Cyber sovereignty

The International Law Sovereignty Debate and Development of International Norms on Peacetime Cyber Operations

By Mark Visger
Tuesday, July 12, 2022, 8:01 AM

The United Kingdom’s position on sovereignty has limited progress in working toward state consensus on prohibited behaviors in cyberspace. By electing to treat sovereignty as a principle rather than as a substantive rule, the U.K. maintains that violations of sovereignty do not, on their own, constitute violations of international law. This position touched off the well-known debate surrounding sovereignty, with most states rejecting the U.K.’s position and concluding that a violation of sovereignty in fact violates a state’s international law obligations. 

A recent speech by U.K. Attorney General Suella Braverman attempted to move past this sovereignty debate. Braverman argued that the U.K. should begin moving forward on substantive discussions about cyber norms that are applicable below the armed conflict threshold.

In her speech, the U.K. attorney general proposed an expanded interpretation of the well-established international law prohibition of coercive intervention in the affairs of other states. The existence of a rule prohibiting intervention is not controversial. But questions exist about the application of the rule to cyberspace operations. Braverman’s focus on this rule raises the prospect of working toward a solution to the overarching problem of establishing clear peacetime customary norms while at the same time skirting the ongoing debate on sovereignty. Her approach to the nonintervention rule provides a starting point for all states to revisit conversations and debates about substantive peacetime norms in cyberspace. 

The U.K. position on sovereignty is likely based on the country’s desire to maintain operational flexibility in state-sponsored cyber operations to avoid potential violations of its international legal obligations. The sovereignty-as-principle position generally does afford operational flexibility. However, it also backs the U.K. into a corner as it relates to cyberattacks committed against the country. Jeffrey Biller and Michael Schmitt have pointed out the practical effects of the U.K. rejection of “sovereignty as a rule,” citing the challenges inherent in the U.K.’s attempt to label certain Russian cyberattacks as violations of international law. In this instance, Biller and Schmitt note that Russian cyber operations such as access and exfiltration of data from government and private networks—which the British government alleged were unlawful—would likely not be a violation of international law in the absence of a substantive rule of sovereignty. 

Varying approaches to sovereignty also restrict the ability of states to reach consensus on what behaviors in cyberspace violate international law. In the Tallinn Manual 2.0, the International Group of Experts (IGE) identify two types of activities that would violate sovereignty in cyberspace: infringement of a state’s territorial integrity—through physical damage to or loss of functionality of computer systems physically located on the territory of a state—and interference with a state’s inherent government function. Consensus has yet to be reached about whether additional activities that do not fall within these two categories constitute sovereignty violations. A significant category of attacks in this regard relates to data—particularly surveilling, exfiltrating, manipulating, or inserting data that does not otherwise affect functionality or government functions. 

States have begun to fill in these gaps and articulate their positions on sovereignty. Authoritarian states such as China assert strong positions on sovereignty, which is to be expected given such nations’ desire to control the internet. France has also notably taken a strong position on what cyberspace activities violate sovereignty—and has been critiqued for engaging in the very same types of cyberspace operations against other nations. 

It is therefore unsurprising that Braverman’s effort to address the sovereignty debate focused on a main pillar of international law: the rule against coercive intervention. To do so, Braverman homed in on the coercion aspect of the rule. The precise interpretation of coercion in this context historically has been difficult to define. The International Court of Justice opinion in Nicaragua v. United States famously focused its coercion analysis on the removal of free choice of the victim state. In her speech, Braverman proposed a much broader conception of coercion:

While the precise boundaries of coercion are yet to crystallise in international law, we should be ready to consider whether disruptive cyber behaviours are coercive even where it might not be possible to point to a specific course of conduct which a State has been forced into or prevented from taking. (Emphasis added.) 

She then goes on to specify “illustrative examples” of areas that may be subject to the rule: energy security, medical care, and economic stability. Braverman suggests that cyber activities that “[prevent] the supply of power” or “[cause] hospital computer systems to cease” might qualify as violations of the rule against coercive intervention. 

Braverman’s interpretation of the nonintervention rule has been subject to criticism. Some scholars argue that it misconstrues the traditional understanding of coercion, particularly centered on the intent to coerce. Considering this observation, Braverman’s proposal may be a good starting point to contemplate alternative understandings of the term. Such discussions could bridge the gap of the sovereignty divide and help states come to a meaningful common understanding of prohibited behavior under international law. As noted by the Dutch Ministry of Foreign Affairs, a “precise definition of coercion … has not yet fully crystallised in international law.” At the same time, a case can be made in support of Braverman that choice has been removed in the cyberattacks she referenced, and thus victim states were coerced. For example, states have chosen to ensure the provision of electricity to their citizens as part of their internal economic and social system. Therefore, a cyberattack that cuts off power then removes that choice and coerces that state into not providing power—a choice that that state would not normally make but for the cyberattack. 

This approach is an admittedly broad interpretation of coercion. And it runs the risk of creating an environment that would ultimately transform almost every cyberattack into a coercive intervention. It also highlights the need to assess what activities fall within a state’s domaine réservé—the domestic areas of state activity that are fully and exclusively within a state’s jurisdiction. With the advent of cyberspace, the nonintervention rule has become even more imperative. It may be time for states to update their application of this element of the nonintervention rule amid changes to technology and to account for the unique challenges of applying existing international law to cross-border cyberspace operations.

A broader nonintervention approach may also allow for a more pragmatic analysis of prohibited behaviors in cyberspace. The sovereignty rule outlined by the IGE in Tallinn Manual 2.0 was constrained by historical understandings of sovereignty. And it had a bit of a square-peg-in-round-hole feel as applied to cross-border cyberattacks because of the difficulty of applying sovereignty concepts in cyberspace. The Tallinn Manual 2.0’s sovereignty discussion focused on infringement of a state’s territorial integrity—through physical damage to or loss of functionality of systems physically located on the territory of a state—and interference with a state’s inherent government function. Despite the IGE’s recognition of the possibility of other cyberattacks that may also violate sovereignty, the group provided no consensus and no methodology to determine what specific types of attacks might also fall into this category. The amorphous outer boundaries of both sovereignty and nonintervention create the potential for a significant gap in the law. The IGE’s reasoning, while keeping with their intended lex lata approach (that is, stating the law as it currently exists instead of what the law should be), creates the potential for relatively minor cyber intrusions (for example, unauthorized access to a government licensing database) to be branded a violation of international law. And it results in more significant attacks not meeting the functionality or government function standard of what constitutes an internationally unlawful act unless the attack reaches the comparatively high threshold of coercive intervention. 

Braverman’s approach contains the seeds of an idea that allows for, in her words, “shared agreement on prohibited behaviors”—which hopefully would move the focus from legal doctrines to substantive behaviors. This shared agreement would result in broader consensus regarding prohibited behaviors in cyberspace even though states might arrive at their positions using differing theories of the law. If such a rapprochement takes place, international law would be better positioned to address emerging cyber activities through evolving customs and updated understandings of the application of existing legal norms, possibly creating a path to a treaty governing cyberspace activities. This would be a positive development and would allow states to begin working toward the goal of achieving a common understanding of peacetime cyber norms.