Taming the Lawless Void: Tracking the Evolution of International Law Rules for Cyberspace

This article discusses the trend towards normative action in cybersecurity policies on an international scale. In other words, how the specific language surrounding international cyber law has the potential to affect countries positively or negatively. Schmitt concedes that a new treaty or set of laws governing cyberspace is unlikely due to ideological differences, yet there is a growing increase in language interpretation in existing laws. In fact, Schmitt points out that the word “cybersecurity” itself is disputed, as it is used mainly by liberal democracies, while more authoritarian regimes such as Russia and China use the word “information security”. Because interpretation of existing laws allows countries to have more freedom in their policies, states and nonstate actors are incentivized towards normative action. States can either choose liberal interpretations of each of the laws or a limited interpretation, both which have downsides and benefits depending on the cybersecurity needs of an entity. While “rule of law” (states that follow the laws with limited interpretation) states are clearer about sovereignty and therefore are attacked less, they can often be bogged down with the limited laws when defending themselves. On the other hand, states that adopt a liberal interpretation of cybersecurity laws are more likely to defend themselves in whatever way they see fit, although their liberal adaptation often leads fewer countries to collaborating politically. For these reasons, countries often “cherry-pick” which laws they want to follow liberally and which they want to follow more limitedly.

The key laws within international cyber law include sovereignty, intervention, due diligence, use of force, and responses. As Schmitt argues, both sovereignty and intervention allow room for several different norms and thresholds about what the country will allow and when they have to intervene. Due diligence, the idea that a government should first try to end cyber conflict through law enforcement or other means before fighting back on a large scale, is a precedent set by the International Court of Justice. Although there is a growing inclination of states to follow due diligence, some countries still resist the language in challenging what “trying to end the conflict” actually means. Similarly, in use of force and responses to cybersecurity, there was normative barriers to their universal adoption. France and Estonia, for example, challenge the damage that has to be done to warrant a response, both setting low thresholds on action, deterring attacks. Other countries, on the other hand, set higher thresholds on what use of force warrants, which in many cases, saves the country resources and time. The final main pillar of the international cybersecurity law, responses, has been lowering in normative behavior because states want more freedom to be protected and more freedom to attack. One of the subpoints about responses to cyberattacks, for example, is the “notice” requirement, which mandates that a country announce before they launch a counter cyberattack. However, countries have begun to consider this point as a formality, a point that can be dispensed of in a real emergency. In all of the language, Schmitt concludes that the future holds a further interpretation of these same laws to create cyber nuances, rather than new laws all together. These normative firewalls depend per country and per law. While freeing in policy, this practice allows states to agree publicly with a rule and subsequently, violate it. Despite these downfalls, a shift towards focusing on the existing language of cybersecurity laws and following them, even basically, marks an important shift towards a more law-conscientious cyber sphere.