NETmundial, Borders in Cyberspace, and a Duty to Hack

NETmundial, Borders in Cyberspace, and a Duty to Hack

Last week’s NETmundial conference serves as a reminder of just how much the nature of cyberspace remains (at least theoretically) undetermined.  We still can’t agree on what kind of resource cyberspace “is”:  Is it a global public good as Sir Tim Berners Lee proclaimed (i.e., a res communis) or just a collection of technology subject to sovereignty regulation like so many other resources?  This theoretical divide may help explain the continuing back and forth between multi-stakeholder governance (which includes, but does not privilege, a role for States) versus the multilateral governance project (which most certainly does).  NETmundial may have been a net plus for multi-stakeholder proponents, but I’m much less sanguine that it represents an end to claims that cyberspace can — and should — be regulated primarily by government controls over internet resources (for more on the details of NETmundial and its final statement see Milton Mueller’s take-away here).

My skepticism about how international law will draw borders for cyberspace governance leads me to think about other roles borders can play in cyberspace — that is, using international law to draw lines separating acceptable from unacceptable behavior, permitted conduct from required conduct, etc.  I’ve drafted a new chapter that, in the context of cyber war, examines both the ways we draw law from borders and borders from law in cyberspace.  I critique the status quo on both theoretical and functional grounds, concluding that we should seek to start a new process not just for constructing governance regimes, but normative ones as well.  Consistent with the book’s central focus on cyber war, I proffer a case-study for such an approach with respect to armed conflicts, arguing international humanitarian law should adopt a Duty to Hack.  My idea is that, even though it does so only occasionally now, international law should regularly require States to use cyber-operations in their military operations whenever they are the least harmful means available for achieving military objectives.  You can download a copy of the paper here on SSRN.

For those looking for more details, here’s the abstract:

Warfare and boundaries have a symbiotic relationship. Whether as its cause or effect, States historically used war to delineate the borders that divided them. Laws and borders have a similar relationship. Sometimes laws are the product of borders as when national boundaries delineate the reach of States’ authorities. But borders may also be the product of law; laws regularly draw lines between permitted and prohibited conduct or bound off required acts from permissible ones. Both logics are on display in debates over international law in cyberspace. Some characterize cyberspace as a unique, self-governing ‘space’ that requires its own borders and the drawing of tailor-made rules therein. For others, cyberspace is merely a technological medium that States can govern via traditional territorial borders with rules drawn ‘by analogy’ from pre-existing legal regimes.

This chapter critiques current formulations drawing law from boundaries and boundaries from law in cyberspace with respect to (a) its governance; (b) the use of force; and (c) international humanitarian law (IHL). In each area, I identify theoretical problems that exist in the absence of any uniform theory for why cyberspace needs boundaries. At the same time, I elaborate functional problems with existing boundary claims – particularly by analogy – in terms of their (i) accuracy, (ii) effectiveness and (iii) completeness. These prevailing difficulties on whether, where, and why borders are needed in cyberspace suggests the time is ripe for re-appraising the landscape.

This chapter seeks to launch such a re-thinking project by proposing a new rule of IHL – a Duty to Hack. The Duty to Hack would require States to use cyber-operations in their military operations whenever they are the least harmful means available for achieving military objectives. Thus, if a State can achieve the same military objective by bombing a factory or using a cyber-operation to take it off-line temporarily, the Duty to Hack requires that State to pursue the latter course. Although novel, I submit the Duty to Hack more accurately and effectively accounts for IHL’s fundamental principles and cyberspace’s unique attributes than existing efforts to foist legal boundaries upon State cyber-operations by analogy. Moreover, adopting the Duty to Hack could constitute a necessary first step to resolving the larger theoretical and functional challenges currently associated with law’s boundaries in cyberspace.


Foreign Relations Law, General, International Human Rights Law, Latin & South America, National Security Law, Organizations
Notify of
Jeffrey L. Vagle
Jeffrey L. Vagle

I very much like the direction of this paper, but have reservations re a government’s ability to completely understand or control the full effects of cyber operations. I concede, of course, that a typical cyber operation would not come close to the possible collateral damage to life and property that even the most “surgical” of air strikes would likely create. But, as we’ve seen in the past, software–especially complex software such as virii and other purpose-built malware–tend not to behave exactly as planned in the long run, and can live on to infect systems that were never targeted, even among friendly nations.
Even worse, because of the complexity and unknowable nature of cyberspace, I’m concerned that states may overreact to cyber operations based on (possibly irrational) fear of this unknown, especially among the less technical persons of authority (and there’s more than a few of these) in government.


[…] The reliance on new terms to describe war can be devastating.  Our focus on what might be “cool” has lead some to suggest we need to actually support drone, robotic, and cyber warfare.  These types of war are less likely to directly involve humans and therefore are cleaner.  We then have a “duty to hack.” […]


[…] NETmundial, Borders in Cyberspace, and a Duty to Hack – Opinio Juris […]