Public International Law/International Law in Cyberspace





Author: Pia Hüsch "Required knowledge: Link" "Learning objectives: Understanding XY."

This is where the text begins. This template follows our style guide. Please take into account our guidelines for didactics. If you're wondering how to create text in Wikibooks, feel free to check out our guide on how to write in Wikibooks.

A. Introduction
Note: updated version in Word doc

The application of international law to cyberspace is one of the great challenges international law faces in the 21st century. By the second decade of the 21st century, cyber operations have become increasingly common in inter-state relations. Whether in the form of cyber espionage or election interference, inter-state cyber operations are nowadays normalised. Although the application of international law to cyberspace was originally contested, it is nowadays widely agreed upon and has been confirmed by individual states, UN working groups and scholarship. While such consensus is a laudable first step, it is at the same time an agreement that is minimal at best. Since then, the conversation has moved on to the decisive question of how exactly international law applies to cyberspace.

This chapter provides a first overview of the discourse on how international law applies to cyberspace. To this end, the chapter introduces a range of areas of international law that are relevant for the regulation of cyberspace and inter-state cyber operations. These areas are by no means an exhaustive list, nor is each topic dealt with in depth. Instead, introducing this range of areas of international law demonstrates how complex and wide-ranging the question of how international law applies to cyberspace is. This chapter will address topics such as international law-making and actors in cyberspace and the application of general principles of international law to cyberspace, including the prohibition of the use of force, the principles of sovereignty, and non-intervention. Furthermore, it covers aspects such as jurisdiction in cyberspace and state responsibility. Finally, the chapter addresses the application of international humanitarian law as well as human rights law to cyberspace.

B. International Law-Making and Actors in Cyberspace
To understand how international law applies to cyberspace, it makes sense to briefly consider relevant parties involved in determining such application and in contributing to the discussion. Firstly, states remain the primary lawmakers of international law. This also holds up in a cyber context where states primarily contribute to the discourse via state statements, setting out their specific interpretation of how the application of international law can be understood in cyberspace. These statements are at the centre of the debate on how international law applies to cyberspace, but while some of them are detailed and contain useful examples, others remain somewhat generic.

Furthermore, a number of other actors and initiatives advance norm-making in cyberspace, including non-binding norms. Not all of these actors can be addressed here. Most prominently, however, there are two UN working groups, the U.S.-led UN Group of Governmental Experts (GGE) that has come to an end in 2021 and the Russian-led UN Open ended working group (OEWG) which continues to meet at the time of writing. Both groups work on similar issues and publish consensus reports, but their composition differs. Other multilateral fora that have previously positioned themselves on the application of international law to cyberspace are organisations such as NATO as well as collective groups of states like the G20.

However, states are not the only relevant actors pursuing norm-development in cyberspace. They are joined by several multi-stakeholder fora advancing cyber norms, such as the Paris Call, the Internet Governance Forum, International Telecommunications Union as well as ICANN, the Internet Cooperation for Assigned Names and Numbers which maintains the technical infrastructure of the internet. The number of relevant actors is further complemented by private sector companies such as Microsoft that play an active role in norm development. The most prominent collection of academic interpretations of international law in cyberspace are advanced in the non-binding Tallinn Manuals, referenced frequently throughout this chapter. Whereas all of these organisations contribute to the discussion on how international law applies to cyberspace in one way or another, primary focus of this chapter rests on states’ individual and collective interpretations.

C. General Principles of International Law
In the absence of a comprehensive cyber treaty that explicitly regulates cyberspace by advancing new norms, the debate on the application of international law to cyberspace primarily revolves around the application of existing principles of international law to cyberspace. The following section will exemplify such discussion by taking a closer look at a number of principles. Particularly relevant principles include the prohibition of the use of force and the right to self-defence. Closer attention will be paid to the Stuxnet Operation in Iran, wildly considered the only cyber operation seen until today that amounts to a use of force and potentially an armed attack. Secondly, this section addresses the application of sovereignty to cyberspace before, thirdly, turning to the principle of non-intervention and its application in cyberspace.

I. Use of Force & Self-Defense
The prohibition of the use or threat of force is an ius cogens norm of public international law and wildly considered as the cornerstone of the UN Charter. It is embodied in Art. 2(4) and is also applicable in cyberspace. This has been confirmed by states, the UN working groups and is also reflected in the Tallinn Manual and academia. Thus, there is no longer any debate on the applicability of the prohibition of use of force in cyberspace, but as is the case for many principles of international law, the question remains how its application can be understood exactly, including the question of what amounts to a use of force in cyberspace addressed in this chapter.

As the term “force” is not defined in the UN Charter, its exact scope and meaning have been subject to much scholarly debate since the UN Charter came into force. As Delerue writes, “The lack of a precise definition is clearly problematic”. At the very least, it leaves open fundamental questions, some of which are of pivotal importance for the cyber context. For example, the question arises whether force is merely restricted to “armed force”. Some support this interpretation, while others suggest that force can extend beyond “armed force”. The drafting process of the UN Charter reveals that the drafters did not intend to include any use of force, as they excluded economic, political and indirect force from Art. 2(4). Clearly, only the latter interpretation includes cyber operations. In light of the development of modern technologies and weapons including biological and chemical weapons, “the debate on the qualification of cyber operations as armed operations comes across as relatively outdated” and it seems no longer “accurate to limit the prohibition of the use or threat of force to armed force”.

Yet, even without limiting force to armed force, not every cyber operation amounts to a use of force. The exact qualification of when cyber operations amount to a use of force differs greatly amongst both states and scholars. Delerue identifies three different approaches that determine whether a use of force has occurred: the target-based approach, the instrument-based approach and the consequence-based approach. The target-based approach considers that a cyber operation amounts to a use of force where it penetrates critical national infrastructure. However, as there is no minimum threshold that has to be met here, the approach is generally considered as too inclusive. The second, instrument-based approach emphasises the “similarity between cyber operations and traditional weapons”, which, however, is often far-fetched. As such, this approach seems outdated and mismatched to the realities of low-intensity cyber operations. Finally, it is the consequence-based or effects-based approach that finds most support. It stresses the importance of the effects caused by cyber operations and foresees that any cyber operation resulting in the physical destruction or loss of life amounts to a use of force. Several criteria have been established to determine whether the effects caused by a cyber operation amounts to a use of force, including severity, immediacy and invasiveness.

Even where this nowadays most popular interpretation is followed, it is less clear whether non-physical effects can also amount to a use of force and whether there is a de minimis threshold that has to be met to constitute force. Currently, there is no scholarly agreement on these matters. And although many states support an effects-based interpretation, these categories remain largely based on an existing legal framework tailored around kinetic uses of force. Consequently, the question remains whether a cyber-specific approach may still add value to the discourse.

Closely related to the prohibition of the use of force is the question when such force amounts to an armed attack, triggering another state’s customary right to self-defence enshrined in Article 51 of the UN Charter. Although some states consider that any violation of the use of force also amounts to an armed attack, this interpretation forms a minority view. The far more common interpretation understands that not any use of force amounts to an armed attack but that an armed attack is only reached where a significant threshold is met. Such interpretation is also supported by the ICJ’s Nicaragua case, in which the Court held that only the “most grave forms of the use of force” constitute an armed attack. In order to determine what amounts to such “most grave form” of the use of force, the Nicaragua case set out the scale and effects test. Such assessment considers the scale, i.e. “the magnitude and intensity of the cyber operation (amount of force used, its location and its duration)” as well as its effects, i.e. “the consequences of the cyber operation (damage and casualties)”. Of course, the question arises what factors are taken into account when conducting such assessment. Whereas taking into account non-physical effects is still controversial, not every cyber operation with physical effects amounts to an armed attack either. Instead, an assessment of scale and effects needs to be made. The Tallinn Manual 2.0, for example, speaks of “all reasonably foreseeable consequences of the cyber operation” that must be taken into account. Equally controversial is also the question whether the accumulation of events can mean that several cyber operations not meeting the threshold individually can collectively meet the threshold of an armed attack. To this day, no cyber operation has publicly been qualified as an armed attack.

II. Sovereignty
Already outside a cyber context, the principle of sovereignty is a highly complex principle of international law. While no authoritative definition of the principle exists, many scholarly suggestions of definitions evolve around concepts such as territory, control, and independence. Besson, for example, calls it the “supreme authority over a territory”. But scholarly debate around the role of sovereignty has been divided, some still considering sovereignty as a cornerstone of public international law in the 21st century, others considering it largely outdated. Nevertheless, there is no doubt that states still consider it highly relevant, including in a cyber context. States have repeatedly stressed that state sovereignty applies to cyberspace. However, again the question arises as to what that means exactly. Sovereignty is an incredibly broad, historically and politically complex principle. Such complexity means that already outside a cyber context it is difficult to pin-point as to what sovereignty means exactly – a problem that is now transposed to the cyberspace debate. Here, the question on how sovereignty applies to cyberspace can also be addressed from many different angles.

One way in which the principle of sovereignty plays out in cyberspace is through exercising jurisdiction. Jurisdiction is a key component of state sovereignty and as such, will be addressed separately in section XX. A second perspective that can be taken when examining how sovereignty applies in cyberspace is focusing on the question of governance of cyberspace. Some considerations on this topic have already been shared in section B. of this chapter.

It is a third perspective, however, that often receives the most attention when discussing the application of sovereignty to cyberspace: the question whether sovereignty constitutes a principle or a rule of international law. Why does this debate matter in the first place? Where a cyber operation is attributable to a state (see state-responsibility section XX ) and the activity in question violates a primary rule of international law but no circumstances precluding wrongfulness are applicable, the act constitutes an international wrongful act. In response to such international wrongful act, the targeted state may use countermeasures. These have to fulfil certain requirements like proportionality, but overall, it allows a state to respond in a way that otherwise might be unlawful itself. However, where no primary rule of international law was violated and consequently, no international wrongful act can be established, the targeted state may merely use retorsion in response but cannot legally resort to countermeasures.

Many states and scholars have since positioned themselves in this so-called “principle vs rule” debate. On the one hand, there is the United Kingdom which has repeatedly confirmed its interpretation that sovereignty merely constitutes principles of international law. This means that although many specific rights are closely related to this principle, where a cyber operation does not violate any of these specific rights, they do not constitute a violation of international law and thus, no international wrongful act either. The targeted state therefore cannot resort to lawful countermeasures. Some scholars have supported this view, but overall, support for this interpretation remains somewhat limited.

In contrast, many states have positioned themselves in the “sovereignty as a rule” camp, confirming that they understand sovereignty as a primary rule of international law and that where such rule is violated, the activity in question amounts to an international wrongful act. Finland, for example, explicitly confirms this view by stating that it “sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility”. So do New Zealand, Germany and France. The interpretation that sovereignty constitutes a rule of international law has also been supported by the experts of the Tallinn Manuals and many other international legal scholars. Under this interpretation, sovereignty almost serves as a catch all function for those cyber operations that otherwise do not meet the threshold of other primary rules of international law.

Whereas the majority view thus sides with the sovereignty as a rule interpretation, this does not mean that states in this camp agree on one definition of sovereignty. To the contrary, considerable differences amongst these states remain. This primarily concerns the question when a violation of sovereignty occurs exactly. While all states in this group agree that such violation constitutes an international wrongful act, they differ on what they consider the relevant threshold that has to be met for such violation. Some states like France consider any penetration of their networks a violation of sovereignty, others require a certain de minimis threshold to be met. The question of what exactly constitutes such threshold often remains open in state statements. Some refer to the Tallinn Manuals on the matter, others do not specify what they think constitutes such threshold. It is clear though, that even where states agree that sovereignty constitutes a rule of international law, the devil is in the details and again, the question of how such principles applies exactly remains open.

Whereas the principle vs rule debate has occupied a prominent spot in the discussion on the broader application of how international law applies to cyberspace, some scholars have pointed out that the practical impact of this debate is indeed limited. This is particularly true for states that enjoy considerable cyber powers which can respond to offensive cyber operations in kind and may engage in such activities themselves. As a consequence, they may have limited interest in clarifying these thresholds.

III. Non-Intervention
A further general principle of international law that applies to cyberspace is that of non-intervention. The principle of non-intervention is based on the idea of sovereign equality and that as all states are equal, one state may not intervene in the affairs of another state. The application of the principle to cyberspace has been widely agreed upon, including in the UN working groups, state statements, the Tallinn Manuals and academia more widely. But although there is a general agreement that the principle of non-intervention constitutes a primary rule of international law (in contrast to the principle vs rule debate that exists for the principle of sovereignty, see above), its application remains subject to many uncertainties. This is especially true for those activities that remain below the use of force threshold. Whereas a military intervention is the most obvious form of intervention, the discussion on the application of non-intervention to cyberspace primarily revolve around those cyber operations that remain below the use of force threshold. This section will therefore focus on these so-called low-intensity or disruptive cyberoperations.

A first look at the principle raises the impression that the principle of non-intervention is – as far as general principles of international law go – not just well-established but also well-defined. The ICJ’s Nicaragua case is the key reference in this context when stating that “The principle of non-intervention involves the right of every sovereign State to conduct its affairs without outside interference” and that “The existence in the opinion juris of States of the principle of non-intervention is backed by established and substantial practice”.

Two requirements follow from this judgment which have to be fulfilled in order for an activity to amount to an unlawful intervention. Firstly, the activity in question must target another state’s domaine réservé. The domaine réservé is typically defined as an area in which a state can decide freely. The Permanent Court of International Justice considers the decisive question whether the matter in question is “not, in principle, regulated by international law”. As the scope of international law has, however, significantly expanded over the last decades, e.g. to include human rights law, international criminal law or international environmental law, the area outside the scope of international law decreases. This is, however, not a cyber-specific problem. Instead, the exact scope of the domaine réservé has always remained undefined. Some areas very clearly fall under its scope though. The Nicaragua case lists a number of areas that fall under its scope, including “the choice of political, economic, social and cultural system, and the formulation of foreign policy”. A prime example of an activity that falls within a state’s domaine réservé is holding elections. As elections and related election interference is a prime example for how the principle of non-intervention can be applied in cyberspace, this chapter will take a closer look at cyber-enabled election interference below.

The activity in question must, however, also fulfil a second requirement in order to qualify as an unlawful intervention, that of coercion. The ICJ’s Nicaragua underlines the importance of this requirement when it refers to it as “the very essence” of intervention. Coercion as a requirement is crucial and points to the “core of the mischief” as it distinguishes mere influence, which may be unwanted but not unlawful, from unlawful intervention.

Much like is the case for the term domaine réservé, the exact definition of coercion remains unclear, particularly so in cyber context. Reismann, for example, speaks of coercion as an “imperative pressure”; Oppenheim famously referred to it as “dictatorial interference”.

What exactly constitutes coercion is thus not clear - a problem that is further augmented in the cyber context, where interaction between states are constant and often disruptive, but not always easily defined as coercive. The following example will demonstrate how difficult it is to apply these definitions to cyber operations.

This example has demonstrated how difficult it is to apply the principle of non-intervention in practice. This is the case as most low-intensity cyber operations to not reach the high thresholds set out by the non-intervention principle. While some academic suggestions to redefine these thresholds exist, they remain purely academic at this point. As the law stands, this means that most cyber operations fall short of these thresholds.

D. Jurisdiction in Cyberspace
Exercising jurisdiction is “the legal competence of a State […] to make, apply, and enforce legal rules”. As such, it is a way for the state to exercise its authority or control over a specific territory or activity and is a central competence of a state. Like with many of the principles discussed here, there is little doubt that jurisdiction generally applies to cyberspace. States have repeatedly confirmed that they enjoy jurisdiction over Information and Communications Technology infrastructure in their territory. Similarly, academia has also argued in favour of its applicability and so do the Tallinn Manuals. This includes prescriptive/legislative jurisdiction, enforcement jurisdiction and adjudicative jurisdiction alike.

While it might seem intuitive that a state would enjoy jurisdiction over cables and computers in its own territory, establishing jurisdiction is not always straightforward. Given the at least in part a-territorial nature of cyberspace, it is not always clear how such jurisdiction can be established in cyberspace. Generally speaking, jurisdiction can be established where there is a link between the state and the person or activity concerned. It can be established through a number of principles, such as territoriality or nationality as well as universality. In cyberspace, however, it is primarily the question how the territoriality principle can be applied to establish a link between the state and the activity in question. This is because the nationality principle applies in the same fashion as outside a cyber context, even though identification of actors might be harder at times. Universal jurisdiction can be established for grave crimes or piracy, but not regular online behaviour.

A closer look at three theoretical approaches illustrates the difficulty of establishing jurisdiction in cyberspace. Let us take the example of a French website globally selling items online. Some argue that in this instance, the destination approach should be followed, i.e. granting a state jurisdiction if the website in question has been locally accessed. Whereas this reasoning has been applied in the past, it is ultimately not considered practical: given that customers from all over the world might be able to order from this website, it allows for too many competing claims for jurisdiction. This is because there is hardly any threshold that has to be met for a state to argue it has jurisdiction. As a consequence, it comes close to a universal jurisdiction which, traditionally, is only reserved for the most severe crimes, such as piracy, but not to regular activities in cyberspace such as online shopping.

Therefore, a variation of the destination approach, i.e. the targeted destination approach, has been advanced. According to it, no longer any state that can access the website can establish jurisdiction but only those states that have been targeted by a website. The targeted destination approach has been applied by the European Court of Justice, but has been criticised for advancing fragmentation of otherwise global cyberspace and has been consider unsuitable for intangible services, e.g. streaming films.

Finally, there is the origin approach, i.e. the idea that jurisdiction is granted to the state where a website is either registered or hosted. Coming back to our example, this means that the French registered website would only have to comply with French law even when it sells items to customers in other states. While such approach is appreciated by businesses who under this approach merely have to comply with the law of one state, it also bears the risk of a “race to the bottom” as businesses are thus tempted to registered in the state with the most lenient regulation in place.

This short overview is by no means comprehensive, but it has illustrated some of the factors that need to be considered when trying to apply existing principles around jurisdiction to activities in cyberspace and what risks and impacts follow. Finally, this section will take a closer look at a particularly controversial issue concerning jurisdiction in cyberspace.

E. State-Responsibility
States are not the only active parties using cyber operations to achieve their aims. Various groups of users may deploy cyber operations, e.g. as cyber criminals with primarily monetary aims or hacktivist pursuing political aims. Many states also outsource their cyber operations to non-state actors or proxy-actors, benefitting from their skills, their cheap labour and the anonymity, given the lower risk of the activity being traced back to the state. However, the line between who is responsible for the activity in question is not always straight forward. Indeed, attributing a cyber operation to as much a question of fact and technical attribution as it is a legal one.

There are also criminal hacker groups that conduct attacks which are primarily conducted out of monetary motivation, but which are nevertheless suspected to have some ties to governments – at the very least in the sense that they do not fear prosecution for their actions from a certain state as long as they do not target it directly. For example, the Conti ransomware group was responsible for a wide range of ransomware attacks in 2020 and 2021. Although “evidence of Conti’s direct ties to the Russian government remains elusive”, their activities largely aligned with the interest of the Russian government and they do not have to fear prosecution by the Russian state.

In a domain that allows skilled actors to remain largely anonymous, understanding what cyber operation took place and what its consequences are is critical next to identifying from which machine a cyber operation was launched, who launched it and whether the act can be attributed to a state actor against whom the response can be taken is key. While the attribution of a cyber operation to a machine or a person is primarily factual and technical, it is also extremely complex and often challenging to find evidence for attribution, especially where actors impersonate one another. Nevertheless, significant progress has been made in the forensic analysis that forms the basis for any factual assessment of attribution.

States are nowadays more likely to attribution cyber operations than they were in the beginning of the 21st century. For such attribution, however, there also needs to be legal attribution. Legal attribution of an act or an omission to a state can be made under the law of state responsibility. It determines whether the act of a group or an individual constitutes an international wrongful act that can be attributed to a state and, if this is the case, whether there are any circumstances precluding wrongfulness. For the application of the law of state responsibility in cyberspace, which was confirmed by states, the UN working groups, and initiatives such as the Tallinn Manual, it is primarily the issue of attribution that raises further debate.

The law of state responsibility can primarily be found in the 2001 Articles on State Responsibility which provide insights on when an act or omission can be attributed to a state. This is of course the case if state officials or a state organ acts on behalf of the state, but may also be the case for individuals or groups as the proxy actors mentioned above. Art. 8, widely considered to reflect customary international law, clearly states that"“The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct”."The group or individual must therefore not act in complete dependence on the state, in which case they would amount to a state organ anyway, but it suffices if they are either under the instructions or direction or control of a state. The difference between the three notions – if there is one – is not always clear. If a state instructs a group to conduct a specific cyber operation, the act is attributable to the state. Although not all details must be determined, not every generic call for action qualifies as instruction, nor is an act attributable to a state if the group or individual exceed the instructions given. Direction refers to an “ongoing relationship of subordination”, e.g. where a state gives long-term guidance rather than specific instructions to a group. Finally, control that goes beyond mere control over the territory in question but amounts to actual control over the non-state actor means that the act or omission can be attributed to the state.

Much more could be said here about the various degrees of connection between the state and the non-state actor in question and what legal consequences such relationship carries. For the purposes of this introductory chapter, however, it is important to remember that just because states outsource their cyber operations to individuals or groups, this does not mean they cannot be held responsible for such acts or omissions. Instead, the law of responsibility also applies in cyberspace and allows for the attribution for such acts or omissions to the state in question. Even though factual and technical attribution still remains challenging, much progress has been made on the forensics behind such analysis.

F. International Humanitarian Law in Cyberspace
Unlike some of the other areas of international law examined here, the applicability of international humanitarian law (IHL) in cyberspace was a controversial topic amongst states. For example, the failure to reach agreement over the 2017 UN GGE report arguably at least partially stems from disagreement regarding the applicability of international humanitarian law in cyberspace. The academics of the Tallinn Manual 1.0, published in 2013, had already clearly supported the applicability of IHL to cyber operations conducted in the context of an armed conflict. Since then, individual states have confirmed this interpretation.

Confirming the general applicability of IHL in cyberspace, a closer look at practice is needed to understand how and when it applies exactly. The narrative of a cyber pearl harbour and cyber Armageddon, which were particularly prominent in the 2010s, are nowadays considered inaccurate - particularly in light of the Russian 2022 invasion of Ukraine. Nevertheless, such language raises the question of when and how IHL applies to cyber operations. The application of IHL is triggered where an international or non-international armed conflict exists. However, to this day, no individual cyberattack has reached this threshold and it remains unlikely that this threshold will be reached. As such, international humanitarian law will most likely apply to cyber operation where these form part of a conventional armed conflict, as is the case in Ukraine. Long subject to Russian cyber attacks, Ukraine faced an increase in number and intensity of such attacks in the context of the 2022 invasion. Russia continues to attack Ukraine through a range of cyber activities, including DDoS attacks and other cyber operations, some of which are coordinated with kinetic attacks.

Where a cyber operation does form part of an international or non-international armed conflict and constitutes an attack, it has to comply with the same principles of IHL that also apply to kinetic attacks. Given this short introduction of this chapter, this section is limited to the following provisions that point the reader to key elements of international humanitarian law but naturally does not present a comprehensive analysis.

I. The Principle of Distinction
The principle of distinction is a central principle of IHL which forms part of customary international law and as such, it is applicable to international and non-international armed conflicts. It foresees that an attack must at all times distinguish between combatants or military objectives who can be directly targeted and civilians or civilian objects who may not be directly targeted. Medical or religious personnel of armed forces, injured combatants or prisoners of war may not be directly targeted. Military objectives, i.e. objects that according to their nature, use, purpose or location make an effective contribution to military operations and whose capture, destruction or neutralisation would confer a definite military advantage, may be directly targeted. In contrast, civilian objects and civilians may not be directly targeted, unless they have been turned into a military objective (e.g. by location munition in a school) or are civilians directly participating in hostilities may not be targeted. Whereas these rules apply to cyberspace, details thereof remain unclear. The interconnectivity of ICT infrastructure further means that it is not always clear how to distinguish between civilian and military structures. To enable greater distinction, the ICRC has suggested a digital emblem marking hospitals and other digital infrastructure that may not be directly targeted.

II. The Principle of Proportionality
The second cornerstone principle of IHL is that of proportionality, which is also part of international customary law, and therefore, applies to international and non-international armed conflicts alike. It means that an attack against a military objectives is unlawful where the concrete and direct anticipated military advantage of an attack is excessive in relation to the attack’s impact on civilian life or the damage or destruction of civilian objects. If an attack is directed against civilians or a civilian object, the attack is automatically unlawful and may even amount to a war crime. The principle of proportionality also applies to cyber operations that are an attack in an armed conflict. Controversial is the question whether attacks that do not cause or are intended to cause physical effects are also subject to the proportionality assessment. The Tallinn Manual, for example, argues that this is not the case. Accordingly, information operations or electronic warfare against communications systems are not subject to the proportionality assessment.

III. The Principle of Precaution
Thirdly, an attack must comply with the customary principle of precaution, i.e. the attacker must take constant care to spare the civilian population, civilians and civilian object and must take all feasible precautions to minimise or avoid incidental loss of civilian life, injury or damage or destruction to civilian objects. It follows that when planning or conducting an attack that is likely to result in excessive harm, such attack must be cancelled or suspended. As such, the principle is similar to the principle of proportionality, but refers to elements such as timing, means and methods of an attack. The Tallinn Manual provides insights on how precautions can be taken for cyber attacks, e.g. by including technical experts in the planning of attacks.

Further critical principles like the prohibition of perfidious attacks or questions such as the geographical scope of the applicability of IHL to cyber operations as well as the application of the law of neutrality cannot be covered here for reasons of scope. However, the previous examples have demonstrated that although it is unlikely that cyber attacks may amount to an armed conflict on their own, where they form part of such armed conflict, they are subject to the same key provisions conventional attacks are.

G. Human Rights Law
Early versions of cyberspace and the development of the internet were seen as a revolutionary opportunity to advance human rights standards globally, the development of one fertilising the development of the other. Such development, however, was not appreciated by authoritarian states which, by relying on notions of sovereignty and non-intervention, restricted access to the internet as a form to oppose U.S. soft power. Nowadays, the intersection of cyberspace and human rights often raises associations of internet restrictions, internet shut downs and human rights infringements. Examples that come to mind is the Great Firewall in China, the heavy free speech restrictions in Russia or repeated shutdown of internet in Iran in response to protests. They all illustrate how closely cyberspace and human rights are interconnected.

I. Freedom of Expression Online
There is widespread agreement that human rights also apply online. Amongst the most prominent examples of human rights online are some of the civil and political rights related to communications, including the right to freedom of expression and the right to privacy as well as connected rights such as the freedom of opinion and thought. The freedom of expression and its application to cyberspace is a particularly contentious topic, but differences in interpretation of the scope of free speech have existed long before the popularity of the internet and social media. For example, the U.S. follows a much more expansive interpretation of freedom of speech than Germany, particularly when it comes to Holocaust denial and hate speech, but differences are also reflected amongst different human rights treaties like the ECHR or the ICCPR. However, varying restrictions of the freedom of expression are particularly evident when comparing restrictive practices of authoritarian and liberal states. In light of increased restrictions of free speech online, procedural protections of the right to free speech are crucial.

Varying approaches to the restriction of free speech stand in particularly stark contrast to the divergence of communications enabled by the global reach of social media platforms. While large proportions of the globe are connected through platforms like Facebook or Twitter, access thereto is restricted in states like China or Iran. Within these platforms, however, freedom of speech is not unregulated either. Instead, content moderation or the lack thereof by social media platforms is a reoccurring topic of controversy. The powerful position of a handful of tech giants raises questions over who regulates freedom of speech and again, what procedural safeguards are in place.

II. The Right to Privacy Online
The right to privacy is another key human right that is central in the debate on how human rights law applies online. It can be found in international human rights treaties such as Art. 17 ICCPR. As such, it pre-dates the rise of the internet, but in an increasingly inter-connected world fuelled by data, the right to privacy has gained ever more importance.

In some respects, much progress has been made with respect to protecting privacy in the digital age. Particularly the EU’s General Direction on Privacy Rights (GDPR) has been highly influential in setting standards of data protection in and beyond Europe. However, there remain significant discrepancies between the standards set out in human rights treaties such as the ICCPR and “the reality of government practices on privacy”, such as expansive surveillance practices. Additional concerns include the powerful role of tech-giants, fed by ever more information users post online, raises questions about privacy standards and how government can or wants to impose them via the private sector regulation as well as how government can protect citizens’ privacy from interferences via cyber crime or cyber espionage.

III. A New Right to Internet Access?
Human rights law online also addresses the realisation of economic, social and cultural rights. While it is clear that economic, social and cultural rights also apply online, how they can be advanced largely relates to aspects such as digital access and a stable and secure internet connection in the first place. These circumstances are, however, not always given but instead, there is a digital divide both across and within states. Given the economic and cultural importance of the internet, some find that access is key to realise the right to development while others have gone even further and advocated for a self-standing human right to internet access. However, such argument is highly controversial and points out that many details on the question of how human rights law plays out online is in fact still unclear and under development.

Further Readings

 * Source I
 * Source II

Conclusion
In a highly digitalised world, almost all aspects of life are interconnected with online activities. This is also true for subject matters that typically fall under the scope of international law, such as general principles of international law, humanitarian law or the law of state responsibility. This chapter has demonstrated that existing norms of international law find application in cyberspace, whether it is to inter-state cyber operations targeting foreign elections or those conducted in connection with armed conflicts, or whether it affects human rights law and the freedom of speech online. However, this chapter has also pointed out that although the application of international law to cyberspace is widely agreed upon, including the more specific areas thereof examined in this chapter, the discussions on how it applies exactly are still at their beginning. Both technology and state practice are developing further, feeding into the discourse on how international law exactly applies to cyberspace. Furthermore, numerous initiatives on norm-development in cyberspace add to the discourse. Against this backdrop, many of the details on the interpretation and application of international law remain unclear at this stage, requiring further research and clarification by both academia and state practice.