
From Cyber Norms to Cyber Rules: Re-engaging States as Law-makers


Several indicators point to a crisis at the heart of the emerging area of international cyber security law. First, proposals for binding international treaties by leading stakeholders, including China and Russia, have been met with little enthusiasm by other states, and are generally seen as having limited prospects of success. Second, states are extremely reluctant to commit themselves to specific interpretations of controversial legal questions and thus to express their cyber opinio juris. Third, instead of interpreting or developing rules, state representatives seek refuge in the more ambiguous term ‘norms’. This article argues that the reluctance of states to engage in international law-making has left a power vacuum, lending credence to claims that international law fails in addressing modern challenges posed by rapid technological development. In response, several non-state-driven norm-making initiatives have sought to fill the void, including Microsoft's cyber norms proposals and the Tallinn Manual project. The article then contends that this emerging body of non-binding norms presents states with a critical window of opportunity to reclaim a central law-making position, similar to historical precedents including the development of legal regimes for Antarctica and nuclear safety. Whether the supposed crisis will lead to the demise of inter-state cyberspace governance or a recalibration of legal approaches will thus be decided in the near future. States should assume a central role if they want to ensure that the existing power vacuum is not exploited in a way that would upset their ability to achieve strategic and political goals.


1 M. Mead, The World Ahead: An Anthropologist Anticipates the Future (2005), 12.

2 R. Higgins, Problems and Process: International Law and How We Use It (1995), 39.

3 Koh, H.H., ‘International Law in Cyberspace’, (2012) 54 Harvard International Law Journal Online 1, at 10.

4 L. Henkin, How Nations Behave (1978), 5.

5 Cf. J. Raz, The Morality of Freedom (1986), 155 (‘Autonomy is possible only within a framework of constraints.’).

6 See, e.g., J. Crawford, The Creation of States in International Law (2006), 41–2 (describing the presumption as a ‘part of the hidden grammar of international legal language’); but see, e.g., Accordance with International Law of the Unilateral Declaration of Independence in Respect of Kosovo, Advisory Opinion of 22 July 2010, [2010] ICJ Rep. 403, Declaration of Judge Simma, at 478, para. 2 (arguing that the presumption ‘reflects an old, tired view of international law’).

7 SS Lotus case (France v. Turkey), PCIJ Rep. Series A No. 10, at 18.

8 Cf. G.M. Danilenko, Law-Making in the International Community (1993), (1) (arguing that in order for the international legal system to remain effective, it needs to engage in (1) law-making in novel, so far ungoverned areas, and (2) constant upgrading and refinement of the existing law).

9 See, e.g., J.A. Camilleri and J. Falk, The End of Sovereignty?: The Politics of a Shrinking and Fragmenting World (1992); N. Walker, Sovereignty in Transition (2003); Bartelson, J., ‘The Concept of Sovereignty Revisited’, (2006) 17 EJIL 463; Jacobsen, T., Sampford, C., and Thakur, R. (eds.), Re-envisioning Sovereignty: The End of Westphalia? (2008); Endicott, T., ‘The Logic of Freedom and Power’, and J.L. Cohen, ‘Sovereignty in the Context of Globalization: A Constitutional Pluralist Perspective’, in Besson, S. and Tasioulas, J. (eds.), The Philosophy of International Law (2010), 245 and 261, respectively.

10 See, e.g., Higgins, supra note 2, at 39; M. Byers, Custom, Power and the Power of Rules (1999), 13; H. Thirlway, The Sources of International Law (2014), 16–19. It is acknowledged that, in addition to state consent, modern international law may at least to some extent also be the product of abstract moral values such as ‘humanity’, ‘fairness’, or ‘communitarian values’. However, it would be beyond the scope of this article to revisit the longstanding debate about the relative contribution of state consent and abstract values to the process of formation of international law. For more on this topic see, e.g., Charlesworth, H., ‘Law-making and Sources’, in Crawford, J. and Koskenniemi, M. (eds.), The Cambridge Companion to International Law (2012), 187 at 187–202 and works cited therein.

11 The term ‘international cyber security law’, as understood in this article, refers to an emerging legal discipline and a body of law that concerns the rights and obligations of states regarding cyber security. For an early attempt to define this term in more detail, see von Heinegg, W. Heintschel, ‘The Tallinn Manual and International Cyber Security Law’, (2012) 15 Yearbook of International Humanitarian Law 3, at 13.

12 See also Perritt, H.H., ‘The Internet as a Threat to Sovereignty? Thoughts on the Internet's Role in Strengthening National and Global Governance’, (1998) 5 Indiana Journal of Global Legal Studies 423, at 429; K. Ziolkowski, Confidence Building Measures for Cyberspace: Legal Implications (2013), 165.

13 T. Berners-Lee, ‘Information Management: A Proposal’, Internal Memo (CERN, March 1989), available at

14 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/68/98, 24 June 2013 (‘GGE Report 2013’), at 8, para. 19.

15 US, Department of State, ‘Statement on Consensus Achieved by the UN Group of Governmental Experts on Cyber Issues’, 7 June 2013, available at

16 GGE Report 2013, supra note 14.

17 Ibid., at 12–13.

18 See, e.g., A. Segal, The Hacked World Order (2016), 40.

19 Finnemore, M. and Hollis, D.B., ‘Constructing Norms for Global Cybersecurity’, (2016) 110 AJIL 425, at 448.

20 The UN General Assembly subsequently ‘[w]elcom[ed]’ the GGE report in a unanimously adopted resolution without, however, discussing the details of its contents. See UN GA Res. 68/243, 9 January 2014, preambular para. 11.

21 GGE Report 2013, supra note 14, at 8, para. 19 (‘International law, and in particular the Charter of the United Nations, is applicable’) (emphasis added).

22 See, e.g., US, Office of the Secretary of Defense, Military and Security Developments Involving the People's Republic of China (2011), 6 (‘China has not yet agreed with the U.S. position that existing mechanisms, such as International Humanitarian Law and the Law of Armed Conflict, apply in cyberspace.’); E. Chernenko, ‘Russia Warns Against NATO Document Legitimising Cyberwars’, Kommersant-Vlast, 29 May 2013, available at (reporting the Russian government's scepticism towards the Tallinn Manual’s endorsement of the applicability of international humanitarian law to cyberspace).

23 For an examination of different approaches to the rule of law in cyberspace taken by, respectively, western countries and China, see Huang, Z. and Mačák, K., ‘Towards the International Rule of Law in Cyberspace: Contrasting Chinese and Western Approaches’, (2017) 16 Chinese Journal of International Law (forthcoming).

24 Accord Osula, A.-M. and Rõigas, H., ‘Introduction’, in Osula, A.-M. and Rõigas, H. (eds.), International Cyber Norms: Legal, Policy & Industry Perspectives (2016), 11 at 14.

25 For existing sectoral and regional treaties concerning aspects of cyber security, see text at notes 69–78, infra.

26 Wu, T.S., ‘Cyberspace Sovereignty? The Internet and the International System’, (1997) 10 Harvard Journal of Law & Technology 647, at 660. The initiative was reportedly supposed to ‘lead to an accord comparable to the international law of the sea, which governs the world's oceans’. ‘France Seeks Global Internet Rules’, Reuters News Service, 31 January 1996, available at

27 Letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, UN Doc. A/66/359, 14 September 2011, at 3–5; Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, UN Doc. 69/723, 13 January 2015, at 3–6.

28 See, e.g., United Kingdom, Response to General Assembly resolution 68/243 ‘Developments in the field of information and telecommunications in the context of international security’, May 2014, available at, at 5 (noting that ‘attempts to conclude comprehensive multilateral treaties, codes of conduct or similar instruments would [not] make a positive contribution to enhanced international cybersecurity’); M. Kaljurand, ‘United Nations Group of Governmental Experts: The Estonian Perspective’, in Osula and Rõigas, supra note 24, 111 at 123 (stating that ‘starting negotiations on the draft Code of Conduct . . . would be premature’).

29 See, e.g., J. Goldsmith, ‘Cybersecurity Treaties: A Skeptical View’, in P. Berkowitz (ed.), Future Challenges in National Security and Law (2011), available at, at 12; Waxman, M.C., ‘Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)’, (2011) 36 Yale Journal of International Law 421, at 425–6; Hathaway, O.A. et al., ‘The Law of Cyber-Attack’, (2012) 100 California Law Review 817, at 882; Eichensehr, K.E., ‘The Cyber-Law of Nations’, (2015) 103 Georgetown Law Journal 317, at 356; M.N. Schmitt and L. Vihul, ‘The Nature of International Law Cyber Norms’, in Osula and Rõigas, supra note 24, 23 at 39.

30 A. Aust, Modern Treaty Law and Practice (2000), 26.

31 See R.A. Clarke and R. Knake, Cyber War: The Next Threat to National Security and What to Do About It (2010), xi (‘The entire phenomenon of cyber war is shrouded in such government secrecy that it makes the Cold War look like a time of openness and transparency.’).

32 Notable exceptions include, e.g., US, The White House, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (2011); Koh, supra note 3; Brian J. Egan, ‘International Law and Stability in Cyberspace’, Speech at Berkeley Law School, 10 November 2016, available at

33 Schmitt, M.N. and Watts, S., ‘The Decline of International Humanitarian Law Opinio Juris and the Law of Cyber Warfare’, (2015) 50 Texas International Law Journal 189, at 211.

34 See P.W. Singer and A. Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (2014), 4–8.

35 US, Department of Defense, Office of the General Counsel, Law of War Manual (2016), available at

36 Ibid., ch. xvi.

37 See further S. Watts, ‘Cyber Law Development and the United States Law of War Manual’, in Osula and Rõigas, supra note 24, 49 at 60–3.

38 Finnemore and Hollis, supra note 19, at 441–2.

39 International Law Commission (ILC), Articles on Responsibility of States for Internationally Wrongful Acts, 2001 YILC, Vol. 53 II (Part Two), Art. 1; Rainbow Warrior Arbitration (New Zealand v. France), Special Arbitration Tribunal, (1990) 20 RIAA 215, at 251, para. 75 (‘any violation by a State of any obligation, of whatever origin, gives rise to State responsibility’).

40 See further Schmitt and Vihul, supra note 29, at 25–7.

41 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/70/174, 22 July 2015 (‘GGE Report 2015’), at 7, para. 10 (emphasis added).

42 Ibid., at 7, para. 10.

43 Ibid., at 7–8, para. 13.

44 Ibid., at 7, para. 10.

45 US, White House, ‘Fact Sheet: President Xi Jinping's State Visit to the United States’, 25 September 2015, available at

46 For a general discussion of the process of gradual ‘surrender [of states’] monopoly on regulatory power’ from the perspective of global governance, see E. Benvenisti, The Law of Global Governance (2014), 25 et seq.

47 J. d'Aspremont, Formalism and the Sources of International Law (2011), 222.

48 Ibid., at 2.

49 Cf. US, International Strategy for Cyberspace, supra note 32, at 9 (‘The development of norms for state conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete.’).

50 Cf. Legality of the Threat or Use of Nuclear Weapons Case, Berchmans Soedarmanto Kadarisman, CR 95/25, 3 November 1995, at para. 46 (‘the framers of the United Nations Charter could not be aware of the threat of nuclear weapons’).

51 1945 Charter of the United Nations, 1 UNTS 16, Arts. 2(4) and 39–51.

52 Legality of the Threat or Use of Nuclear Weapons Case, Advisory Opinion of 8 July 1996, [1996] ICJ Rep. 226, para. 39.

53 See further Kadelbach, S., ‘Interpretation of the Charter’, in Simma, B. et al. (eds.), The Charter of the United Nations: A Commentary (2012), 71 at 89 (arguing that the utility of the Charter travaux is limited given that many problems were not foreseen in 1945, whereas for others shared meanings have been worked out over time).

54 Accord M.N. Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare (2013) (hereinafter ‘Tallinn Manual’), 42; M.N. Schmitt (ed.), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2017) (hereinafter ‘Tallinn Manual 2.0’), 328. See Section 4 infra for a detailed discussion of the two editions of the Manual and their contents.

55 The International Bill of Rights consists of the Universal Declaration of Human Rights (1948); the International Covenant on Civil and Political Rights (1966) and the two Optional Protocols annexed thereto; and the International Covenant on Economic, Social and Cultural Rights (1966) and its Protocol.

56 Hillary Rodham Clinton, ‘Internet Rights and Wrongs: Choices and Challenges in a Networked World’, 15 February 2011, available at; see also Egan, supra note 32, at 15 (‘[a]ny regulation by a State of matters within its territory, including use of and access to the Internet, must comply with that State's applicable obligations under international human rights law’).

57 UN GA, Human Rights Council, The Promotion, Protection and Enjoyment of Human Rights on the Internet, UN Doc. A/HRC/20/L.13, 29 June 2012, para. 1; UN GA, Human Rights Council, The Promotion, Protection and Enjoyment of Human Rights on the Internet, UN Doc. A/HRC/32/L.20, 27 June 2016, para. 1. See also GGE Report 2013, supra note 14, at 8, para. 21; GGE Report 2015, supra note 41, at 8, para. 13(e) and at 12, para. 26; Tallinn Manual 2.0, supra note 54, at 179.

58 Schmitt, M.N., ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework’, (1999) 37 Columbia Journal of Transnational Law 914 (original list of six criteria: severity; immediacy; directness; invasiveness; measurability; and presumptive legitimacy); Schmitt, M.N., ‘Cyber Operations and the Jus Ad Bellum Revised’, (2011) 56 Villanova Law Review 576 (revised list of seven criteria: severity; immediacy; directness; invasiveness; measurability; presumptive legitimacy; and responsibility); Tallinn Manual 2.0, supra note 54, at 334–6 (restated list of eight criteria: severity; immediacy; directness; invasiveness; measurability; military character; state involvement; and presumptive legality).

59 For a notable exception, see Koh, supra note 3, at 3–4 (referencing the 1999 version of the ‘Schmitt criteria’).

60 See, e.g., Iran, Statement by H.E. Dr. Ali Akbar Salehi, Minister of Foreign Affairs of the Islamic Republic of Iran, 28 September 2012, available at (describing cyber attacks against Iran's nuclear facilities as ‘a manifestation of nuclear terrorism and consequently a grave violation of the principles of UN Charter and international law’ but stopping short of using the jus ad bellum language).

61 But see Tallinn Manual 2.0, supra note 54, at 342 (noting that all members of the international group of experts considered the Stuxnet operation as a use of force).

62 See, e.g., C. Henderson, ‘The Use of Cyber Force: Is the Jus ad Bellum Ready?’ Questions of International Law, 30 April 2016, available at

63 See ‘Tor Project’, available at For a recent analysis of legal issues raised by the uses and abuses of Tor from the perspective of international and European law, see Minárik, T. and Osula, A.-M., ‘Tor Does Not Stink: Use and Abuse of the Tor Anonymity Network from the Perspective of Law’, (2016) 32 (1) Computer Law and Security Review 111.

64 See G.A. Fowler, ‘Tor: An Anonymous, And Controversial, Way to Web-Surf’, The Wall Street Journal, 17 December 2012.

65 Singer and Friedman, supra note 34, at 107.

66 Watson, K.D., ‘The Tor Network: A Global Inquiry into the Legal Status of Anonymity Networks’, (2012) 11 Washington University Global Studies Law Review 715, at 727.

67 UN, Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, David Kaye, UN Doc. A/HRC/29/32, 22 May 2015, para. 52.

68 See also Tallinn Manual 2.0, supra note 54, at 188 (noting that the international group of experts ‘could achieve no consensus on the precise parameters of the right to freedom of expression’) and 194–5 (‘although actions to prohibit, restrict, or undermine access to devices or technology that foster anonymity may, as a practical matter, reduce the exercise or enjoyment of international human rights online, such actions do not in themselves necessarily implicate international human rights law as a matter of lex lata on the basis of infringement with or loss of anonymity’).

69 Hathaway et al., supra note 29, at 873.

70 1992 Constitution of the International Telecommunication Union, 1825 UNTS 143 (hereinafter ‘ITU Constitution’).

71 Council of Europe, 2001 Convention on Cybercrime, ETS 185.

72 Council of Europe, 2003 Additional Protocol concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, ETS 189.

73 2009 Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security (hereinafter ‘Yekaterinburg Agreement’).

74 2014 African Union Convention on Cyber Security and Personal Data Protection, AU Doc. EX.CL/846(XXV).

75 Convention on Cybercrime, supra note 71, Arts. 2–10.

76 ITU Constitution, supra note 70, Art. 45 (prohibiting harmful interference) and Ann. (defining harmful interference).

77 Yekaterinburg Agreement, supra note 73. In 2017, India and Pakistan are expected to join the Shanghai Co-operation Organization (SCO), which will likely result in a corresponding increase in the number of state parties to the Agreement. See AFP, ‘India, Pakistan Edge Closer to Joining SCO Security Bloc’, The Express Tribune, 24 June 2016, available at

78 See further H. Rõigas, ‘Mixed Feedback on the “African Union Convention on Cyber Security and Personal Data Protection”’, CCD COE INCYDER Database, 20 February 2015, available at

79 See also Hathaway et al., supra note 29, at 873.

80 This has now been expressly acknowledged even by state representatives. See, e.g., Egan, supra note 32, at 5.

81 Finnemore, M. and Sikkink, K., ‘International Norm Dynamics and Political Change’, (1998) 52 International Organisation 887, at 895–9; see also Finnemore and Hollis, supra note 19, at 446–8 (examining the concept and function of ‘norm entrepreneurship’ in the cybersecurity context).

82 Byers, supra note 10, at 5.

83 See further Higgins, supra note 2, at 3–4 (analyzing the relationship between law and power from the perspective of international law).

84 J. Nye, The Future of Power (2011), 10.

85 See also Finnemore and Hollis, supra note 19, at 441–4 (arguing that, in addition to law, the bases on which particular conduct in cyberspace is labelled as appropriate or inappropriate include politics, culture, religion, and professional standards).

86 See further J. Crawford, Change, Order, Change: The Course of International Law (2013), 40–9 (demonstrating the effectiveness of international legal obligations on a diverse set of empirical examples including the protection of the ozone layer, restrictions on whaling, and slave trade).

87 S. Banner, Who Owns the Sky? The Struggle to Control Airspace from the Wright Brothers On (2008), 278.

88 See, e.g., M. Barrett et al., Assured Access to the Global Commons (2011), at xii; Jasper, S. and Moreland, S., ‘Introduction: A Comprehensive Approach’, in Jasper, S. (ed.), Conflict and Cooperation in the Global Commons (2012), 1 at 21; Tsagourias, N., ‘The Legal Status of Cyberspace’, in Tsagourias, N. and Buchan, R. (eds.), Research Handbook on International Law and Cyberspace (2015), 13 at 24–5; P. Meyer, ‘Outer Space and Cyberspace: A Tale of Two Security Realms’, in Osula and Rõigas, supra note 24, 155 at 157.

89 S. Shackelford, Managing Cyber Attacks in International Law, Business, and Relations (2014), 58.

90 Of course, the situation has dramatically changed since then. The number of space-faring states has been steadily increasing and even some non-state actors have demonstrated their capability to engage in outer space activities. See further Jankowitsch, P., ‘The Background and History of Space Law’, in von der Dunk, F. (ed.), Handbook of Space Law (2015), 1 at 1–28.

91 See further Sigholm, J., ‘Non-State Actors in Cyberspace Operations’, (2013) 4 Journal of Military Studies 1, at 9–23.

92 Czosseck, C., ‘State Actors and their Proxies in Cyberspace’, in Ziolkowski, K. (ed.), Peacetime Regime for State Activities in Cyberspace (2013), 1 at 1–3.

93 K. Bannelier and T. Christakis, Cyber-Attacks – Prevention-Reactions: The Role of States and Private Actors (2017), 9.

94 A. McKay et al., International Cybersecurity Norms: Reducing Conflict in an Internet-Dependent World (2014), available at

95 S. Case, ‘Remarks Prepared for Delivery (via satellite) Israel ’99 Business Conference’, 13 December 1999, cited in J. Goldsmith and T.S. Wu, Who Controls the Internet?: Illusions of a Borderless World (2006), 194 (urging nations to ‘revis[e] outdated and “country-centric” laws on telecommunications and taxes that could thwart the growth of the medium’ and instead embrace ‘international standards—from security, to privacy, to taxation.’).

96 McKay et al., supra note 94, at 2–3.

97 S. Choney, ‘6 Proposed Cybersecurity Norms Could Reduce Conflict’, Microsoft: The Fire Hose, 5 December 2014, available at

98 McKay et al., supra note 94, at 2. The complete list of the proposed norms may be found in the annex to the document: ibid., at 20.

99 S. Charney et al., From Articulation to Implementation: Enabling Progress on Cybersecurity Norms (2016), available at, at 3.

100 Ibid.

101 Ibid., at 7.

102 Ibid., at 6.

103 Ibid., at 2.

104 B. Smith, President of Microsoft Corporation, Transcript of Keynote Address at the RSA Conference 2017, 14 February 2017, available at

105 See ‘Tallinn Manual Process’, available at

106 Tallinn Manual, supra note 54.

107 Tallinn Manual 2.0, supra note 54.

108 Tallinn Manual, supra note 54, at 11; Tallinn Manual 2.0, supra note 54, at 2.

109 Tallinn Manual, supra note 54, rules 10–19.

110 Tallinn Manual, supra note 54, rules 20–95.

111 See, e.g., Eichensehr, K., ‘Review of The Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013)’, (2014) 108 AJIL 585, at 585–9.

112 See, e.g., Fleck, D., ‘Searching for International Rules Applicable to Cyber Warfare: A Critical First Assessment of the New Tallinn Manual’, (2013) 18 Journal of Conflict & Security Law 331, at 332–5; Eichensehr, supra note 111, at 589; see also Xinmin, Ma, ‘Key Issues and Future Development of International Cyberspace Law’, (2016) 2 China Quarterly of International Strategic Studies 119, at 128 (noting the Chinese view that the risk of the law-of-war focus on the regulation of cyberspace was that it would aggravate the arms race and militarization in cyberspace).

113 Tallinn Manual 2.0, supra note 54, at 1–6.

114 See ibid., rules 68–154.

115 Ibid., at 2.

116 Ibid., at 79–167.

117 Ibid., at 232–58.

118 Ibid., at 259–83.

119 Ibid., at 179–208.

120 McKay et al., supra note 94, at 12; Charney et al., supra note 99, at 7.

121 McKay et al., supra note 94, at 12.

122 Charney et al., supra note 99, at 8.

123 See also Smith, supra note 104, at 10 (calling on states to adopt a ‘global convention’ that would include norms from Microsoft's 2014 and 2016 proposals).

124 Tallinn Manual 2.0, supra note 54, at 4; see also Tallinn Manual, supra note 54, at 6.

125 Tallinn Manual, supra note 54, at 1; Tallinn Manual 2.0, supra note 54, at 1.

126 Tallinn Manual, supra note 54, at 5; Tallinn Manual 2.0, supra note 54, at 3.

127 See further Mačák, K., ‘Military Objectives 2.0: The Case for Interpreting Computer Data as Objects under International Humanitarian Law’, (2015) 48 Israel Law Review 55, at 59–63 (discussing the distinction between lex lata and lex ferenda in the first edition of the Manual).

128 Tallinn Manual 2.0, supra note 54, at 434; see also Tallinn Manual, supra note 54, at 124.

129 Tallinn Manual 2.0, supra note 54, at 415 (definition of cyber attack) and at 435, para. 4 (definition of civilian objects); see also Tallinn Manual, supra note 54, at 91 (definition of cyber attack) and at 125, para. 3 (definition of civilian objects).

130 See, e.g., the debate whether computer data may constitute an ‘object’ for the purposes of international humanitarian law: Dinniss, H.A. Harrison, ‘The Nature of Objects: Targeting Networks and the Challenge of Defining Cyber Military Objectives’, (2015) 48 Israel Law Review 39; Mačák, supra note 127; Schmitt, M.N., ‘The Notion of ‘Objects’ during Cyber Operations: A Riposte in Defence of Interpretive and Applicative Precision’, (2015) 48 Israel Law Review 81.

131 McKay et al., supra note 94, at 3; see also Smith, supra note 104, at 10 (‘And we then need to build on that with a global convention.’).

132 Tallinn Manual, supra note 54, at 1. The sentence in question does not appear in the second edition of the Manual, however, there is nothing in its text suggesting that the Manual should not be seen as a non-binding document. Cf. Tallinn Manual 2.0, supra note 54, at 2 (‘Tallinn Manual 2.0 is not an official document . . . Tallinn Manual 2.0 must be understood only as an expression of the opinions of the two International Groups of Experts as to the state of the law.’).

133 Talmon, S., ‘The Security Council as World Legislature’, (2005) 99 AJIL 175, at 175. As the title of Professor Talmon's article suggests, the qualification to that general observation arises from the Security Council's recent practice of adopting resolutions containing obligations of general and abstract character. For a recent argument to the effect that non-state actors should be granted a role in international law-making, see Roberts, A. and Sivakumaran, S., ‘Lawmaking by Nonstate Actors: Engaging Armed Groups in the Creation of International Humanitarian Law’, (2012) 37 Yale Journal of International Law 107. For more on the supposed ongoing surrender of states’ monopoly on regulatory power from the perspective of global governance, see Benvenisti, supra note 46, at 25 et seq.

134 Besson, S., ‘Theorising the Sources of International Law’, in Besson, S. and Tasioulas, J. (eds.), The Philosophy of International Law (2010), 163 at 173.

135 ILC, ‘Identification of Customary International Law: Text of the Draft Conclusions Provisionally Adopted by the Drafting Committee’, UN Doc. A/CN.4/L.872, 30 May 2016, at 2.

136 Thirlway, supra note 10, at 164, paraphrasing O'Connell, M.E., ‘The Role of Soft Law in a Global Order’, in Shelton, D. (ed.), Commitment and Compliance: The Role of Non-Binding Norms in the International Legal System (2000), 100.

137 Besson, supra note 134, at 170–1; Charlesworth, supra note 10, at 199.

138 ILC, ‘Identification of Customary International Law: Text of the Draft Conclusions Provisionally Adopted by the Drafting Committee’, UN Doc. A/CN.4/L.872, 30 May 2016, at 2.

139 Cf. Franzese, P. W., ‘Sovereignty in Cyberspace: Can It Exist?’, (2009) 64 Air Force Law Review 1, at 38; Schmitt and Vihul, supra note 29, at 38.

140 This legal regime consists of five key international agreements: 1967 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, 610 UNTS 205 (‘Outer Space Treaty’); 1968 Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched Into Outer Space, 672 UNTS 119 (‘Rescue and Return Agreement’); 1972 Convention on International Liability for Damage Caused by Space Objects, 961 UNTS 187 (‘Liability Convention’); 1975 Convention on Registration of Objects Launched into Outer Space, 1023 UNTS 15 (‘Registration Convention’); 1979 Agreement governing the Activities of States on the Moon and Other Celestial Bodies, 1363 UNTS 3 (‘Moon Agreement’). It should be noted that this existing treaty framework does not comprehensively address the issue of military uses of outer space. An ongoing project, the Manual on International Law Applicable to Military Uses of Outer Space (MILAMOS), aims to respond to this need by developing a manual clarifying the fundamental rules applicable to such conduct in times of peace as well as in armed conflict. See further ‘McGill University launches the Manual on International Law Applicable to Military Uses of Outer Space (MILAMOS®) Project’, 27 May 2016, available at

141 See text at note 87, supra.

142 1959 Antarctic Treaty, 402 UNTS 71.

143 Notably, the Antarctic Treaty did not expressly include the protection of the Antarctic environment among the objectives of the treaty regime. However, it did encourage the contracting parties to propose measures regarding, inter alia, the preservation and conservation of living resources in Antarctica. Ibid., Art. IX(1)(6).

144 Ibid., Art. IX(1).

145 Joyner, C.C., ‘The Legal Status and Effect of Antarctic Recommended Measures’, in Shelton, D. (ed.), Commitment and Compliance: The Role of Non-binding Norms in the International Legal System (2003), 163 at 175–6.

146 See further ibid., at 179–81.

147 1991 Protocol on Environmental Protection to the Antarctic Treaty, 30 ILM 1455.

148 P.R. Josephson, Red Atom: Russia's Nuclear Power Program from Stalin to Today (2005), 2.

149 1986 Convention on Early Notification of a Nuclear Accident, 1439 UNTS 275; 1986 Convention on Assistance in the Case of a Nuclear Accident or Radiological Emergency, 1457 UNTS 133. Two additional conventions were adopted in the 1990s: 1994 Convention on Nuclear Safety, 1963 UNTS 293; 1997 Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management, 36 ILM 1436.

150 For an overview of these standards, see IAEA, ‘Measures to Strengthen International Co-operation in Nuclear, Radiation, Transport and Waste Safety’, IAEA Doc. GC(45)/INF/3, 31 August 2001, Attachment 2, at 1–7.

151 See note 149, supra.

152 See further N. Pelzer, ‘Learning the Hard Way: Did the Lessons Taught by the Chernobyl Nuclear Accident Contribute to Improving Nuclear Law?’, in the Joint Report by the OECD Nuclear Energy Agency and the International Atomic Energy Agency, International Nuclear Law in the Post-Chernobyl Period (2006), 73 at 86–8.

153 See further A. Boyle and C. Chinkin, The Making of International Law (2007), 211–29 (exploring the significance of soft law for international law-making).

154 See, e.g., J. Cooper, Raphael Lemkin and the Struggle for the Genocide Convention (2008).

155 1948 Convention on the Prevention and Punishment of the Crime of Genocide, 78 UNTS 277.

156 1984 Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, 1465 UNTS 85.

157 Amnesty International, ‘“No safe haven for torturers” – The rocky road to the Convention against Torture’, 19 November 2014, available at

158 2008 Convention on Cluster Munitions, 2688 UNTS 39.

159 J. Borrie, Unacceptable Harm: A History of How the Treaty to Ban Cluster Munitions Was Won (2009).

160 See text at note 1, supra.

161 For a recent comprehensive discussion of the diverse roles played by non-state actors on the international plane, see M. Noortmann, A. Reinisch, and C. Ryngaert (eds.), Non-State Actors in International Law (2015).

162 G. Austin, B. McConnell, and J. Neutze, Promoting International Cyber Norms: A New Advocacy Forum (2015), available at, at 10–17.

163 Ibid., at 15.

164 See D.A. Wheeler and G.N. Larsen, Techniques for Cyber Attack Attribution (2003), 1.

165 Hollis, D.B., ‘An e-SOS for Cyberspace’, (2011) 52 Harvard International Law Journal 374, at 378.

166 See, e.g., Z. Fryer-Biggs, ‘DoD's New Cyber Doctrine: Panetta Defines Deterrence, Preemption Strategy’, Defense News, 13 October 2012, available at; US, The DoD Cyber Strategy, April 2015, available at, at 11–12. Compare with US, Testimony of Richard Clarke, Special Advisor to the President for Cyberspace Security, Senate Judiciary Committee, Administrative Oversight and the Courts Subcommittee, 13 February 2002, available at (expressly admitting that the US had not yet had any evidence linking another state to a particular cyber attack).

167 US Federal Bureau of Investigation (FBI), ‘Update on Sony Investigation’, 17 December 2014, available at (‘the FBI now has enough information to conclude that the North Korean government is responsible for these actions’); see also J.B. Comey, Director, FBI, ‘Remarks at the International Conference on Cyber Security, Fordham University’, 7 January 2015, available at For a recent analysis of the legality of the cyber operations in question, see Sullivan, C., ‘The 2014 Sony Hack and the Role of International Law’, (2016) 8 Journal of National Security Law & Policy 437.

168 US, Office of the Director of National Intelligence, ‘Assessing Russian Activities and Intentions in Recent US Elections’, 6 January 2017, available at, at ii (‘Russia's intelligence services conducted cyber operations against targets associated with the 2016 US presidential election’) and 2 (‘In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016.’). For a recent analysis of the legality of the cyber operations in question, see J.D. Ohlin, ‘Did Russian Cyber-Interference in the 2016 Election Violate International Law?’, (2017) Texas Law Review (forthcoming).

169 Carlin, J.P., ‘Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats’, (2016) 7 Harvard National Security Journal 391, at 430.

170 Canada, Statement by the Chief Information Officer for the Government of Canada, 29 July 2014, available at

171 United Kingdom, Chancellor's Speech to GCHQ on Cyber Security, 17 November 2015, available at

172 Germany, Federal Ministry of Interior, Verfassungsschutzbericht 2015 [Report on the Protection of the Constitution 2015], June 2016, available at, at 248–9.

173 See, e.g., Wen Baihua, ‘Obama Should Abandon Cyber Deterrence Strategy’, China Military Online, 7 April 2016, available at (questioning the US-proclaimed unilateral ability to attribute).

174 Lindsay, J.R., ‘Tipping the Scales: The Attribution Problem and the Feasibility of Deterrence Against Cyberattack’, (2015) 1 Journal of Cybersecurity 53, at 63.

175 See, e.g., Rowe, N.C. and Custy, E.J., ‘Deception in Cyber-Attacks’, in Janczewski, L.J. and Colarik, A.M. (eds.), Cyber Warfare and Cyber Terrorism (2008), 91 at 91–6 (survey on deception in cyber attacks).

176 See, e.g., Tsagourias, N., ‘Cyber Attacks, Self-Defence and the Problem of Attribution’, (2012) 17 Journal of Conflict & Security Law 229; Huang, Z., ‘The Attribution Rules in ILC's Articles on State Responsibility: A Preliminary Assessment on Their Application to Cyber Operations’, (2015) 14 Baltic Yearbook of International Law 41; Mačák, K., ‘Decoding Article 8 of the International Law Commission's Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’, (2016) 21 Journal of Conflict & Security Law 405.

177 Rid, T. and Buchanan, B., ‘Attributing Cyber Attacks’, (2014) 38 Journal of Strategic Studies 1, at 28.

178 For other similar calls on states to be more proactive in expressing their cyber-specific opinio juris, see, e.g., K. Ziolkowski, ‘General Principles of International Law as Applicable in Cyberspace’, in Ziolkowski, supra note 92, 135 at 175; Schmitt and Vihul, supra note 29, at 47; Schmitt and Watts, supra note 33, at 230–1; Egan, supra note 32, at 6–7.

179 Cf. Byers, supra note 10, at 18.

180 For existing national cyber security strategies, see NATO CCD COE, ‘Cyber Security Strategy Documents’, 7 March 2017, available at

181 See Section 4, infra.

182 GGE Report 2013, supra note 14, at 7, para. 12.

183 Charney et al., supra note 99, at 2; see also Smith, supra note 104, at 15 (highlighting the role of the industry in working with nation states on issues of cyber security).

184 NATO CCD COE, ‘Over 50 States Consult Tallinn Manual 2.0’, 2 February 2016, available at

185 Asser Institute, ‘The Tallinn Manual 2.0 and The Hague Process: From Cyber Warfare to Peacetime Regime’, 3 February 2016, available at (‘As a result of the significant impact the Tallinn Manual had, States now want to know of the progress being made and be a part of the process.’).

186 NATO CCD COE, ‘Experts: Multiple International Law Regimes Apply to Cyber Operations’, 11 February 2016, available at

187 International Law Association (ILA), Final Report of the Committee on the Formation of Customary (General) International Law: Statement of Principles Applicable to the Formation of General Customary International Law (2000), at 15, principle 5 and commentary.

188 See, e.g., Bethlehem, D., ‘The Secret Life of International Law’, (2012) 1 Cambridge Journal of International and Comparative Law 23, at 32–3 (discussing the complexity of considerations that states must take into account before deciding whether or not to make an official statement on a question of international law).

189 S.W. Harold, M.C. Libicki, and A.S. Cevallos, Getting to Yes with China in Cyberspace (2016), at x; see also ibid., at 86 (observing that the agreement was ‘not something that, to the best of our knowledge, any serious commentators on either side of the Pacific had predicted before the summit took place’).

190 US, White House, supra note 54; but see P. Bittner, ‘US Cabinet Officials Pull Out of China Cyber Talks After Orlando Shooting’, The Diplomat, 15 June 2016, available at (reporting the downgrading of the bilateral dialogue to sub-ministerial level due to domestic developments in the US).

191 See, e.g., Agreement between the Government of the Russian Federation and the Government of the People's Republic of China on Cooperation to Ensure International Information Security (2015), available at (in Russian); UK, ‘UK-China Joint Statement 2015’, 22 October 2015, available at (agreement not to conduct or support cyber-enabled theft of intellectual property); US, ‘Joint Statement on U.S.-Germany Cyber Bilateral Meeting’, 24 March 2016, available at (agreement on a range of strategic and operational objectives); US, ‘JOINT STATEMENT: The United States and India: Enduring Global Partners in the 21st Century’, 7 June 2016, available at (committing to finalize a cybersecurity agreement in the near term).

192 See, e.g., Hathaway et al., supra note 29, at 877.

193 Shackelford, supra note 89, at 194 (noting that national definitions of critical infrastructure vary broadly due to an array of socioeconomic and political factors); but see Harold, Libicki, and Cevallos, supra note 189, at 71 (observing that US and Chinese stakeholders held ‘relatively similar views of the definition of critical infrastructure’).

194 Hathaway et al., supra note 29, at 881–2.

195 See, e.g., Austin et al., supra note 162.

196 UK, House of Commons, Defence Committee, ‘Defence and Cyber-security: Sixth Report of Session 2012–13’, 9 January 2013, at 12, note 16.

197 Singer and Friedman, supra note 34, at 187–8.

198 See d'Aspremont, supra note 47, at 2–3.

199 See, e.g., Egan, supra note 32, at 6–7.

200 Cf. Mead, supra note 1, at 12.

201 Cf. Higgins, supra note 2, at 39.

202 Cf. Koh, supra note 3, at 10; see also Egan, supra note 32, at 14.

* Senior Lecturer in Law at the University of Exeter, United Kingdom. Earlier versions of this article were presented at the 8th Annual Conference on Cyber Conflict (CyCon) in Tallinn on 1 June 2016 and at the European Society of International Law Annual Conference in Riga on 9 September 2016. I am grateful to the participants for their feedback and suggestions. I would additionally like to thank Louise Arimatsu, Ana Beduschi, Russell Buchan, Ciarán Burke, Zhixiong Huang, Andrea Lista, Michael N. Schmitt, and Nicholas Tsagourias, as well as the anonymous reviewers for their valuable comments on earlier drafts.

Leiden Journal of International Law
  • ISSN: 0922-1565
  • EISSN: 1478-9698
  • URL: /core/journals/leiden-journal-of-international-law