must take action in cyberspace during daily competition to preserve U.S. military advantages and defend U.S. interests. We will focus on states that may pose a strategic threat to U.S. prosperity and security, particularly China and Russia. We will conduct operations in cyberspace to gather intelligence and prepare military cyber capabilities that can be deployed in the event of a crisis or conflict. We will defend ourselves to prevent or stop malicious cyber activity at the source, including activities that do not fall within the level of armed conflict. We will strengthen the security and resiliency of networks and systems that contribute to America`s current and future military advantages. We will work with our inter-agency, industry and international partners to advance our common interests. On the other hand, other States and stakeholders pointed out that there are gaps or inefficiencies in existing legislation that require the formulation of new rules. This could be done through a new treaty or the development of customary international law. However, proponents of new rules disagree on the desired end state.
Some states focus on a treaty that would protect states from individuals (for example, those who engage in subversive speech or threaten state security through online activities). Others seek a treaty that would protect people from states (e.g., by prohibiting states from conducting malicious cyber operations against critical cyber infrastructure and requiring positive efforts by states to cooperate and prevent such operations by others). The future forum for the application of international law? So far, the strongest forums for dealing with the application of international law have been non-governmental forums. Internet governance involves a multi-stakeholder process. And non-state actors, such as the independent expert groups that produced the Tallinn manuals, have dominated the discourse on how international law regulates state cyber operations. Such efforts could continue to have an impact, as evidenced by the three recent Oxford statements by international lawyers on the law`s prohibitions and protections against the health sector and vaccine research in the context of the COVID-19 pandemic, as well as foreign interference in elections ahead of the 2020 U.S. presidential election. At the same time, efforts by UN Member States to address international law on cybersecurity and ICT issues have increased. In addition to the initial forum of the UN Intergovernmental Group of Experts, UN processes now include an open working group in the First Committee of the UN General Assembly and a third committee on a UN Convention on Cybercrime. However, it is not clear that the United Nations will be the only point of contact to guide discussions on the application of international law.
Regional organizations (such as the European Union) can offer an alternative that, in some cases, can avoid certain aspects of geopolitics that dominate the UN`s discourse. Other existing or future multi-stakeholder processes could also take over. The last sentence is of particular importance. It essentially states that government lawyers must decide whether a cyber operation resembles espionage (or technically “the type of intelligence or counterintelligence activities for which there is no international legal prohibition per se”). If the operation does that, then it is not a violation of sovereignty. But if the operation does not resemble this type of activity, it may well violate sovereignty. If not, why would lawyers even engage in an investigation to that effect? This brief introduction provides an overview of the application of international law to cyberspace, the actors involved, the main problems related to its application, and possible future avenues that international law could take to regulate cyberspace. Another issue raised by the Ney Declaration stems from the position of the Ministry of Defence on the existence and scope of an obligation under international law to respect the sovereignty of other states. The position of the Ministry of Defense described by Ney is important in several respects. First, it excludes the possibility that countermeasures are violent in nature. An ongoing debate among international law scholars is whether a countermeasure in response to an unlawful cyber operation involving the use of force can itself reach the level of use of force (albeit below the level of armed attack in self-defense, see Judge Simma`s separate opinion in the ICJ Oil Platforms case).
This debate prevented the Tallinn Manual 2.0 experts from reaching a consensus on the admissibility of violent countermeasures. However, the position of the Ministry of Defence, in my view, rightly strengthens the argument against vigorous countermeasures. With this attitude, the United States joins Great Britain, Australia, the Netherlands and France. (However, given that the United States believes that there is no difference between the use of force and an armed attack, the Department of Defense could not likely consider violent countermeasures below the level of an armed attack to exist even as a conceptual issue, let alone that only the use of force at a lower level is permitted.) Positions of Finland on developments in the field of information and telecommunications in the context of international security The fallacy of this justification is that it considers as evidence of the non-existence of the rule not to condemn cyber operations as violations of sovereignty. However, unless they reject the existence of such a rule in the non-cyber context (a highly problematic proposition given the overwhelming evidence to the contrary), proponents of the position have the burden of justifying the non-applicability of the existing sovereignty rule to cyber operations, as occurred in the case of the obligation to notify countermeasures discussed above. So far, no principled defence of the approach has been proposed, and there is little expression of opinion to conclude that states have remained silent on the basis of the legal belief that the general rules of sovereignty do not extend to cyber operations. National Cyber Security Strategy – Preparation Underway (June 2016) Traditional espionage can also be a useful analogue. Many of the techniques and even objectives of intelligence and counterintelligence operations are similar to those used in cyber operations.
Of course, most countries, including the United States, have domestic laws against espionage, but international law, in our view, does not prohibit espionage per se, even if it involves some degree of physical or virtual intrusion into foreign territory. There is no anti-espionage treaty, and there are many concrete examples of States that practice it, indicating the absence of a norm of customary international law against it. When we look at a planned military cyber operation, we can therefore consider the extent to which the operation resembles or is equivalent to the type of intelligence or counterintelligence activities for which there is no prohibition per se under international law. The Department of Defence`s commitment to this established requirement is commendable. However, the question of what to do if the identity of the perpetrator of a hostile cyber operation is somewhat uncertain remains open. In other words, to what extent must a State be sure that an illegal cyber operation is attributable to another State under the law of State responsibility before taking a countermeasure? There are two points of view, both of which are discussed in the Tallinn Handbook 2.0. According to the first view, a State takes countermeasures at its own peril. Thus, if a State wrongly attributes a hostile cyber operation to another State against which it is taking a countermeasure, it has committed an act contrary to international law, since there is no reason to exclude illegality from its response. The second competing view is that international law requires States to be reasonable, but not just. As long as the answer was based on reasonable attribution in good faith, it is legal. It may seem that the second view offers more flexibility to States taking countermeasures.
However, the first view may mean that there is no standard of proof that the state must meet before engaging in such acts, even if it is responsible for the consequences of that act. Offensive operations, such as those envisaged by Persistent Engagement and Defending Forward, are a source of concern for many States. The Cyber Command`s vision statement acknowledges this reality when it states that “we recognize that adversaries already condemn U.S. efforts to defend our interests and allies as aggressive, and we expect them to similarly attempt to portray our strategy as a `militarization` of cyberspace.” However, the statement continued: “The command makes no apologies for defending the United States.