Skip to content
Commentary | 9 February 2018

Law and Order in Cyberspace

Image of Maarja Naagel

Maarja Naagel |Researcher at the Law Branch of the NATO Cooperative Cyber Defence Centre of Excellence

Cyber NATO Global Security

In the international cybersecurity debate the West should not be misled by the differences of the terms used (cybersecurity vs. information security), rhetoric of “legal vacuum” in cyberspace, or accusations of the militarisation of cyberspace. This kind of political rhetoric, disguised in legal arguments, is designed to distract the international community from the obvious undermining of the norms-based order that has been accepted since the creation of the United Nations. Accepting this rhetoric would only expand the so-called grey areas which, given their modus operandi, are comfort zones for certain states’ activities.

To illustrate this, let’s look at the most basic document of the international order as we know it – the UN Charter. The prohibition of threat or use of force in international relations was laid down in article 2(4) of the UN Charter. Of course, there are exceptions to the rule – most importantly the inherent right of self-defence reflected in article 51. Any other case must be dealt with by the UN Security Council, which can give authorisation to use force by states under Chapter VII of the Charter. The reality has not always quite lived up to the expectations, however the rules are there and almost all states, almost all of the time, adhere to them.

Of course in 1945, when the UN Charter was signed, cyberspace did not exist. Today, information and communication technology (ICT) is already an inherent part of our everyday lives, from individuals using their smartphones to whole states depending on ICT to function and provide vital services, such as power supply and healthcare. We see incidents on a fairly regular basis that disrupt these services, be they provided by public or private entities, and many states have passed legislation to regulate ICT-enabled activities from internet banking to digital databases, or from self-driving vehicles to the fight against cyber-crime. And yet, when it comes to discussions as to how states operate in cyberspace we still hear claims that it is such a new environment that it is functioning in a “legal vacuum“.

States are increasingly willing to embrace the opportunities of ICT and cyberspace. However, when it comes to the issues of taking responsibility under international law for their actions in cyberspace they often seem overwhelmed by the unknowns of cyberspace.

States have encountered the legal challenges of new technologies before. The most obvious examples in the context of international law are the emergence of air warfare in the early 20th century and the rise of nuclear weapons following the Second World War. When combat was first extensively taken to the air by the use of bomber aircraft in the First World War it seemed very different from warfare as it was previously understood. Questions were raised as to what rules apply. But states soon realised that the set of rules would be essentially the same as before, and they would be applied by way of interpretation and in certain cases adjusted. With regard to nuclear weapons, the International Court of Justice ruled in its Advisory Opinion in the Legality of Nuclear Weapons Case in 1996 that the provisions of the United Nations Charter that prohibit use of force apply to any use of force, regardless of the weapons employed. Although some specific rules have been agreed on certain aspects of nuclear weapons (e.g. non-proliferation), nuclear weapons are in the same set of international law norms that regulate any state conduct.

The same logic applies in cyberspace. Existing international law applies to states’ use of ICT. Some rules may need to be reinterpreted or adjusted as necessary. Indeed, there are several issues in international law as it applies in cyberspace that are unsettled. For example, the use of force in cases of non-destructive cyber operations or the application of the instructions, direction or control criteria codified in the Articles on State Responsibility, in cases of attribution of acts by non-state actors to states. But there is no reason to conclude that international law in general, or the United Nations Charter, the law of state responsibility or international humanitarian law specifically would be inapplicable. All it means is that the law in a particular issue is still unsettled. State practice and the accompanying opinio iuris will eventually clarify it.

Claims that the applicability of the right to self-defence or international humanitarian law to cyberspace would mean militarising cyberspace are not only wrong but also hypocritical, especially coming from Russia, given that Moscow has officially declared its development of offensive cyber capabilities. If the right to self-defence would not apply in cyberspace then why would a law-abiding nation develop such capabilities?

Western nations should be cognisant of the differences in concepts when it comes to cyberspace, but even more so of the motivations behind them. We must stay committed to the rules-based international order and develop international law through practice and where appropriate, the corresponding expressions of what we believe the law is in specific cases. This would contribute to creating further clarity as to what the legal standard in an unsettled norm should be and, where necessary, would ultimately create new customary international law.

A good example of evolving state practice is attribution where, despite difficulties, states are making progress and also publicising the outcome. The United States openly attributed the 2014 Sony Pictures hack and the 2017 WannaCry ransomware incident to North Korea. The 2016 US Democratic National Committee hack was by the same government attributed to Russia. With somewhat lesser certainty, France attributed a hack to Emmanuel Macron’s presidential campaign’s e-mail servers in 2017 also to Russia. These instances show that attribution under international law is not just a technical issue, it is also political. According to the authors of the Tallinn Manual 2.0 (a comprehensive study on the international law applicable to cyber operations) the legal standard is reasonableness – would a reasonable state in similar circumstances attribute the activity with reasonable certainty to a state. Attribution is a political issue that in addition to digital forensics relies on intelligence, assessment of the geostrategic situation, modus operandi, past actions and possible motivation of suspected states. These examples of public attribution are but first steps in the right direction.

We should not go along with the mystifying rhetoric that cyberspace is an environment where nothing is certain, anything is possible and one can get away with anything. This, along with the insincere rhetoric coming from countries such as Russia and China, would only further distract the focus from what is practical and practicable. We should stay firm in our commitment to the rules-based international order and also pursue the efforts to universalise the understanding among states that international law, including the right to self-defence, international humanitarian law and the law of state responsibility, apply in cyberspace. Some law is always better than no law. Accepting the alternative would undermine the rules based order that is one of the pillars of the international community as we know it, not only in cyberspace but also in the physical world. These efforts should be further reinforced by acting when necessary and communicating the sense of our actions and the legal basis in a clear way. That will give more legal clarity and credibility to our policy and ultimately avoid the emergence of situations where the severest of measures, such as acting in self-defence, would have to be applied.


This article reflects the independent view of NATO CCD COE Law Branch researcher Maarja Naagel. It does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence, member nations of the Centre or NATO.

The opinions articulated above represent the views of the author(s), and do not necessarily reflect the position of the European Leadership Network or any of its members. The ELN’s aim is to encourage debates that will help develop Europe’s capacity to address the pressing foreign, defence, and security challenges of our time.