We need an international law of cyberspace
[Commentary] The current zeitgeist seems to be the normalization of cyber insecurity. As someone who believes international law has an (imperfect) role to play in preserving international peace and stability, I find the current scenario increasingly worrisome. The level and breadth of cyber exploitations suggest a world in which actors are engaged in a race to the bottom of every data well they think might be useful for their own purposes, on the theory that their adversaries (and their allies) are all doing the same. In such a world, law seems to be playing a diminishing role. The conventional wisdom suggests intelligence agencies will be intelligence agencies and we should let this play out via diplomacy or power politics. International law has long failed to prohibit espionage and, the thinking goes, by analogy it should also leave cyber espionage alone. If that’s true, international law has little to say about China taking whatever data it can on employees of the US federal government. From a national security perspective, there are important interests that militate against regulating or constraining data collection from abroad.
Yet, I worry that we’re reaching a tipping point: if we concede that international law can do little for the problem of cyber exploitations, we are effectively conceding the rule of law in cyberspace. All of this leads me to ask: is it time to revisit the question of how international law deals with data breaches? I recognize some may say “no” or that after long and careful thought, the answer may remain the same. But the rising importance and success rates of data breaches across the globe suggest it’s high time for international law to at least engage these questions more closely.
[Duncan Hollis is a law professor at Temple University]