The rapid evolution of cyber capabilities and their increasing use by state actors presents a significant challenge to international law, which was primarily designed for kinetic warfare.

While there's a general consensus that existing international law does apply to cyberspace, its application often remains ambiguous and contested.

Here's how international law should evolve to define and regulate cyber warfare:

I. Clarifying Existing Principles:

Rather than creating an entirely new body of law, the primary focus should be on clarifying how established principles of international law apply to cyberspace.

1. Interpretation of the UN Charter:

   • "Use of Force" and "Armed Attack": This is the most crucial area of debate. International law needs clearer thresholds for when a cyber operation constitutes a "use of force" (prohibited by Article 2(4) of the UN Charter) and, more importantly, when it escalates to an "armed attack" (triggering the right to self-defense under Article 51).

     • Proposal: Focus on the effects of the cyber operation, rather than just the method. If a cyberattack causes death, injury, significant physical damage, or severe disruption akin to a kinetic attack (e.g., shutting down a power grid for an extended period, leading to widespread chaos and loss of life), it should be considered a "use of force" or "armed attack." Mere data theft or espionage, while violations of sovereignty, typically do not meet this threshold. States could work towards a consensus on a "harm threshold" or "severity of effects" test.

   • Sovereignty: Reiterate and clarify that unauthorized intrusion into a state's cyber infrastructure (even for espionage or data theft, without destructive effects) constitutes a violation of its sovereignty. This would solidify the legal basis for non-kinetic countermeasures.

   • Non-Intervention: Strengthen the interpretation that cyber operations intended to interfere in a state's internal affairs (e.g., election interference, manipulation of public discourse) violate the principle of non-intervention.

2. Application of International Humanitarian Law (IHL) / Law of Armed Conflict (LOAC):

   • Distinction: Clarify how to distinguish between military and civilian cyber infrastructure, especially given dual-use systems (e.g., a civilian internet backbone used by the military).

     • Proposal: Develop guidelines for identifying legitimate military targets in cyberspace and emphasize the obligation to avoid targeting civilian infrastructure.

   • Proportionality: Provide guidance on assessing the anticipated civilian harm (direct and indirect, immediate and long-term, including "reverberating effects") of a cyberattack against the expected military advantage.

     • Proposal: States should consider the cumulative effects of cyber operations. The unique interconnectedness of cyberspace means a seemingly minor attack could have cascading, unpredictable consequences.

   • Precaution in Attack: Clarify what "feasible precautions" look like in a cyber context to minimize civilian harm, including pre-attack intelligence gathering, vulnerability assessment, and potentially issuing warnings.

   • Unnecessary Suffering: Prohibit cyber weapons that cause superfluous injury or unnecessary suffering, similar to conventional weapon prohibitions.

II. Addressing Key Challenges and Gaps:

1. Attribution:

   • The Challenge: Definitive attribution is notoriously difficult in cyberspace.

   • Proposal: While full legal attribution might remain the purview of states, international law can encourage norms of responsible state behavior regarding attribution, such as:

     • Promoting technical cooperation and information sharing to enhance forensic capabilities.

     • Establishing an international body (e.g., under the UN) that can provide technical assistance for attribution, even if it doesn't make legal pronouncements.

     • Developing a common understanding of what constitutes sufficient evidence for a public attribution.

2. State Responsibility:

   • The Challenge: Holding states accountable for cyberattacks conducted by proxies, non-state actors, or individuals acting on their behalf.

   • Proposal: Clarify the criteria for state responsibility, particularly regarding "effective control" or "direction and control" over non-state actors in cyberspace (e.g., adapting the ICJ's Nicaragua case principles). States should also be held responsible for not preventing or stopping malicious cyber activities originating from their territory if they have the knowledge and capability to do so.

3. Neutrality:

   • The Challenge: The use of infrastructure in neutral states (routing traffic, hosting servers) by belligerents.

   • Proposal: Clarify the obligations of neutral states to prevent their territory/infrastructure from being used for cyber warfare, and the rights of belligerents concerning such use.

4. Supply Chain Security:

   • The Challenge: State-sponsored actors compromising critical software and hardware supply chains.

   • Proposal: Develop international norms or best practices for states to ensure the security and integrity of their technology supply chains, and to refrain from inserting vulnerabilities into ICT products used globally.

5. Peacetime Norms of Behavior:

   • The Challenge: Many malicious cyber activities (espionage, IP theft, influence operations) occur below the threshold of "use of force."

   • Proposal: Continue to develop and strengthen voluntary, non-binding norms of responsible state behavior in cyberspace through forums like the UN Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG). These norms should explicitly prohibit:

     • Attacks on critical infrastructure that provides essential services to the public.

     • Sabotage of electoral processes.

     • Theft of intellectual property for commercial gain.

     • Interference with emergency response services.

III. Enforcement and Dispute Resolution:

1. Confidence-Building Measures (CBMs):

   • Proposal: Encourage bilateral and multilateral CBMs (e.g., hotlines, regular dialogues, information exchange protocols) to reduce miscalculation and foster trust.

2. Dispute Resolution Mechanisms:

   • Proposal: Explore mechanisms for mediating or resolving disputes related to cyber incidents, possibly through the UN, regional organizations, or specialized tribunals.

3. Sanctions and Countermeasures:

   • Proposal: International law should clarify the parameters for permissible non-forceful countermeasures (retorsions and reprisals) in response to cyber violations that do not meet the "armed attack" threshold, ensuring they are proportionate and do not violate other international obligations.

Challenges to Evolution:

• State Disagreement: Fundamental disagreements exist among major powers (e.g., "all existing law applies" vs. "we need new laws," differing interpretations of sovereignty).

• Rapid Technological Change: Law struggles to keep pace with the speed of cyber technology.

• Attribution Difficulty: Remains a significant hurdle for practical enforcement.

• Lack of Political Will: Many states prioritize gaining and maintaining cyber advantage over submitting to strict legal constraints.

The Tallinn Manuals (2.0 and soon 3.0) serve as influential non-binding academic interpretations of how existing international law applies to cyberspace, offering a valuable starting point for discussions. Ultimately, the evolution of international law in this domain will require sustained diplomatic effort, a willingness to compromise, and a shared understanding of the need to prevent uncontrolled escalation in the digital realm.