Full Text

In the early weeks of October 2020, sprawling across 100 countries, an enhanced form of cyber weapon called a botnet began positioning itself to influence the U.S. Presidential election.1 Nicknamed Trickbot, the weapon was a for-rent botnet that had surreptitiously implanted malicious software into nearly 250 million systems across the globe, massing computing power through hundreds of millions of "zombie" computers.2 Through its continent-spanning, decentralized design, Trickbois threat structure aggregated worldwide computing power.3 As it began directing that computing power toward U.S. voter registration and electronic polling infrastructure, U.S. Cyber Command (USCYBERCOM) identified the botnet's activities.4 United States Cyber Command quickly "flooded" Trickbois systems by deploying software into information infrastructure spread across the planet.5 That act preemptively cut off Trickbois opportunities to influence election computer infrastructure and helped preserve the integrity of the ensuing election.6 However, in undertaking its operation, legal advisors at USCYBERCOM had to confront a key, unsettled legal question7: Could the United States take preemptive action against a cyber threat located on other countries' soil without those foreign states' consent?

The Trickbot disruption operation was not the first time USCYBERCOM had confronted this question in a publicly-known operation. In Operation GLOWING SYMPHONY, which took place four years prior, U.S. cyber operators remotely infiltrated Islamic State (ISIS) militants' computer networks, data storage accounts, and smartphones located in at least five countries.8 The Islamic State had been utilizing systems in these particular states to store and disseminate propaganda.9 Upon gaining access to those foreign systems, U.S. cyber operators deleted troves of propaganda material, severed the terrorists' access to data, and dropped software into programs to deplete batteries and disrupt hardware functionality.10 As such, Operation GLOWING SYMPHONY presented the same critical question of international law as the Trickbot disruption operation: Is consent or other justification required before undertaking cyber operations in computer systems located in another state?

Despite the "un-territorial" nature of most cyber activities,11 some states have taken the position that cyberspace is governed by a universal law of trespass flowing from the broader concept of territorial sovereignty, a principle that recognizes a state's internal control over its territory.12 Accordingly, government leaders and their legal advisors must analyze whether territorial sovereignty operates as a binding rule of exclusion under international law, thereby requiring consent...