Yesterday, the Texas Law Review hosted a fantastic daylong symposium on the Tallinn Manual 2.0, which is being released to the public today. (Details of the event at Texas Law School can be found here—I highly recommend the event to anyone interested in cybersecurity and the laws of war.) The Tallinn Manual is a remarkable document, partly because of the breadth of issues that it covers and partly because the cyber terrain shifts like quicksand. I focus here only on one small aspect of the manual—its application of the law of state sovereignty.
As the Manual notes, international law typically distinguishes jurisdiction to prescribe, adjudicate, and enforce the law. Jurisdiction to enforce and adjudicate are usually limited to what the state can actually get its hands around—including foreign assets and persons within the state’s reach. Jurisdiction to prescribe is believed to be broader, including legislative steps to protect the state’s own citizens at home or abroad, regulate conduct on the state’s soil, prevent attacks against the state, and so on. Given these fairly fundamental distinctions, it might seem sensible enough for the Tallinn Manual 2.0 to begin with a survey of the law of jurisdiction. After all, one cannot talk about cybersecurity for very long before hearing all sorts of anxiety about sovereignty—anxiety about one state’s ability to breach the territorial border of another through the civilian internet, questions of who constitutes a state actor, and so on.
But when it comes to the laws of cyberwarfare, very little actually turns on the most basic jurisdictional distinctions. Imagine, for example, what happens if a state alleges that its citizen is the victim of a cyber attack abroad. What follows from that fact—that the state has jurisdiction over a response? If there is actual harm to the victim, few will question the state’s legitimate interest in protecting its citizens; the relevant questions will turn on attributing the attack and delimiting the state’s response. Or suppose a state is upset about a cyber campaign that has domestic territorial effects. Does the state’s claim that its “sovereignty was violated” change its legal or military response? It is simply not clear what follows from this assertion.
Like the first edition, the second edition of the Manual notes, in its very first rule, that: “A State may exercise control over cyber infrastructure and activity within its sovereign territory.” This is both a deeply obvious point and one that, at some level, is unlikely to be true. Of course a state has the authority—and would take it even if it did not have it—to exercise control over what it can control, namely the things within its territorial reach (including servers and companies on its soil). But what does it mean to say that a state may exercise control over cyber “activity” within its territory? And how far does this rule extend? For example, when the European Court of Justice says that Google must honor a right to be forgotten, and remove links to certain web results, does the Tallinn Manual’s rule endorse the court’s ruling because Google engaged in cyber “activity” in Spain? If so, does the Manual’s rule endorse enforcing the court’s order within Spain, all of Europe, or worldwide? For European domains—Google.de, Google.es, Google.fr—or Google.com? Even if the scope of the word “activity” were not vague, it merely begs the question: what does this Rule suggest that Spain can do in order to force Google to comply with its rules? As Google’s ongoing legal battles over the right to be forgotten indicate—battles, by the way, fought in Spain, France, and elsewhere—this is no easy problem.
The revised and expanded edition of the Manual, in other words, still begins with distinctions that matter to basic conflict of laws problems, but it is not clear to me how much work they do in armed conflicts. For example, one passage notes: “In light of the variety of jurisdictional bases in international law, two or more States often enjoy jurisdiction over the same person or object in respect to the same event.” This statement does not begin to describe the half of it. Of course, states will have competing claims over aspects of cyber activity. If those claims are legal claims, then one hopes they are resolved in a court and according to conflict of laws principles—not with armed conflict.
So why begin a (second) manual on the law of cyberwarfare with bland assertions about state sovereignty that do not actually do much work in the arena of cyberwar? My guess is that this section of the Manual was a political bone to give to states that feel a loss of sovereign control over this whole internet thing. “Sovereignty” in this context is used by state actors to signal their deep anxiety about cyberspace. Whether that is an actual loss of sovereignty—and whether sovereignty is a helpful legal concept in this space—is very much yet to be seen. So while the Manual is a hugely important contribution, it begins with something of a red herring. The real action is in the Manual’s treatment of the laws of war as applied to this new domain—questions that will have profound consequences and which are much harder to answer than noting that states have an interest in and authority over internet infrastructure on their soil.