On the Shelf, But Close at Hand: The Contribution of Non-State Initiatives to International Cyber Law

In late 2018, the New York Times reported that the U.S. Cyber Command had targeted individual Russian hackers in order to deter them from engaging in conduct that could affect the organization and outcome of the U.S. mid-term elections. This unusual preemptive step suggests that states are looking for creative solutions to safeguard their national interests in cyberspace. But to what extent should their conduct be guided by considerations of international law? In this essay, I explore several key aspects of that central conundrum. I argue that (1) we should see cyberspace as an underregulated (but not ungoverned) domain; (2) a main reason for that state of affairs lies in a unique strategic dilemma innate to the cyber domain; and (3) non-state initiatives, including the eponymous “rule book on the shelf,” have a critical role to play in the development of the law in this area.

Additionally, since the 1990s, states have occasionally floated the idea of a global cyber treaty. 6 Most recently, China, Russia, and several Central Asian nations put forward two consecutive versions of a "Code of Conduct for Information Security." 7 However, a few crucial provisions in the Code were off-putting to their Western counterparts. For instance, the duty to cooperate in combating terrorism, separatism and extremism 8 has given rise to criticism that such a wide formulation might have a negative impact on human rights. 9 As the United States noted in rejecting the instrument, it "cannot support approaches proposed in the draft Code … that would only legitimize repressive state practices." 10 To be sure, repeated failures of proposals with global ambitions underscore Dan Efrony and Yuval Shany's analysis that cyberspace is "exceptionally difficult to regulate." 11 Still, it is certainly imaginable that the cyber domain might one day be governed by a global binding agreement. After all, many other areas marked by nonnational spaces and/or shared resources have proved susceptible to such regulation, including Antarctica, 12 outer space, 13 or the high seas. 14 So how likely is it that there is going to be, say, a 2025 Cyberspace Treaty?
Not very. This is due to a complex mix of reasons. The digital domain may still be awaiting its "constitutional moment," a transformative event that would galvanize states into action and bring their representatives to the negotiating table. 15 The technology probably keeps evolving too fast to allow for a meaningful consolidation of interests, a necessary precursor to any drafting exercise. 16 Relatedly, accurate technical attribution of conduct in cyberspace remains a problem, 17 which in turn undermines potential verification efforts, and why bother drafting a treaty the compliance with which cannot be properly verified? 18 All these reasons weaken the prospects of a global cyber convention. However, the principal obstacle to state-led lawmaking in the area of international cyber law arguably lies in an unprecedented dilemma posed by the unique nature of cyberspace.

The Glass House Dilemma
Asymmetries of cyberspace mean that the most powerful nations are, in a peculiar way, also the most vulnerable ones. In other spheres of human activity, states that wield the greatest power generally seek the greatest latitude for their actions and thus usually endorse permissive norms of behavior. Conversely, as a rule, weaker states support restrictive norms, seen as shields against their more powerful adversaries. Accordingly, major maritime powers have historically preferred norms that strengthened the freedom of the seas, whereas coastal states have insisted on projecting their sovereignty seawards. 19 The situation is much less straightforward in the cyber domain. Paradoxically, the more a society relies on its cyber capabilities, the more it becomes vulnerable to malicious cyber operations. On the offensive side, cyber powers may thus prefer permissive rules that would leave some leeway for stone-throwing. But on defense, those same states desperately need restrictive rules to protect the elaborate glass houses they are sitting in. Any development of rules of behavior in cyberspace thus needs to address not only the usual diversity of views held by various states, but also the schizophrenic and sometimes mutually exclusive interests that an individual state may hold.
The best illustration of this dilemma is in the legal qualification of low-level cyber attacks that have come to define our time. Consider, for instance, the statement issued by the British National Cyber Security Centre (NCSC) in October 2018, which attributed a series of cyber attacks against various targets in the United Kingdom and elsewhere to the GRU, the Russian military intelligence service. 20 It expressly noted that "[t]hese attacks have been conducted in flagrant violation of international law," but, remarkably, the statement did not explain which specific international obligations had allegedly been breached. 21 Specifically, the NCSC noted that the GRU was "almost certainly responsible" for accessing e-mail accounts belonging to an unnamed UK-based TV station and for stealing their contents. 22 Similarly, it considered the GRU "almost certainly responsible" for attempting to compromise computer systems belonging to the Foreign and Commonwealth Office (FCO) and the Defence and Science Technology Laboratory (DSTL). 23 Such cyber operations can hardly be described as examples of friendly or responsible behavior. However, it is less certain that this conduct actually violated specific rules of international law.
The most obvious argument that the United Kingdom could have relied on, as noted by Jeffrey Biller and Michael Schmitt, is that interference with computer systems on UK territory without its consent violated its sovereignty. 24 Tallinn Manual 2.0 sets out the framework for such an argument in its Rule 4, which prescribes that "[a] State must not conduct cyber operations that violate the sovereignty of another State." 25 However, the Tallinn framework does not equate all interference with a violation. Rather, the experts considered that interference with cyber infrastructure (such as computer systems belonging to a private TV station) would, at a minimum, need to result in a loss of functionality of that infrastructure for the Rule to be violated. 26 It is unlikely that such effect materialized through the cyber operations against the e-mail accounts of the affected British TV station if they were limited to the exfiltration of data. By contrast, with respect to operations such as those against the FCO and DSTL, the Tallinn commentary considers that "changing or deleting data such that it interferes with … the 19  However, earlier in 2018, the United Kingdom expressly repudiated the view that nonconsensual interference in the computer networks of another state amounts to a violation of that state's sovereignty. 28 Instead, in a speech by its Attorney General, the United Kingdom endorsed the position "that there is no such rule as a matter of current international law." 29 This obviously reduced the United Kingdom's room for maneuver when it came to the legal qualification of the alleged Russian cyber operations. 30 It also likely explains why the NCSC statement did not contain any legal reasoning in support of the accusations.
This example illustrates the difficult dilemma faced by states that use their cyber capabilities in both offensive and defensive ways. In offense, it is in the United Kingdom's interest to "interpret down" the applicable law and assert, as the Attorney General did, that low-level attacks do not violate any existing international legal rules. Conversely, in defense, the United Kingdom's interest is to "interpret up" the law and insist, as the NCSC statement did, that such attacks do amount to violations. These interpretive dances are not only of symbolic value. When a state is the victim of a violation of international law, it is entitled to take action to compel the responsible state to stop, even if that action would otherwise be unlawful. 31 Any such conduct in response is governed by the law of countermeasures, the applicability of which to cyberspace has been expressly endorsed by the United Kingdom. 32
The glass house dilemma is a key element of the "perfect storm" of challenges for the regulation of cyberspace described in the lead article. 33 As the UK example shows, even those states that desire to move away from Efrony and Shany's "policy of optionality" 34 may find themselves torn between particular interpretations of international cyber law. By contrast, other domains are considerably more linear in terms of specific states' interests. For instance, as the future Outer Space Treaty was being developed in the 1960s, the dividing lines lay between the capitalist West and the communist East, and between the space-faring nations and states without such capability. 35 No such clear categories have yet emerged in the complex world of cyberspace. 36

27 Id. at 22, para. 16.
28 See Jeremy Wright, Cyber and International Law in the 21st Century (May 23, 2018).
29 Id.
30 Biller & Schmitt, supra note 24.
31 Articles on Responsibility of States for Internationally Wrongful Acts, in Int'l Law Comm'n Rep. on the Work of Its Fifty-Third

The Role of the Non-state Actors
Whatever the reason for states' silence, it has generated a regulatory void, which has in turn prompted other actors to step in. Reflecting the current multistakeholder approach to cyberspace governance, 37 these actors are quite diverse. In addition to the two Tallinn groups of experts scrutinized in the lead article, they have included think tanks (EastWest Institute or Carnegie Endowment for International Peace), representatives of industry (Microsoft or Siemens), and ad hoc groupings (like the Global Commission on the Stability of Cyberspace (GCSC)).
What connects these efforts is their shared aim to articulate norms of state conduct in cyberspace. For instance, Microsoft called on states to "exercise restraint in developing cyber weapons" and to "commit to nonproliferation activities" concerning such weapons. 38 The Carnegie Endowment has pushed for a state commitment to refrain from conducting cyber operations that "undermine the integrity of data and algorithms of financial institutions." 39 And the GCSC has proposed a norm package on the stability of cyberspace, which includes norms urging states to disclose known vulnerabilities and to enact basic cyber hygiene. 40 These initiatives serve as "norm-making laboratories" for states. 41 Ultimately, only states make international law; moreover, there are obvious question marks surrounding the legitimacy of endeavors initiated by private actors. 42 Still, these initiatives do contribute in important ways to "the pluralisation of international norm-making." 43 The proliferation of cyber norms initiatives that are non-state driven but state-oriented gives states a unique opportunity to learn from, engage with, and react to those initiatives. It is these reactions that then become building blocks in the edifice of emerging rules of custom and interpretations of treaty rules: in other words, the law.
Several cyber-active (and predominantly Western) states have recognized the importance of these initiatives. For example, state representatives have described the Tallinn Manuals as "the first step in codifying cyber law," 44 as an aid in the creation of national positions on international cyber law, 45 and as a "roadmap" for state action in cyberspace. 46 The GCSC has received funding from states including Estonia, the Netherlands, and Singapore. And in November 2018, France launched the nonbinding "Paris Call for Trust and Security in Cyberspace," which was reportedly crafted jointly with Microsoft, and which more than fifty countries and two hundred other stakeholders subsequently signed. 47 However, what is more important than such pronouncements is the extent to which states meaningfully engage with the underlying initiatives. Precedents suggest that states do take some non-state-led proposals seriously. For example, the 1994 San Remo Manual on International Law Applicable to Armed Conflicts at Sea has greatly influenced the text of several national military manuals 48 and, in a submission to the International Court of Justice, the United States expressly stated that it considered most of its provisions to reflect customary law. 49 It is still early days for the cyber norms initiatives, but paradoxically even a repudiation of their interpretations (like the rejection of the Tallinn Manual's sovereignty-as-rule approach by the United Kingdom) confirms their growing influence. By providing much-needed nuance and granularity, non-state initiatives thus assist states in gradually resolving the glass house dilemma and help foster the international rule of law in the cyber domain.

Conclusion
The fact that a compilation of rules like the Tallinn Manual sits "on the shelves" of legal advisors around the world should not necessarily be seen as a weakness. To borrow an analogy from the culinary world, one doesn't really have to keep the cookbooks on the kitchen stove for them to have an impact on one's gastronomical creations. As long as the chef takes them "off the shelf" here and there and peruses them before beginning the next cooking adventure, they will probably have some influence on what the guests will consume that night. Like cookbooks, rulebooks (and other norms proposals) actually belong on the shelves; what matters is that they are easy to reach.