For the last 400 years, physical territory has defined international law and politics. The rules on war and state borders were created in relation to a world with real geography and space. Even though the advent of air travel added space above, the concept of sovereignty persisted as a concept of something physical. However, cyberspace is challenging the very notion of sovereignty.

The concept of sovereignty is very old. Arguably it goes back to the Treaty of Westphalia in 1648. There the modern concept of the state was born. Between that Treaty and the 1815 Council of Vienna, the idea that states were defined by fixed, defined, and arguably inviolable physical borders was born.

Modern international law since 1945 is based on the concept of physical sovereignty. This includes human rights law, rules on war and aggression, and so much more.

However, cyber technologies have dramatically changed both social and international relations. Cyber technologies are also challenging important legal concepts that lay down the basis for understanding state and international relations. One such concept is state sovereignty. Hacking into another country’s computer network, or attacking its digital infrastructure is a violation of international law. But in cyber-warfare what sovereign space has been invaded?

Territoriality is the most important aspect of sovereignty, but cyberspace has a borderless nature. Cyberspace can’t be sovereign or to put it simply – can’t belong to one state alone. States can exercise their sovereignty over a part of it, including digital infrastructure, data and activities carried out within its physical territorial borders and, of course, over its residents. However, it might have little power with respect to its data stored in the cloud.

Through men and equipment, it is possible for a state to protect its physical borders, but it is extremely difficult to detect and deter violations of state sovereignty on the Internet.

Violations of sovereignty can only be committed by another state. However, it can be quite complicated to attribute a cyberattack to another state and respond to it. There are a lot of techniques that allow an aggressor to cover their digital tracks. These include IP address spoofing, use of reflector hosts, forgery of MAC addresses and IP addresses, etc.

The idea that state sovereignty extends to cyberspace is problematic because it might be pushed forward by states to limit Internet access, impose censorship, or carry out surveillance operations. However, the reality is that cyberspace is the next frontier and the international community needs to update the rules to address its emergence.

The point that sovereignty can be exercised in cyberspace was adopted by the United Nations in 2015. In addition, the Tallinn Manual 2.0, commissioned by NATO, declares international law applicable to cyber operations, which is often viewed as the most authoritative study on the issue, reflects the view that “the principle of state sovereignty applies in cyberspace.”

In accordance with the Tallinn Manual 2.0, the internal element of sovereignty “presupposes sovereign authority with regard to the cyberinfrastructure, persons, and cyber activities located within its territory, subject to its international obligations.” The document supports the view that state sovereignty extends to data stored in the territory of a state. It was acknowledged in academia that in some circumstances states may exercise prescriptive jurisdiction over such data.

In accordance with the Tallinn Manual 2.0, the external element of sovereignty in cyberspace means, “a state is free to conduct cyber activities in its international relations, subject to any contrary rule of international rule binding on it.” For example, the prohibition of the threat or use of force and interference in the internal affairs of any state is fully applicable to cyber operations.

Another significant thing to discuss here is that sovereignty is not only a state privilege but also a responsibility towards other members of the international community. States have an obligation to not knowingly allow their territory to be used to launch cyberattacks. The principle doesn’t entail any obligation of a territorial state to prosecute those who launch a cyberattack.

A United Nations report in 2015 indicated that “States should also respond to appropriate requests to mitigate malicious [cyber] activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty.” Thus, the United Nations holds a view that states have an obligation to cooperate when such a request is made, especially when dealing with those acts that have the potential to threaten international peace and security.

Despite the fact it is accepted that state sovereignty is applicable to cyber-related activities of states there are some practical questions that might arise. Is it really possible for a state to be “fully independent” in cyberspace? Is it physically possible for a state to exercise its powers “to the exclusion of any other State” in cyberspace? It might be quite problematic in practice.

In fact, Internet infrastructure is mostly owned and operated by private companies. Moreover, the most important functions with respect to Internet governance are fulfilled by private companies and non-state organizations. This means that certain state functions are carried out by private companies. Think AT&T or France Télécom. It doesn’t mean that such companies are exempted from any jurisdiction, however, in certain circumstances state power is limited.

In 2021, Russia fined Facebook millions of rubles for the non-deletion of restricted content. The company didn’t pay the fines and since it didn’t have officially established representative offices and affiliates in Russia it was utterly impossible to enforce the decisions made by the Russian courts. The point here is that the inter-relationship of private companies and states transforms the nature of who or what a state actor is, who is a responsible party under international law, and how to enforce rules in cyberspace.

The way private companies operate the Internet is also a point for consideration. Many functions performed by Big Tech companies such as Facebook, Amazon, and Microsoft are based on algorithms and artificial intelligence. Such algorithms can be aimed at predicting the needs of potential customers, moderating content, or performing facial recognition. At the same time, AI and automated decision-making can exacerbate racial, ethnic, gender bias, or discrimination. For instance, in 2019, Amazon’s facial recognition technology was reported to work poorly with female and darker-skinned users. Because of this, a Google photo app misidentified Black people as gorillas.

Thus, despite these issues about private control of cyberspace, it’s generally accepted that state sovereignty extends to cyberspace and cyber-related activity. At the same time, the scope of state sovereignty is challenged in its application to cyber issues. This is predetermined by the nature of cyberspace, the way the Internet is administered and functions, and a large involvement of private actors operating transnationally in the cyber domain. From that point, it’s possible to make two important conclusions.

First of all, state jurisdiction is more limited in the cyber context. As was indicated above, in many cases states can’t ensure enforcement of their laws with respect to companies that operate on their territory but don’t have official representation there.

Secondly, state sovereignty in its application to cyberspace and cyber-related activity should be understood as conferring on states exclusive rights and also exclusive duties with respect to their own populations in terms of human rights protection and also other members of the international community. The latter should include a duty to cooperate in good faith to mitigate malicious cyber activity aimed at the critical infrastructure of another State emanating from their territory. In this regard, it’s not only a moral necessity but also a duty of a state to employ a mechanism for a coordinated multi-stakeholder approach to ensure security, human rights, and rule of law within the context of cyber-related activities, which derives from its cyber sovereignty.

Overall, international law, including the rules on war, so far has been able to adapt to a new cyber reality. But such adaption has forced a rethinking of major international law concepts which are being tested with each new advance of the Internet and technology.