
The Evolution of International Law in Cyberspace

  • Writer: Edmarverson A. Santos
  • Jun 5

I. Introduction


The Evolution of International Law in Cyberspace reflects a growing need to regulate global behavior in an increasingly digital world. As cyber operations escalate in frequency, scale, and geopolitical impact, states and institutions are under pressure to define legal boundaries that govern actions in this domain. The rise of state-sponsored cyber attacks, disinformation campaigns, and digital espionage has prompted international legal scholars, governments, and private actors to reassess how existing frameworks apply—or fail to apply—to modern threats.


The foundational rules of international law, including sovereignty, non-intervention, and the prohibition on the use of force, were designed in a pre-digital era. Yet, they now serve as the legal scaffolding for cyberspace governance. The Tallinn Manual 2.0, United Nations reports, and state practice show that nations are interpreting these rules through the lens of strategic interest. Some seek clarity and global norms to deter malicious behavior, while others prefer ambiguity to maintain operational freedom.


In this legal grey zone, the balance between digital sovereignty, international security, and human rights has become increasingly complex. The next sections will examine how international law has evolved, what challenges remain, and what future directions are emerging for law in cyberspace.


II. The Legal Foundations of Cyber Norms


International law provides the basis for state conduct in cyberspace, even though it was originally developed for the physical world. Core principles—such as state sovereignty, non-intervention, due diligence, and the prohibition of the use of force—now guide legal expectations in the digital realm. These principles are not new laws; rather, they are being interpreted and applied to new technologies and cyber activities.


One key source is the United Nations Charter, which remains the cornerstone of global peace and security. Article 2(4) prohibits the use of force, while Article 51 affirms the right to self-defense. These provisions now inform how states respond to hostile cyber operations, such as those that target infrastructure or elections.


Customary international law also plays a role. While not written in treaties, customary norms emerge from consistent state behavior coupled with a belief in legal obligation (opinio juris). However, because cyber operations are often secret, it's harder to establish clear custom. Few states openly declare their legal interpretations, making it difficult to form binding customary norms.


In response, non-binding guidelines and interpretive texts have gained influence. The Tallinn Manual 2.0, created by a group of independent legal experts under NATO’s Cooperative Cyber Defence Centre of Excellence, outlines 154 rules on how international law applies to cyber operations. Although not legally binding, it is widely referenced by scholars and policymakers.


The UN Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) have also worked on cyber norms. Their reports, especially from 2013 and 2015, affirmed that international law applies to cyberspace and introduced voluntary norms for responsible behavior.


States differ in how they apply these rules. France, the Netherlands, and Finland favor a rules-based approach. The United Kingdom and the United States have shown more flexible or cautious interpretations, particularly on questions of sovereignty and intervention.


While no single treaty governs cyberspace, the combination of the UN Charter, state practice, and expert-driven frameworks forms a growing legal structure. These foundations continue to evolve as new threats and technologies emerge. Understanding them is essential for grasping the legal future of cyberspace.


III. Methods of Legal Evolution in Cyberspace

The development of international law in cyberspace has followed three main paths: treaty-making, the formation of customary law, and reinterpretation of existing rules. Each method carries distinct challenges and reflects the political realities of the digital age.


1. Treaty Development: Slow and Unlikely

Creating new treaties for cyberspace has faced political resistance. Global consensus is difficult due to diverging national interests. Some countries, like Russia and China, advocate for treaties that emphasize information control and state sovereignty. In contrast, Western democracies favor norms that protect open internet principles.


The Russian-proposed draft cybercrime convention has gained support in the UN General Assembly, but it faces criticism for risking human rights and duplicating the existing Budapest Convention on Cybercrime, already ratified by dozens of states. Most democracies argue that negotiating a new treaty would be slow, may dilute protections, and likely result in vague or lowest-common-denominator rules.


2. Customary Law: Hindered by Secrecy and Silence

Customary international law requires two conditions: consistent state practice and a belief that such behavior is legally required. In cyberspace, this evolution is slow. Cyber operations are often covert, classified, or denied. Without visible state behavior and formal legal declarations, it becomes difficult to establish recognized norms.


Even when states respond to cyber incidents, they rarely invoke international law directly. They often use political or economic language instead of legal reasoning, which limits the formation of clear custom. Statements from countries like Australia, France, and the Netherlands acknowledging the legal relevance of cyber norms are still exceptions.


3. Interpretation of Existing International Law: The Most Active Path

The most practical method of legal development has been interpreting existing rules—such as sovereignty, intervention, and the use of force—to apply them to digital actions. This approach allows flexibility without requiring new treaties. For example, the Tallinn Manual 2.0 explains how current laws can be applied to cyber incidents, including peacetime and conflict scenarios.


Some countries promote expansive interpretations to strengthen legal protections in cyberspace. Others prefer ambiguity, maintaining maneuverability. This divergence is strategic. States aiming to deter hostile cyber acts seek clarity. Others, who engage in or tolerate aggressive cyber behavior, avoid rigid legal definitions.


Summary Table: Three Methods of Legal Evolution

| Method | Strengths | Limitations |
| --- | --- | --- |
| Treaty-making | Clear, binding, globally recognized | Politically sensitive, slow, hard to update |
| Customary law | Flexible, evolves with practice | Requires transparency and legal acknowledgment |
| Interpretation of existing law | Adaptable, already accepted norms | May lead to fragmentation or legal uncertainty |

Among these methods, reinterpretation remains the most viable route. As cyber operations grow more common and impactful, states are increasingly pressured to define their positions. Legal evolution in cyberspace is not only a technical process but a geopolitical one—driven by both law and power.


IV. Normative Tensions and Legal Strategies Among States

States are not unified in their legal approach to cyberspace. Some push for clearer rules. Others benefit from ambiguity. These opposing strategies reflect deeper political and strategic interests, shaping how international law is evolving in this domain.


1. Legal Clarity as a Strategic Shield

Many states support a strong, rules-based cyber order. Their goal is to build legal certainty that deters hostile actions and limits conflict. Countries like France, the Netherlands, Finland, and Australia argue that clarity strengthens deterrence. It sets clear boundaries, enabling quicker and more lawful responses to violations.


For example, after the 2015 and 2019 UN reports, several governments issued public statements recognizing sovereignty and due diligence as binding obligations in cyberspace. These legal declarations shape state behavior and contribute to building norms over time.


Supporters of this strategy see law as a normative firewall. It discourages cyber operations that could trigger retaliation or damage trust. Legal clarity also helps prevent escalation. If states agree on what constitutes a violation, they are less likely to misinterpret each other’s actions.


2. Legal Ambiguity as a Strategic Asset

Other states, like the United Kingdom, prefer a more cautious approach. In 2018, the UK publicly rejected the idea that sovereignty is an independent rule in cyberspace. Instead, it treats it as a principle, not a binding norm. This position gives the UK more flexibility in conducting and responding to cyber operations.


Some realist-minded democracies also hesitate to define strict rules. They worry that legal clarity might restrict their future actions, especially if other states do not follow the same rules. In asymmetric conflicts, law-abiding states risk limiting their options, while lawless actors exploit the system.


This tension is visible in the strategic debate around gray zone operations—cyber activities that are harmful but fall below the threshold of armed conflict. These actions exploit legal ambiguity, making attribution and retaliation harder.


3. Competing Visions and Political Blocs

Geopolitical alliances influence legal strategies. Liberal democracies often work together to shape norms through multilateral forums and expert groups, like the Tallinn Manual project or the Paris Call. Meanwhile, Russia and China promote "information security" frameworks that emphasize content control and state sovereignty.


These differences are not just legal—they reflect core values. Open societies push for transparency and individual rights. Authoritarian states prioritize control and regime stability. As a result, progress toward global consensus remains slow.


4. The Legal Chessboard: Strategic Summary

| Strategy Type | Supporting States | Legal Goal | Risk/Concern |
| --- | --- | --- | --- |
| Pro-clarity | France, Netherlands, Finland | Deter threats, enable lawful defense | May constrain future operations |
| Pro-ambiguity | UK, some realist democracies | Preserve flexibility | Encourages legal gray zones |
| Control-focused | Russia, China | Legalize internal control | Threatens global internet freedoms |

Normative tensions in cyberspace reflect deeper struggles over power, trust, and digital sovereignty. International law is not just a tool—it’s a battlefield of interpretation. The direction it takes will depend on which legal strategies prevail in shaping the rules of cyber engagement.


V. Core Legal Principles in Practice

As international law adapts to cyberspace, key principles—sovereignty, non-intervention, due diligence, and the use of force—are being tested. States apply these rules differently, based on their legal traditions, political aims, and cyber capabilities. This section outlines how each principle functions in the digital realm and how states are putting them into practice.


1. Sovereignty

Sovereignty is central to international law. It gives each state the right to control activities within its territory. In cyberspace, the question is: Does a remote cyber operation that affects another country’s infrastructure violate that country’s sovereignty?


The Tallinn Manual 2.0 affirms that cyber operations can violate sovereignty in two ways:

  • When they cause physical damage or loss of functionality.

  • When they interfere with inherently governmental functions (e.g., disabling election systems).


Some countries accept this view. In 2019, France declared that any cyberattack affecting French digital systems constitutes a breach of sovereignty. The Netherlands, Finland, Switzerland, and Austria have taken similar positions.


By contrast, the United Kingdom argues that sovereignty is a principle, not a rule, meaning it cannot be violated on its own. This view has been widely criticized and has not been endorsed by other major democracies.


2. Non-Intervention

The rule of non-intervention prohibits coercive actions in the internal or external affairs of another state. For cyber operations to breach this rule, they must:


  • Target matters that are reserved to the state (e.g., political, economic, or military decisions).

  • Involve coercion, not just influence or disruption.


Cyberattacks that disable health systems, manipulate elections, or distort public policy could qualify—if they aim to control another state's decisions.


For example, cyber operations linked to election interference or pandemic response sabotage (like those targeting Czech hospitals during COVID-19) are cited as possible breaches.


While states agree on the rule itself, they differ on what counts as coercion. Some push for a lower threshold—where making a decision difficult, not just impossible, would be enough. Others warn this would make the rule too vague to apply fairly.


3. Due Diligence

Due diligence requires a state to prevent its territory from being used for hostile cyber operations against other states—if it is aware of the operations and can act.


Although widely discussed, due diligence is not yet universally accepted as a binding rule. The 2013 and 2015 UN GGE reports listed it as a voluntary norm. But momentum is shifting.


In 2019, France, the Netherlands, and Finland officially recognized it as an obligation. Others, like Australia, use cautious language, saying states “should” act if aware of harmful activity. Still, no state has formally rejected the idea outright.


Importantly, the rule doesn’t require prevention—only that a state acts when a violation occurs and if intervention is feasible.


4. Prohibition on the Use of Force

Article 2(4) of the UN Charter prohibits the use of force in international relations. Cyber operations that cause physical damage or injury clearly fall under this ban. But most attacks don’t destroy property—they disable systems, steal data, or disrupt services.


To address this, legal scholars and several states apply a “scale and effects” test. If the effects of a cyber operation are equivalent to a conventional armed attack, it may be treated as such.


For instance:

  • A cyberattack that shuts down a power grid and causes fatalities could qualify.

  • A massive economic disruption might also meet the threshold, according to France and the Netherlands.


Most states agree that some non-physical cyber operations can count as force. The debate now centers on how severe the effects must be.


Key Principles Summary

| Legal Principle | Widely Accepted? | Main Disputes | State Examples |
| --- | --- | --- | --- |
| Sovereignty | Partially | Rule vs. principle; damage thresholds | France (rule), UK (principle) |
| Non-Intervention | Yes | What qualifies as coercion | Australia, France, UK |
| Due Diligence | Growing support | Binding status and feasibility | Netherlands, Finland, Australia |
| Use of Force | Yes | Non-physical effects and thresholds | France, Netherlands, U.S. (scale/effects) |

As these principles are interpreted and applied, they shape how states behave in cyberspace. Legal consensus is forming—but gaps remain. How these rules evolve will determine the future stability and security of the global digital environment.


VI. Legal Responses to Hostile Cyber Operations

When faced with cyberattacks, states must choose responses that align with international law. These responses may include countermeasures, self-defense, or invoking necessity. Each option comes with strict legal conditions, and their application in cyberspace remains under debate.


1. Countermeasures

Countermeasures are responses to internationally wrongful acts. They allow a state to break certain legal obligations temporarily—but only to pressure the responsible state into compliance.


For a countermeasure to be lawful:

  • It must respond to a prior wrongful act.

  • The response must be proportional.

  • It cannot involve the use of force.

  • Normally, the injured state must notify the responsible state before acting.


In cyberspace, the notification requirement is debated. Due to the speed and secrecy of cyberattacks, some states argue notice is impractical. France and the Netherlands have both said that urgent countermeasures may be justified without prior warning. The UK takes this further, saying no legal duty to notify exists if doing so would reveal sensitive capabilities.


2. Collective Countermeasures

Traditionally, only the directly injured state can take countermeasures. But cyberattacks often affect global systems or multiple countries.


In 2019, Estonia proposed that collective countermeasures should be allowed—so allies can support one another. This idea remains controversial. Most states still follow the traditional rule, and France has formally opposed Estonia’s view. The debate continues as cross-border cyber threats increase.


3. Necessity

Necessity allows a state to breach certain obligations to protect an essential interest from grave and imminent danger—if no other legal option exists.

This is different from countermeasures because:

  • It can apply even when the attacker’s identity is unknown.

  • It does not require the target to be responsible for the threat.


France and the Netherlands have both supported this approach for cyber threats. For example, a state could invoke necessity to disrupt an unidentified malware attack threatening its banking system or hospital network.


However, necessity is hard to justify. The danger must be immediate, and the response must be the only way to stop it.


4. Self-Defense

Under Article 51 of the UN Charter, a state may use force in response to an “armed attack.” In cyberspace, this includes attacks causing:

  • Physical destruction.

  • Injury or death.

  • Serious loss of critical infrastructure or economic stability.


Most cyberattacks fall below this threshold. But if one qualifies, the victim state could respond with military or cyber force.


The United States, France, and Australia accept that cyber operations can trigger the right of self-defense. The Tallinn Manual also supports this view. But the response must still follow the principles of necessity and proportionality.


Summary Table: Legal Response Options

| Response Type | Purpose | Legal Conditions | State Examples |
| --- | --- | --- | --- |
| Countermeasures | Compel compliance from a violating state | Prior wrongful act, proportional, no force | France, Netherlands, UK |
| Collective Measures | Support another injured state | Legally unsettled, controversial | Estonia (pro), France (against) |
| Necessity | Protect essential interests | Grave threat, no other option | France, Netherlands |
| Self-Defense | Respond to armed attack | Armed attack threshold, necessity, proportionality | US, Australia, France |

Cyber threats challenge traditional ideas of timing, attribution, and proportionality. As cyber operations grow in complexity, legal responses must remain flexible—but grounded in clear principles. States are adapting slowly, building legal tools to defend themselves while avoiding escalation.


VII. The Role of Non-State Actors and Multistakeholder Norms

States remain the central actors in international law, but in cyberspace, non-state actors play an increasingly influential role. Technology companies, academic experts, and civil society organizations help shape norms, develop frameworks, and fill legal gaps. These contributions, though not binding, affect how international law in cyberspace evolves in practice.


1. Technology Companies as Norm Shapers

Private companies operate much of the world’s digital infrastructure. Firms like Microsoft, Google, and Amazon possess technical knowledge, data, and cyber capabilities that rival or exceed those of many governments.


In 2017, Microsoft proposed a “Digital Geneva Convention” to protect civilians from state-sponsored cyberattacks. While not adopted as law, the idea sparked global discussion and influenced how policymakers frame cyber protections.


Microsoft also helped launch the CyberPeace Institute, which documents cyber incidents that affect humanitarian and medical sectors. This initiative tracks harm and helps promote accountability, even when legal enforcement is lacking.


2. Expert-Driven Frameworks

Legal experts and academic institutions play a critical role in guiding interpretation. The Tallinn Manual 2.0, produced by an independent group of scholars, remains the most detailed resource for applying international law to cyber operations.


Though not officially endorsed by any state, many governments cite the manual to explain or support their legal views. Its influence extends into diplomacy, military doctrine, and multilateral discussions.


Other expert bodies—such as the Global Commission on the Stability of Cyberspace (GCSC)—propose voluntary norms, including the protection of electoral infrastructure and the prevention of cyber operations targeting public health services. These norms often serve as models for future treaties or domestic policies.


3. Civil Society and Multistakeholder Agreements

Civil society organizations, including privacy advocates, internet governance groups, and humanitarian institutions, raise awareness about rights and risks in cyberspace. They promote transparency, accountability, and ethical conduct.


Initiatives like the Paris Call for Trust and Security in Cyberspace, endorsed by over 70 governments and hundreds of private organizations, exemplify the multistakeholder model. The Paris Call promotes voluntary commitments to protect civilians, uphold international law, and strengthen supply chain security.


Such efforts build trust and coordinate best practices, especially where law is ambiguous or silent.


4. Limits and Legal Gaps

While non-state actors can propose norms and document violations, they cannot enforce international law. Only states can create binding rules and carry out legal obligations. This limitation creates a gap between practice and enforcement.


Still, the growing collaboration between state and non-state actors enhances global cyber governance. For example, joint efforts between companies and governments help track ransomware groups, share threat intelligence, and improve cyber resilience.


Illustration: Contributions by Non-State Actors

| Actor Type | Key Contribution | Example Initiative |
| --- | --- | --- |
| Technology Companies | Norm proposals, security frameworks | Digital Geneva Convention (Microsoft) |
| Legal Experts | Rule interpretation, manuals, academic input | Tallinn Manual 2.0 |
| Civil Society | Advocacy, transparency, ethical standards | Paris Call, CyberPeace Institute |
| Multistakeholder Groups | Global cyber stability and norm coordination | Global Commission on the Stability of Cyberspace |

In cyberspace, lawmaking is no longer confined to diplomatic chambers. Private actors, scholars, and NGOs shape the discourse and influence how norms take root. Their involvement reflects the complex, shared nature of digital infrastructure—and offers a path forward when intergovernmental progress stalls.


VIII. Current Trends and Future Directions

The evolution of international law in cyberspace is ongoing and shaped by shifting geopolitics, technological growth, and emerging risks. Although core legal principles provide a foundation, divergent interpretations and strategic behavior continue to fragment consensus. Still, recent trends point to gradual progress—and possible paths forward.


1. Increasing Legal Transparency by States

More governments are publishing their official views on how international law applies to cyber operations. This shift toward legal transparency is significant.


Countries such as Australia, the Netherlands, France, Finland, Estonia, the United Kingdom, and the United States have released position papers or public statements outlining how they interpret sovereignty, intervention, due diligence, and other norms.


This growing body of state practice is valuable. It helps clarify where states agree, where they differ, and how customary norms may develop. Legal openness also builds pressure on silent states to define and publish their own positions.


2. Regional Fragmentation and Norm Clusters

As global consensus proves elusive, regional blocs are taking the lead in shaping cyber norms. This includes:

  • Five Eyes countries (U.S., UK, Canada, Australia, New Zealand) coordinating cyber doctrine and intelligence.

  • EU member states promoting digital sovereignty, privacy, and ethical frameworks.

  • Russia and China pushing for tighter state control over information through the concept of “information security.”


These diverging models create norm clusters—legal interpretations that reflect shared political goals more than universal agreement. Over time, this fragmentation may harden, complicating cooperation in cyber governance.


3. Multi-Stakeholder Influence Growing

Non-state actors continue to gain influence in norm creation. Multistakeholder initiatives like the Paris Call, CyberPeace Institute, and Global Commission on the Stability of Cyberspace are shaping discussions even without legal power.


These platforms foster coordination, especially when state negotiations stall. Their focus on humanitarian protections, election security, and critical infrastructure provides practical input into ongoing legal debates.


4. Technology Driving Legal Innovation

Emerging technologies—including artificial intelligence, autonomous cyber tools, and quantum computing—pose new legal questions:

  • Who is responsible when AI launches a cyberattack?

  • Can autonomous tools be proportionate or discriminate in armed conflict?

  • Will quantum communication require new legal safeguards?


As technology advances faster than law, the interpretive approach will remain key. States and legal experts will adapt old rules to new tools—just as they have done with past revolutions in warfare and surveillance.


5. Anticipated Legal Shifts

Several trends suggest where legal norms may evolve next:

| Area | Expected Direction |
| --- | --- |
| Sovereignty | More states recognizing it as a binding rule |
| Due Diligence | Growing support for its binding nature |
| Collective Response | Increased debate on legalizing coordinated countermeasures |
| Economic Harm | Wider acceptance that major economic disruption may qualify as “force” or “armed attack” |
| Cyber Attribution | Development of clearer standards for linking acts to states |

6. Toward Legal Resilience

Despite tensions, the overall trajectory points toward stronger legal frameworks. States are recognizing that without shared rules, cyberspace becomes a space of unchecked risk. The more interconnected societies become, the more they rely on legal stability to defend digital rights, protect infrastructure, and avoid escalation.


The challenge ahead is not just defining the law—but making it workable across cultures, technologies, and power dynamics. Dialogue, transparency, and practical cooperation will be essential to shape a resilient legal order in cyberspace.



Conclusion

The evolution of international law in cyberspace is no longer theoretical—it is an active, ongoing process driven by real-world threats and strategic behavior. While foundational rules such as sovereignty, non-intervention, due diligence, and the prohibition on the use of force continue to guide conduct, their interpretation varies among states. Some nations advocate for clarity to deter aggression, while others preserve ambiguity to maintain operational flexibility.


Non-state actors—especially technology companies, legal experts, and civil society groups—are shaping norms and pushing for accountability where formal law lags behind. Their influence complements state-led initiatives and provides critical insights in a domain dominated by private infrastructure and global interdependence.


Key trends suggest cautious but steady progress: more governments are publishing legal positions, norm clusters are forming, and multistakeholder models are gaining traction. Meanwhile, emerging technologies like AI and quantum computing are creating new legal challenges that will test the adaptability of existing frameworks.


Despite political divides and normative tensions, the trajectory is clear. International law remains essential for stability in cyberspace. Its continued development—through interpretation, cooperation, and transparent dialogue—will be vital to protecting digital rights, securing critical systems, and maintaining peace in the information age.


References


  1. Schmitt, M. N. (2020). Taming the Lawless Void: Tracking the Evolution of International Law Rules for Cyberspace. Texas National Security Review, Vol. 3, No. 3, pp. 32–47.

  2. Schmitt, M. N. (Ed.). (2017). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge University Press.

  3. United Nations General Assembly. (2015). Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (A/70/174).

  4. United Nations General Assembly. (2013). Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (A/68/98).

  5. UN Charter, 1945, Articles 2(4) and 51.

  6. International Court of Justice (ICJ). (1986). Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States of America).
