One of the most challenging questions of the contemporary world is whether existing international norms apply in cyberspace.

Since widespread personal, commercial, and governmental use of the Internet began in the mid-1990s, individual states’ efforts to facilitate the use of cyberspace and protect users from malevolent activities are yet to provide a sustainable solution.

During this period, the Internet has become increasingly important to social, economic, and political life around the world, but threats, such as cyber-crime, expanded as well.

For the first time, in 2007, it became publicly clear that cyber operations are a powerful tool for conveying political or strategic messages by States, non-State groups and individual hackers. 

Cyber operations also made the international community aware of how cyber operations could be used to dramatically disrupt life in a country. This issue raises a question if the cyberspace should remain unregulated. If it needs to be regulated, how?

To begin with, cyberspace is the virtual environment in which computers interact with other computers. Many functions of modern-day society are heavily reliant on cyberspace.  From communications and commerce to defense and security, activities in cyberspace are now part of everyday life for many people. 

These activities involve significant interactions between individuals and entities in different States and have innumerable real-life repercussions in the territory within the jurisdiction of one or more states.

To give just a few examples: transactions over the Internet or e-commerce; communications through social media; the use of cyber ‘currencies’ such as bitcoin and others that rely on blockchain technology; cyber-attacks committed by actors in one State against the critical infrastructure in another State; the use of cyberspace by one State to interfere in the political processes of another State; the collection of intelligence or other acts of espionage in cyberspace or economic espionage; and the use of cyberspace for military purposes, such as shutting down an adversary’s communications platform during a military operation.

Although the devices that generate activities in cyberspace (servers, computer networks, and the like) exist within the traditional territory of States, the interactions between these devices do not take place within the territory of a State or States in the traditional sense. 

As a result, activities in cyberspace raise significant questions regarding how best it can be regulated internationally. In other words, should there be international institutions or international governance in the areas of sovereignty, jurisdiction, and extraterritoriality?

Like in many areas, such as environment, investment, and human rights, States need to cooperate and regulate cyber-related activity beyond a country’s physical boundaries (territory). Indeed, States may take action through cyberspace to mitigate cyberspace threats.

Although there is general agreement that international law applies in cyberspace, activities conducted in cyberspace frequently raise novel jurisdictional questions or seem to be prime candidates for international agreements.  An electronic transaction between a company in State A and a company in State B may actually travel through servers located in a given State. It is not always clear which State’s laws and rules govern such behavior.  

To give but one example, in 2018, the U.S. Supreme Court reversed a long-standing U.S. doctrine requiring that a merchant have a physical presence in a U.S. state in order for that state to have the authority to tax Internet sales to consumers in that state. This outcome has international implications because the same logic would appear to apply to Internet sales involving sellers in other countries.

At this time, there is relatively little specific international governance of cyberspace.  To date, discussions regarding various aspects of the international legal framework for cyberspace have taken place with mixed success.

An example of an existing supranational law that may well develop into an international norm in cyberspace is the European Union’s General Data Protection Regulation (GDPR).

 Generally speaking, the GDPR governs the handling within the European Union of personally identifiable information of individuals and the export of such data, and it applies to enterprises doing business with the European Union. Given the breadth of its coverage, the GDPR may result in the establishment of international norms that govern the handling of personal data.

Generally established international law also applies to cyberspace, of course, such the U.N. Charter’s restrictions on the use of force in another State’s territory, or the customary international law prohibition against intervention in the internal affairs of another State. 

International norms establishing responsibility for environmental harm to another State or areas beyond national jurisdiction also apply in cyberspace. It can be expected that international law, institutions, and norms will continue to be developed to deal with these and other cyberspace issues.

There’s a need to have international regulatory framework to ensure that cyber-technologies are open, interoperable, secure, reliable, and stable. Pursuing these objectives globally requires the States’ commitment to addressing cyberspace-threats.

Threats to cyberspace pose one of the most serious economic and national security challenges of the 21st Century for all countries without exception. Which standards or norms should apply to ensure that data shared or stored in cyberspace is safeguarded from corruption, compromise or loss? 

When a company in one country stores its data in another country, whose laws govern the access to and security of that data?

The writer is a law expert.