Ius Gentium

University of Baltimore School of Law's Center for International and Comparative Law Fellows discuss international and comparative legal issues


All’s Fair in Love and Cyberwar

Elizabeth Hays

A United States drone strikes a car near a gas station in Syria.[1] Inside that car, Junaid Hussain lies lifeless.[2] Though a seemingly normal 21-year-old British man with an education and a wife, Junaid possessed exceptional computer hacking skills and ties to ISIS’s cyber division.[3] Instead of the United States sending a sniper to take out Junaid, a person used his or her trigger finger to direct the drone strike from a computer miles away from the gas station.[4] Throughout history, technology has drastically changed warfare. The advances in cyberspace technology are no exception, and the law is struggling to keep up.


While country-on-country cyber-attacks have made headlines in the 21st century, such attacks can be dated as far back as the Cold War.[5] In June 1984, a United States satellite detected a large blast in Siberia.[6] That blast turned out to be an explosion on a Soviet gas pipeline.[7] A malfunction in the computer-controlled system that the Soviets stole from a firm in Canada caused the explosion.[8] Unbeknownst to the Soviets, the CIA caused the malfunction by tampering with the software, resetting the pump and valve settings to produce pressures far beyond the capabilities of the pipeline welds, which ultimately resulted in destruction.[9]

The most recent and controversial cyber-attack resulted in WikiLeaks publishing a series of confidential emails exchanged between several key members of the Democratic National Committee.[10] The release negatively impacted the Democratic Party in the public eye and resulted in calls for the resignation of the DNC chairperson, the CEO, the CFO, and the Communications Director.[11] Despite President Trump’s initial accusation, these hackers are not just 400-pound guys in a basement; they are sophisticated and, potentially, dangerous adversarial governments.[12]

The United States accused Russian President Vladimir Putin of ordering an “influence campaign” aimed at weakening Hillary Clinton’s campaign and strengthening Donald Trump’s.[13] The campaign consisted of hacking Democratic groups and individuals and releasing that information via third-party websites, including WikiLeaks.[14] Intelligence agencies concluded with high confidence that Russia had intended to undermine American faith in the electoral system by hurting Hillary Clinton’s chances of winning.[15] As a result, in December 2016, America responded with what was arguably its strongest response yet to a state-sponsored cyber-attack.[16] “All Americans should be alarmed by Russia’s actions,” stated former President Obama.[17] While there is partisan disagreement about the scope and intent of the Russian cyber-attack on the 2016 United States Presidential Election, 77% of Americans from a wide variety of political backgrounds believe that cyber-attacks against computer systems in the United States are a serious threat.[18] Meanwhile, 63% of Americans believe that the United States is not adequately prepared to deal with these cyber threats.[19]


While President Trump has repeatedly stated that the Russian hacking had no influence on the outcome of the election, it is becoming clear that cyber-attacks are growing more prevalent and powerful.[20] Intelligence agencies reported that the Russian election intervention is an old-fashioned Soviet-style propaganda campaign made more powerful by the tools of the cyberage.[21] While it may seem like this was a one-time event and a new attack, it was actually part of a campaign that went undetected for years.[22]

The same international laws apply to cyberspace as they do to traditional warfare domains. Yet, cyber-attacks are difficult for the international community to analyze due to their complexity and secrecy. In response to this challenge, the NATO Cyber Centre wrote the Tallinn Manual on the International Law Applicable to Cyber Warfare.[23] Applying the principles of the international law of war in cyberspace, the manual has been the primary guide for armed conflicts.[24] According to the principles in the manual, the Russian cyber-attacks on the DNC are below the threshold of an armed conflict.[25] On the other hand, if Russia had destroyed America’s cyber infrastructure, it would likely be enough to be a use of force and thus a violation.[26]

Yet other experts, such as the chairman of the U.S. Naval War College’s international law department, Michael Schmitt, believe that the DNC hack was in fact a violation of international law.[27] For example, the hack could have threatened U.S. sovereignty.[28] The hackers attempted to intervene in the internal affairs of the United States, which include running elections.[29] However, there would need to be proof that Russia not only stole information but used the information to manipulate election results.[30]


Therefore, the DNC hacks still lie in a legal gray zone. While the Tallinn Manual provides excellent guidance on applying international law in cyberspace, the Tallinn Manual 2.0 is in the works to expand upon it.[31] The goal of this additional manual is to examine how international law applies to cyber-attacks below the threshold of an armed conflict.[32] Until then, clever nations will continue to use cyber-attacks, like the DNC hack, to cause harmful effects but not cross the line that would trigger an armed response.[33]


Elizabeth Hays is a third-year law student at the University of Baltimore School of Law. She completed her undergraduate studies at the University of Baltimore, where she majored in Jurisprudence. Her legal interests include administrative law, national security law, and maritime law. Elizabeth has previously interned with the U.S. Army JAG Corps and the U.S. Coast Guard JAG Corps. Additionally, she participated in the winter study abroad program in Curaçao in 2015/16. She is currently the Co-President of University of Baltimore Students for Public Interest (UBSPI) and a Staff Editor for University of Baltimore Law Forum.

[1] Nick Gutteridge, ISIS Top Hacker Dead: British Jihadi Junaid Hussain Blown up in US Drone Strike in Syria, Express (Aug. 27, 2015).

[2] Id.

[3] Id.

[4] Id.

[5] War in the Fifth Domain, The Economist (Jul. 1, 2010).

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Harold Stark, How Russia Hacked Us in 2016, Forbes (Jan. 24, 2017).

[11] Id.

[12] Scott Shane, Russian Intervention in American Election Was No One-Off, N.Y. Times (Jan. 6, 2017).

[13] Jill Dougherty, U.S. Election Hacking: Russia Hits Back at ‘Unfounded’ Allegations, CNN Politics (Jan. 15, 2017).

[14] Id.

[15] Paul Krugman, Russia’s Hand in America’s Election, N.Y. Times (Dec. 11, 2016).

[16] David E. Sanger, Obama Strikes Back at Russia for Election Hacking, N.Y. Times (Dec. 29, 2016).

[17] Id.

[18] Sarah Dutton, Most Americans Think Russia Tried to Interfere In Presidential Election, CBS News (Jan. 18, 2017).

[19] Id.

[20] Jill Dougherty, U.S. Election Hacking: Russia Hits Back at ‘Unfounded’ Allegations, CNN Politics (Jan. 15, 2017).

[21] Scott Shane, Russian Intervention in American Election Was No One-Off, N.Y. Times (Jan. 6, 2017).

[22] Id.

[23] Jill Dougherty, NATO Cyberwar Challenge: Establish Rules of Engagement, CNN Politics (Nov. 7, 2016).

[24] Id.

[25] Id.

[26] Id.

[27] Id.

[28] Id.

[29] Id.

[30] Id.

[31] Id.

[32] Id.

[33] Id.



No Common Heritage: Why the Internet Cannot be Regulated Like the Sea

Matthew Matechik

In the rapidly unfolding digital age, the strongest player on the international stage is not necessarily the state with the biggest weapons or the most soldiers. Instead it is the cyber actor, which may or may not be a state, capable of most effectively leveraging the Internet to achieve objectives. Like the seafaring captains of old, these actors navigate the labyrinth of the Internet to discover, to trade, to pillage, and to conquer. Digital packets are their vessels. The Internet is their sea.

[Image: Internet Pirate]

Like the sea, the Internet encircles the globe. Like the sea, the Internet is used for benign activity, such as commerce and leisure, but also for destructive activity, such as theft and combat. The sea has sailors and pirates; the Internet has cyber professionals and hackers. The comparison seems appropriate and begs the question: Can international law regulate the Internet like it regulates the sea?

The similarities between the Internet as a medium and the sea as a medium suggest that international principles governing the use of the sea could effectively be applied to the use of the Internet. Upon inspection, however, this theory quickly erodes for numerous reasons. Perhaps the most significant obstacle is the lack of a common heritage to the Internet. Common heritage is the critical component that has allowed the law of the sea to develop.

Customs governing the use of the sea probably began to emerge when humans first encountered other humans at sea. These customs grew out of a recognition that the sea was an incredibly vast shared space that no one nation could hold in the way that land territory could be held. The sea was recognized as the common heritage of mankind. Seafaring parties intersected with both allies and enemies in this shared space. Customs and laws continued to develop over millennia to regulate these encounters. As humanity’s access to the sea increased, international norms increased, including codifying many of these customs in the UN Convention on the Law of the Sea (UNCLOS). These laws were based on the idea that all humans enjoyed freedom of the sea because it was common heritage. The laws fostered shared use of the sea while deterring nefarious actions on the sea.

As a recent phenomenon, the Internet has no such common heritage, although it has become a common resource. The Internet traces its origins back to a research project completed by the United States Defense Advanced Research Projects Agency (DARPA) during the 1960s.[1] Its usage grew exponentially until it became the truly globe-spanning super network of today, reaching an estimated 3 billion people.[2] Because the United States was the primary driver of early Internet adoption, its infrastructure and usage patterns have developed in such a way that most of the world’s internet traffic passes through the United States.[3] This position offers the United States unique advantages and opportunities that the United States is unlikely to relinquish.

[Image: Global Internet Map]

Other nations have more recently undertaken measures to ensure their own Internet posture also offers unique advantages and aligns with their interests. For example, China has erected “The Great Firewall” around Chinese Internet users, allowing China to censor which traffic is accessible by Chinese users.[4] China is leveraging its Internet power to further its interests at the expense of Internet freedom and access. Meanwhile in the European Union, some European leaders are advocating for new Internet regulations that could bolster European tech companies’ positions against their American counterparts.[5] The fortifying of digital space will not enable the international community to adopt any sort of “freedom of the Internet” measures akin to the freedom of the seas. Quite the opposite, in fact: the trend seems to be toward increasing restrictions on communal use.

Even if the international community did characterize the Internet as a resource to be shared by all, regulation appears to be technically impossible, at least at present, because Internet traffic cannot be finitely quantified and observed in the same way that seafaring vessels can. Sea regulations are enforceable in large part because nations are able to observe a meaningfully quantifiable number of vessels and react by employing the appropriate legal measure. On the sea, the regulator can, for example, react to nefarious activity by boarding a vessel and searching it.

Over the Internet, the regulator would likewise have to conduct inspections in some manner, but there are far too many data packets to deal with. By the end of 2016, an estimated 1,000,000,000,000 gigabytes of data will traverse the Internet annually.[6] That number is too large for its significance to be fathomed. Finding nefarious activity among that much data and reacting appropriately while still fostering Internet freedom is technically impossible given the current state of technology. There are simply too many packets traversing the Internet.

The lack of common heritage to the Internet and technological limitations on widespread enforcement make the application of the law of the sea’s principles to the Internet impossible for now. The international community must approach the Internet with a fresh perspective that considers its modern and unique characteristics. The Council of Europe’s Convention on Cybercrime, which entered into force in 2004, is currently the leading international convention in this field. The Convention identifies numerous cybercrimes that signatories must address in their domestic criminal laws, requires that certain law enforcement procedures be put into place, and demands that signatories cooperate to investigate and prosecute cybercrimes.[7] The Convention has been ratified by forty-seven states so far and signed by an additional seven.

The Convention shows some real promise because it addresses uniquely cyber issues and has seen at least some adoption. However, it still lacks global utility because it does little to address state-on-state cyber acts and lacks signatures from significant cyber powers, notably China and Russia. The lack of widespread adoption suggests cyber stakeholders with competing interests have a long way to go before they are able to agree on international regulation that works as effectively as sea regulations.

Matthew Matechik is an Evening J.D. student at the University of Baltimore School of Law (Class of 2016). He currently works full-time for the U.S. Federal Government as a Counterterrorism Analyst. He has a Bachelor of Arts (Magna Cum Laude, 2008) from Florida State University. All views in this blog post are Matthew’s own views and do not represent those of the U.S. Government.

[1] http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet

[2] http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/

[3] http://faculty.georgetown.edu/irvinem/CCTP748/Internet-Mediology.html

[4] http://abcnews.go.com/Technology/story?id=4707107&page=1

[5] http://www.reuters.com/article/2015/06/23/us-eu-digital-letter-idUSKBN0P32AX20150623

[6] http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/VNI_Hyperconnectivity_WP.html

[7] http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm