Earlier this year at Chatham House, I attended the London book launch of The Tallinn Manual on the International Law Applicable to Cyber Warfare (Schmitt, Michael, ed.; Cambridge University Press, 2013). This is a fascinating work written by an independent group of expert international lawyers at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia.
The book falls into the category of work that lawyers call a "restatement" of law. The expert group decided to describe the rules of cyber warfare law as they exist today. This was a careful analysis based on existing treaties and precedent, and not a "wish list" for laws that they believe should be written. As such, it represents the collective expression of the expert group's opinion about how existing public international law would address questions of cyber warfare. (The book is not, however, an official statement of NATO policy.)
The collective opinion of the expert group is expressed as a series of 95 "Rules". These are about 1-3 paragraphs each. To be reported as a "Rule" the entire group had to reach consensus on the relevant wording. Each Rule is then supported with extensive commentary that helps to highlight the legal argument for the Rule and how it can be interpreted, and also shines a light on related issues on which the expert group did not reach a consensus.
When I opened my fresh new copy of the book, I found the following statement on the first page of Chapter 1:
Section 1: Sovereignty, Jurisdiction, and Control
Rule 1 - Sovereignty
A State may exercise control over cyber infrastructure and activities within its sovereign territoryThe commentary to Rule 1 includes the following:
10. In the cyber context, the principle of sovereignty allows a State to, inter alia, restrict or protect (in part or in whole) access to the Internet, without prejudice to applicable international law, such as human rights or international telecommunications law. The fact that cyber infrastructure located in a given State's territory is linked to the global telecommunication network cannot be interpreted as a waiver of its sovereign rights over that infrastructure.As with any other aspect of international law, the sovereign state is the starting point in understanding how laws apply to cyber activity. To my way of thinking, this is simply the latest refutation (if any more were needed) of the cyberspace fallacy: the fallacy that no law applies to cyberspace.
Bottom line? Borders still matter. As measured by the standards of international law, a sovereign State retains authority with respect to infrastructure "within its sovereign territory". Of course that State may be obliged by treaties or other international law to exercise its authority in a certain manner, but sovereignty remains the first principle from which everything else flows.