To What Extent Does International Law Apply In Cyberspace?

On 12th March, 2021, the final report was adopted by the Open-ended working group on developments in the field of information and telecommunications in the context of international security (“OEWG”). The report reaffirmed the widely held belief that international law (“IL”) encompasses cyberspace, as validated in several countries’ position papers (see here, here, here and here). This is crucial since the final OEWG report was developed as a result of the participation of forty-nine countries, with at least one country from each of the major United Nations Regional Groups. The academic debate on this topic can be seen to shift towards affirming IL’s application to cyberspace. Such can be seen with initiatives such as the Oxford Process and the Tallinn Manual 2.0

The report advocated a set of “voluntary, non-binding norms” (“new norms”) based on recommendations from member states (para 7). It is critical to note that the report concluded that these standards would operate in conjunction with the state’s existing obligations under IL. This is significant because it refutes the argument that these new norms will supplant a state’s responsibilities under IL. The final report confronts two mutually reinforcing assumptions about the scope of IL’s applicability in cyberspace. First, any IL concept can be applied to cyberspace only if sufficient opinio juris demonstrates its application. Second, because a new set of cybersecurity norms are being produced, the existing principles of IL would not apply to cyberspace. This assumption attempts to emphasize how IL in cyberspace is a distinct area of law that requires the development of new norms. This results in the conclusion that established principles would not apply in this new area of IL. 

This piece will focus on debunking these two erroneous assumptions, taking into consideration the OEWG report. History cannot be re-written, but IL can, depending on the rules and norms chosen by states. However, what are the rules and norms chosen by states in context to cybersecurity?

Refuting The Assumption Calling For a Requirement of Opinio Juris

The demand for new opinio juris on IL in cyberspace is predicated on the premise that various spheres demand distinct state practices, and so, there must be distinct standards for cyberspace. Israel’s Deputy Attorney General has argued in support of the assumption that IL cannot be applied automatically from the physical to the cybersphere. From a purely physical standpoint, he is correct; certain principles of IL are restricted to specific spheres. For example, the idea of freedom of navigation is restricted to ships operating on the high seas. However, he overlooked the fact that the cybersphere is not merely another physical sphere. This notion that IL will be applied differently in different areas appears to have originated in the law of armed conflict, where nations have varying commitments in various spheres (p. 97). 

The primary argument for doubting IL’s applicability in cyberspace is the assumption that cyberspace is a new frontier in and of itself. This is incorrect, as the activities do not take place in a new sphere. Rather, what we commonly refer to as cyberspace is a collection of information and communication technologies that enable users to more efficiently exchange and process information, such as the internet and other networks. Moreover, while software, code, and data all play a significant role in how these technologies work, they are inevitably comprised of physical components or hardware, such as cables, satellites, radio waves, computers, and their millions of silicon circuits, as well as the individuals who create, control, and use software, hardware, and data. Thus, while cyberspace activities span borders, they are nonetheless rooted in physical infrastructure.

In its Advisory Opinion on Nuclear Weapons, the International Court of Justice (“ICJ”) rejected the contention that principles of IL and International Humanitarian Law in particular would not apply to nuclear weapons since they are a new method of weaponry (para 86). Thus, the ICJ has also noted that the principles of IL apply to all weapons, regardless of when they came into existence (para 39). Additionally, the International Law Commission stated that every new technology is subject to existing principles of IL aimed at preventing transboundary harm (p. 154). Further, the OEWG report underlined that the issue is technology misuse, not technology use and that actions to avoid technology misuse should remain technology-neutral. This is not to say that no adjustments are necessary when extending IL principles to cyberspace; they may be required in some cases. What this does mean is that the starting point for IL in cyberspace is not limbo but rather established principles of IL. This becomes increasingly critical, as the Czech Republic recognized since the usage of cyberspace accelerates at a rate that no treaty can keep up with. More importantly, the need for the application of IL to cyberspace is not purely theoretical. It deals with attacks that have physical consequences for individuals. Indeed, the application of IL for cyberattacks in Ukraine attributed to Russia was covered in length in a publication by the NATO Cooperative Cyber Defence Centre of Excellence. 

Debunking the Assumption that the New Norms Will Replace the Existing Principles of IL

The 2015 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (“GGE”), which the United Nations General Assembly subsequently adopted, urged the establishment of new norms of responsible state behaviour in cyberspace. As indicated at the outset of this piece, these new standards were intended to be voluntary and non-binding. Thus, what is the relationship between these new standards and established IL principles? One of these new standards requires states to prevent their territory from being utilized for cyber operations that violate IL (p.8, III 13 c). As a matter of fact, such a notion already exists as a general principle of IL; it is referred to as due diligence. Is this to say that a fundamental principle of IL has been reduced to non-binding advice under the new norms? 

The proponents of this assumption may desire to suggest that states have opted to dilute some IL principles in cyberspace. States have stated during their deliberations in the OEWG that the new standards do not replace or alter their existing obligations, but rather complement them (see here, here, here and here). Moreover, these statements constitute opinio juris since they express nations’ intent to apply IL to cyberspace. The GGE report also noted that the new standards do not supplant existing legal concepts, but rather serve to complement them (p. 12, VI 28 b). Thus, particularly when it comes to established norms of IL standard, various states have maintained that the substantial amount of state practice enforcing them further validates their application to cyberspace (see here, here and here).


As this piece argued, existing principles of IL continue to govern the sphere of cyberspace. Principles that have been accepted stay accepted until states decide to change or alter them. Having stated that, such acknowledgement by all states also holds a certain degree of importance. Only once a majority consensus has been achieved with clarity, can major issues such as cyberattacks on critical infrastructure be addressed. 

Further, as mentioned previously, there are some specific legal lacunas in cyberspace, such as the question of whether cyberattacks can give rise to armed conflicts in their current thresholds. France has asserted that cyberattacks can initiate hostilities (p. 12), and has also claimed that physical harm is not the sole basis for the application of IHL to a cyberattack (p. 8). On the other hand, Israel states that without physical harm there should not be an application of IHL to a cyberattack, highlighting the current uncertainties. (such debates can be found here and here). Nevertheless, while new specific cyberspace-related norms and treaties are undoubtedly required, this does not mean that existing obligations do not apply. As the OEWG continues to welcome participation from any interested States, it is critical that more States begin to meaningfully contribute to this dialogue.

Ahan Gadkari is a penultimate year B.A LL.B candidate at O.P. Jindal Global University. He currently works with the Centre for Trade and Investment Law, Ministry of Trade and Commerce.

Image: Vice Magazine.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s