National Cyber Security Strategies Reveal States' Thinking about Rules in the Cyberspace

National cyber security strategies serve as an useful tool to identify a state’s general position in regards to the rules and principles in cyberspace, finds the NATO CCDCOE’s law researcher Ann Väljataga in her recent research paper “Tracing opinio juris in National Cyber Security Strategy Documents” published by the CCDCOE.

By the end of 2018, almost 90 countries had adopted a national cyber security strategy. Diverse interpretations of international law in the cyber context are well reflected in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, a process and publication led by the CCDCOE, providing a comprehensive overview of various legal questions that arise with respect to cyberspace. At the same time, international cyber law has still many gray zones. In the comparative analysis of strategy documents from seven countries, the CCDCOE law researcher Ann Väljataga argues that national cyber security strategies serve as a valuable source of information on how states think and interpret the limits of mandatory, allowed and prohibited behaviour in cyberspace.

“Although cyber strategies are not legally binding, in these documents states often express their views on issues including but not limited to sovereignty in cyberspace, due diligence and state responsibility, “ explains Ann Väljataga, author of the study. “Typically the process of preparation of a national cyber security strategy is similar to legislative drafting: different interest groups are engaged, the greatest common denominator is found, numerous compromises are made and the final result is approved by all the parties. Therefore it is reasonable to look at any legally relevant statement in cyber security documents as a result of careful deliberation, reflecting the state’s position on sovereignty, reasonableness and attribution in cyberspace.”

The present study examines how the national cyber security strategy documents of the United States, the United Kingdom, the Netherlands, China, France, Russia and Australia view the grey zones. It appeared that sovereignty is always recognized as the cornerstone of national cyber security. While the majority of the studied documents did acknowledge that along with cyber sovereignty comes responsibility, there was no consensus about the thresholds for use of force and armed attack.

“Drawing from an almost universal understanding that countermeasures are justified in tackling state-sponsored cyber-attacks, the states representing a more Western liberal cyber policy suggest the possibility for opening the door to collective and anticipatory countermeasures, “ says Ann Väljataga. “Alongside evolving state practice and opinio juris expressed through other channels, national cyber security strategies are also opening up and offering legal thinking on attribution.”

National cyber security strategies may contain strong evidence of the norms to which the state sees itself as legally bound. Similarly, these documents help to shed some light on the capabilities it would be reasonable expect from a country to tackle the issues of cyber security.

NATO Cooperative Cyber Defence Centre of Excellence is a Tallinn-based knowledge hub, research institution, and training and exercise centre. The international military organisation is a community of 21 nations providing a 360-degree look at cyber defence, with expertise in the areas of technology, strategy, operations and law.

NATO CCD COE is home of the Tallinn Manual 2.0, the most comprehensive guide on how International Law applies to cyber operations. The Centre also organises the world’s largest and most complex international technical live-fire cyber defence exercise Locked Shields and the International Conference on Cyber Conflict, CyCon, a unique event joining key experts and decision-makers of the global cyber defence community in Tallinn.