National position of the United States of America (2020)

Introduction
This is the national position of the United States of America on international law applicable to cyberspace. The position has been presented by Hon. Paul C. Ney, Jr., General Counsel of the US Department of Defense during the US Cyber Command Legal Conference on 2 March 2020.

Applicability of international law
"We recognize that State practice in cyberspace is evolving. As lawyers operating in this area, we pay close attention to States’ explanations of their own practice, how they are applying treaty rules and customary international law to State activities in cyberspace, and how States address matters where the law is unsettled."

"It continues to be the view of the United States that existing international law applies to State conduct in cyberspace. Particularly relevant for military operations are the Charter of the United Nations, the law of State responsibility, and the law of war. To determine whether a rule of customary international law has emerged with respect to certain State activities in cyberspace, we look for sufficient State practice over time, coupled with opinio juris—evidence or indications that the practice was undertaken out of a sense that it was legally compelled, not out of a sense of policy prudence or moral obligation."

Use of force
 "Article 2(4) of the Charter of the United Nations provides that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” At the same time, international law recognizes that there are exceptions to this rule.  For example, in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack.  This is true in the cyber context just as in any other context.

Depending on the circumstances, a military cyber operation may constitute a use of force within the meaning of Article 2(4) of the U.N. Charter and customary international law. In assessing whether a particular cyber operation—conducted by or against the United States—constitutes a use of force, DoD lawyers consider whether the operation causes physical injury or damage that would be considered a use of force if caused solely by traditional means like a missile or a mine. Even if a particular cyber operation does not constitute a use of force, it is important to keep in mind that the State or States targeted by the operation may disagree, or at least have a different perception of what the operation entailed." 

Prohibition of intervention
 "[..] the international law prohibition on coercively intervening in the core functions of another State (such as the choice of political, economic, or cultural system) applies to State conduct in cyberspace. For example, “a cyber operation by a State that interferes with another country’s ability to hold an election” or that tampers with “another country’s election results would be a clear violation of the rule of non-intervention.”   Other States have indicated that they would view operations that disrupt the fundamental operation of a legislative body or that would destabilize their financial system as prohibited interventions.

There is no international consensus among States on the precise scope or reach of the non-intervention principle, even outside the context of cyber operations. Because States take different views on this question, DoD lawyers examining any proposed cyber operations must tread carefully, even if only a few States have taken the position publicly that the proposed activities would amount to a prohibited intervention.

Some situations compel us to take into consideration whether the States involved have consented to the proposed operation. Because the principle of non-intervention prohibits “actions designed to coerce a State … in contravention of its rights,” it does not prohibit actions to which a State voluntarily consents, provided the conduct remains within the limits of the consent given." 

Self-defence and armed attack
 "[..] in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack. This is true in the cyber context just as in any other context." 

Countermeasures
 "Depending on the circumstances, DoD lawyers may also consider whether an operation that does not constitute a use of force could be conducted as a countermeasure. In general, countermeasures are available in response to an internationally wrongful act attributed to a State. In the traditional view, the use of countermeasures must be preceded by notice to the offending State, though we note that there are varying State views on whether notice would be necessary in all cases in the cyber context because of secrecy or urgency.  In a particular case it may be unclear whether a particular malicious cyber activity violates international law.  And, in other circumstances, it may not be apparent that the act is internationally wrongful and attributable to a State within the timeframe in which the DoD must respond to mitigate the threat. In these circumstances, which we believe are common, countermeasures would not be available." 

Peacetime cyber espionage
 "For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory. This proposition is recognized in the Department’s adoption of the “defend forward” strategy: “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The Department’s commitment to defend forward including to counter foreign cyber activity targeting the United States—comports with our obligations under international law and our commitment to the rules-based international order.

The DoD OGC view, which we have applied in legal reviews of military cyber operations to date, shares similarities with the view expressed by the U.K. Government in 2018. We recognize that there are differences of opinion among States, which suggests that State practice and opinio juris are presently not settled on this issue. Indeed, many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks precludes a conclusion that States have coalesced around a common view that there is an international prohibition against all such operations (regardless of whatever penalties may be imposed under domestic law).

Traditional espionage may also be a useful analogue to consider. Many of the techniques and even the objectives of intelligence and counterintelligence operations are similar to those used in cyber operations. Of course, most countries, including the United States, have domestic laws against espionage, but international law, in our view, does not prohibit espionage per se even when it involves some degree of physical or virtual intrusion into foreign territory. There is no anti-espionage treaty, and there are many concrete examples of States practicing it, indicating the absence of a customary international law norm against it. In examining a proposed military cyber operation, we may therefore consider the extent to which the operation resembles or amounts to the type of intelligence or counterintelligence activity for which there is no per se international legal prohibition.

Of course, as with domestic law considerations, establishing that a proposed cyber operation does not violate the prohibitions on the use of force and coercive intervention does not end the inquiry. These cyber operations are subject to a number of other legal and normative considerations." 

Sovereignty
 "As a threshold matter, in analyzing proposed cyber operations, DoD lawyers take into account the principle of State sovereignty. States have sovereignty over the information and communications technology infrastructure within their territory. The implications of sovereignty for cyberspace are complex, and we continue to study this issue and how State practice evolves in this area, even if it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law." 

International humanitarian law (jus in bello)
 "It is also longstanding DoD policy that U.S. forces will comply with the law of war “during all armed conflicts however such conflicts are characterized and in all other military operations.” Even if the law of war does not technically apply because the proposed military cyber operation would not take place in the context of armed conflict, DoD nonetheless applies law-of-war principles. This means that the jus in bello principles, such as military necessity, proportionality, and distinction, continue to guide the planning and execution of military cyber operations, even outside the context of armed conflict." 

Voluntary, non-binding norms of responsible state behavior
 "DoD lawyers also advise on how a proposed cyber operation may implicate U.S. efforts to promote certain policy norms for responsible State behavior in cyberspace, such as the norm relating to activities targeting critical infrastructure. These norms are non-binding and identifying the best methods for integrating them into tactical-level operations remains a work in progress. But, they are important political commitments by States that can help to prevent miscalculation and conflict escalation in cyberspace. DoD OGC, along with other DoD leaders, actively supports U.S. State Department-led initiatives to build and promote this framework for responsible State behavior in cyberspace.  This includes participation in the UN Group of Governmental Experts and an Open-Ended Working Group on information and communications technologies in the context of international peace and security.  These diplomatic engagements are an important part of the United States’ overall effort to protect U.S. national interests by promoting stability in cyberspace." 