Election hacking, the rule of sovereignty, and deductive reasoning in customary international law

Abstract This article considers the international laws applicable to irresponsible state behaviour in cyberspace through the lens of the problem of election hacking. The rule of sovereignty has taken centre stage in these discussions and is said to be preferred to the non-intervention rule because it evades the problem of coercion. Proponents of the cyber rule of sovereignty contend that there is such a rule; opponents reject the existence of the rule as a matter of existing law. The objective here is to explore the methodologies involved in the identification of the cyber rule of sovereignty under customary international law. The work first frames the debate in the language of regulative and constitutive rules, allowing us to show that a regulative rule of sovereignty can, logically, and necessarily, be deduced from the constitutive rule of sovereignty. The content of the regulative rule can also be deduced from the constitutive rule of sovereignty, but it has a more limited scope than claimed by the proponents of the rule, notably the Tallinn Manual 2.0. The rule of sovereignty prohibits state cyber operations carried out on the territory of the target state and remote cyber operations which involve the exercise of sovereign authority on that territory, e.g., police evidence-gathering operations. The rule of sovereignty does not, however, prohibit other remote, ex situ state cyber operations, even those targeting ICTs used for governmental functions, including the conduct of elections. The rule of sovereignty is not, then, the solution to the problem of election hacking.


Introduction
The political scientist, Joseph Nye makes the point that, just as sea power and air power opened up novel ways for states to achieve their foreign policy goals, the Internet and related information and communications technologies (ICTs) have created new opportunities for states to realize their foreign policy ambitions through the deployment of cyber power. 1 The open nature of democratic societies is said to place them at particular risk from malicious state cyber operations, 2 with much of the focus so far on the threats posed by information operations, where the objective is to change or reinforce the attitudes of citizens. 3 This article, by way of contrast, focuses on the problem of election hacking, defined as cyber operations that look to influence the outcome of a vote by targeting the ICTs used in the election. Real-world examples include distributed denial of service (DDoS) attacks on government websites, 4 and the websites of political parties, 5 to prevent them communicating with the public; removing people who have traditionally supported one party from the electoral roll; 6 obtaining voter information and sending threatening messages concerning voting intentions; 7 and even changing the outcome of the election by hacking the vote tabulation software. 8 Whilst the dangers of election hacking are widely recognized, there is no consensus on the applicable international law rules. The standard way that international lawyers frame foreign state intermeddling in domestic politics is in terms of the non-intervention rule, which prohibits state cyber operations that use methods of coercion. 9 The element of coercion is thought by some to create problems for the application of the non-intervention rule because coercion is often thought of in terms of a conscious unwilling act on the part of the victim. 10 But this understanding does not translate easily to the cyber domain, where the target state is often unaware of the clandestine hacking of its ICTs. Whilst there are ways of understanding 'coercion' that do capture clandestine hacking operations, 11 the lack of agreement on the content of the cyber non-intervention rule has led scholars and policy makers to look elsewhere for limiting rules, including the individual right to political participation, 12 the collective right to (democratic) self-determination, 13 and the cyber rule of sovereignty, 14 found in Rule 4 of the Tallinn Manual 2.0., which would effectively prohibit all forms of election hacking (see below): 'A State must not conduct cyber operations that violate the sovereignty of another State.' 15 According to the Tallinn Manual, Rule 4 represents an objective statement of the current international law applicable to state cyber operations (the lex lata). 16  in significant disagreement: 17 supporters of the Tallinn Manual maintain that there is a rule of sovereignty, which applies equally in the cyber domain; opponents deny the existence of the cyber rule of sovereignty as a matter of existing law.
The question of responsible state behaviour in cyberspace has become the subject of ongoing discussions at the United Nations. There is general agreement that the rules of international law apply to the use of ICTs by states, 18 but no consensus as to which rules apply, or how they apply. The final report of a UN Group of Governmental Experts (UNGGE) concluded that the non-intervention rule and human rights apply to state behaviour in cyberspace, 19 but failed to affirm the existence of the cyber rule of sovereignty. 20 The search for agreement on the legal and normative framework for responsible state behaviour in cyberspace has now been remitted to an Open-ended Working Group on the use of ICTs, 21 where the rule of sovereignty has again assumed a central place in discussions, but with no consensus emerging. 22 The objective of this article is to bring some clarity to these discussions by focusing on the methodologies involved in the identification of the existence and content of rules of customary international law. Section 2 outlines the debate on the status of the cyber rule of sovereignty. Section 3 considers the standard, inductive methodology involved in the identification of customary rules, explaining that a regulative rule of sovereignty cannot be inferred from the practices or policy positions of States. Section 4 shows that international lawyers also rely on deductive methodologies to determine the existence of customin this case, deducing the regulative rule of sovereignty from the constitutive rule of sovereignty. Section 5 considers the content of the rule of sovereignty, again by reference to a deductive methodology, showing that the cyber rule of sovereignty prohibits in situ state cyber operations and remote operations that usurp inherently governmental functions, but that the rule does not prohibit other remote state cyber operations targeting ICTs, including those that merely interfere with the exercise of inherently governmental functions. 23 The conclusion briefly summarizes the arguments, explaining why the rule of sovereignty is not the solution to the problem of election hacking.

Debating the rule of sovereignty
There are two kinds of international law rules: regulative rules and constitutive rules. 24 Regulative rules regulate the behaviours of states. They typically take the form of an imperative, 'Do X', or 'Do not do X'. 25 Non-compliance with a regulative rule 'breaks' international law, entailing international responsibility. Constitutive rules, by way of contrast, allow for the creation of new institutional facts (i.e., facts of the international law system). 26 These include, for example, the institutional facts of 'treaties', the 'High Seas', and the 'sovereign State'. Constitutive rules are typically expressed in terms that 'X counts as Y (in context C)'. 27 Thus, an agreement concluded between states in written form and governed by international law counts as a treaty; 28 all parts of the sea not included in the territorial sea or exclusive economic zone count as the High Seas; 29 and some political communities count as sovereign states. 30 Failure to comply with the requirements of a constitutive rule does not 'break' the rule; it simply fails to create the new institutional fact. 31 Thus, a political community that fails to meet the criteria of statehood does not 'break' international law by declaring its independence; 32 it simply does not count as a sovereign statefor the purposes of international law.
The Tallinn Manual's cyber rule of sovereignty is a claimed regulative rule of customary international law, in the form, 'Do not conduct cyber operations that violate the sovereignty of another State.' 33 But the rule can also be expressed in a way that combines the regulative and constitutive rules of sovereignty: 'A sovereign State must not conduct cyber operations that violate the sovereignty of another sovereign State.' 34 In other words, political communities which count as states (the constitutive rule of sovereignty) must not violate the sovereignty of other states (the regulative rule of sovereignty).
The notion of a regulative rule of sovereignty was initially met with scepticism, with opponents arguing that 'sovereignty is a principle : : : rather than a hard and fast rule'. 35 The significance of the 'sovereignty as rule' versus 'sovereignty as principle' debate is not always clear, 36 although the principle of sovereignty appears to work as a placeholder for the moral or political standing of the state, 37 which in turn generates certain regulative rules (although the process of rule-generation is not explained), including the non-intervention rule. 38 The key dividing line in the literature is 26 C. Cherry, 'Regulative Rules and Constitutive Rules', (1973) 23 Philosophical Quarterly 301, at 303. 27 See Searle, supra note 25, at 52. Whilst the terminology of regulative and constitutive rules is widely used, scholars often employ the terms in different ways, with diverse views as to whether there is a category difference between regulative and constitutive rules, i.e., whether regulative rules can also constitute (see A. Giddens, The Constitution of Society (1984), at 19-20); whether constitutive rules can also regulate (J. Ransdell, 'Constitutive Rules and Speech-Act Analysis', (1971)  N. Tsagourias, 'Electoral Cyber Interference, Self-determination and the Principle of Non-intervention in Cyberspace', in Broeders and van den Berg, supra note 13, at 47 ('The importance of the principle of non-intervention derives from the fact that it emanates from and protects essential aspects of the principle of state sovereignty.').
clear though: Some international law scholars, especially those specializing in the international law on cyber, 39 see sovereignty as a regulative rule, entailing international responsibility when the rule is broken. 40 Other international lawyers deny the existence of a regulative rule of sovereignty in the cyber domain as a matter of existing law. 41 Proponents and opponents of the cyber rule of sovereignty disagree on the existence of the rule, on the relevance of the available state practice, and on the proper methodology for the identification of the customary rule of sovereignty.
On the existence of the cyber rule of sovereignty, proponents make the point that the International Court of Justice (ICJ) has, on several occasions, relied on a regulative rule of sovereignty to determine violations of international law. 42 We see this, for example, in the Corfu Channel case, concerning the legality of a UK minesweeping operation, when the ICJ declared that the action of the British Navy 'constituted a violation of Albanian sovereignty'. 43 Opponents respond by noting that the cases cited involved substantial military presence or de facto control of territory, and therefore 'implicate higher thresholds than the [cyber] sovereignty-as-a-rule proponents assert'. 44 On the question of state practice, proponents highlight several instances which they claim support the existence of a regulative rule of sovereignty. 45   On the question of methodology, proponents of the regulative rule do not look only to the available state practice and opinio juris to show the existence of a customary rule of sovereignty. The Tallinn Manual, for example, claims that a number of customary rules 'derive from the general principle of sovereignty', 49 including the rule that a state must not conduct cyber operations that violate the sovereignty of another state. 50 Opponents reject this deductive approach, with Jack Goldsmith and Alex Loomis contending that the Tallinn Manual adopts 'an unorthodox method for identifying customary international lawso unorthodox : : : that it is entirely implausible that it reflects lex lata'. 51 The objective here is to bring some clarity to these debates by focusing on the different methodologies involved in the identification of the existence and content of rules of customary international law. There are two ways this can be done (either alone or in combination): by way of induction, and by way of deduction. 52 In the case of induction, we examine the available state practice and opinio juris to see if there is evidence of a general practice that is accepted as law; in the case of deduction, we deduce the existence of a customary rule from an existing rule, or from the constitutive rule of sovereignty. In all cases, we are looking for reasons to believe in the factual existence of a regulative rulein this case the regulative rule of sovereignty (we are not talking about the creation of customary rules), with William Whewell explaining that 'Induction moves upwards, and deduction downwards, [to meet] on the same stair.' 53 The two possibilities are considered in turn.

Identification of custom by way of induction
Article 38(1)(b) of the Statute of the International Court of Justice lists as one of the sources of international law, 'international custom, as evidence of a general practice accepted as law'. 54 Whilst the provision is badly drafted, there is general recognition it outlines a two-element approach: to show the existence of custom, there must be (i) evidence of a general practice; and (ii) evidence of a belief the practice is required by international law (the opinio juris element). 55 Induction is central to the identification of custom, 56 because a customary rule, by definition, 'is not written and has no "authoritative" text'. 57 In Continental Shelf (Libya/Malta), the ICJ 49 See Tallinn Manual, supra note 15, Rule 1, Explanatory para. 3 (emphasis added). 50 Ibid., Rule 4. ('The two-element approach is often referred to as "inductive", in contrast to possible "deductive" approaches by which rules might be ascertained other than by empirical evidence of a general practice and its acceptance as law (opinio juris). The twoelement approach does not in fact preclude a measure of deduction as an aid, to be employed with caution, in the application of the two-element approach.'). only must the acts concerned amount to a settled practice, but they must also be such, or be carried out in such a way, as to be evidence of a belief that this practice is rendered obligatory by the existence of a rule of law requiring it.'). 56 The reliance on inductive methodology depends on deductive reasoning, a point the ICJ recognizes: See Military and Paramilitary Activities in and against Nicaragua, supra note 9, at 88, para. 186 ('In order to deduce the existence of customary rules, the Court deems it sufficient that the conduct of States should, in general, be consistent with such rules.'). expressed the point this way: 'It is of course axiomatic that the material of customary international law is to be looked for primarily in the actual practice and opinio juris of States.' 58 In the same way that we infer the general physical law of gravity from empirical observations of apples always falling towards the ground, we infer the existence of 'contingent' 59 customary rules from the behaviours and utterances of states. 60 There are three steps in any inductive methodology: the collection of empirical, real-world data; an evaluation of that data, looking for patterns; and reaching a conclusion based on the evidence. Our conclusion will be compelling, or not, depending on the extent to which the data supports the conclusion. Arguments with significant confirmatory evidence are said to be strong; those without are said to be weak. The results of inductive reasoning cannot, then, be categorized as being 'true' or 'false'only as being cogent or not cogent, depending on the extent to which the conclusion is supported by the data. 61 The more empirical evidence in support of the conclusion, the more likely it is to be truethe so-called Bayesian hypothesis. 62 In relation to state practice, the inductive method directs us to the following: collect the available evidence of the practice of states; 63 evaluate that data, looking for patterns in those practices; 64 and reach a conclusion, based on the data, as to whether there appears to be a rule of appropriate conduct. Absolute conformity in the practice is not required, with the ICJ referring variously to the requirement for state practice to be 'virtually uniform', 65 or 'in general' consistent with the rule. 66 In relation to the claimed rule of sovereignty, there is limited state practice in the physical domain and no clear state practice in the cyber domain. Schmitt and Vihul have carried out the most detailed survey of state practice in the physical domain, but they find only five instances where the rule of sovereignty has been expressly invoked between states. 67 In relation to the cyber domain, the most detailed evaluation of state practice has been carried out by Dan Efrony and Yuval Shany, who detail several state cyber operations targeting ICTs in other states, including the Shamoon 1 cyber operation, blamed on Iran, which destroyed the hard drives of tens of thousands of computers in Saudi Arabia, and the WannaCry and NotPetya ransomware attacks, blamed respectively on North Korea and Russia, that infected computer systems all around the world. On the question as to whether there is evidence, in the practice of states, of a regulative rule of sovereignty, Efrony and Shany conclude that their case studies 'do not fully clarify this point of contention'. 68 On the one hand, states do not claim a legal right to conduct malicious cyber operations and there have been some diplomatic complaints by victim states. On the other, the rule of sovereignty is not invoked by the target state in any of the cases they examined. Thus, for example, statements attributing responsibility to North Korea and Russia for the WannaCry and NotPetya operations 'did not explicitly refer to infringements of sovereignty, or any specific rule derived thereof'. 69 Goldsmith and Loomis make the same point, concluding that in none of the state cyber operations they examined, 'not a single one, have we found evidence that the victim state complained about a violation of a customary international-law rule of sovereignty'. 70 Along with evidence of state practice, the identification of custom requires evidence of a belief that the practice is accepted as law (opinio juris), allowing us to distinguish between customary international law rules and rules of appropriate behaviour complied with as a matter of political convenience. 71 In simple terms, the patterns of states utterances must reflect the existence of a regulative rule expressed in terms of rights and duties. 72 Again, the inductive method directs us to: collect the data on the verbal acts of states concerning the status of the rule, found, for example, in official publications; 73 evaluate the data, looking for a clear pattern in states utterances on the status of the rule; and reach a conclusion as to whether there is a regulative international law rule, whereby breaking the rule entails international responsibility.
The different positions on the status of the cyber rule of sovereignty can be categorized as follows: first, those statesnotably the United Kingdom, 74 and United States of America 75who do not believe in the existence of a regulative rule of sovereignty; second, those stateslike Peru, 76 and Russia 77who remain agnostic on the issue, i.e., have not taken a position when commenting on the rules applicable to cyber operations; third, those states who believe in the existence of the See International Law Commission, supra note 52, Draft Conclusion 10(2) ('Forms of evidence of acceptance as law (opinio juris) include, but are not limited to: public statements made on behalf of States; official publications; government legal opinions; diplomatic correspondence; decisions of national courts; treaty provisions; and conduct in connection with resolutions adopted by an international organization or at an intergovernmental conference.'). 74 S. Braverman, Attorney-General, 'International law in Future Frontiers', 19 May 2022, available at www.gov.uk/ government/speeches/international-law-in-future-frontiers ('The general concept of sovereignty, by itself, does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct, going beyond that of non-intervention.'). See also J. Wright, Attorney General, 'Cyber and International Law in the 21st Century', 23 May 2018, available at www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century ('Sovereignty is of course fundamental to the international rules-based system. Although I am not persuaded that we can currently extrapolate from that general principle a specific rule'.  93 Sweden, 94 and Switzerland; 95 and, finally, the majority of states who have not expressed an opinion on the status of the cyber rule of sovereignty, notwithstanding the active discussions on the issue at the United Nations and elsewhere.
To show the factual existence of a rule of customary international law through inductive reasoning, we require sufficient evidence of state practice and opinio juris to conclude that the rule exists, limiting states behaviours. Reliance on an inductive methodology means that we cannot prove the existence of customary rules, only find good evidence for them. One consequence is that different international lawyers can come to different conclusions on the existence of a rule after considering the same evidence. 96 Proponents of the cyber rule of sovereignty have examined the available state practice and opinio juris and concluded that there is sufficient evidence to show a general practice that is accepted as law. 97  'China's Views on the Application of the Principle of Sovereignty in Cyberspace', at 2, available at documents.unoda.org/ wp-content/uploads/2021/12/Chinese-Position-Paper-on-the-Application-of-the-Principle-of-Sovereignty-ENG.pdf. 85 'International Law and Cyberspace: Finland's National Positions', available at www.valtioneuvosto.fi/en/-/finlandpublished-its-positions-on-public-international-law-in-cyberspace. 86 France, 'International Law Applied to Operations in Cyberspace', at 2, available at documents.unoda.org/wp-content/ uploads/2021/12/French-position-on-international-law-applied-to-cyberspace.pdf. 87 Germany, 'On the Application of International Law in Cyberspace', at 3, available at documents.unoda.org/wp-content/ uploads/2021/12/Germany-Position-Paper-On-the-Application-of-International-Law-in-Cyberspace.pdf. 88 See Hollis Fourth Report, supra note 76, para. 52. 89 Ibid.

90
'Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace', July 2020, Art. II(3), available at www.nournews.ir/En/News/53144/General-Staff-of-Iranian-Armed-Forces-Warns-of-Tough-Reaction-to-Any-Cyber-Threat. 91 'Italian position paper on "International law and cyberspace"', at 4, available at documents.unoda.org/wp-content/ uploads/2021/10/italian-position-paper-international-law-and-cyberspace.pdf. 92 The Netherlands, 'International Law in Cyberspace' (document sent by the Government of the Kingdom of the Netherlands to Parliament 5 July 2019, at 2, available at www.government.nl/documents/parliamentary-documents/2019/ 09/26/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace. 93 New Zealand, 'The Application of International Law to State Activity in Cyberspace', para. 11, available at www.dpmc. govt.nz/publications/application-international-law-state-activity-cyberspace. 94 Sweden, 'Position Paper on the Application of International Law in Cyberspace', at 2, available at documents.unoda.org/ wp-content/uploads/2022/07/Position-Paper.pdf. reached the opposite conclusion. 98 Neither determination can be categorized as true or false, only cogent or not cogent. However, the limited state practice in the physical domain and absence of clear state practice in the cyber domain, along with the divided positions of states, makes it difficult to accept the claim there is a general practice that is accepted as law. We cannot, then, based on an inductive methodology alone, show the factual existence of a rule of sovereignty.

Identification of custom by way of deduction
There are times when the ICJ looks to deductive reasoning in the identification of customary international law rules: customary rules are deduced from existing rules of customary international law, which themselves reflect a general practice that is accepted as law, and from the constitutive rule of sovereignty. The two possibilities are considered in turn, 99 after an explanation of the way that international lawyers use deductive reasoning.

Deductive reasoning by international lawyers
Deductive reasoning is the process of drawing a conclusion from what we already know and believe. There are typically two steps in the process: An evaluation of what we know and believe; and, drawing a novel conclusion, making explicit something implicit in what we already know and believe. The standard form of deduction is the modus ponens, a rule of logic in the form: If P, then Q P Therefore Q. 100 A well-known example concerns the mortality of the Greek philosopher, Socrates: If Socrates is human, then Socrates is mortal; Socrates is human; Therefore, Socrates is mortal.
With deductive reasoning, we start with our knowledge and beliefs and produce a novel conclusion. The aim is to reach a valid conclusion which is true because our knowledge and beliefs are true. A conclusion is logically valid provided no mistakes have been made in the reasoning. But this does not guarantee the veracity of the conclusion. The veracity of the output conclusion (Q) depends on the veracity of the input premise (P) -If P, then Q. Valid deductive conclusions will be wrong if the input premise is wrong. Consider the followinglogically validargument: If Socrates is human, then Socrates can fly; Socrates is human; Therefore, Socrates can fly. But Socrates cannot fly: This is a brute fact of the world. The fact I reason that Socrates can fly can be tested empirically and proved to be 'false'.
International lawyers rely on deductive reasoning when they deduce new facts about the nature, scope or content of the international law system from their existing knowledge and beliefs (i.e., without gathering new empirical, real-world datae.g., instances of state practice). But the facts of the international law system are different from the brute facts of the world (e.g., whether Socrates can fly, or not). Brute facts are true whatever we say or think about them; the facts of a social institution, like international law, by way of contrast, are only true because those who recognize 98 See Goldsmith and Loomis, supra note 51, at 13. 99 The ICJ has also recognized the possibility of deducing regulative rules from moral principles (see Corfu Channel, supra and accept the social institution accept they are true. 101 For example, it is a brute fact of the world that two-thirds of the Earth's surface is covered in salt water, but an institutional fact that all parts of the sea not included in the territorial sea or exclusive economic zone count as the 'High Seas'. The institutional facts of the international law system (like the fact of the High Seas) are only facts because states and international lawyers accept that they are true; thus, some parts of the oceans do count as the High Seas, because those engaged in the practice of international law accept that this is the case. (note: this institutional fact is still a fact, and anyone who says there is no such thing as the High Seas is objectively, factually wrong).
Reasoning about the facts of the international law system takes place, then, within the context of the social practice of international law. 102 When asked a question about international law, I can use deductive reasoning to give an answer, with the solution being implied by what I already know about the established rules and what I believe about the nature, structure and organizing principles of that system. But it is not enough for me alone (working in the 'I' mode) to reason that P implies Q, because the construction of knowledge in the international law system is a social process, undertaken collectively by those working within the framework provided by the social institution of international law: 103 we, collectively, as international lawyers, must reason that P implies Q, based on what we already know and what we believe. The modus ponens can, then, be reformulated in the following way in the case of deductive reasoning by international lawyers: If (we, international lawyers, believe and understand that) P, then Q P Therefore (we, international lawyers, believe and understand that) Q.
Take our example concerning the deduction of the existence and content of rules of customary international law. 'I' can use deductive reasoning to explain the existence and content of a customary rule, based on what 'I' know about the established rules and what 'I' believe about the nature, structure and organizing principles of the international law system. But if my conclusion is inconsistent with what other international lawyers know and believe about the international law system, then 'I' cannot make the case that 'we', international lawyers, believe and understand some fact about the scope and content of customary international law. The necessary implication must be that my deductive conclusions cannot be characterized as being 'true' or 'false', only 'strong' or 'weak', depending on the extent to which they align with the knowledge and beliefs of other practitioners of international lawparadigmatically, the ICJ, which has the loudest voice in any debate on questions of international law.
There are, then, three steps in the process of deductive reasoning for me, as an international lawyer: first, I reflect on what I already know and believe about the content, nature, structure and organizing principles of the paradigmatically, the ICJwould have reached the same conclusion, given their knowledge and beliefs, with any differences explained by different understandings about the content, nature, structure and organizing principles of the international law system. 104 In other words, to make a cogent claim concerning some alleged fact of international law, I must be able to reformulate my deductive conclusion in terms that, 'We, international lawyers, believe and understand this fact to be true.'

Deduction of customary rules from existing custom
The existence of customary rules can be deduced from the existence of recognized and accepted rules of customary international law, which themselves reflect a general practice that is accepted as law. 105 In Legal Consequences of the Construction of a Wall, for example, the ICJ deduced the rule prohibiting the acquisition of territory using military force from the rule prohibiting the use of force: The Court first recalls that [under] the United Nations Charter: "All Members shall refrain in their international relations from the threat or use of force" : : : On 24 October 1971, the General Assembly adopted [the Declaration on Friendly Relations], in which it emphasized that "No territorial acquisition resulting from the threat or use of force shall be recognized as legal." As the Court stated in [its 1986 Nicaragua judgment], the principles as to the use of force incorporated in the Charter reflect customary international law : : : the same is true of its corollary entailing the illegality of territorial acquisition resulting from the threat or use of force. 106 It is important to note that the Court does not simply apply deductive (If P, then Q) logic, i.e., the ICJ does not simply claim that implicit in the customary rule prohibiting the use of force is the rule that states may not acquire territory using force. Instead, the Court frames the argument in terms of its more general understanding of the international law system, also pointing out that its deductive conclusion fits with that of states on the same issue, as reflected in the Friendly Relations Declaration.

Deduction of customary rules from sovereignty
Customary rules can also be deduced from the fundamental principles of the international law system. 107 The ICJ explains the point this way in Delimitation of the Maritime Boundary in the Gulf of Maine Area: [T]he underlying idea is that reasoning depends on constructing a model (or set of models) based on the premises and general knowledge, formulating a conclusion that is true in the model(s) and that makes explicit something only implicit in the premises, and then checking the validity of the conclusion by searching for alternative models of the premises in which it is false.
The mental model explains that we reason deductively by constructing a mental model, based on what we know and believe, in order to solve a certain problem. We use our model to reach a deductive conclusion which is implicit in what we know and believe to be the case. We then test our conclusion against the conclusions of others, using different models, based on different premises. See P. 14, at 55-6, para. 101 ('It is "every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States" : : : A State is thus obliged to use all the means at its disposal in order to avoid activities which take place in its territory : : : causing significant damage to the environment of another State.'). customary rules whose presence in the opinio juris of States can be tested by induction based on the analysis of a sufficiently extensive and convincing practice, and not by deduction from preconceived ideas. 108 Here, the ICJ divides customary rules into two types: those rules whose existence must be shown by an inductive methodology, by examining the evidence of state practice and opinio juris; and a limited set of essential customary rules whose existence can be shown by deduction from preconceived ideas. Whereas the inductive methodology starts with the collection of empirical evidence, deductive reasoning produces a novel conclusion from the existing knowledge and beliefs of international lawyers, without the need to collect new data in the form of state practice and opinio juris. 109 The case for the existence of essential customary rules identified by way of deduction is often framed in terms of the fundamental rights of states. 110 State sovereignty is said to imply the existence of certain 'fundamental rights', which are logically and necessarily required to protect the sovereignty of the state. 111 Thus, a political community which counts as a sovereign state enjoys the fundamental rights of the sovereign state, 112 with those rights expressed in terms of regulative rules.
Ricardo J. Alfaro outlines the deductive argument for the existence of fundamental rights in the following way: an organized political community 'is a State because it is independent and sovereign'. 113 Sovereignty and independence 'are consubstantial [i.e., of one and the same substance or essence] with the State and inseparable from it'. 114 From this we can imply the existence of certain rights, which are inherent in the status of being a state. These are the fundamental rights 'without which it is impossible for the State to exist or for the mind to conceive it'. 115 The alienation of these rights 'would mean the disappearance of the State[,] i.e., it would not be a State any more'. 116 Alfaro gives the example of the non-intervention rule, explaining that: because the state is independent, 'it has the right to live free from external control and have its independence respected by other States'. 117 If this were not the case, the political community would no longer be a state. The sovereignty and independence of the state logically and necessarily, then, implies the existence of 'the basic duty of non-intervention'. 118 The non-intervention rule is the most widely cited example of a fundamental right of states, 119 being expressly referenced in the key documents on fundamental rights. 120 When the rule came before the ICJ, the Court explained its understanding in the following way: Tomuschat, supra note 59, at 299. 110 The principle of non-intervention involves the right of every sovereign State to conduct its affairs without outside interference; though examples of trespass against this principle are not infrequent, the Court considers that it is part and parcel of customary international law. [The principle of non-intervention] has moreover been presented as a corollary of the principle of the sovereign equality of States [in the Declaration on Friendly Relations, which set out the 'basic principles' of international law]. 121 There are four points to note here: first, non-intervention is tied to sovereignty; second, the ICJ appears unconcerned with the 'not infrequent' instances of inconsistent state practice; third, the ICJ references a deductive methodology when it notes that non-intervention has been 'presented as a corollary of the principle of the sovereign equality of States'; finally, the ICJ aligns its deductive conclusions with the knowledge and beliefs of states, reflected in the Declaration on Friendly Relations.

A regulative rule of sovereignty
The previous sections showed that certain 'fundamental rights' of states can be deduced from the constitutive rule of sovereignty. 122 Whilst we might look for evidence of state practice and opinio juris, this is not necessary to confirm the existence of these essential rules: the factual existence of the fundamental rights of states is understood to be logically and necessarily implied by the principle of state sovereignty. 123 The argument can be expressed as follows: some political communities count as sovereign states; this implies the existence of certain essential regulative rules to protect the 'sovereignty' of the state; these essential regulative rules are logically and necessarily required for international law to maintain its core identity as a legal system made by, and for, 'sovereign' statesi.e., without these essential regulative rules, the international law system would be a different kind of law system for different kinds of actors.
We see this kind of deductive reasoning in the Tallinn Manual 2.0. when it claims that 'A number of principles and rules of conventional and customary international law derive from the general principle of sovereignty.' 124 The Manual further notes that 'A well-accepted definition of "sovereignty" was set forth in the Island of Palmas award of 1928.' 125 In the award, Max Huber explains that sovereignty signifies the exclusive right of the state 'to exercise [within a certain territory], to the exclusion of any other State, the functions of a State'. 126 This results in the following deductive claim: If (we, international lawyers, believe and understand that) some political communities count as sovereign states, and sovereignty includes the exclusive right to exercise sovereign authority with respect to a territory, then it must be wrong for another state to exercise sovereign authority on that territory; States are sovereign, and sovereignty does include the exclusive right to exercise sovereign authority with respect to a territory; Therefore (we, international lawyers, believe and understand that), it must be wrongas a matter of international lawfor one state to exercise sovereign authority on the territory of another state (without consent or a permissive rule of international law).
The veracity of this logically valid output depends on accepting Huber's definition as the correct definition of 'sovereignty'. Whilst some are not convinced, 127 most international lawyers who have written on sovereignty have relied on Huber's understanding. 128 James Crawford, for example, contends that 'sovereignty involves a monopoly of governing authority', making direct reference to the Island of Palmas award. 129 The argument for the regulative rule of sovereignty is, then, both logically valid and based on a sound premise.
The remaining question is whether the deductive claim for the existence of the regulative rule of sovereignty aligns with the knowledge and beliefs of other international lawyers, paradigmatically the ICJ. In Corfu Channel, the ICJ made the point that 'Between independent States, respect for territorial sovereignty is an essential foundation of international relations.' 130 In its 1986 Nicaragua (Merits) judgment, the ICJ determined that unauthorized overflights by government aircraft were 'in breach of [the United States'] obligation under customary international law not to violate the sovereignty of another State'. 131 The ICJ's understanding of the content, nature, structure and organizing principles of the international law system provides support, then, for the deductive conclusion that a regulative rule of sovereignty is logically and necessarily required to protect the sovereignty of the state.
The deductive logic of international law confirms the existence of a regulative rule of sovereignty, which is logically and necessarily implied by the constitutive rule of sovereignty: political communities which count as states (the constitutive rule of sovereignty) must not violate the sovereignty of other states (the regulative rule of sovereignty). The regulative rule applieslike all general international law rulesin the physical domain and in the cyber domain. 132 Thus, we can conclude that the United Kingdom and United States are factually wrong when they deny the existence of a regulative rule of sovereignty as a matter of existing international law (lex lata). The real question, to which this article now turns, is this: what is the content of the regulative rule of sovereignty?
6. Content of the regulative rule of sovereignty Ordinarily, the identification of the existence and content of a customary rule takes place at the same moment, with both the existence and content being manifested in the evidence of state 127 Vaughn Lowe, for example, complains that whilst Huber's formula provides a framework for addressing the question of who the Sovereign is, 'it is of much less help when the question is whether that sovereignty has or has not been infringed by the acts of another practice and opinio juris. 133 We have already seen, in relation to the rule of sovereignty, that there is limited state practice in the physical domain and no clear state practice in the cyber domain to allow us to identify the content of the rule. There is, furthermore, no consensus in the opinio juris: there are those states who have expressed a belief in the existence of the rule of sovereignty, but without taking a position on its content -Austria, 134 Bolivia, 135 Chile, 136 and Estonia; 137 states who consider that the rule of sovereignty prohibits any state cyber operation targeting the ICTs in another state -China, 138 Finland, 139 France, 140 Guatemala, 141 and Iran; 142 other states who argue that the rule of sovereignty only prohibits state cyber operations resulting in damage or a loss of functionality to the ICTs in another state -Canada, 143 Czech Republic, 144 Germany, 145 Italy, 146 New Zealand, 147 and Sweden; 148 and, finally, states who consider that the rule of sovereignty specifically prohibits state cyber operations targeting ICTs used for inherently governmental functions -Czech Republic, 149 Finland,150 Guyana, 151 The Netherlands, 152 New Zealand, 153 Sweden, 154 and Switzerland,155 including ICTs used in elections -Canada, 156 and Germany. 157 The content of customary rules can sometimes be identified by way of deduction. We see this, for example, in the ICJ's judgment in Arrest Warrant of 11 April 2000. The Court began by confirming the existence of the customary rule providing that Ministers for Foreign Affairs enjoy immunity from the criminal jurisdiction of other states. 158 The relevant question was whether the content of the rule recognized an exception in cases concerning accusations of crimes against humanity. To answer this, the ICJ made the following deductive argument: the purpose of the customary rule is to ensure that foreign ministers can effectively carry out their functions on behalf of their states; in the performance of these functions, they are often required to travel internationally; this logically requires that, throughout the terms of their office, when abroad, foreign ministers must enjoy full immunity from the jurisdiction of the courts of other states. Therefore, 133 the issuing of an arrest warrant for a serving Minister for Foreign Affairs infringed the immunity from criminal jurisdiction enjoyed by them under international law. 159 The Tallinn Manual 2.0. deploys deductive reasoning to explain the content of the cyber rule of sovereignty. The Manual is central to these discussions because it has set the terms of the debate, 160 with all scholars, 161 and several states, 162 explaining their positions by reference to the Tallinn Manual. The Manual deduces the content of the regulative rule of sovereignty from Max Huber's definition of sovereignty in the Island of Palmas award: 'Sovereignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.' 163 From this formulation of sovereignty, the Tallinn Manual deduces the content of the cyber rule of sovereignty: first, states must not conduct cyber operations that target the cyber infrastructure located on the territory of another state; second, states must not conduct cyber operations targeting the inherently governmental functions of another state. 164 The argument can be formulated as follows: If the correct definition of sovereignty was given by Max Huber, then the rule of sovereignty prohibits state activities on the territory of another state and state activities targeting the inherently governmental functions of another state; We do believe and understand that the correct definition was given in the Island of Palmas award; Therefore, the rule of sovereignty prohibits state activities on the territory of another state and state activities targeting the inherently governmental functions of another state. This is a logically valid argument, built on a sound premise, i.e., Huber's definition captures the essence of state sovereignty (see above). The main question, then, is as follows: are the Tallinn Manual's deductive conclusions on the content of the cyber rule of sovereignty aligned with the knowledge and beliefs of other international lawyers, thereby reflecting a shared understanding of the content, nature, structure and organizing principles of the international law system?

Prohibition on targeting cyber infrastructure in another state
The group of experts responsible for drafting the Tallinn Manual were agreed that the rule of sovereignty prohibits in situ state cyber operations by state agents physically present on the territory of the target state (e.g., inserting a USB flash drive to introduce malware). The deductive argument for this position is explained as follows: (i) a number of customary rules derive from the principle of sovereignty; (ii) this includes the regulative rule of sovereignty; (iii) sovereignty signifies the exclusive right of the state to exercise, within a certain territory, the functions of a state; (iv) based on its internal sovereignty, a state may control access to its territory; (v) there is a violation of the rule of sovereignty whenever one state physically crosses into the territory of another state without its consent; 165 (vi) therefore, any non-consensual state cyber activities on the territory of another state violate the regulative rule of sovereignty. 166 One problem is that the Tallinn Manual appears to be conflating two regulative rules here: the rule that says, 'Do not enter the territory of another State without its consent', and the rule that says, 'Do not carry out any activities on the territory of another State, without its consent.' Moreover, the Tallinn Manual appears to be deducing the second rule from the first, whereas the most obvious deductive claim is that the exclusive right of the state to exercise, within a certain territory, the functions of a state logically and necessarily precludes the exercise of sovereign authority by another state on that territory. Notwithstanding the deficiencies in logic, the Tallinn Manual's deductive conclusionthat the exercise of governmental power on the territory of another state is a violation of the rule of sovereigntyis supported by the conclusions of the ICJ. In Certain Activities/ Construction of a Road, for example, Costa Rica alleged that Nicaragua had violated its territorial sovereignty in the area of Isla Portillos by excavating a channel ('caño'), with the aim of connecting the San Juan River with the Harbor Head Lagoon. Nicaragua did not contest the facts but maintained that it had full sovereignty over the caño. The ICJ disagreed, concluding that the disputed territory belonged to Costa Rica. Consequently, Nicaragua's dredging activities on Costa Rican territory, 'were in breach of Costa Rica's territorial sovereignty'. 167 The cyber rule of sovereignty prohibits, then, state cyber operations from being conducted on the territory of another state, for the reason that the regulative rule of sovereignty prohibits states from carrying out non-consensual activities on the territory of another state, i.e., whilst state agents are physically present on the territory of the other state. This is one of the essential rules of customary international law, logically deduced from the principle of sovereignty. A good example of a violation of this rule would be the efforts of the Russian GRU intelligence cyber warfare team, in 2018, to carry out a closed access hack operation targeting the Wi-Fi network of the Organisation for the Prevention of Chemical Weapons in the Hagueon the territory of the Netherlands. 168 The Tallinn Manual then makes another deductive step: because a state controls access to its territory, there is a violation of the rule of sovereignty when a remote, ex situ state cyber operation targets the cyber infrastructure located in another state. The Manual is clear that this regulative rule 'is based on the premise that a State controls access to its sovereign territory'. 169 The argument finds some support in the literature, 170 and in the views of some states. Finland, for example, explains the logic of the position in the following way (although note the equivocation in the final sentence): The International Court of Justice has consistently confirmed that it is a duty of every State to respect the territorial sovereignty of others. This applies to unauthorized intrusions to physical spaces such as overflight of a State's territory by an aircraft belonging to another State : : : Similarly, a non-consensual intrusion in the computer networks and systems that rely on the 165 Ibid., para. 10 (this regulative rule 'is based on the premise that a State controls access to its sovereign territory'). 166 Ibid., para. 6. cyber infrastructure in another State's territory may amount to a violation of that State's sovereignty. 171 The deductive argument for the Tallinn Manual's rule prohibiting remote state cyber operations targeting the ICTs in another state proceeds as follows: (i) a number of customary rules derive from the principle of sovereignty; (ii) this includes the regulative rule of sovereignty; (iii) sovereignty signifies the exclusive right of the state to exercise, within a certain territory, the functions of a state; (iv) based on its internal sovereignty, a state may control access to its territory; (v) this rule already applies to the state's officials and goods; 172 (vi) by analogy, the rule also applies to malware, 173 software designed to cause damage or disruption, 'sent across' the state border, via the Internet; 174 (vii) therefore, remote state cyber operations targeting the ICTs in another state constitute a violation of the regulative rule of sovereignty.
But herein lies the problem: proponents of the rule of sovereignty cannot agree whether the rule prohibits all remote state cyber operations (the 'pure sovereignty' position), or only those resulting in damage or loss of functionality to ICTs (the 'relative sovereignty' position). 175 Moreover, neither argument works as a matter of international law deductive reasoning, meaning that no general prohibition on remote state cyber operations can be deduced from the sovereignty of the target state.
The relative sovereignty position does not work as a matter of deductive logic. It contends that remote state cyber operations violate the rule of sovereignty only when they cause damage or loss of functionality to ICTs. This is the dominant position amongst proponents of the cyber rule of sovereignty. 176 The argument can be expressed as follows: if the sovereignty of the state accords the state the right to control access to its territory, then there is a violation of the rule of sovereignty whenever malware 'sent across' the border by a state causes damage or loss of functionality to ICTs on the territory of the target state. But this argument does not work: if we accept that the wrongful act is the crossing of the state border without consent, 177 then it cannot logically be the case that only some remote cyber operations are prohibited. We cannot deduce the requirement for evidence of damage or loss of functionality from the right of the state to control access to its territory, for the reason that we cannot explain why there is no violation when malware 'sent across' the border fails to cause damage or loss of functionality to ICTsas with the case of 'backdoors', malware which allows for later access by outside powers (e.g., the SolarWinds hack, whereby Russia accessed US federal government computers, without causing damage or loss of functionality). 178 171 See Finland, supra note 85, at 2 (emphasis added). 172 In Right of Passage over Indian Territory, the ICJ confirmed that the territory state has the right to determine whether, or not, officials and goods from another state can enter its territory: Right of Passage over Indian Territory (Portugal v. India), Merits, Judgment 12 April 1960, [1960] ICJ Rep. 6, at 40. The fact that state officials and goods have no right of entry does not logically mean there is a violation of international law if they enter the territory without permission; it simply means that the state has no right to complain if its officials or goods are denied entry. 173 Whilst the analogy between malware and physical persons and goods is not self-evident, it does have merit. Consider, for example, the different ways that a state could destroy a nuclear facility: by sending human troops across the border; by firing a physical missile targeting the facility; or, by way of targeted malware (e.g., Israel's Stuxnet malware that destroyed Iranian nuclear facilities). On Stuxnet and the use for force see R.  176 Schmitt, supra note 14, at 752 ('Consensus also appears to have coalesced around treating a relatively permanent loss of cyberinfrastructure functionality as the requisite damage.'). 177 The Tallinn Manual is clear that the rule prohibiting remote state cyber operations 'is based on the premise that a State controls access to its sovereign territory': See Tallinn Manual, supra note 15, Rule 4, Explanatory para. 10. 178 See Eichensehr, supra note 161, at 10.
The approach of the pure sovereigntists, by way of contrast, is logically sound, but their conclusion is not shared by other international lawyers. The argument is straightforward: if the sovereignty of the state accords the state the right to control access to its territory, then there is a violation of the rule of sovereignty whenever another state's malware crosses into the territory without consent. All remote state cyber operations, even those causing no damage or loss of functionality (e.g., installing backdoors for later entry), are, on this understanding, violations of the rule of sovereignty. Some states, notably China 179 and France, 180 and some authors, 181 including some of the experts responsible for the Tallinn Manual, adopt this catch-all position. However, most states and most scholars, including most proponents of the cyber rule of sovereignty, 182 and most of those responsible for the Tallinn Manual, 183 do not accept this conclusion. The point is significant, because, whilst the process of deductive reasoning involves reflecting on what we already know and believe to draw a novel conclusion, the outcome is only argumentatively forcible when accepted by other international lawyers, with any disagreement explained by different understandings of international law. Given that most states and most academics do not agree that the sovereignty of the state logically and necessarily implies a prohibition on all remote state cyber operations, we must conclude that the pure sovereigntists have a different understanding of the nature, structure and organizing principles of the international law system to that possessed by most states and international lawyers. The result is that the pure sovereigntists cannot reframe their deductive claims in the required form that 'We, international lawyers, believe and understand that all remote State cyber operations violate the rule of sovereignty.'

Prohibition on targeting governmental functions
The Tallinn Manual's international experts further concluded that the rule of sovereignty prohibits cyber operations that interfere with, or usurp, the inherently governmental functions of another state. Again, the regulative rule is deduced from the nature of sovereignty, as defined in Island of Palmas. Two issues must be disaggregated: the claim that the rule of sovereignty prohibits remote cyber operations that usurp inherently governmental functions; and the claim that the rule prohibits cyber operations that interfere with the inherently governmental functions of another state.

Prohibition on usurping governmental functions
The Tallinn Manual's argument that the rule of sovereignty prohibits remote cyber operations which usurp the inherently governmental functions of the target state can be explained as follows: (i) a number of regulative rules derive from the principle of sovereignty; (ii) this includes the rule that a state must not conduct cyber operations that violate the sovereignty of another state; (iii) sovereignty was defined by Max Huber as the exclusive right of the state to exercise, within a certain territory, the functions of a state; (iv) therefore, the regulative rule of sovereignty prohibits state cyber operations which usurp (i.e., wrongfully appropriate) the inherently 179 See China, supra note 84, at 2 ('No State shall : : : access the ICT infrastructure of another State or infringe on the network systems within the jurisdiction of another State.'). 180 See France, supra note 86, at 3 ('Any cyberattack against French digital systems : : : constitutes a breach of sovereignty.'). 181 See, for example, R. Buchan, Cyber Espionage and International Law (2018), at 51 ('Any non-consensual incursion by one state into the territory of another state violates the rule of territorial sovereignty, regardless of whether that infraction produces damage.'). 182 See Schmitt, supra note 14. 183 Some of the experts responsible for the Tallinn Manual also argued for this understanding, pointing out that it is 'consistent with the object and purpose of the principle of sovereignty that affords States the full control over access to and activities on their territory'. But 'no consensus could be achieved [among the group of experts] as to whether, and if so, when, a cyber operation that results in neither physical damage nor the loss of functionality amounts to a violation of sovereignty'. See Tallinn Manual, supra note 15, Rule 4, Explanatory para. 14. governmental functions of another State, 'because the target State enjoys the exclusive right to perform them, or to decide upon their performance'. 184 This is a valid deductive argument based on sound premises, accepted by most international lawyers: If the correct definition of sovereignty was given by Max Huber, then the rule of sovereignty prohibits other states from wrongfully appropriating the sovereign powers of the state within its territory; We do believe and understand that the correct definition was given in Island of Palmas; Therefore, the rule of sovereignty prohibits state activities that usurp the inherently governmental functions of the state. Support for this conclusion can be found in the judgment of the ICJ in Certain Activities/ Construction of a Road. Nicaragua alleged that Costa Rica's construction works had resulted in sediment deltas on its territory, and that these constituted 'physical invasions, incursions by Costa Rica into Nicaragua's sovereign territory : : : through the agency of sediment'. This, it was claimed, amounted to a 'trespass', meaning that Costa Rica had 'violated Nicaragua's territorial integrity and sovereignty'. 185 The ICJ rejected the claim, concluding that the argument for a violation of territorial integrity 'via sediment [was] unconvincing'. The ICJ also noted that there was 'no evidence that Costa Rica exercised any authority on Nicaragua's territory or carried out any activity therein : : : Therefore, Nicaragua's claim concerning the violation of its territorial integrity and sovereignty must be dismissed'. 186 A reverse reading of the judgment strongly suggests the opposite: the exercise of state authority in the territory of another state (as well as any governmental activity carried out by state agents therein, i.e., whilst physically present on the territory) is a violation of the rule of sovereignty, since the territorial state has the exclusive right to exercise, within its territory, the functions of a state.
Remote state cyber operations involving the exercise of inherently governmental functions in the territory of another state violate the rule of sovereignty because only the territorial state has the right to exercise the functions of the state in its territory. One example would be a remote state cyber law enforcement operation, such as evidence gathering by hacking computers in another state (without permission or a permissive rule of international law), 187 because only the territorial state has the right to carry out criminal justice investigations in its territory (or to allow other actors to carry them out). 188 Inherently governmental functions like this must be distinguished from other state activities which do not implicate the rule of sovereignty. 189 Recall that, following Island of Palmas, sovereignty signifies the exclusive right of the state to exercise the functions of the state within a certain territory. This logically and necessarily excludes the possibility of other states exercising the functions of the state in the territory. But it does not logically and necessarily preclude the possibility of other remote state activities impacting the ICTs in the target state, i.e., activities which do not concern inherently governmental functions. Thus, for example, remote state ransomware operations, such as the WannaCry and NotPetya attacks, blamed respectively on North Korea and Russia,190 are not concerned with the exercise of inherently governmental functions, and do not therefore implicate this aspect of the cyber rule of sovereignty.

Prohibition on interfering with governmental functions
The Tallinn Manual further claims that the rule of sovereignty prohibits remote cyber operations that interfere with inherently governmental functions. This is the aspect of the rule most relevant to election hacking. 191 The conduct of elections is clearly an inherently governmental function. Malicious remote state cyber operations, such as DDoS attacks on the websites of political parties, the removal of voters from the electoral roll, or changing the outcome by hacking the vote tabulation software, constitute interferences with that inherently governmental function. A rule of sovereignty prohibiting interferences in the ICTs used in elections would, therefore, make unlawful all cases of election hacking.
The Tallinn Manual's deductive argument for the regulative rule prohibiting interferences in inherently governmental functions as one element of the cyber rule of sovereignty proceeds as follows: (i) a number of regulative rules derive from the principle of sovereignty; (ii) This includes the rule that a state must not conduct cyber operations that violate the sovereignty of another state; (iii) sovereignty concerns the exclusive right of the state to exercise, within a certain territory, the functions of a state; (iv) the rule of sovereignty, therefore, prohibits cyber operations that interfere with the inherently governmental functions of the target state, 'because the target State enjoys the exclusive right to perform them, or to decide upon their performance '. 192 The deductive logic can be expressed in the following way: If the correct definition of sovereignty was given by Max Huber, then the rule of sovereignty prohibits other states from interfering with the sovereign powers of the state; We do believe and understand that the correct definition was given in Island of Palmas; Therefore, the rule of sovereignty prohibits state activities that interfere with the inherently governmental functions of the territorial state. This is a valid deductive argument, based on a sound premise accepted by most international lawyers: there are no errors in the application of the rules of logic; and sovereignty, as explained by Max Huber in Island of Palmas, does concern the right of the state 'to exercise [in regard to a portion of the globe], to the exclusion of any other State, the functions of a State'. 193 The difficulty lies with the Tallinn Manual's conclusion that the constitutive rule of sovereignty implies a 'non-interference' rule, since this reflects a different understanding of the nature, structure and organizing principles of the international law system to that held by most international lawyers.
The argument that the rule of sovereignty prohibits all remote state cyber operations that interfere with the inherently governmental functions of the target state can be explained as follows: some political communities count as sovereign states (the constitutive rule of sovereignty); the sovereignty of the state is consubstantial with state independence; this logically and necessarily implies the existence of a regulative rule that no state has the right to interfere in the government of another because this would negate the sovereignty of the target state. 190 These were not characterized by the victim states as violations of sovereignty: See Efrony and Shany, supra note 68, at 641. Domestic criminal laws may well apply to the individual state agents and the state organs responsible, and other rules of international law might apply to the state responsible. 191 Schmitt, supra note 14, at 753 ('The issue in the election context is interference.'). First, a regulative rule of sovereignty can be deduced from the constitutive rule of sovereignty. This regulative rule is logically and necessarily required for international law to maintain its identity as a legal system made by, and for, sovereign states. In other words, if international law did not protect the 'sovereignty' of those political communities which count as states, it would not be the international law system that we know and understand.
Secondly, the content of the regulative rule of sovereignty can be deduced from the nature of sovereignty. Whilst imperfect and inelegant, the definition provided by Max Huber in Island of Palmas captures the essence of how international lawyers understand the notion: sovereignty concerns the exclusive right of the state to exercise, within a certain territory, the functions of a state. Thus, in Case of the SS 'Lotus', the Permanent Court of International Justice confirmed that '[T]he first and foremost restriction imposed by international law upon a State is thatfailing the existence of a permissive rule to the contraryit may not exercise its power in any form in the territory of another State.' 199 Thirdly, the essential regulative rule of sovereignty prohibits state agents from carrying out non-consensual activities on the territory of another state. In situ state cyber operations carried out on the territory of another state are violations of the rule of sovereignty.
Fourthly, the rule of sovereignty does not prohibit all remote, ex situ state cyber operations targeting ICTs located in another state. Neither of the deductive claims for a regulative rule based on the wrong of malware entering the territory without consent works: the relative sovereignty position cannot explain why the violation of a rule based on the wrong of non-consensual entry logically requires evidence of damage or loss of functionality to ICTs; whereas, the deductive conclusion of the pure sovereigntist position, that all remote state cyber operations violate the rule of sovereignty, is not shared by most states or international lawyers, including most proponents of the cyber rule of sovereignty.
Fifthly, the rule of sovereignty prohibits remote state cyber operations that usurp the inherently governmental functions of the target state. Sovereignty involves the exclusive right of the state to exercise, within the territory, the functions of a state. The exercise of sovereign authority in the territory of another state (without consent, or some permissive rule of international law) is a violation of the rule of sovereignty. Thus, state cyber operations involving the exercise of inherently governmental functions, such as remote law enforcement evidence gathering operations, are violations of the rule of sovereignty.
Finally, the rule of sovereignty does not prohibit remote state cyber operations that merely interfere with the exercise of governmental functions. To believe in the existence of the non-interference rule, as one element of the rule of sovereignty, means not believing in the non-intervention ruleand all states and all international lawyers, including the proponents of the rule of sovereignty, believe in the non-intervention rule. The answer to the problem of election interference, including election hacking, does not lie in the rule of sovereignty, but in exploring the meaning of 'coercion' in the non-intervention rule. As I have argued elsewhere, there are ways of understanding coercion that capture remote state cyber operations that take control of, or disable, the ICTs used in elections. This is coercive because the outside power by-passes the governmental institutions of the state, to ensure that the target state acts (or does not act) as intended by the outside power. 200