Prior to Russia’s physical invasion of Ukraine on February 24, 2022, there were blatant incursions into Ukraine that began spreading chaos before a single bomb fell. These incursions came about in cyberspace, as Russian hackers attacked systems belonging to Ukrainian agencies, banks, and Ukraine’s defense ministry.[1],[2] In addition to shutting down sites, hackers added messages saying to “be afraid and expect worse” with threats against the Ukrainian people being spread all over as Russia attempted to generate panic.[3]
Now, as the war in Ukraine rages on and the western world continually pressures Russia in the wake of its atrocities, the threat of cyberwarfare continues to expand. On April 8, Finland, while weighing the possibility of NATO membership, was hit with a distributed denial-of-service (DDoS) attack, disrupting multiple government servers, including Finland’s Foreign Ministry and Defense Ministry.[4] Though no physical damage occurred as a result of the DDoS attack, Russia’s goal of political intimidation and interference in Finland’s sovereignty is evident. Given President Biden’s recent remarks about the likelihood of cyberattacks on American companies in addition to critical infrastructure, the question now is not if more destructive cyberattacks will occur but when.[5] However, despite the physical world’s increased entanglement with cyberspace, the fact remains that international law has not made up its mind as to how to address the issues that cyberattacks pose. Though steps have been taken, without more concrete rules in place to prohibit the increasing threat of cyberattacks, the future state of the internet and its transition into the metaverse will remain uncertain and vulnerable.
The largest step taken to establishing a legal framework in regards to the international law of cyber operations was the creation of the Tallinn Manual.[6] The Tallinn Manual was put together by a group of independent legal experts and was initially published in 2013, with a second version, Tallinn Manual 2.0, being published in 2017.[7] As the creators of the Tallinn Manual acted independently of any nation or international entity, the manual does not have any legally binding effect. [8] That having been said, regardless of the mixed reactions to the manual, it signifies the greatest step forward toward the legal codification of cyber operations.[9] The Tallinn Manual prohibits the threat or use of force against States in a way that interferes with a States’ political independence or territorial integrity, which is in line with standards of customary law.[10] Though the Tallinn Manual does fall short in defining what constitutes the usage of force within the realm of cyber operations.
In order to assess whether a violation of territorial sovereignty has occurred, the experts gravitated towards analyzing physical damage, loss of functionality, and infringement upon territorial integrity falling below the threshold of loss of functionality.[11] The experts agreed that physically damaging property within a nations territory or stripping it of its functionality to the point that replacement is necessary would constitute a violation of territorial sovereignty.[12] The experts could not reach a consensus however, as to whether simply interfering with functionality or removing some information, which could diminish functionality, could be found to be a usage of force.[13] This is problematic as states may only engage in self-defense when cyberattacks reach a level of force considered comparable to an armed attack.[14] This means that nations must refrain from responding when cyberattacks merely suspend functionality of systems for a period of time or otherwise manipulate data in ways that fall below the Tallinn Manuals threshold for the usage of force. Given that cyberattacks with very tangible consequences can elude enforcement under the Tallinn Manual’s rules, the question exists as what adjustments need to be made to correct the course of international law.
In his article analyzing the impact of the Tallinn Manual on territorial sovereignty, Luke Chircop presented a solution in the form of a “strict inviolability” approach in regards to the usage of force within cyberspace, arguing that such an approach should be implemented as customary law.[15] Chircop states that because the servers holding data exist within a nations borders, that any action entailing more than de minimis effects should be classified as a violation of territorial sovereignty as such actions involve interfering with property within another state.[16] This approach would mean that anything beyond mere surveillance, particularly the insertion or manipulation of data, would constitute a usage of force to which a nation could theoretically respond.[17] Such an interpretation would go well beyond the Tallinn Manual, which leans towards kinetic attacks being necessary for a finding of a usage of force, with manipulation of data having to rise to a much greater level of interference in order to even be considered as violating territorial sovereignty.
Though appearing radical in comparison to current standards, the fact of the matter is that Chircop’s view of what is necessary to create a more sustainable cyber environment is accurate. As has been made clear following the cyberattacks perpetrated by Russia against Ukraine and other European states, there is a growing tendency to utilize cyberattacks in ways that cause real threats to states while falling below the Tallinn Manual’s threshold for what constitutes a violation of territorial sovereignty. Additionally, the last several years have seen an expansion in the idea of holding digital property and the concept of the metaverse.[18] Particularly as sales of non-fungible tokens (NFTs) rise, the world has shifted into one in which data itself can be regarded as unique and irreplaceable property that holds value and can be stolen or destroyed.[19] Similarly, as citizens of nations begin to hold property, attend events, and otherwise interact within the metaverse, there will be a need to increase protections on digital property and servers generally. Simple data manipulation or the suspension of services within the realm of the metaverse could easily mean the loss of millions of dollars worth of civilian property. As the Tallinn Manual prohibits attacking civilian objects, the destruction of such irreplaceable property through data manipulation should undoubtedly be prohibited.[20] Similarly, there are many aspects of the digital realm that may fall within the Tallinn Manual’s protection of cultural property.[21] As artwork is increasingly sold as NFTs, the rise of the metaverse may similarly lead to digital venues becoming regarded as cultural property, which may be shielded from military purposes. This would mean that cyberattacks on culturally significant digital properties may also be prohibited. Though it is currently much more difficult to delineate what may be culturally significant within the digital landscape, the fact remains that as our lives increasingly intertwine with cyberspace, the need protections for that space must increase.
Sadly, as the war in Ukraine has demonstrated, cyberattacks will not disappear anytime in the near future. It is evident from the increased militarization of cyberspace that states need to be prepared for future attacks. For now, as states continue to bolster their cyber defenses, we must continue to press for greater recognition of digital property rights and the protection such rights entail. As changes occur, customary law will hopefully evolve in a way that disincentivizes cyberattacks to a greater extent and enables nations to better respond to threats so that the future of the metaverse may continue to be a bright and open one.
[1] Luke Harding, Ukraine hit by ‘massive’ cyber-attack on government websites, The Guardian (Jan. 14, 2022 3:45pm), https://www.theguardian.com/world/2022/jan/14/ukraine-massive-cyber-attack-government-websites-suspected-russian-hackers.
[2] Sean Lyngaas & Tim Lister, Cyberattack hits websites of Ukraine defense ministry and armed forces, CNN (Feb. 15, 2022 6:43pm), https://www.cnn.com/2022/02/15/world/ukraine-cyberattack-intl/index.html.
[3] Harding, supra note 1.
[4] Leo Laikola, Finland Hit by Cyber Attack, Airspace Breach as NATO Bid Weighed, Bloomberg (Apr. 8, 2022 7:33am), https://www.bloomberg.com/news/articles/2022-04-08/finland-hit-by-cyber-attack-airspace-breach-as-nato-bid-weighed.
[5] Maggie Miller & Sam Sabin, Biden warns Russain cyberattacks ‘coming’, Politico (Mar. 21, 2022 2:58pm)https://www.politico.com/news/2022/03/21/biden-russia-cyberattacks-00018942.
[6] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt ed., 2d ed. 2017) [hereinafter Tallinn Manual 2.0], at 1-7.
[7] Tallinn Manual 2.0, supra note 6.
[8] Id.
[9] Dan Efrony & Yuval Shany, A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice, 112 Am. Int’l L.J.4, at 585.
[10] Tallinn Manual 2.0, supra note 6, at 329 r. 68.
[11] Id. at 20 r. 4 ¶ 11.
[12] Id. at 20-21 r. 4 ¶ 13.
[13] Id. at 21 r. 4 ¶ 14.
[14] Id. at 339 r. 71.
[15] Luke Chircop, Territorial Sovereignty in Cyberspace after Tallinn Manual 2.0, 20(2) MelbJlIntLaw 14 (2019).
[16] Id.
[17] Chircop, supra note 15.
[18] Eric Ravenscraft, What is the Metaverse, Exactly?, Wired (Apr. 25, 2022 7:00am), https://www.wired.com/story/what-is-the-metaverse/.
[19] Sam Dean, $69 million for digital art? The NFT craze explained, L.A. Times (Mar. 11, 2021 10:34pm), https://www.latimes.com/business/technology/story/2021-03-11/nft-explainer-crypto-trading-collectible.
[20] Tallinn Manual 2.0, supra note 6, at 434 r. 99.
[21] Id. at 534-536 r. 142.
