The Law of Cyber Peace

In December 2014, Sony Pictures was the victim of a data breach, allegedly by a group of hackers known as the “Guardians of Peace” with ties to the North Korean regime.11

The breach sparked a wave of partisan commentary, with President Obama calling the incident an example of “cyber vandalism,” while Senator John McCain called it “the manifestation of a new kind of warfare.”22   This episode highlights the difficulty of classifying cyber operations under international law, given the widely divergent views that can result from the same fact pattern. Cybersecurity often seems to be in the eye of the beholder. This begs the question as to what is the most appropriate legal framework for guiding policymakers’ responses to such incidents. This can be a particularly vexing question for incidents below the armed attack threshold, at which point the law of armed conflict is activated, and which is also where the vast majority of cyber operations fall,33 from the now infamous 2015 U.S. Office of Personnel Management (OPM) breach to more recent attacks on the South Korean subway, Cisco, and the SWIFT code system relied on by myriad financial firms.44 Yet it is also an arena in which international attention is increasingly being paid. This may be seen by the governance spectrum of State approaches to enhancing cybersecurity as well as norm-building efforts such as the 2015 G20 communique on the applicability of international law to cyberspace,55 the 2016 G7 cybersecurity statement,66 and the G2 cybersecurity code of conduct.77

Increasing and worthwhile attention has been paid to applying existing international law to the cause of enhancing global cybersecurity. The bulk of this research, though, has been focused on leveraging international humanitarian law to regulate the conduct of cyber warfare.88

Yet much of this work is largely hypothetical given how exceedingly rare it is for a cyber operation to cross the armed attack threshold.99 The majority of the cyber risk facing the public and private sectors lies in the arena of cybercrime and espionage.1010 More scholars have been applying international law “below the threshold” to these issues as may be seen by the Tallinn 2.0 project,1111 but much more work remains to be done.1212 For example, perhaps surprisingly, relatively little literature exists examining the potential to leverage private international law to the cause of mitigating global cyber risk.1313

This Article seeks to help address this omission by offering a roadmap that synthesizes and extends work in this field. It does so by drawing from cybersecurity due diligence, cyber risk insurance, project finance, voluntary frameworks, trade, investment treaties, and underexplored realms of public international law including the Vienna Convention on Diplomatic Relations, global commons regimes, and Mutual Legal Assistance Treaties (MLATs).1414

The time is ripe for a fresh look at existing international legal tools that would help us better manage the multifaceted cyber threat. Only then can an accounting be made of gaps to be filled in by norms, ethics, custom, and perhaps one day, new accords. This work is meant to be a follow-up study to another article analyzing the applicable international law to cyber operations both above and below the armed attack threshold, taking into account legal development in the preceding seven years.1515 It is also a summation of an array of stand-alone efforts investigating various aspects of the law of cyber peace into a coherent whole while breaking new conceptual ground, particularly in the rapidly evolving field of private international cybersecurity law as one component of a “polycentric” approach to promoting cyber peace.1616

This Article is structured as follows. Section II reviews the private international law applicable to the cause of promoting a global culture of cybersecurity, including the rise of “voluntary” cybersecurity risk frameworks.1717

Section III analyzes the applicable public international law below the armed attack threshold. Finally, Section IV investigates the role that cybersecurity norms may play as legal harmonization proceeds, along with examining proposed cybersecurity accords and the role that polycentric governance may play in fostering cyber peace.1818

International law has been defined as “the body of legal rules,” norms, and standards that applies “between sovereign States” and non-State actors, including international organizations and multinational companies, enjoying legal personality.1919

Traditionally, the primary sources of international law include treaties, custom,2020 and general principles of law.2121 Subsidiary sources of international law include judicial decisions and scholarly writing.2222 Given the recent nature and rapid development of cyber-capabilities, there are comparatively few treaties that specifically address the rights and obligations of States vis-à-vis cybersecurity, with the notable exception of the Council of Europe Convention on Cybercrime (Budapest Convention) discussed below.2323 Absent a robust treaty regime, and given the geopolitical difficulties of negotiating new agreements in this area,2424 it is vital to clarify the role of existing private and public international law related to the promotion of cyber peace.

Private international law is a far-reaching and often underappreciated body of law.2525

Although myriad definitions exist, the Organization of American States has defined private international law as “the legal framework composed of conventions, protocols, model laws, legal guides, uniform documents, case law, practice and custom, as well as other documents and instruments, which regulate relationships between individuals in an international context.”2626 Given how expansive this category of law is, its potential for shaping the emerging field of international cybersecurity law is immense, ranging from cybersecurity standards and national frameworks to cybersecurity risk insurance programs, trade and investment treaties, cybersecurity due diligence, and relevant case law. Many law firms, for example, see cybersecurity devolving throughout their practice areas, including the more traditional international law practice groups of project finance, international trade, and international arbitration.2727 Space constraints prohibit a comprehensive analysis of each of these facets of private international cybersecurity law within this Article. Rather, the goal here is to begin to map out what we know and identify governance gaps to help jumpstart a broader conversation about the utility of private international law in furthering the cause of cyber peace. First, though, it is important to define core concepts, beginning with the notion of “cyber peace” itself.

Private-sector cybersecurity best practices, along with national, bilateral, and regional bodies acting as norm entrepreneurs that are identified throughout this study are together conceptualized as components of a “polycentric” approach to promoting a global culture of cybersecurity. This multi-level, multi-purpose, multi-functional, and multi-sectoral model,2828

championed by scholars including Nobel Laureate Elinor Ostrom and Professor Vincent Ostrom, challenges orthodoxy by demonstrating the benefits of self-organization, networking regulations “at multiple scales,”2929 and examining the extent to which national and private control can in some cases coexist with communal management, as may be seen in the success of the largely self-organized Internet Engineering Task Force, the body responsible for the communications side of Internet governance.3030   The field also posits that, due to the existence of free riders in a multipolar world, “a single governmental unit” is often incapable of managing “global collective action problems”3131 such as cyber attacks. Instead, a polycentric approach recognizes that diverse organizations working at multiple levels can create different types of policies that can increase levels of cooperation and compliance, enhancing “flexibility across issues and adaptability over time.”3232 Such an approach, in other words, recognizes both the common but differentiated responsibilities of public- and private-sector stakeholders as well as the potential for best practices to be identified and spread organically, generating positive network effects that could, in time, result in the emergence of a cascade toward a positive cyber peace.3333

The International Telecommunication Union (ITU), a U.N. agency specializing in information and communication technologies, pioneered some of the early work in the field by defining “cyber peace” in part as “a universal order of cyberspace” built on a “wholesome state of tranquility, the absence of disorder or disturbance and violence.”3434

Although certainly desirable, such an outcome is politically and technically unlikely, at least in the near term. That is why cyber peace is defined here not as the absence of conflict, a state of affairs that may be called negative cyber peace.3535 Rather, it is the construction of a network of multilevel regimes that promote global, just, and sustainable cybersecurity by clarifying the rules of the road for companies and countries alike to help reduce the threats of cyber conflict, crime, and espionage to levels comparable to other business and national security risks. To achieve this goal, a new approach to cybersecurity is needed that seeks out best practices from the public and private sectors to enhance cybersecurity due diligence. Working together through polycentric partnerships, we can mitigate the risk of cyber war by laying the groundwork for a positive cyber peace that respects human rights, spreads Internet access along with best practices, and strengthens governance mechanisms by fostering multi-stakeholder collaboration.3636

The following Section begins the exploration of how we can leverage private international law to promote cyber peace from the bottom up, starting with private-sector cybersecurity innovations that are helping to define a global standard of cybersecurity care including due diligence, cyber risk insurance, project finance, and international arbitration. Next, the movement toward “voluntary” cybersecurity frameworks is analyzed as a data set to begin a more thorough analysis of the current status of customary international cybersecurity law, before turning to bilateral, regional, and global trade and investment treaty frameworks.

What is cybersecurity due diligence? In the private-sector transactional context, this term has been defined as “the review of the governance, processes and controls that are used to secure information assets,”3737

which makes it stand apart from more outwardly focused public international law concepts of due diligence. This increasingly central concept to a variety of governmental and business activities, as it is used here, builds from this definition and may be understood as the customary national and international obligations of both State and non-State actors to help identify and instill cybersecurity best practices and effective governance mechanisms so as to promote cyber peace through enhancing the security of computers, networks, and information and communication technology (ICT) infrastructure. Cybersecurity due diligence obligations may exist between States, between non-State actors (for example, private corporations and end-users), and between State and non-State actors.3838 But determining exactly what nations’ due diligence obligations are to secure their networks and to prosecute or extradite cyber attackers is no simple feat. Surprisingly, this central concept has received little attention in the literature.3939 This Subsection summarizes the current state of play in this field focusing on relevant International Court of Justice (ICJ) jurisprudence—namely Corfu Channel,4040 Trail Smelter,4141 and Nicaragua4242 —as well as evidence from the private sector to enrich the discussion before moving on to the related topic of cyber risk insurance.

The first relevant ICJ case regarding the due diligence obligations of nations is Corfu Channel, particularly the holding in that decision that one country’s territory should not be “used for acts that unlawfully harm other States.”4343

As applied to cybersecurity (a very different context from its nautical origins), this decision could implicate a duty to terminate cyber emanations from a State’s own territory, as well as perhaps a duty to warn other States as to vulnerabilities in its networks that could be exploited by malicious actors and used to harm other nations.4444 Yet this interpretation would be difficult to enforce in practice given the wide array of vulnerabilities replete in a nation’s networks, only some of which may be under a nation’s direct control, as may be seen by the more than eighty-five percent of U.S. critical infrastructure that is in private hands.4545 Moreover, the growing use of cloud-based services can engender complex jurisdictional issues,4646 while the duty to warn may have itself been subsumed by the 2015 G20 communiqué that called for a duty to assist victim nations,4747 which could implicitly include a duty to warn these nations of impending attacks.

An ad hoc international tribunal also addressed what could become the contours of a cybersecurity due diligence norm in its Trail Smelter decision, which centered on pollution crossing the U.S.-Canadian border giving rise to adverse health and environmental effects. The decision, among other things, was concerned about the nature of Westphalian sovereignty, and whether modern notions of sovereignty should be based just on territory, or whether the effects arising from one nation that impact another could also give rise to obligations through the emerging doctrine of effects jurisdiction.4848

Ultimately, Trail Smelter held that “no State has the right to use or permit the use of its territory . . . to cause injury by fume . . . to the territory of another . . . when the case is of serious consequence and the injury is established by clear and convincing evidence.”4949 Even though the decision was directed towards the emission of “fumes,” Trail Smelter has come to represent the broader “no harm” principle, which requires of States “that activities within their jurisdiction or control respect the environment of other States.”5050 This “no harm” principle, although directed towards the environment, may enjoy parallels with cyberspace and cybersecurity, and may serve as the foundation for a broader State obligation not to permit domestic activities that result in serious international consequences. Yet it should be noted that this precedent does not yet enjoy widespread State practice, given that it could implicate a huge array of transboundary harms. Still, the reference to “serious consequences” could suggest a graduated cybersecurity due diligence obligation not to permit, for example, harms above a certain threshold, be they environmental or digital.

Finally, the ICJ addressed the core issue of State sovereignty in its Nicaragua decision when the Court stated that nations have an obligation not to interfere in one another’s domestic affairs if that intervention relates to “the choice of a political, economic, social, and cultural system, and the formulation of foreign policy.”5151

This ruling may be read as being in contrast to the Court’s effects jurisdiction analysis in Trail Smelter. It also tracks the divergent State practice on Internet governance, with some States asserting varying degrees of Internet sovereignty while others profess Internet freedom and the virtues of the “global networked commons.”5252 How multi-stakeholder Internet governance may be balanced with classic conceptions of State sovereignty over the long run remains unclear, but the potential for domestic cyber policies to have international ramifications has arguably never been greater;5353 a case in point being the European Court of Justice’s 2015 Safe Harbor decision, which has rippled across cyberspace.5454

In summary, the international jurisprudence is unsettled, and, as such, is far from dispositive on the question of a cybersecurity due diligence norm. Both State practice and lessons from the private sector can and should be considered to help build out the private international law of cyber peace, which thus far has been largely untapped to answer such questions. For example, facets of national cybersecurity strategies could, in time, crystallize into customary international law as State practice clarifies.5555

Similarly, given the extensive public-private cross-pollination of cybersecurity best practices, private-sector efforts aimed at enhancing cybersecurity are informative given the extent to which they are shaping national policymaking, with the 2014 National Institute for Standards and Technology (NIST) Cybersecurity Framework being a case in point.5656

Jason Weinstein, former deputy assistant attorney general at the U.S. Department of Justice, summarized the issue of cybersecurity due diligence succinctly when he said: “When you buy a company, you’re buying their data, and you could be buying their data-security problems.”5757

In other words, “[c]yber risk should be considered right along with financial and legal due diligence considerations.”5858 Already a majority of respondents in one 2014 survey reported that cybersecurity challenges are altering the M&A landscape, while eighty-two percent said that cyber risk would become more predominant over the following eighteen months.5959 Simply put, according to Thomas J. Smedinghoff, of counsel at Locke Lord Edwards LLP, “The cybersecurity situation of the company you are acquiring affects the value of the company, it affects the liability you might be taking on, and it affects the costs you might have to incur.”6060 Managers now considering what form cybersecurity due diligence should take have a wealth of resources (as well as a growing array of compliance obligations) to consider.6161 These include, in the U.S. context, the NIST Cybersecurity Framework discussed further below,6262 as well as guidance from the Securities and Exchange Commission, National Association of Corporate Directors, and the Payment Card Industry (PCI) Security Standards Council.6363 Together, these frameworks, and others, provide the beginnings of a cybersecurity due diligence standard guiding judges as they work through causes of action such as breach of fiduciary duty and negligence resulting from data breaches.6464

Despite some progress, though, many remain predominantly reactive in their cybersecurity stances.6565

In order to improve the status quo, firms must leverage proactive cybersecurity best practices ranging from risk-based data management to minimizing the danger of insider threats through meshing corporate and human resources policies and reviewing the cybersecurity track records of vendors and potential partners.6666 Over time, as legal harmonization progresses, there will be more opportunities to build out cybersecurity norms, including due diligence, which is already being assisted by the rapid growth and sophistication of the cyber risk insurance market.

Insurance has been called a “key part of the [cybersecurity] solution,” but it has only recently begun to catch on, albeit in fits and starts.6767

After all, insurance is a primary way that we as a society manage risky behavior across myriad sectors, from car accidents to healthcare. Indeed, state and federal law even requires the purchasing of different types of insurance to mitigate risk—including car and health insurance—which begs the question, why not cyber risk insurance? The trouble, as we will see, lies in the accurate assessment of risk. Still, as data models and frameworks improve, such policies are increasingly popular tools for a growing array of small- and medium-sized enterprises as well as multinational corporations and major universities. Even the U.S. government has begun to discuss ways in which to encourage the more rapid update of cyber risk insurance policies.6868 Indeed, according to Roger Smith of Allianz, “Cyber insurance is probably the fastest growing insurance in the world.”6969 This Subsection discusses the triumphs and travails of the cyber risk insurance market before moving on to related due diligence considerations.

Insurance firms have been experimenting with cyber risk insurance policies for more than a decade; Zurich North America, for example, began offering “a reward for information leading to the conviction of” cyber terrorists back in 2002.7070

By some estimates the market will be worth more than $7.5 billion by 2020 with an increasing number of firms looking to invest in coverage,7171 a trend that could be reinforced depending on regulatory developments such as the Securities and Exchange Commission (SEC) cyber attack disclosure guidelines.7272 Other nations are going further, with Australia requiring cyber attack disclosure in 2016,7373 which could better inform the process of quantifying risk premiums. As one 2008 survey explained, “cyber insurance is a concept that has a great deal of intellectual appeal, has seen a degree of implementation, but that isn’t taking the enterprise world by storm.”7474 Part of the reason is cost.7575 While some small firms like Brookeland Fresh Water Supply in East Texas, from which cybercriminals stole $35,000, have been kept afloat by insurance (because of its insurance policy, instead of going out of business, it only lost its $500 deductible), many other small, medium, and large enterprises have been refused coverage.7676 If managers are not forthcoming, or do not have adequate safeguards in place, then the insurance company may decline coverage, as happened to British electrical grid operators in early 2014.7777 And since cyber attacks can happen irregularly, the cost of protection may not always be worth it,7878 especially given the need for applicant firms to pass the equivalent of a cybersecurity audit.7979

Calculating cyber risk insurance premiums is no simple matter; there is little reliable data—a factor that is critical,8080

for example, to pricing healthcare and automobile insurance. Still, many firms are moving forward despite the relative newness of the problem and the relative lack of incentives for effective information sharing, which can result in skewed calculations.8181 This is notwithstanding the fact that annual premiums can run from the thousands to the hundreds of thousands depending on the type and size of organization seeking coverage.8282 Geography matters in the number of insurance options that firms have—Australian companies, for example, can reportedly choose from fifteen carriers,8383 whereas there are more than twenty providers in the U.S. depending on the specific market in question.8484 And there is evidence that deductibles are rising in step with proliferating cyber risk with some firms reportedly limiting their total coverage to $100 million.8585 Healthcare companies and retailers in particular—with both sectors having experienced recent high-profile breaches, such as Anthem and Target—are experiencing some of the steepest rises, with some firms facing a tripling of costs.8686 Anthem, for example, had to agree to pay the first $25 million of future breach costs out of pocket before it could get insured for $100 million in coverage.8787 Target reportedly was hoping to cover $90 million of the $264 million in losses from its 2014 breach through insurance.8888 Some discounts are available, though, to help with spiraling costs; Bryce and AIG, for example, have a history of offering rebates for firms using secure hardware and software packages.8989 Other insurers are going further. Ben Beeson of Lockton Companies, for example, has stated that, “Insurers are promoting newer technologies for securing payment card transactions that exceed credit card companies' requirements, such as tokenization and end-to-end encryption.”9090 Over time, such efforts could help ratchet up the overall level of cybersecurity preparedness across a range of businesses. And there is plenty of room to grow with an array of industries, such as manufacturing, as well as the public sector, largely lacking coverage.9191 Still, there is an active debate underway about the utility of incentivizing the purchase of cyber risk insurance given that it could lead to moral hazard by contributing to a more reactive mindset on the part of managers, meaning that it should only be considered as one piece in a polycentric approach aimed at managing cyber risk.

Many leading global law firms include project finance practice groups that help arrange financing for large infrastructure projects around the world. To take one example, Hogan Lovells LLP has been involved with deals ranging from defense and healthcare to light rail, sanitation, and satellites, in deals totaling more than $250 billion as of 2016.9292

Cybersecurity is forming an increasingly important component of these deals. This trend has been recognized by such groups as the Financial Industry Regulatory Authority (FINRA), which noted in a 2015 report that, “[b]roker-dealers are increasingly exposed to cybersecurity risks, and breaches at a broker-dealer could entail adverse implications for investors, firms, capital markets and even broader swaths of the financial system.”9393 Ensuring that a robust set of cybersecurity best practices is in place across the financial industry and within law firms (which are themselves often the targets of cyber attackers9494 ) can do a great deal to help mitigate cyber risk.

When project finance deals go awry, or nations pass policies or even expropriate investments, international dispute resolution proceedings including arbitration may result, which are fast becoming another major (if somewhat controversial9595

) component of many firms international practice groups. One particular facet of this practice that is increasingly of interest in the cybersecurity context is the rise of investment treaty arbitration under bilateral investment treaties (BITs), which are discussed further below.9696 In short, investment treaty arbitration is a treaty-based regime that leverages the rules and structures of international law along with private arbitration to make binding decrees on governments regarding the regulatory relationship between investors and the State.9797 Myriad forums exist for investment-treaty arbitration, but among the most important is the International Convention for the Settlement of Investment Disputes (ICSID). This specific arbitral process is important since it is designed to overcome the adjudicatory problems that often arise when a sovereign is involved in an international commercial transaction. The ICSID process is supposed to be autonomous, so much so that contracting States cannot even entertain challenges to ICSID awards. In practical effect, the only power a national court retains over ICSID judgments is the ability to recognize and enforce the ICSID award itself, subject to the ICSID internal appeal procedure created within the ICSID framework.

As of April 2016, the ICSID Convention has been ratified by 161 States,9898

yet it suffers from an underwhelming number of submitted cases.9999 Some commentators, such as noted arbitration authority Professor Thomas Carbonneau, highlight the problems associated with enforcement as one of the main obstacles to wider use of the ICSID Convention.100100 The ability of a state to essentially renege on its promise to arbitrate and enforce an award is a troubling aspect of the ICSID process, a concern that is further compounded by the traditional confidentiality of arbitration proceedings and awards. Indeed, beyond investment disputes, international commercial arbitration is a closed—almost secret—process. Shrouded behind a curtain of confidentiality (so sacrosanct that some national courts have inserted confidentiality into an otherwise silent arbitration agreement101101 ), the end result is that international arbitration has limited precedential value in building a law of cyber peace. For example, a search of the Investor-State Law Guide—a leading resource for international arbitral decisions—conducted in October 2015 for various key terms referencing cybersecurity only resulted in a single result for the prefix “cyber.”  This 2015 case, Lao Holdings, did not deal with cybersecurity per se, but rather related areas such as “cyber gossip.”102102 Other arbitral decisions may well have referenced cybersecurity as of this writing, but the fact that many are kept confidential means that their precedential value is quite limited.

At the next level up from private-sector innovation in the due diligence, insurance, project finance, and arbitration arenas, States are also experimenting with a wide array of frameworks and other bottom-up cybersecurity governance efforts aimed at securing critical infrastructure, protecting trade secrets, and mitigating the risk of cyber conflict.103103

Among other arenas, this trend may be seen in an increasing array of nations, including the U.S.,104104 creating voluntary cybersecurity frameworks designed to help foster a culture of cybersecurity particularly among critical infrastructure providers.105105 This effort, led by NIST,106106 is breaking new ground when it comes to fashioning a standard of cybersecurity care that is already having an impact not only in the U.S., but around the world with NIST actively collaborating with several dozen nations. It may indeed be true that none of these nations have gotten the regulatory mix exactly right given the continuing prevalence of cyber attacks across them,107107 but it is equally accurate that learning can and does happen across nations and sectors that could lead to what Professors Jack Goldsmith and Tim Wu call “regulatory spillover effects,” which can “be good or bad, depending on which regulatory scheme prevails.”108108 As such, it is important not to ignore State practice when it comes to building out the law of cyber peace. Space constraints prohibit a thorough recounting of all the relevant available data.109109 However, in summary, these nations and the E.U. generally (out of the more than twenty with which NIST has had active consultations) are, to a greater or lesser extent, emulating various aspects of the NIST Cybersecurity Framework in their domestic policymaking. The U.K., Italy, Japan, and, to a lesser extent, Australia seem to be the most supportive of many aspects of the NIST Cybersecurity Framework, as is the E.U., as seen in its support of core NIST Cybersecurity Framework terminology. In contrast, South Korea’s philosophy of more top-down cybersecurity policymaking stands in contrast to the spirit of bottom-up cybersecurity governance, even as it engages with the U.S. on NIST Cybersecurity Framework deployment. Such State practice is informative in discussions relating to cybersecurity norm development, a topic unpacked further in Section IV.

At the next conceptual level up from domestic policymaking, it is also important to note the role played by national cybersecurity strategies in laying out how nations view both the cybersecurity challenge and the role of the State in meeting it.110110

For example, in an analysis of thirty-four national cybersecurity strategies undertaken in 2015, it was found that fifty-six percent of the nations surveyed referenced the importance of information sharing as a key component of managing the multifaceted cyber threats to critical infrastructure, whereas only twenty-four percent mentioned the need for new regulation to enhance critical infrastructure cybersecurity.111111 These data help illustrate the extent to which there is a reticence on the part of a number of nations about taking a too heavy-handed role when it comes to regulating cybersecurity, highlighting the attractiveness of a more bottoms-up NIST Cybersecurity Framework-like approach.

Still, it remains unclear exactly how many nations will follow the lead of these countries in preferring a bottoms-up approach to cybersecurity risk management. Indeed, some of the leading cyber powers—including China and Russia—favor more State-centric approaches to enhancing critical infrastructure cybersecurity. This may be seen in the Russian government’s stated goal of by 2020 centralizing its efforts to detect and prevent cyber attacks, including those on critical infrastructure, giving over many functions to the Federal Security Service (FSB).112112

Moreover, regime effectiveness studies are notoriously difficult to undertake in this context. For example, the U.S. has more than 3,200 independent power utilities, unlike, for example, Germany, which has four major providers.113113 Some U.S. firms are taking appropriate steps to secure their systems, but differences in resources and expertise make the uptake of best practices haphazard in a purely bottoms-up system,114114 even as more space for experimentation and innovation is possible with so many actors identifying and instilling best practices.115115 Thus, as State practice crystallizes further, and by mining data such as has begun to be gathered by the International Telecommunication Union,116116 further research is required to better understand the most effective role for States in furthering a customary law of cyber peace.

Beyond State practice, there is an increasingly important role being played by minilateral legal instruments in promoting especially bilateral cybersecurity, though realizing the full benefit of these instruments will require reform as is discussed below. Before delving into the role of BITs in potentially protecting bytes, though, it is first important to offer some context. During the colonial era up to the nineteenth century, the leading developed nations held the view that foreign investors were entitled to property rights protections under international law, and that if their property was in fact taken then they were entitled to “prompt, adequate, and effective compensation.”117117

The modern terminology to describe such expropriations arose in the 1930s in a dispute between the governments of Mexico and the U.S. involving confiscated agrarian and oil properties, some of which were owned by U.S. citizens, resulting in a now famous diplomatic exchange between U.S. Secretary of State Cordell Hull and the Mexican Minister of Foreign Affairs.118118 In one of Hull’s notes, he put forward a standard for compensation that became the leading formulation for the protection of investor property rights under customary international law through the 1970s: “no government is entitled to expropriate private property, for whatever purpose, without provision for prompt, adequate, and effective payment therefore.”119119 Gradually, though, with the colonial era ending, new legal insturments began to take the place of the Hull Rule, namely the rise of BITs that have, over time, become the most important legal mechanism for the encouragement and governance of foreign direct investment (FDI) and, increasingly, trade secret protections.

BITs accord wide-ranging rights to investors, including the protection of contractual rights, and recourse to international arbitration should any disputes arise,120120

a topic of increasing political sensitivity both in Europe and the U.S.121121 The driving force behind this facet of international law has been the rapid growth of FDI, which, according to the World Bank, “increased seven fold from . . . 1970 to 2000.”122122 By 2012, FDI stocks had risen to some $22 trillion.123123 These growing figures have fueled the rise of BITs, which numbered nearly 3,000 by 2013124124 and covered a large range of industry sectors and business activities.125125 At the July 2013 China-U.S. Strategic and Economic Dialogue, for example, the U.S. and China publicized plans to begin negotiating an expansive BIT that will reportedly include the difficult issue of enhancing bilateral cybersecurity.126126   According to U.S. Treasury Secretary Jacob J. Lew, if successful, this would be “the first time China has agreed to negotiate a bilateral investment treaty, to include all sectors and stages of investment, with another country.”127127 Although some questions already have arisen regarding the seriousness of both sides in the negotiations, with direct investment between China and the U.S. increasing and trade secrets theft showing few signs of abating,128128 the potential for significant progress that could help deepen the U.S.-Chinese cybersecurity dialogue exists.129129   Indeed, it may already be bearing some fruit with the U.S.-China “cyber accord” in September 2015 that included measures to fight intellecutal property theft.130130

 In the U.S., trade secret theft of a product in interstate or international commerce violates the Economic Espionage Act131131

if “the intended beneficiary is a foreign power.”132132 However, the utility of the Economic Espionage Act in prosecuting trade secret theft is limited in the context of foreign state-sponsored cyber attacks that target corporate trade secrets, given the difficulties of attribution, extradition, and determining an appropriate forum to resolve the dispute—hence the potential value of investor-state arbitration. Other applicable U.S. statutes include the Computer Fraud and Abuse Act,133133 the National Stolen Property Act,134134 wire fraud,135135 and the 2016 Defend Trade Secrets Act, which created a federal cause of action for trade secret misappropriation.136136

The world’s various legal systems and cultures maintain different levels of intellectual property protections. Therefore, as emphasized by U.S. Deputy Secretary of State William Burns, the U.S. and China, for example, “need to reach a shared understanding of the rules of the road”137137

in cyberspace. BITs may be a vehicle to engender such norms. The use of BITs in this manner provides two key elements often lacking in other protective regimes like the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS): grievances that fall within the purview of a BIT not only can be pursued by an individual but also can be resolved within an internationally-accepted arbitration mechanism. The use of arbitration provides several advantages, as has been mentioned, such as the use of a neutral setting for resolution of grievances, well-established rules of arbitration and enforcement of awards, and access to and the use of well-established investor-dispute focused arbitration institutions. And of course, pursuing a claim under a BIT agreement allows a foreign investor to bring a claim against that host state in investor-state arbitration without the need to petition its home government to initiate dispute settlement proceedings.138138

Despite its advantages, BIT-based investment arbitration is not without its detractors. Unlike its predecessor—the Treaty of Friendship, Commerce and Navigation discussed in Section III—BITs are designed to be less complicated and more narrowly focused. However, they also are prone to unpredictable and, at times, even inconsistent interpretation. Their brevity created an apparent justification for judicial activism in order to clarify vague treaty language and to close gaps left open by the drafters.139139

As a result of this and other concerns, states have begun reconsidering their approach to investment treaties. As some countries started to denounce their BITs, others, like Bolivia and Ecuador, exited the ICSID Convention altogether.140140 In fact, States became more hesitant to negotiate BITs.141141 This relative decline in BIT enactment and participation rates cannot be explained by a saturation of the field alone.142142 Rather, more and more countries have put their BIT programs on hold in order to re-evaluate their approach to investment policymaking. These statistics highlight the ambiguity with which many nations view BITs and investor-state arbitration, with BIT rates dropping and some power centers pushing back on the use of arbitration, even as the overall number of BITs and arbitrations continues to increase.

Ultimately, for BITs to realize their potential as an important component of the law of cyber peace, the political and legal costs of these agreements need to be mitigated and interest rekindled on the part of developed and developing nations alike. Greater attention will also need to be paid to the compensation standard in play, since compulsory licenses will likely not fully compensate those that have lost trade secrets. Further, more transparency is needed in the investor-state arbitration arena to help address legal fragmentation and build the precedent necessary for stable and predictable international customary cybersecurity law. The absence of transparency is a growing concern in the international community as investor-state arbitration rates increase, but there have been positive steps made in this regard that should be reinforced in future BITs.

Aside from BITs, cybersecurity is also becoming an important topic in regional and global trade negotiations. Ongoing U.S.-E.U. trade talks have been shaped in part by cybersecurity and privacy concerns, especially in the aftermath of NSA surveillance programs and intellectual property protections.143143

The proposed Trans-Pacific Partnership also has a cybersecurity component (which may still move forward without immediate U.S. participation),144144 and even the World Trade Organization (WTO) employs enforcement mechanisms that may be applicable to cyberattacks if national security concerns could be overcome.145145 Together, these multilateral investment and trade regimes could provide a basis for fostering regional collaboration to enhance global cybersecurity at a time of relatively slow progress on domestic and multilateral cybersecurity policymaking.146146 Yet the applicability of these regimes to cybersecurity has been underappreciated in the literature to date,147147 in part because of legitimate concerns about the utility of this field of law as applied to cybersecurity that requires clarification and reform, as is discussed further below. Specifically, this Subsection builds from the foregoing discussion of BITs to ascertain the applicability of multilateral trade forums—notably the WTO—in helping to foster a law of cyber peace.

Beginning in 1994, the WTO expanded its coverage from trade in goods and trade in services to coverage of intellectual property through TRIPS.148148

Article 39 of this Agreement references trade secrets, which could be invaluable to negatively impacted individuals and firms that have been the victims of intellectual property theft.149149 As members of the WTO, both the U.S. and China, along with other important cyber powers such as Russia, are bound by the trade secret standards mandated by TRIPS.150150 Yet criticism of TRIPS has continued as applied to trade secrets; for example, some have argued that TRIPS has too limited coverage and an inadequate compensation regime. Similarly, even though States often comply with WTO judgments,151151 it has “no jailhouse, no bail bondsmen, no blue helmets, no truncheons or tear gas.” 152152 In other words, enforcement continues to be problematic, leaving the utility of this vehicle to help address the plight of victims in cross-border transactions involving trade secrets theft uncertain. More generally, the WTO has to date been ineffective as a forum for enhancing global cybersecurity because of the aforementioned national security exception. BITs may also be hobbled by the same exception unless perhaps the “good faith” standard put forward by the U.S. catches on and is made more robust.153153   Ultimately, however, both bottom-up (e.g., BITs) and top-down (e.g., WTO) regimes have unique benefits and drawbacks, necessitating a polycentric approach to enhancing cybersecurity and building a law of cyber peace coupled with relevant analogies from public international law.

Although the private law of cyber peace offers a number of helpful insights regarding ways to enhance global cybersecurity law and policy by harnessing this patchwork of tools, model laws, and data on State practice, it is vital to not ignore the public law of cyber peace. Indeed, this is the body of law with the longest history in regulating global commons spaces, and thus it is important to review it to understand what governance gaps may be filled. This Section undertakes this task by proceeding as follows: First, analogies from arms control regimes are considered, focusing on the interwar years and the nuclear war context. Second, global commons regimes are explored, including space, Antarctica, climate change, and the law of the sea. Third and finally, related regimes including MLATs, extradition treaties, and custom, are explored before moving on to discuss how the public law of cyber peace may be combined with private international law to create the legal foundation for a global culture of cybersecurity.

Arms control treaties have long helped limit the risk of conflict escalation across an array of contexts, to varying degrees of success. This Section investigates the history of two such efforts focusing on the interwar years between World War I and World War II and efforts to reign in the proliferation of nuclear weapons.154154

Although negotiated in different contexts during varied historical epochs, parallels and cautionary tales are drawn to the cybersecurity arena.

1. Interwar Arms Control: Being Cognizant of the Roots of Cyber Conflict.

Following the disastrous results of World War I, with millions of armed forces casualties,155155

the great powers embarked on an effort to limit the size of their own and antagonistic armed forces to limit the risk of future global armed conflict. The resulting major arms control treaties of the 1920s and 1930s primarily determined national strength in terms of fleet size.156156 This changed in the post-World War II period, when “strategic nuclear capability . . . replaced fleets as the measure of global power status.”157157 However, the interwar years do convey “an image of a policy environment not unlike our own today,” replete with the military grappling with the consequences of a technological revolution built on new products such as fighter planes, submarines, and tanks (as opposed to IT during the modern Revolution of Military Affairs), along with the complexities of navigating multipolar politics.158158

The interwar arms control regime was based on the 1922 Washington Treaty that placed limits on naval fleet sizes, and was followed by a slew of other treaties designed to ward off another arms race.159159

They failed. Why?160160 Among the lessons learned from this experience by scholars was that “by ignoring underlying sources of conflict, technical agreements may exacerbate insecurity.”161161 An example is the 1930 London Naval Treaty, which “reaffirmed Japan’s defensive superiority in the Pacific,” but failed to address Western and Japanese policy differences toward a unified China.162162 Thus, whereas cyber arms control is not necessarily impossible, to effectively keep the relative cyber peace, agreements must be as comprehensive as possible and take into account the likely reasons that a cyber conflict would start. A cyber weapons treaty would do little good, for example, if negotiators ignored its status during an armed conflict or the geopolitical context in which a conflict could arise, such as U.S.-China relations over Taiwan, or an attributed attack on critical infrastructure. Consequently, the interwar arms control treaties provide a fruitful cautionary tale for what can happen when good intentions race ahead of good policy that takes realpolitik into account for future agreements.

2. The Analogy of Nuclear War.

According to Jim Lewis of the Center for Strategic and International Studies, we understand nearly as much about the relationship between cyber conflict and international security now as we did about strategic thinking related to nuclear weapons in the early 1950s.163163

Assuming that is the case, then it may be helpful to briefly consider the conventions and applicable case law on nuclear warfare to frame contemporary efforts aimed at controlling cyber weapons. During the 1950s and 1960s, nuclear policy was a tightly veiled secret with relatively little public discussion,164164 similar to early debates on state-sponsored cyber attacks.165165 That was until Herman Kahn’s books, including On Thermonuclear War and Thinking About the Unthinkable, began a renaissance in scholarly work on the topic that had a great impact on U.S. nuclear policy.166166 The most significant legal decision on the use of nuclear weapons came in 1994, when the U.N. General Assembly voted to submit a request for an advisory opinion to the ICJ on the question of “whether the threat or use of nuclear weapons would be lawful.”167167 The U.S. argued in the case that nuclear weapons cannot be banned in the abstract, but rather each case “must be examined individually.”168168   Ultimately, the ICJ stated that the threat or use of nuclear weapons “would generally be contrary to the rules of international law.”169169 However, the court did not define whether “the threat or use of nuclear weapons would be lawful or unlawful in an extreme circumstance of self-defense, in which the very survival of a State would be at stake.”170170 Even though the ICJ did not declare all nuclear weapons illegal, the logic of its holding, that “methods and means of warfare . . . which would result in unnecessary suffering to combatants, are prohibited,”171171 is applicable to cyber conflict given the interconnectivity of cyberspace and resulting potential for damage as seen in attacks like Stuxnet.172172

The ICJ has not explicitly considered the legality of cyber weapons to this point.173173

Custom, as was mentioned in Section II, requires widespread State practice that is undertaken out of a sense of legal obligation.174174 State practice in the aftermath of cyber attacks seems to suggest a lack of consensus on how best to respond. Consider the initial reaction, or lack thereof, from states including Iran following Stuxnet.175175 However, the fact that States often attempt to hide their cyber activities through intermediaries or otherwise obfuscate could be understood as implicitly acknowledging the unlawfulness of the actions. It may also suggest a growing recognition that certain cyber attacks breach the customary international law norm of nonintervention as seen in recent G20 and G7 cybersecurity pronouncements discussed further in Section IV.176176   Yet, even in the absence of custom, several treaty regimes may provide a basis for the regulation of some cyber attacks under international law that fall below the armed attack threshold, at least until new regimes come online, including in the global commons context discussed next.

As difficult as the regulation of chemical, biological, and nuclear weapons may present, it is even more complex to prohibit the use of cyber attacks under international law, due in no small part to technical challenges, verification issues, and the attribution problem, among other concerns.177177

Nevertheless, some nations, such as Russia, potentially fearing Western digital dominance, are pushing for such an arms control-style cyber treaty.178178 Given the political, technical, and legal difficulties of such an approach, this Subsection instead considers lessons gleaned from other treaty systems governing the global commons that have sought to limit the use of weapons to help build out the law of cyber peace, including arms control treaties during the interwar period, nuclear weapons law, space law, and the Antarctic Treaty System (ATS). The Subsection concludes with an analysis of other applicable accords.

1. Introducing the Global Commons.

A “commons” is a general term meaning “a resource shared by a group of people.”179179

The notion of the commons can mean either a “resource system” or “a property rights regime,” depending on context.180180 As the term is used here, the notion is that certain areas (such as the sky, relevant in the climate change context) belong to all and should be preserved for posterity instead of private persons or the State exclusively managing the resource.181181 Under international law, “commons” are the exception, not the rule, given that territorial sovereignty has in large part defined international relations and international law since the 1648 Treaty of Westphalia, which ushered in the modern nation-state system.182182 The notion of the global commons posits that there are limits to national sovereignty in certain parts of the world, and that these areas should be “open to use by the [international] community but closed to exclusive appropriation” by treaty or custom.183183 At its height, the global commons comprised nearly seventy-five percent of the earth’s surface, including the high seas and Antarctica, as well as outer space, the atmosphere, and some argue, cyberspace.184184 Some of these regions were gradually regulated to a greater or lesser extent not by individual countries, but by the international community at times through the vague Common Heritage of Mankind (CHM) concept.185185 More recently, this trend has reversed itself; for instance, individual coastal nations, rather than the international community, now control the vast majority of readily accessible offshore resources.186186 The same trend might be playing out in cyberspace where many nations are seeking to assert greater control online, further challenging the notion of cyberspace as a commons.187187 Indeed, is cyberspace really still a commons, and for that matter, was it ever? Or is it being enclosed to such an extent that it is becoming a form of private property, or even an extension of national territory? Fundamentally, who enjoys sovereignty in cyberspace, and how might it be exercised? And why do these distinctions matter for cybersecurity?188188 These are the questions that drive the analysis of the “cyber pseudo-commons,” necessitating an analysis of other global commons regions to glean governance best practices. These examples are framed around historic lessons and policy options from each applicable regime, which are in turn summarized in Section IV as part of a polycentric approach to building out a law of cyber peace.

2. From the Digital Frontier to the Final Frontier: Arms Limitation in Space Law as an Analogy for Cyber War.

Outer space is inherently similar to cyberspace; both are vast areas encompassing both territorial and extraterritorial components. Like the weapons systems that have been developed to attack satellites, cyber attacks could have a large-scale strategic impact, both on terrestrial and orbiting assets.189189

In short, the use of either anti-satellite or sophisticated cyber weapons can be game changers. More broadly, both outer space and cyberspace are domains in which intelligence gathering has been widely tolerated, even though the outcry has been greater in the case of cyber espionage than orbital reconnaissance.190190 The nature of cyberspace also makes tracking difficult, because even though the physical Internet is routed in particular jurisdictions, controlling the packets of information that comprise cyberspace is another matter.191191 Similarly, “[s]pacecraft and satellites in orbit pass above many different sovereign jurisdictions,”192192 similar to the myriad jurisdictions through which cyber attacks transit.193193

Space and telecommunications systems are intertwined with cyberspace, including in such areas as imagery collection, navigation, and signals intelligence, to say nothing of sustainable use discussed further below.194194

However, space law’s failure to address whether the legal regime applies during an armed conflict limits its utility as applied to promoting cyber peace. Moreover, the military use of space was not forbidden by the OST, while, according to the Department of Defense (DOD), “[t]here is no legal prohibition against developing and using space control weapons,”195195 for example, save for placing nuclear weapons or other weapons of mass destruction (WMDs) into orbit.196196 A growing list of nations is developing space weapons.197197 Vision for 2020, a 1998 U.S. government report, explains that the U.S. should dominate space, a view shared by retired General Joseph W. Ashy, formerly of U.S. Space Command, who has said: “It’s politically sensitive, but it’s going to happen . . . we’re going to fight in space.”198198

International efforts to form a legal regime for space weapons have been nearly as happenstance as those aimed at limiting cyber weapons.199199

Russia and China have advocated for an expanded regime to control both space and cyber weapons.200200 Yet unlike the sophisticated infrastructure and advanced technology needed to develop and deploy space weapons, nearly all nations participate in the Information Age to some degree, whereas only some eighty nations have engaged in space exploration, and fewer still could be considered actively spacefaring.201201 Barring a major conflict, most States do not expect or have the resources “to be either an attacker or a defender” in space in the near term.202202 In contrast, nearly “all states can reasonably expect to be both”203203 an attacker and defender in cyberspace to some degree, which can make reaching consensus difficult.

In summary, analogizing space law illustrates that it is possible to regulate an area of the global commons to bar the most egregious military weapons systems, as this regime has done with nuclear weapons placed in orbit. Space law, however, does not fit the mold of cyber peace given the prevalence of cyber attacks, none of which are equivalent to a WMD attack.204204

There is no cyber equivalent of a nuclear weapon––no single attack now known that can, by itself, bring a country to its knees.205205 A more apt analogy may be the collective action problem of space junk. Some estimates place the total number of objects capable of damaging a spacecraft at more than thirty-five million, making attribution difficult.206206 As with a stray bolt damaging a satellite, a piece of malware can wreak havoc with disparate websites and networks. As of 2015, however, there has been little multilateral agreement on how to better manage orbital debris, though limited polycentric initiatives have been undertaken that could be informative to cyber peacebuilding.207207 Instead of finding analogies to ban certain types of code then, might it be possible (and desirable) to regulate all cyber attacks under public international law?

3. Freeze the Code: The Antarctic Treaty System Approach to Cyber Attacks.

Rather than banning only certain types of cyber attacks, another (admittedly difficult and complex) option to consider is regulating all cyber attacks. The Antarctic Treaty, which besides managing a continent was the first arms control treaty of the Cold War, provides a fruitful analogue because it goes further than the OST and bans all military activities.208208

The main objective of the Antarctic Treaty System (ATS) is to ensure “that Antarctica shall continue forever to be used exclusively for peaceful purposes.”209209 Like Antarctica, the Internet is a rich resource, being a repository of knowledge and a vital channel for commerce and communications. However, imposing a freeze on developing new software that could be used to launch malicious exploits, even if it were possible, would likely not be preferable given that it could stifle innovation, among other legitimate concerns.210210 Nor would a traditional international accord likely be capable of keeping up with rapidly changing IT, necessitating a kind of standing public-private committee of cybersecurity experts that could analyze industry best practices and help identify new security threats as they arise. Subsequent enforcement and coordination would thereafter pose daunting challenges. On the surface, then, it appears that neither barring certain malignant code nor all possible variations of cyber attacks under international law is an effective, efficient response to the cyber threat without substantial technological improvements.211211 What then about the potential of using either atmospheric governance or international communications to prosecute attackers and their facilitators?

4. On Climate Change and Cyber Attacks.

It is difficult to think of two issues with a greater potential to negatively impact both our natural environment and the global economy than climate change and cyber attacks. Though the long-term estimates on both are notoriously hard to pin down, contested estimates on the cost of cyber attacks range from approximately $400 billion for 2014 to more than $3 trillion by 2020.212212

  Similarly, the cost of climate change has been estimated at some $1.2 trillion annually, which works out to roughly 1.6 percent of global GDP.213213   Moreover, although the atmosphere and cyberspace are distinct extraterritorial arenas, they share similar problems of overuse, difficulties of enforcement, and the associated challenges of collective inaction and free riders.214214 It is also true that actions taken by a multiplicity of actors on different governance scales (from local to global) can impact both the global climate change problem and the cause of promoting cyber peace. This is part and parcel of the literature on polycentric governance—sometimes called the Bloomington School of Political Economy—which is quickly coming into vogue as the preferred model of tackling “new” global collective action problems, marking a shift from twentieth century models of global commons governance and is discussed further in Section IV.

Applying the complete corpus of international environmental law, or even that segment focusing on atmospheric governance, is beyond the scope of this Article.215215

However, there are targeted lessons from the ongoing climate change negotiations that deserve attention, beginning with the Montreal Protocol before moving on to the Twenty-First U.N. Framework Convention on Climate Change (UNFCCC) Conference of the Parties (COP21) 2015 meeting in Paris.216216

Much like Rachel Carson’s Silent Spring helped jumpstart a global conversation about the state of environmental protection, and Garrett Hardin’s article The Tragedy of the Commons helped popularize the dangers of open access regimes, another article, this time by three British scientists, helped precipitate arguably the most successful international treaty in history—the Montreal Protocol—which, in 2009, became the first U.N. treaty to achieve universal ratification after the U.N. Charter itself.217217

Why has the Montreal Protocol been so successful, and what lessons does it hold for climate change and for that matter cybersecurity? In short, the science was clear, scarcity was plain, alternatives were available, and geopolitics was simpler.218218 This state of affairs stands in opposition to how the climate change context during the UNFCCC COP process, which were long mired in geopolitical, international economic, and security challenges, as were brought into sharp relief at COP15 in 2009.219219 COP21 succeeded where COP15 failed largely because of the high number of serious national climate pledges on the lead up to the conference itself, with the U.S.-China announcement on bilateral emissions reductions leading the way.220220 By July 2015, nearly five months before COP21 would convene, more than a dozen nations, plus the E.U., had made climate pledges, with many more to come.221221 Analogizing atmospheric governance to promoting cyber peace, a push could be made to follow the COP21 approach in the cyber context and encourage transparency, such as by nations announcing pledges that best fit their unique national circumstances ahead of multi-stakeholder cybersecurity forums. The U.S.-China G2 Cybersecurity Code of Conduct is a helpful step forward in this direction, as are the G20 and G7 cybersecurity pronouncements discussed further in Section IV.

5. Applying the Law of the Sea to Promote Cyber Peace.

The Law of the Sea (LOS), like outer space, Antarctica, and the atmosphere, enjoys parallels with cyberspace. The codification process that resulted in the first United Nations Convention on the Law of the Sea (UNCLOS) treaty began in 1945, leading to UNCLOS I in 1958.222222

However, UNCLOS I did not sufficiently address concerns about the legal status of the deep seabed lying underneath the high seas, highlighting the need for further negotiations.223223 Relatively little was accomplished at UNCLOS II due to geopolitical divides.224224 This served as an impetus for UNCLOS III, which was tasked with regulating the use, exploration, and exploitation of all living and non-living resources of the high seas,225225 a vast area comprising more than seventy percent of the planet’s surface.226226 Still, the role of the private sector remained truncated, a cautionary tale when considering paths toward revamping Internet governance to promote cyber peace. As the deep seabed mining provisions of UNCLOS proved unsatisfactory to the developed world, the treaty was amended in 1994 to better comport with private economic development,227227 provisions that are now being put to the test with the uptick in deep seabed exploration by mining firms.228228

Among the provisions of UNCLOS III that may be applied to cybersecurity include Article 19, which states that a nation should not use another “nation’s territorial sea to engage in activities prejudicial to the peace, good order, or security of the coastal State.”229229

  This prohibition includes the collection of information, distribution of propaganda, or interference with systems of communications230230 —provisions that have direct application to such exploits as Distributed Denial of Service (DDoS) attacks. Moreover, Article 113 requires domestic criminal legislation to punish willful damage to submarine cables,231231 which represent the fiber-optic circulatory system of the global Internet. Depending on how broadly “damage” is conceived,232232 an argument could be made that the Article 19 prohibition should also apply to Article 21 and 113 claims involving submarine cables.233233   This could mean that, depending on State practice, cyber attackers who send code through submarine cables that come to shore in coastal States could be in breach of UNCLOS. However, this does not include enforcement mechanisms beyond calls for domestic criminal legislation, highlighting the need for State practice to mirror international treaty obligations if the law of cyber peace is to be an effective deterrent to cyber attackers.

UNCLOS is also an important example of a regime that was unsuccessful until it better recognized the needs of the private sector. Both proposed and existing legal regimes being applied to strengthen cyber peace should similarly ensure sufficient protections for private enterprise to promote engagement and spur innovation by not sidelining private entities as Internet governance evolves.234234

Relatedly, the history of UNCLOS also underscores the importance of including non-state actors and effective public-private partnerships in polycentric efforts aimed at managing global common pool resources,235235 including the Internet.

Building from the analysis of global commons regimes, this final Subsection investigates the utility of other applicable public accords—focusing on international telecommunications law, MLATs, and extradition treaties—before moving on to an analysis of governance gaps undertaken in Section IV.

1. International Communications Law and Cyber Attacks.

In many ways, the development of international communications law was the direct precursor to cyber law, beginning with agreements dating from the 1800s designed to protect the first submarine cables.236236

A key focal point for modern telecommunications governance is the ITU, the oldest still-active intergovernmental organization in the world.237237 For more than 150 years, the ITU has been the primary organization responsible for multilateral telecom governance,238238 and more recently it has also played a role in Internet governance.239239 The ITU Convention militates against “harmful interference,” defined in Annex 3 of the document as that which “endangers . . . safety services, or seriously degrades, obstructs or repeatedly interrupts a radio communication service.”240240 “Safety services” include technologies “used permanently or temporarily for the safeguarding of human life and property,” which could conceivably refer to public services such as health, police, and public transport, along with critical infrastructure more generally, all of which are vulnerable to cyber attacks.241241 However, the lack of mandatory enforcement mechanisms and its failure to apply during armed conflicts limits the efficacy of this regime, as does political resistance from some stakeholders to empower the ITU to have a larger role in enhancing global cybersecurity.242242

The ITU Convention also gives governments wide discretion in regulating private activity that “may appear dangerous to the security of the State,”243243

including acts “contrary to . . . public order, or to decency.”244244 Such broad authority opens the door to a wide range of domestic regulatory interventions in Internet governance. Indeed, at least according to the U.S. DOD, international communications law currently “contains no direct and specific prohibition” against the use of cyber attacks “by military forces, even in peacetime.”245245 As a result, whereas elements within the ITU Charter may help the international community manage cyber attacks, it offers limited guidance in promoting cyber peace without additional support.

2. Mutual Legal Assistance Treaties.

Numerous bilateral and multilateral treaties dealing with everything from legal assistance, extradition, diplomatic relations, and friendship, to status of forces agreements, also include provisions that impact cybersecurity. The U.S., for example, is party to dozens of MLATs that could be used to seek criminal prosecution of cyber attackers, especially those MLATs that either explicitly mention IT or are termed broadly enough to cover all law enforcement investigations.246246

However, there are often no enforceable obligations under these treaties, limiting their utility, as seen in the 2007 alleged Russian cyber attacks on Estonia, and the 2013 episode regarding Russian President Vladimir Putin’s refusal to extradite accused NSA leaker Edward Snowden to U.S. authorities despite the presence of a U.S.-Russia MLAT.247247   The U.S. is also “a party to more than a hundred bilateral extradition treaties.”248248 Without such accords, national governments would “have neither an international obligation nor the domestic authority to deliver custody of an individual” for prosecution in a foreign jurisdiction.249249   These treaties could be amended to more effectively bring the perpetrators of cyber attacks to justice, such as by including incentives for information sharing, sanctions for noncompliance, and making their coverage more explicit. There is, in fact, an effort to update the U.S.-U.K. MLAT along these lines.250250 States may be willing to expend the political capital to make these revisions due to the gravity of the cyber risk that they face, along with the increasing clarity surrounding the extent of interconnection within the global networked commons.

3. Extradition Treaties and Diplomatic Relations.

Another avenue to promote cyber peace would be to leverage existing treaties to help safeguard certain tempting targets such as embassies. The 1961 Vienna Convention on Diplomatic Relations enshrines the right of “inviolability of the premises” of a diplomatic mission, its archives, private residences and property of its agents, and its communications.251251

Applied to the law of cyber peace, then, this regime could protect all transmissions made to and from government embassies and missions against cyber attacks or espionage. This regime would be applicable in attacks that have already been waged against Russian and Japanese embassies, among others.252252   The reverse has also occurred, such as when the U.S. declared Venezuela’s consul general a persona non grata after she allegedly planned cyber attacks against U.S. networks.253253 Still, some countries are not relying on such legal instruments to protect themselves, such as Estonia, which has taken the proactive step of creating a “virtual embassy” to back up its citizens’ data outside of its geographic borders.254254

Treaties of friendship, commerce, and navigation could also be used to leverage the prospects for cyber peace.255255

Other applicable frameworks to a law of cyber peace include countermeasures allowing states to respond to violations,256256 several U.N. General Assembly resolutions relating to cybersecurity,257257 and limited regional initiatives such as NATO’s cybersecurity efforts, along with the Council of Europe, Organization of American States, and Shanghai Cooperation Organization’s cybersecurity initiatives.

Section III undertook a wide-ranging, non-comprehensive investigation into some of the sources of public international law that, together, could be leveraged to help build out the law of cyber peace if the limitations described are overcome. While a patchwork, these regimes together provide a helpful polycentric foundation that could be synergistically refined through additional protocols and public-private partnerships across a range of industries, sectors, and country groupings. To ascertain the promise of such an approach in further building out the law of cyber peace (assuming that new treaty formation remains off the table for geopolitical reasons), Section IV begins by further unpacking the benefits and drawbacks of polycentric governance in the cybersecurity context before moving on to discuss implications for policymakers and managers.

Increasingly, leaders such as the former President of Estonia, Toomas Ilves; the former Director of the Internet Corporation for Assigned Names and Numbers (ICANN), Fadi Chehadé; and even Nobel Laureates such as Professor Elinor Ostrom have proffered polycentric governance as the best path forward to addressing the global collective action problems of climate change and cyber attacks.258258

Indeed, already some of the public- and private-sector efforts highlighted in this Article may be bearing fruit with, by some estimates, the severity of cyber attacks beginning to plateau and “an emerging norm against the use of severe state-based cyber tactics” emerging.259259 But it is equally important to consider the evolution and limits of this approach.

It may be easiest to understand polycentric governance in juxtaposition to the alternative—monocentrism, which is a political system where the authority to enforce rules is “vested in a single decision structure that has an ultimate monopoly over the legitimate exercise of coercive capabilities.”260260

At its core—building from important notions of legitimacy, power, and multiple decision centers—polycentric governance is concerned with the rule of law. In this manner, the U.S. constitution has been described as an “experiment in polycentricity,” with federalism being one way to operationalize the concept.261261 Professor Michael Polanyi did a great deal to develop and advance the field of polycentric governance. In many ways, his approach was original in that it began with a realization as to the importance of social organization in the process of scientific discovery above and beyond strict adherence to the “scientific method.”262262 He realized, for example, that polycentric structures are vital for scientific discovery given that the inherent “freedom is utilized to search for an abstract end goal (objective truth).”263263 This can only occur in the absence of an overarching authority in arenas driven by ideals including beauty, truth, and justice in the contexts of art, religion, and the law.264264 In this way, capitalism itself may be seen as polycentric given that it incorporates “a web of many agents that constantly adjust their behavior to the decisions made by others.”265265 This may be compared against a monocentric-socialist system in which a centralized command and control authority is tasked with organizing a top-down structure for making production decisions.266266 In such a polycentric system, ideas of equity and justice, Polanyi argued, may only be crystallized by a gradual process of trial-and-error experimentation.267267 Arguably, we are undertaking such experimentation now at the global level, with divergent State and private-sector practice geared toward promoting cyber peace as was discussed in Sections II and III.

Professor Lon Fuller agreed with Polanyi’s assessment with regards to polycentrism, arguing that many legal decisions are in fact polycentric in that they involve multiple “decision centers and the network of cause and effect relationships is not understood very well.”268268

Such a conceptualization of the justice system highlights, among other issues, the prevalence of unintended consequences that can frustrate justice seekers.269269 As such, Professor Fuller argued that as the degree of polycentricity in a system increases, judges should be more inclined to leave a decision to either the competitive market or to the political branches.270270 Similar arguments could be made with regards to cybersecurity, especially given the difficulty involved with identifying cybersecurity best practices in a dynamic technological environment. However, debates swirling around a cybersecurity market failure271271 and the relative lack of action by the U.S. Congress on cybersecurity militate against the courts deferring to the other branches.

The Ostroms’ work on polycentric governance, begun in the 1960s, was initially centered on questions of metropolitan governance, but subsequently evolved in two directions—social theory, and empirical investigations of governance structures. The Ostroms argued that coordination in complex systems is in fact possible through interorganizational arrangements that “would manifest market-like characteristics and display both efficiency-inducing and error-correcting behavior.”272272

In other words, by taking a political economy approach, the Ostroms were able to show that “competition among public agencies is not necessarily inefficient.”273273 Yet the great leap in governance research was the Ostroms’ contention to test their presumption, “to undertake critical tests where divergent theories imply contradictory conclusions.”274274 This was the birth of empirical polycentric governance research, the ramifications of which continue to resonate around the world in a wide array of contexts, including with regards to cybersecurity.

As applied to cybersecurity, the field of polycentric governance has an array of particularized lessons drawn from Professor Ostrom’s work, as summarized in her Institutional Analysis and Design (IAD) Framework.275275

This is a framework of governance best practice gleaned from decades of commons field studies and applied, among other contexts, to global commons issues including atmospheric governance. Some of these principles similarly have resonance to the cause of cybersecurity due diligence, including the need to undertake effective cost-benefit analysis,276276 conduct supply chain monitoring with an eye toward spotting hardware and software vulnerabilities, and institute governance strategies that permit ample space for innovation while still mandating proven best practices.277277 The latter goal may be furthered by, for example, requiring NIST Cybersecurity Framework compliance for all suppliers and potential partners, something that more firms are undertaking. For example, in early 2015, Bank of America announced “that it is using the Framework and will also require it of its vendors,” while “QVC is announcing that it is using the Cybersecurity Framework in its risk management.”278278

At a more global level, this approach highlights support for minilateral norm building, which we are already seeing across a number of fora including the G2, G7, and G20. For example, the G2 Cybersecurity Code of Conduct that was mentioned in the introduction calls for mutual restraint in cyber economic espionage, particularly the theft of trade secrets.279279

Similarly, the G7 continued its work on cybersecurity in 2016, publishing its view that “no country should conduct or knowingly support ICT-enabled (information and communication technology) theft of intellectual property” and that all G7 nations should work to “preserve the global nature of the Internet,” including the free flow of information in a nod to the notion of cyberspace as a “global networked commons.”280280  The 2015 G20 has perhaps been the most active forum pushing, in particular, the international law of cyber peace, stating in a 2015 communique, for example, that: (1) “international law, including the United Nations (UN) Charter, applies to nation-state conduct in cyberspace;” and (2) “no country should conduct or support the cyber-enabled theft of intellectual property.”281281 Similarly, the U.S. proposed three peacetime norms that were accepted for inclusion in the 2015 U.N. Group of Governmental Experts consensus report, which includes language on protecting critical infrastructure, safeguarding Computer Security Incident Response Teams, and collaborating on cybercrime investigations.282282

282

Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN General Assembly, A/70/174 (July 22, 2015).Hide

These forums are proving invaluable for minilateral norm building that is helping to crystallize State practice. Overall, this form of polycentric undertaking is similar to efforts like the Guiding Principles on Business and Human Rights (Guiding Principles) Framework approach authored by Professor John Ruggie, which encourages greater stakeholder buy-in from diverse organizations rather than a multilateral, top-down approach to promoting human rights in business practices.283283

283

See, for example, John G. Ruggie, Just Business: Multinational Corporations and Human Rights 78 (2013).Hide

Such an approach could also aid in norm building by norm entrepeneurs, such as leading businesses and governments announcing efforts that could eventually cause a “norm cascade” in which cybersecurity best practices become internalized and eventually codified in national and international laws.284284

284

See Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and Political Change, 52 Int’l Org. 887, 895–98 (1998).Hide

Ultimately, though, the trick is finding the appropriate “balance between simplicity and complexity” to better leverage the power of polycentric governance to promote cyber peace.285285

285

Michael D. McGinnis, Elinor Ostrom: Politics as Problem-Solving in Polycentric Settings, in Elinor Ostrom and the Bloomington School of Political Economy 281, 285 (Daniel H. Cole & Michael D. McGinnis eds., 2014).Hide

B. Summary and Implications

TOP

Taken together, the diverse sources of private and public international law discussed in this Article provide the beginnings of a legal framework to manage cyber attacks during peacetime. The private and public sectors are pioneering systems of cybersecurity due diligence and cyber risk insurance that are already helping to mitigate the cyber risk of an array of small, medium, and large organizations. Existing bilateral and multilateral trade and investment treaties provide the ability for private entities to protect their intellectual property such as through international arbitration. If a host nation’s domestic laws criminalize cyber attacks, then applicable MLATs and extradition treaties would apply to make perpetrators accountable in various jurisdictions. If the attack were directed against a foreign mission or embassy, then the Vienna Convention on Diplomatic Immunity would provide certain remedies and potentially reparations to the victim nation, potentially combined with virtual embassy schemes such as the one currently pioneered by Estonia. Moreover, provisions under UNCLOS III regulating submarine cables, the ability to prosecute private parties in breach of the ITU treaty in telecommunications law, and interference with satellite transmissions in space law, all place restrictions on cyber attackers. This regime has been criticized as “patchwork,”286286

286

Finnemore & Sikkink, supra note 284, at 859.Hide

partly because of prevalent enforcement and verification concerns.287287

287

For more on regime effectiveness in the cybersecurity context, see Shackelford, supra note 10; Shackelford, On Climate Change and Cyber Attacks, supra note 16.Hide

  But it is a foundation, however limited, from which to build the edifice of cyber peace.

If political impasses are overcome and State practice further crystallizes, negotiators could craft a new cybersecurity treaty to improve upon the suboptimal status quo that: (1) defines appropriate graduated sanctions against nations harboring or sponsoring cybercriminals and terrorists where possible; (2) clarifies which international legal provisions apply below the armed attack threshold; (3) establishes a regime for attribution that includes robust information sharing; (4) provides for enforcement mechanisms; and (5) provides a system of efficient dispute resolution.288288

288

See Oona A. Hathaway et al., The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 880 (2012).Hide

Several proposals have been made along these lines, and indeed it may be possible to build on recent norm development, such as from the G20, by requiring a duty to assist victim nations, not interfering with cybersecurity investigations (including first responders), and codifying a prohibition on attacking critical infrastructure.289289

289

Group of Governmental Experts, supra note 282.Hide

Ultimately, the limitations of existing regimes, created by analogy and the extension of principles developed to suit different challenges, demonstrate the limits of international laws to enhance cybersecurity. Internet freedom arguments about the “unregulatability of BITs” and the ability of attackers to circumvent national borders remain powerful especially given rapid technological advancements, but have been partly undermined by the work of scholars, such as Professor Joel Reidenberg, who have advocated for the potential of private regulatory regimes to serve as proxies for laws.290290

290

Andrew W. Murray, The Regulation of Cyberspace: Control in the Online Environment 203–04 (2006).Hide

However, the fundamental difficulty of enforcing regulations in cyberspace remains apparent given problems of attribution, environmental plasticity, and the inter-networked nature of cyberspace, among other challenges.291291

291

Id. at 205.Hide

This means that although regulation is possible in cyberspace, it is fraught with difficulties. It is best, then, to consider law and norms alongside market-based incentives and code as part of a polycentric system for fostering cyber peace given the absence of a comprehensive legal regime. By stacking such regimes, as it were, gaps within one arena may be offset by coverage in another such that more robust coverage results.

What other options exist in enhancing cybersecurity beyond adapting existing treaties? Some argue for the widespread use of preventative self-defense with its attendant dangers of international instability and escalation.292292

292

See Christopher C. Joyner & Catherine Lotrionte, Information Warfare as International Coercion: Elements of a Legal Framework, 12 Eur. J. Int’l L. 825, 858–59 (2001).Hide

Others would prefer a regime of universal jurisdiction, whereby any State would be able to prosecute cyber attackers.293293

293

See Kelly A. Gable, Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent, 43 Vand. J. Transnat’l L. 57, 57 (2010).Hide

An extreme option is a movement toward a surveillance society such that every State would have greater information awareness, raising obvious privacy implications while not necessarily contributing to overall cybersecurity.294294

294

See Denver Nicks, Report: Usefulness of NSA Mass Surveillance ‘Overblown,’ Time (Jan. 13, 2014), (https://perma.cc/CP73-FWNW).Hide

Among other issues, each of these approaches raises the thorny problem of harmonization, as well as reciprocity. Given that the U.S. remains a leading cyber power, U.S. cybersecurity policy may well be mirrored back; we have to be comfortable with the reflection.

V. Conclusion

TOP

International law changes with events: as Justice Oliver Wendell Holmes wrote, “The life of the law has not been logic; it has been experience.”295295

295

Oliver Wendell Holmes, Jr., The Common Law 1 (1923).Hide

It is essential for policymakers to consider cyber attacks as the revolutionary threat that they are to the security and welfare of citizens around the world in order for real and lasting progress to be made. But it is equally necessary for scholars, jurists, and negotiators to place a greater emphasis on developing and clarifying the law of cyber peace, given that this legal regime will be responsible for managing responses to the vast majority of cyber attacks.296296

296

See Mary Ellen O’Connell, Cyber Security without Cyber War, 17 J. Conflict & Sec. L. 187, 187 (2012).Hide

Important work, including Tallinn 2.0, has contributed greatly to this effort, but much more remains to be done, particularly with regards to ascertaining the status of customary international cybersecurity law based on data about State practice, and the overall regime effectiveness of various cyber laws. This Article has explored how some existing private and public sources of international law may be applied to promote cyber peace. As has been shown, there is not an absence of law in cyberspace. It is far from the untamed digital Wild West that it is at times made out to be. The issue is one of reconceptualizing cyber attacks and determining appropriate responses within an evolving polycentric system. Existing regimes should not be abandoned, or their value underappreciated, in favor of new cybersecurity accords, given that little clarity exists as to what such treaties might look like, even if it was politically feasible to negotiate and ratify them. Better, one might think, to bolster the process of legal clarification and norm building now, and not let the great be the enemy of the good.