International law is a foundational pillar of the modern international order, and its applicability to both state and nonstate cyber activities is, by now, beyond question. However, owing to the unique and rapidly evolving nature of cyberspace, its ubiquitous interconnectivity, its lack of segregation between the private and public sectors, and its incompatibility with traditional concepts of geography, there are difficult and unresolved questions about exactly how international law applies to this domain. Chief among these is the question of the exact role that the principle of sovereignty plays in regulating states’ cyber activities.

Globalization has not conquered sovereignty. Instead, the notion of sovereignty occupies center stage in discussions concerning the normative architecture of cyberspace. On the diplomatic level, the term is generally employed in its broadest sense, one that signifies freedom from external control and influence. For instance, when Western states raise the issue of human rights in cyberspace, those on the opposite side of the negotiating table fall back on sovereignty-based arguments. Mention of sovereignty in consensus documents is consequently often the price that liberal democracies pay to advance their policy priorities, such as individual freedoms and the availability of self-help measures in response to hostile cyber operations.

One of the gentle surprises of the release of the Tallinn 2.0 Manual is that it has prompted a rich debate over the nature of sovereignty in international law. In hindsight, this should not be too surprising. The modern, Westphalian project of international law is built in large measure around the state and its borders. The emergence of a technology that so readily defies those borders was bound to kick up some interpretive dust. And it appears to have done even more than that. Depending on your perspective, the Tallinn translation of international law to the cyber domain has either forced a reconsideration or surfaced a latent dispute over whether sovereignty is a binding rule of international law at all.

Tallinn 2.0 grapples with the application of general international law principles through various hypothetical fact patterns addressed by its experts. In doing so, its commentary sections provide a nonbinding framework for thinking about sovereignty, raising important considerations for states as they begin to articulate norms to resolve the question of precisely what kinds of nonconsensual cyber activities violate well-established international laws—a question that will likely be the focus of international lawyers in this area for some time to come.

In Sovereignty in Cyberspace: Lex Lata Vel Non?, Michael Schmitt and Liis Vihul argue that territorial sovereignty is a primary rule of international law that limits cyber activities. They recognize, however, that not all cyber effects constitute violations of territorial sovereignty, and like Rule 4 in the Tallinn Manual 2.0 and its commentary, they acknowledge a distinct lack of consensus among the Tallinn participants on the critical question of applicable thresholds. Problematically, they do not identify the necessary state practice and opinio juris that would be required to establish either the primary rule that they proffer or the existence and contours of the exception they would recognize.