1 Summary of 2018 National Defense Strategy of the United States of America (Washington, D.C.: U.S. Department of Defense, 2018), p. 6. The United States began to regard cyberspace as an operational domain in 2011. Department of Defense Strategy for Operating in Cyberspace (Washington, D.C.: U.S. Department of Defense, 2011), p. 5; and David Alexander, “Pentagon to Treat Cyberspace as an ‘Operational Domain,’” Reuters, July 14, 2011.
2 Steve Ranger, “US Intelligence: 30 Countries Building Cyber Attack Capabilities,” ZDNet, January 5, 2017.
3 See, for example, The Department of Defense Cyber Strategy (Washington, D.C.: U.S. Department of Defense, 2015), p. 14.
4 U.S. Cyber Command, for example, has recently emphasized the latter capacities in delineating its strategies for future operations. See, for example, Richard J. Harknett, “United States Cyber Command's New Vision: What It Entails and Why It Matters,” Lawfare, March 23, 2018.
5 Huang, Zhixiong and Mačák, Kubo, “Towards the International Rule of Law in Cyberspace: Contrasting Chinese and Western Approaches,” Chinese Journal of International Law 16, no. 2 (2017), p. 299 (quoting Ma Xinmin, a senior Chinese diplomat and international lawyer).
6 See, for example, Julian Ku, “How China's Views on the Law of Jus Ad Bellum Will Shape Its Legal Approach to Cyberwarfare,” Aegis Series Paper No. 1707, Stanford University, Hoover Institution (2017), p. 2; and Arun M. Sukumar, “The UN GGE Failed. Is International Law in Cyberspace Doomed As Well?” Lawfare, July 4, 2017.
7 Lindsay, Jon Randall, “Restrained by Design: The Political Economy of Cybersecurity,” Digital Policy, Regulation and Governance 19, no. 6 (2017), p. 493.
11 See DeNardis, Laura, The Global War for Internet Governance (New Haven, Conn.: Yale University Press, 2014), ch. 1.
12 Goldsmith, Jack L. and Wu, Tim, Who Controls the Internet? Illusions of a Borderless World (New York: Oxford University Press, 2006); and Chander, Anupam and Lȇ, Uyȇn P., “Data Nationalism,” Emory Law Journal 64, no. 3 (2015), p. 677.
13 See, for example, Arun M. Sukumar, “The UN GGE Failed”; Garrett Hinck, “Wassenaar Export Controls on Surveillance Tools: New Exemptions for Vulnerability Research,” Lawfare, January 5, 2018; and Cerf, Vinton, Ryan, Patrick, and Senges, Max, “Internet Governance Is Our Shared Responsibility,” I/S: A Journal of Law and Policy for the Information Society 10, no. 1 (2014), pp. 1–42.
14 See Price, Richard, “Reversing the Gun Sights: Transnational Civil Society Targets Land Mines,” International Organization 52, no. 3 (1998), p. 613.
15 See Demchak, Chris C. and Dombrowski, Peter, “Rise of a Cybered Westphalian Age,” Strategic Studies Quarterly 5, no. 1 (2011), pp. 32–61 (predicting states will delineate cyberspace “by formal agreement” with a “new cyber–Westphalian process” and “digital regions complete with borders, boundaries, and frontiers that are accepted by all states”).
16 Hollis, Duncan B. and Newcomer, Joshua M., “‘Political’ Commitments and the Constitution,” Virginia Journal of International Law 49, no. 3 (2009), p. 507; Raustiala, Kal, “Form and Substance in International Agreements,” American Journal of International Law 99, no. 3 (2005), p. 581; and Lipson, Charles, “Why Are Some International Agreements Informal?” International Organization 45, no. 4 (1991), p. 495.
17 Some modern treaties (such as multilateral environmental agreements) attempt to overcome this problem by devising built-in adjustment mechanisms to accommodate new facts, scientific developments, or agreements. Brunneé, Jutta, “Treaty Amendments,” in Hollis, Duncan B., ed., The Oxford Guide to Treaties (Oxford: Oxford University Press, 2012), p. 347; and Helfer, Laurence R., “Nonconsensual International Lawmaking,” University of Illinois Law Review 1 (2008), p. 75.
18 Hollis and Newcomer, “‘Political’ Commitments and the Constitution,” pp. 512, 526.
19 Raustiala, “Form and Substance in International Agreements,” p. 613; and Lipson, “Why Are Some International Agreements Informal?” p. 511.
20 See Hollis, Duncan B., “The Existential Function of Interpretation in International Law,” in Bianchi, Andrea, Peat, Daniel, and Windsor, Matthew, eds., Interpretation in International Law (New York: Oxford University Press, 2015), p. 78.
21 Finnemore, Martha and Hollis, Duncan B., “Constructing Norms for Global Cybersecurity,” American Journal of International Law 110 (2016), p. 471.
22 See, for example, UN Charter, Ch. VII: Action with Respect to Threats to the Peace, Breaches of the Peace, and Acts of Aggression; Geneva Convention (IV) Relative to the Protection of Civilian Persons in Time of War, August 12, 1949, UNTS 75, p. 287; and Hague Convention (IV) Respecting the Laws and Customs of War on Land and Its Annex: Regulations Concerning the Laws and Customs of War on Land, October 18, 1907.
23 “The Montreux Document on Pertinent International Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies during Armed Conflict,” Government of Switzerland and the International Committee of the Red Cross (2008). For a proposal along these lines, see Hoffman, Wyatt and Levite, Ariel (Eli), Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace? (Washington, D.C.: Carnegie Endowment for International Peace, 2017).
24 Compare Henckaerts, Jean-Marie and Doswald-Beck, Louise, Customary International Humanitarian Law, International Committee of the Red Cross (New York: Cambridge University Press, 2005) with “Letter from John B. Bellinger III, Legal Adviser, U.S. Department of State, and William J. Haynes, General Counsel, U.S. Department of Defense, to Dr. Jakob Kellenberger, President, International Committee of the Red Cross, Regarding Customary International Law Study,” November 3, 2006, reprinted in International Legal Materials 46, no. 3 (2007), pp. 514–15.
25 Nate Lanxon and Tim Ross, “U.K. Blames North Korea for WannaCry Attack on Health Service,” Bloomberg, October 26, 2017; and Dustin Volz, “U.S. Blames North Korea for ‘WannaCry’ Cyber Attack,” Reuters, December 18, 2017.
26 Sarah Marsh, “US Joins UK in Blaming Russia for NotPetya Cyber-Attack,” Guardian, February 15, 2018.
27 See, for example, Kristen Eichensehr, “Three Questions on the WannaCry Attribution to North Korea,” Just Security, December 20, 2017; and Fidler, David P., “Was Stuxnet an Act of War? Decoding a Cyberattack,” IEEE Security & Privacy 9, no. 4 (2011), p. 56 (“Nation-states have been curiously quiet about Stuxnet…including the victim state (Iran)”). With respect to the Sony Pictures hack, President Obama declined to classify the incident as cyber warfare but referred to it as an act of “cyber vandalism.” Brian Fung, “Obama Called the Sony Hack an Act of ‘Cyber Vandalism.’ He's Right,” Washington Post, December 22, 2014.
28 See UN Charter, Articles 39, 42, and 51.
29 See Schmitt, Michael, ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge: Cambridge University Press, 2017), Rule 71 (“A state that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defense.”).
30 Ibid. (referring to “scale and effects” of the attack).
31 See, for example, UN General Assembly Resolution 2625 (XXV), “Declaration on Principles of International Law Concerning Friendly Relations and Co-operation among States,” October 23, 1970, A/RES/25/2625; and Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States), ICJ Reports 1986, p. 97–98 [para. 205]; see also Case Concerning Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda), Judgment, ICJ Reports 2005, p. 63 [para.163].
32 Schmitt, Tallinn 2.0, p. 312.
34 For a discussion, see Corn, Gary P. and Taylor, Robert, “Sovereignty in the Age of Cyber,” AJIL Unbound 111 (2017), pp. 207–12.
35 Schmitt, Tallinn 2.0, p. 17 (Rule 4).
36 See, for example, Gary Corn, “Tallinn Manual 2.0—Advancing the Conversation,” Just Security, February 15, 2017.
38 Schmitt, Tallinn 2.0, pp. 21–24.
39 See Ohlin, Jens David, “Did Russian Cyber Interference in the 2016 Election Violate International Law?” Texas Law Review 95 (2017), pp. 1579–598.
40 On retorsions and countermeasures, see International Law Commission, “Draft Articles on the Responsibility of States for Internationally Wrongful Acts,” in Report of the International Law Commission on the Work of its Fifty-Third Session, UN Doc. A/56/10, pp. 128–37 (articles 49–53).
41 See the Protocol Additional to the Geneva Conventions of August 12, 1949, and relating to the Protection of Victims of Armed Conflicts (Protocol I), June 8, 1977, UNTS 1125, p. 3, articles 48 (regarding distinction), 57(2)(a)(ii) (regarding precautions).
42 See Schmitt, Tallinn 2.0, pp. 415–22 (Rule 92).
43 One of us has written about such a duty in some detail. See Hollis, Duncan B., “Re-Thinking the Boundaries of Law in Cyberspace: A Duty to Hack,” in Ohlin, Jens David, Govern, Kevin, and Finkelstein, Claire, eds., Cyberwar: Law and Ethics for Virtual Conflicts (New York: Oxford University Press, 2015), p. 129.
44 Schmitt, Michael, “Military Necessity and Humanity in International Humanitarian Law: Preserving the Delicate Balance,” Virginia Journal of International Law 50, no. 4 (2010), p. 795.
45 See, for example, Davis, John S. II et al. , Stateless Attribution: Toward International Accountability in Cyberspace (Santa Monica, Calif.: RAND Corporation, 2017).
46 See David E. Sanger, “Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar,” New York Times, April 17, 2018.
47 See, for example, Charlie Dunlap, “Why Companies Should Not Sign the ‘Cybersecurity Tech Accord,’” Lawfire, April 21, 2018.
48 See, for example, the Wassenaar Arrangement, www.wassenaar.org (detailing export controls participants should adopt domestically for certain intrusion software and IP network surveillance systems).
49 See generally Chander and Lê, “Data Nationalism.”
51 Patrick Lin, “Ethics of Hacking Back—Six Arguments from Armed Conflict to Zombies,” U.S. National Science Foundation Paper, Sept. 26, 2016.
52 See generally Maurer, Tim, Cyber Mercenaries: The State, Hackers, and Power (Cambridge: Cambridge University Press, 2018).