing approaches—and, again, there are also middle-ground or hybrid positions—represent a familiar debate between legal formalism and instrumentalism, but cybersecurity and cyberconflict add some special twists, especially for the United States and Israel. Most significant, technology is changing rapidly—along with cyber capabilities and vulnerabilities—so predicting in advance how effectively rules may work and serve their interests is tricky. States are still developing their strategies and counterstrategies, and much of that planning and operations take place in secret and under conditions of uncertainty regarding future technology and the degree to which other actors can be induced to “play by the rules.”
As top-tier cyber-powers as well as military powers (regionally, in Israel’s case), the United States and Israel may have much to gain from the second, functional approach, especially if they combine it with a prudent wait-and-see strategy of legal diplomacy that emphasizes pragmatic responses to real-world contingencies (e.g., public as well as back-channel diplomatic responses to cyberattacks, cyber-intelligence operations, cyber operations against non-state actors, etc.).
A problem, however, is that there is a race between real-world events, spurred by fast changes in technology, and adaptation of international law. In this race, the latter may be at risk of losing or may have a hard time keeping up. Government officials and outside experts are therefore wrestling with ways of accelerating legal adaptation. Among the most interesting questions we heard being debated at this workshop in this regard were the following:
- Should states be taking a more active role in explaining publicly their general approach to international law and cyber-operations, including how legal regulation fits with their broader cyber strategy?
- Are some states miscalculating the relative costs and benefits of secrecy and transparency of specific cyber-operations or responses to them, given a desire to shape international rules through actual practice and justification?
- With little likelihood of broad, multilateral breakthroughs, should small groups of states try to develop and promote diplomatically some common interpretive approaches?
- What role does the technology industry have to play in international legal adaptation, given that international law remains the province of states but private companies have a lot of influence in this area?
- Should new institutions be created in order to provide common security solutions, to attribute legal responsibility for cyberattacks, and to engage, where necessary, in collective reaction to large-scale cyberattacks affecting a multiplicity of jurisdictions?