By the end of 2018, almost 90 countries had adopted a national cyber security strategy reports Ann Väljataga, a researcher at Nato CCDCOE in her recent research paper "Tracing opinio juris in National Cyber Security Strategy Documents."
The diverse interpretations of international law in the cyber context is also reflected in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, which provides a starting point for many national strategies.
However, many grey zones remain, and in this comparative analysis of strategy documents from seven countries, Väljataga argues that national cyber security strategies serve as a valuable source of information to explain how states think and interpret the limits of mandatory, allowed and prohibited behaviour in cyber-space.
A hundred years ago Max Weber defined the state as having a monopoly on the legitimate use of physical force, but cyber muddies the waters by being transnational and non-physical but with potentially violent physical outcomes.
Väljataga explains how in these documents states define their views on sovereignty in cyber-space, due diligence and state responsibility, noting that: "Typically the process of preparation of a national cyber-security strategy is similar to legislative drafting: different interest groups are engaged, the greatest common denominator is found, numerous compromises are made and the final result is approved by all the parties. Therefore it is reasonable to look at any legally relevant statement in cyber-security documents as a result of careful deliberation, reflecting the state´s position on sovereignty, reasonableness and attribution in cyber-space."
Looking at the United States, the United Kingdom, the Netherlands, China, France, Russia and Australia, sovereignty was always recognised as the cornerstone of national cyber-security but there was no consensus about the thresholds for use of force and armed attack.
Countermeasures to state-sponsored cyber-attacks were universally viewed as justified, with Western liberal cyber-policy suggesting the possibility of collective and anticipatory countermeasures. "Alongside evolving state practice and opinio juris expressed through other channels, national cyber-security strategies are also opening up and offering legal thinking on attribution."
The report concludes that national cyber-security strategy documents may contain strong evidence of the norms to which the state sees itself as legally bound and they help shed some light on the capabilities each would deem it reasonable to expect it to use to ensure its cyber-security.