Grey Zones in the International Law of Cyberspace

Grey zones in cyberspace and cyberlaw have allowed Russia and other malicious cyber actors to take advantage of holes in responses. Within the fundamental component of sovereignty, there are two main grey zones within the normative language. Some critics argue that sovereignty is a “principle that yields no sovereignty-specific primary rule of international law” (Schmitt, 2019, p. 4). While the United States has always viewed a breach of sovereignty as enough to counterattack, other states with a gentler hand could be attacked and not have substantial laws in place to attack back. Furthermore, the responsibility of sovereignty has room for interpretation. In other words, if a country is attacked by a private corporation in another country, their sovereignty is violated. The question of responsibility and who actually violated the sovereignty, the corporation or the host country, is more unclear.

An additional grey zone in international cyber law lies in intervention. The international consensus on intervention is that countries should not intervene in the affairs, both internal and external, of another country because it violates the country’s sovereignty. However, the actions of a malicious actor are more unclear. As Schmitt explains, “elections fall within the domaine réservé, such that using cyber means to frustrate them would raise issues of intervention. By contrast, purely commercial activities typically do not” (Schmitt, 2017, p. 7). In other words, a malicious actor could skirt the retribution of a country even if they infiltrate it depending what the country defines as “influence”. An additional grey zone of intervention concerns coercion. Specifically, if coercion counts in the cyber realm as “influence”, an argument used to justify the Russian influence on the DNC.

Other grey zones within international cyber law include attribution and due diligence. While the international community is supposed to take responsibility for attacks that originate from its borders, academics argue that depending on the role of the government in the country, surveilling over its population is unrealistic. This case is pertinent to non-State actors acting within a country’s borders. The “control” that the government had is unclear and hard to prove if a country is turning a blind eye or genuinely is not catching cyberattacks on their soil. Similarly, are the grey zones for the international law of due diligence. The cyberattacks themselves are often launched using botnets, which have individual bots in countries all over the world. The responsibility of an individual country to proactively fight against it is unclear, and again, hard to prove in a court of law. If a country knows of an attack about to occur that originates from its land, the law is unclear on what preventive measures they are expected to take (or allowed to).

Regarding the Use of Force and Self-Defense, the United Nations posits that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the Purposes of the United Nations” (UN Article 2(4)). While the Tallinn Manual mostly focuses on a loss of life or physical damage, other countries, such as France, argue that economic loss and other losses should also warrant a response. The lack of a threshold for force can either leave countries vulnerable and unable to attack or could escalate attacks greatly with an unproportioned retaliation. On this same vein is International Humanitarian Law, specifically regarding the protections of civilians and non-civilians. The term “attack” is vague within the Tallinn Manual, thereby complicating when these protections need to be provided in the first place.