The U.S. response to the Russia DNC hack has been criticized as “late” and “weak”: the United States’ response to the Russian intrusions was delayed, and the United States limited its responses to self-help measures. Professor Banks points out that the timing and nature of the U.S. response in fact reflect the challenges posed by an underdeveloped part of international cyber law: attribution. In this piece, Professor Banks examines Tallinn 2.0’s treatment of attribution in the cyber context. Given that this area of law is still underdeveloped, he suggests that the U.S. identify some attribution benchmarks as well as lawful responses to deter future cyber intrusions.
Category Archives: TLR Vol. 95-7
Is countering terrorism a legitimate reason to violate the right to privacy in cyberspace? Professors Barnsby and Reeves identify a potential risk under Tallinn 2.0 that the counterterrorism exception might swallow a state’s obligations to respect and protect international human rights, given the broadly defined “legitimate purpose” and the vaguely defined “terrorism” in the manual. Nevertheless, Professors Barnsby and Reeves point out that this kind of uncertainty in Tallinn 2.0 is not new. Like Tallinn 1.0, Tallinn 2.0 also intentionally left some definitional gaps for further legal developments in the cyber context. Such gaps, Professors Barnsby and Reeves argue, are necessary for a project like the Tallinn Manual and would be better filled by state practices.
In this piece, Professor Ingber explores the phenomenon of “interpretation catalysts” through the lens of the Tallinn Manual process. Specifically, she identifies two levels on which interpretation catalysts have operated in the Tallinn Manual process. First, the 2007 Estonia cyberattack was the catalyst that prompted the creation of the entire Tallinn Manual process, in which a group of experts defined legal rules as guidance for state actors. Second, the Tallinn Manual process itself has triggered states to respond by engaging in a rule-definition process in the broader context of cyberspace law.
In the area of cybercrime, the dilemma of attribution impedes the prevention and mitigation of cyber harm. Gaining momentum among States and commentators, a potential solution to the problem of attribution is a response proxy—an entity against whom action is taken when action against a responsible party is not feasible. However, such a proxy response by way of a cyber duty of due diligence may be counterproductive and lead to greater instability in the international system. Combining the principle of due diligence in cyberspace and the doctrine of countermeasures, a longstanding international law response to illegal acts by another State, produces an attractive solution on its face. Nonetheless, due diligence-inspired countermeasures as an attempt to close the attribution gap may yield unintended consequences, including significant costs to security, stability, and even to international law compliance.
When it was revealed that the Russian government interfered in the 2016 U.S. presidential election by, among other things, hacking into the e-mail system of the Democratic National Committee (DNC) and releasing its e-mails, international lawyers were divided over whether the cyber attack violated international law, as none of the standard rubrics for understanding illegal interventions clearly and unambiguously apply to the facts in question. The lack of fit with the doctrinal requirements for an illegal intervention against another State’s sovereignty is simply an indication that the notions of “sovereignty” and “intervention”—though mainstays of contemporary public international law doctrine—are poorly suited to analyzing the legality of the conduct in this case. A far better rubric for analyzing the behavior is the notion of self-determination, a legal concept that captures the right of a people to decide, for themselves, both their political arrangements and their future destiny. Unfortunately, the right of self-determination has largely lain fallow since the global process of decolonization was completed, with the exception of a few cases of controversial secessions. But the Russian hacking campaign is evidence that self-determination’s departure from the scene in international law should be mourned and, if possible, reversed because there are situations and cases where the best legal categories for understanding the situation are not sovereignty and intervention but rather the notion of self-determination.
In its chapter on international human rights law (IHRL), the Tallinn Manual 2.0 fails in its stated objective of furnishing “[s]tate legal advisors charged with providing international law advice to governmental decision makers” with “an objective restatement of the lex lata.” While the editors and authors plainly intend that their audience be mindful of human rights, the fluid and rapidly developing law in this area presents challenges, and so do widening divisions of opinion that are evident between governments, international experts, and civil society on what human rights law requires in the new digital age. To get the law right, the conscientious legal advisor should look elsewhere. Military and national security lawyers, chosen as experts to formulate and draft rules, may care deeply about human rights but generally do not develop deep familiarity with IHRL and its constitutive processes—that is more typical of human rights advocates, litigators, academics, and state specialists. Legal advisors should look first to treaty obligations and then more widely at international interpretation of rights from the most experienced states and practitioners in the international-, regional-, and state-level systems.
While the plea of necessity may be available for states in their responses to cyberattacks, frequent and pretextual invocations of necessity may destabilize international peace and security. Tallinn Manual 2.0 recognizes the plea of necessity, drawing on classic examples of necessity from traditional international customary law sources, but the application of these sources to cyberwarfare presents unique concerns. Although pleas of necessity require states to identify their essential interests, allowing states to unilaterally define these interests or limit the concept of critical infrastructure raises questions for the applicability of the necessity doctrine. Additionally, cyber operations have uncertain and unpredictable effects, thus making it difficult to determine when the last “window of opportunity” for responsive action is about to close. States seeking to clarify vague definitions and better understand legitimate responsive action first ought to commit to procedural norms to establish accountability so that a better international consensus on the plea of necessity may emerge.
Since the late 1990s, the United States has operated from the premise that international law applies in cyberspace. This remains the U.S. approach nearly two decades later. What appears to have changed since then is the Department of Defense’s position on sovereignty in cyberspace. In 1999, the question was not whether a State could violate another State’s sovereignty as a matter of law; rather, the challenge was identifying when cyber operations do so. Recently, the DoD has indicated that it may have reassessed its position that sovereignty can be violated as a matter of international law in the cyber context. In this article, Professors Schmitt and Vihul examine the point of contention between the DoD’s earlier view, as well as the Tallinn Manuals’, and that which now appears to be the revised DoD position.