Understanding Jurisdiction in Cyberspace
By Thomas McAuley
January 18, 2025
Our project maps the law and policy that shapes cyber operations in the Indo-Pacific. To do this, we analyze the most important constraints on those operations, providing an in-depth look at the legal structures that shape them. These could be the laws affecting data sovereignty, Chinese vulnerability disclosures, American cyber espionage authorities, or private-sector data management.
But before looking at those individual structures, a natural place to start is by asking: which “body of law” do practitioners in the region look to for information on these topics? In other words, which set of rules applies, and where do we find them?
The answer is not always straightforward. But from an American perspective, there are three places to look: U.S. domestic law, international law, and foreign law. How these different bodies of law affect a decision depends on who is making the decision. Namely, these bodies of law will affect public and private sector entities differently. Understanding these high-level distinctions is important to appreciating the individual legal structures that shape Indo-Pacific cyberspace.
U.S. Cyber Law
For American entities, the most important body of law to pay attention to in cyberspace is U.S. domestic law. This holds regardless of whether the entity is public or private.
U.S. domestic law both prescribes and proscribes government cyber action.
Consider the effect of U.S. domestic law on a public entity first. This bucket includes federal agencies like the Department of Defense, Federal Bureau of Investigation, Central Intelligence Agency, and Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.
Related to these public organizations, U.S. domestic law is both prescriptive and proscriptive. Prescriptively, each of these agencies can only act under an authority derived from the U.S. Constitution. The Constitution is the foundation of U.S. domestic law. It lays out the entire universe of things that the government can do. That universe is limited. As the Tenth Amendment to the Constitution states, “The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.”
This means that every action taken by a U.S. government organization must be traceable to the Federal Constitution. For example, the Department of Defense can only hire a cyber operator because Congress passed a law appropriating the funds to do so; Congress can only appropriate those funds because Art. I § 8 of the Constitution gives it the power to “raise and support Armies.”
If a federal agency exceeds its authority (whether that authority is derived directly from the Constitution or through a law passed by Congress), its actions are subject to judicial review and ruled invalid. In our rule-of-law system, this is typically enough to prevent abuses of authority, but ultimately those abuses are punished through the checks and balances of government and the political process (i.e., voting).
U.S. domestic law also has a proscriptive effect on public organizations. That is, it often will tell them what they cannot do. Proscriptions are often criminally enforceable—if a federal employee exceeds his authority and violates a proscription, he could be imprisoned for breaking federal law.
An example in the national security context is torture: If a soldier intentionally inflicts severe physical pain on a prisoner for the purpose of eliciting information, he could be imprisoned under the Torture Act of 1994. Similarly, if a federal agent electronically surveils an American without judicial authorization, he may violate that American's Fourth Amendment right against unreasonable searches and thus be liable under 42 U.S.C. § 1983.
U.S. domestic law proscribes private action.
In contrast, consider the effect of U.S. domestic law on private organizations. While U.S. law prescribes and proscribes government action, it is only this latter, proscriptive function that affects private parties. This is because of the same Constitutional Amendment listed earlier, which states that “[t]he powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.”
In common sense terms, U.S. law does not list all possible actions that U.S. citizens can take. It constrains, rather than enables, the actions of private citizens. But just like individuals in public organizations, private organizations face criminal penalties for violating U.S. domestic law.
Take for example the Computer Fraud and Abuse Act. This is a federal criminal statute that criminalizes hacking. Specifically, it imposes criminal penalties on a person who “intentionally accesses a computer without authorization or exceeds authorized access” to obtain information. Thus, a private corporation that hacks a competitor to obtain trade secrets is punishable under this federal law.
International Cyber Law
While domestic law is crafted and enforced through the power of the state, international law is crafted and enforced through the consensus of the many states. This presents problems for the meaningful development and application of an international law of cyber.
International law relies on multilateral consensus.
The modern international order traces its roots back to the United Nations Charter. In the wake of the Second World War, this document established a collection of rights and responsibilities for states that participate in the international system. It also provided a framework for enforcing those responsibilities. Today, international law has grown to encompass a broad range of topics, such as international maritime law, international human rights law, and international humanitarian law.
Critically, all of this international law stems from consensus. That is, the states that participate in the international system must agree what the rules are. In contrast to domestic law, which relies on the power of the state for its enforcement, international law relies on the cooperation of the many states. Because no one state holds sufficient power to enforce the rules of international law, that law must be something that all states agree on and are thus willing to enforce collectively.
This dependence on consensus means that international law often lacks the clear distinctions that we find in the domestic context. Without such bright lines, the rules are much harder to apply. This means that whether something is illegal under international law is often equivocal. This is certainly true under both jus ad bellum (law before war) and jus in bello (law in war). Both bodies of law concern whether the use of force is lawful. Both include a large gray area. Was the United States’ invasion of Iraq in 2003 unlawful aggression or anticipatory self-defense? What about Russia’s invasion of Ukraine? The answer often depends on where you sit.
Multilateral consensus is rare in the nascent law of cyber.
Equivocation begins even earlier in the international law of cyber: What even is a “use of force” in cyberspace? The international community has not yet decided. The United States appears to take the position that only those “cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.” Many states agree. But what if the attack does not involve physical effects? Some states (notably France, the Netherlands, and Norway) suggest that a non-destructive cyber attack could qualify as a use of force. But that is far from a consensus opinion.
Even assuming there is consensus that a cyberattack violates international law, a question remains: Is there consensus for punishing that violation? Looking at the structure of the United Nations, a reasonable assumption is that the U.N. Security Council bears this responsibility. But that body also relies on consensus for action. Its five permanent members—the United States, the United Kingdom, France, China, and Russia—can veto any Security Council Resolution. A look at that list of countries reveals why the Security Council rarely takes substantial steps to punish violations of international law.
From the viewpoint of the U.S. President, international law’s many gray areas and lack of enforcement mean that adherence to international law is a policy decision. He weighs the flagrancy of a violation and its resulting benefit to American interests against the value that adherence would provide to the rules-based international order and American diplomatic relations. Sometimes this has led Presidents to decisions that were arguably illegal under international law (e.g., drone strikes in Pakistan, Guantanamo Bay detentions).
Compare this with violations of U.S. domestic law. A federal court can imprison a person for committing a crime. It can conceivably even imprison the President for crimes committed outside the scope of official duties. Thus, adherence to domestic law is required in a way that adherence to international law is not.
Foreign Cyber Law
Foreign law is another country’s domestic law. In countries that adhere to the rule of law, the law functions similarly to U.S. domestic law: it both proscribes and prescribes government action. In all states, it proscribes private conduct.
From the standpoint of an American person or private organization, foreign law constrains action only if that person or organization has sufficient contacts in the foreign country. For instance, Apple does substantial business in China. It also manufactures its products there. Thus, it must conform to Chinese law. This means it must localize data regarding Chinese citizens, partner with Chinese companies, follow censorship laws, and comply with government requests for user data. Of course, a company without operations in China does not need to adhere to these requirements.
Likewise, foreign law does not impose hard constraints on public agencies. These agencies do not fall under foreign jurisdiction. This is true even for agencies like the State Department that have personnel stationed abroad. Those employees receive a degree of diplomatic immunity from prosecution under local laws. In turn, they are expected to respect local laws. But the consequences for failing to do so are diplomatic. Some behavior, such as intelligence collection, necessarily involves violating local law. But all states accept some degree of this behavior as part of the modern international order.
Conclusion
It is not always clear what body of cyber law controls. Much depends on where you sit. But law only functions effectively with a complementary enforcement mechanism. The consensus-based nature of the international system means that adherence to international law may be a policy decision. Adherence to foreign law also may be unnecessary, particularly without substantial contacts in the foreign jurisdiction. But for those under American jurisdiction, U.S. domestic law always imposes constraints with an ability to enforce them. Thus, an American cyber practitioner must always pay attention to U.S. law: Violate that and prison time looms.