Revisiting past cyber operations in light of new cyber norms and interpretations of international law: inching towards lines in the sand?

This article traces the evolution of interpretations of international law and international cyber norms on responsible state behaviour in cyberspace by reassessing five major – and allegedly state-led – cyber operations: Stuxnet 2010; Belgacom 2013-2014, the Ukrainian power grid 2015, the US presidential election 2016, and NotPetya 2017. Taking recent normative developments and emerging state practices as primary points of refence, it investigates how the current normative landscape can shed light on the nature, (il)legitimacy, and (un)lawfulness of these past operations. For each case, the analysis engages with: i) the elements triggering the violation of norms, principles and international law; ii) the legal and normative significance of recent sources of norms and interpretations of international law; and iii) the legal and political obstacles still lying beyond their application. Taken together, the reassessment of these cyber operations reveals how, in hindsight, the international community has come a long way in calibrating its normative language and practices in calling out irresponsible behaviour in cyberspace. With states taking small, but unprecedented, steps through public attributions and statements on international law in cyberspace, most of the past cyber operations analysed here would arguably feature an attribution in the current climate. At the same time, substantial differences in national interpretations of international law continue to stand in the way of clarity on the terms of its application. In light of this, this article ultimately suggests that cyber norms and the interpretations of international law require further granularity to become ‘lines in the sand’.