Influential resource on international cyber law updated for 2024

An influential legal resource utilized by countries worldwide to navigate the complexities of cyber capabilities has been updated for 2024. The Cyber Law Toolkit serves as an interactive online guide that helps understand the legal dimensions of cyber operations on the international stage. It is a vital resource for governments and military lawyers globally.

This unique project charts key cyber incidents around the world, offering a comprehensive database of national positions on international law concerning cyber operations. Government officials and military commanders often refer to the Toolkit for legal advice before undertaking operations or when devising defenses against potential cyber attacks.

The 2024 update introduces new scenarios and real-world cyber incidents, reflecting pressing contemporary challenges in cyberspace. These include state-sponsored cyber operations, incidents targeting critical infrastructure, and the evolving threat landscape posed by non-state actors.

As more countries publish their positions on international law in cyberspace, the Toolkit also aids those yet to formalize their stances. Its database provides an unprecedented comparative tool for understanding diverse state approaches to applying international law in cyberspace.

The Toolkit features 32 hypothetical scenarios based on real-world examples, each accompanied by detailed legal analysis. These scenarios examine the applicability of international law and the legal questions they raise. Regular updates ensure the Toolkit remains aligned with the latest developments in international law and cyber operations, continuing its tradition of providing fresh insights into global developments and reflecting the latest state practices and expert opinions.

Key contributors to the project include Professor Kubo Macák from the University of Exeter, Tomáš Minárik from the Czech National Cyber and Information Security Agency, and Otakar Horák from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Over 50 external experts and peer reviewers have assessed both individual scenarios and the Toolkit as a whole.

Professor Macák emphasized the Toolkit's importance, stating, “As cyber operations become more integral to military and governmental strategies, understanding the legal parameters is vital. The Cyber Law Toolkit continues to be an essential resource for those navigating these complex issues, offering up-to-date, practical guidance on how international law applies to cyber incidents.”

Among the new scenarios in the update, Scenario 30 focuses on states establishing and countering backdoors in each other's networks. Scenario 31 examines the sharing of degrading content during armed conflict, while Scenario 32 explores whether certain cyber operations could lead to individual criminal responsibility for the crime of aggression.

The repository of real-world examples has grown to include 72 incidents, with recent additions from 2023, such as the cyber incident against a water authority in Pennsylvania, operations against NATO’s aid mission in Turkey and Syria, and the data breach at the International Criminal Court.

The Toolkit also tracks 39 national positions and one common position from the African Union. Notably, several states, including Austria, the Czech Republic, and Costa Rica, have recognized the Toolkit as a valuable resource in formulating their positions. Costa Rica highlighted the Toolkit as a legal capacity-building initiative during its statement at the UN Security Council's open debate on addressing evolving threats in cyberspace in June 2024.

The Toolkit is backed by six partner institutions: the Czech National Cyber and Information Security Agency (NÚKIB), the International Committee of the Red Cross (ICRC), the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the University of Exeter (UK), the U.S. Naval War College (US), and Wuhan University (China).

Looking ahead, the project team is inviting proposals for new scenarios to be included in the 2025 update. Each submission should describe a hypothetical cyber incident and discuss the international legal issues it raises, with a deadline for submissions set for November 15, 2024. Successful authors will receive an honorarium.