ABSTRACT

Introduction

In late 2014, a group calling itself “Guardians of Peace” orchestrated a campaign of cyber attacks against Sony Pictures Entertainment that destroyed systems and stole large quantities of personal and commercial data, such as unreleased movies. In addition, the group threatened anyone who attended the opening of a movie, The Interview, about North Korea that included an assassination of its ruler Kim Jong-Un (Carr 2013). The United States blamed North Korea for the attack (Federal Bureau of Investigations 2014) and responded by ordering a new round of sanctions against North Korean government officials and its defense industry (Associated Press 2015). The American response was the first ever response to a concrete cyber attack. North Korea, however, denied any involvement in the hacking of Sony and, for its part, accused the United States of being responsible for cutting off the nation’s already very limited connections to the Internet (Fackler 2014). The Sony hack and the American responses thereto illustrate the extent of the threat from cyber attacks and other forms of harmful cyber incidents (Schreier 2015; Arquilla and Ronfeldt 1993; Kello 2013).1 That threat is becoming one of the most pressing national security concerns, which is why a multitude of national governmental agencies are currently engaged in developing strategies and guidelines for both the offensive and defensive use of computer network operations.2 One of the more pressing issues in the ongoing efforts to develop cyber strategies is the identification of the legal landscape that governs both the offensive and defensive use of computer network operations that may have an effect on the territory of another state, including on the latter’s electronic infrastructure. In short, to formulate a proper strategy in cyber space, states need to know what offensive activities are lawful and how a targeted state is allowed to respond defensively.
Interestingly, in its early years, cyber space was perceived by its users as a sui generis domain outside the reach of individual states. In contrast to the physical domains (land, sea, air and space), cyber space was supposed to be governed by the users themselves. In its 1996 “Declaration of Independence of Cyberspace,” for example, the Electronic Frontier Foundation had this to say to all the states of the world:

You are not welcome among us. You have no sovereignty where we gather. . . . We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. . . . You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don’t exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.