State Department’s Top Ten Answers on International Law in Cyberspace

Legal Advisor to the U.S. Department of State Harold Hongju Koh

From Harold Hongju Koh, Department of State:  Everyone here knows that cyberspace presents new opportunities and new challenges for the United States in every foreign policy realm, including national defense. But for international lawyers, it also presents cutting-edge issues of international law, which go to a very fundamental question: how do we apply old laws of war to new cyber-circumstances, staying faithful to enduring principles, while accounting for changing times and technologies? . . .

We are not alone in thinking about these questions; we are actively engaged with the rest of the international community, both bilaterally and multilaterally, on the subject of applying international law in cyberspace.

With your permission, I’d like to offer a series of questions and answers that illuminate where we are right now – in a place where we’ve made remarkable headway in a relatively short period of time . . .

Question 1: Do established principles of international law apply to cyberspace?

Answer 1: Yes, international law principles do apply in cyberspace. . . . the United States has made clear our view that established principles of international law do apply in cyberspace.

Question 2: Is cyberspace a law-free zone, where anything goes?

Answer 2: Emphatically no. Cyberspace is not a “law-free” zone where anyone can conduct hostile activities without rules or restraint. . . .

Question 3: Do cyber activities ever constitute a use of force?

Answer 3: Yes. Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. . . .

Question 4: May a State ever respond to a computer network attack by exercising a right of national self-defense?

Answer 4: Yes. A State’s national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof. As the United States affirmed in its 2011 International Strategy for Cyberspace, “when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”

Question 5: Do jus in bello rules apply to computer network attacks?

Answer 5: Yes. In the context of an armed conflict, the law of armed conflict applies to regulate the use of cyber tools in hostilities, just as it does other tools. The principles of necessity and proportionality limit uses of force in self-defense and would regulate what may constitute a lawful response under the circumstances. There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.

Question 6: Must attacks distinguish between military and nonmilitary objectives?

Answer 6: Yes. The jus in bello principle of distinction applies to computer network attacks undertaken in the context of an armed conflict. . . .

Question 7: Must attacks adhere to the principle of proportionality?

Answer 7: Yes. The jus in bello principle of proportionality applies to computer network attacks undertaken in the context of an armed conflict. . . .

Question 8: How should States assess their cyber weapons?

Answer 8: States should undertake a legal review of weapons, including those that employ a cyber capability. Such a review should entail an analysis, for example, of whether a particular capability would be inherently indiscriminate, i.e., that it could not be used consistent with the principles of distinction and proportionality. . . .

Question 9: In this analysis, what role does State sovereignty play?

Answer 9: States conducting activities in cyberspace must take into account the sovereignty of other States, including outside the context of armed conflict. . . .

Question 10: Are States responsible when cyber acts are undertaken through proxies?

Answer 10: Yes. States are legally responsible for activities undertaken through “proxy actors,” who act on the State’s instructions or under its direction or control. . . . established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the State’s instructions or under its direction or control.

Excerpt from remarks by Harold Hongju Koh, Legal Advisor U.S. Department of State, at USCYBERCOM Inter-Agency Legal Conference, Ft. Meade, MD.