Year Ahead – The Coming Year’s Evolution in the Law of Cyber Operations
Editors’ note: We are pleased to announce that Articles of War has recently added several thematic editors to our staff. Each editor has contributed a post to this year’s Year Ahead series with thoughts on issues or situations they recommend our readers track over the coming months in their respective field of the law of war. We will resume our usual publications at the conclusion of this series.
As digital technologies continue to develop at breakneck speed, the law often appears to fall ever further behind. Unfortunately, that gap is unlikely to close as the application of international law in cyberspace is not poised for significant evolution in 2025. Despite some advancements, particularly at the regional level, State practice will continue to demonstrate a lack of consensus regarding international law and State cyber operations.
Formal Discussion of Norms and Rules for State Behavior in Cyberspace
In 2025, the UN’s Open-Ended Working Group (OEWG) will continue to make incremental progress in establishing voluntary norms, such as refraining from targeting critical infrastructure and law enforcement cooperation in responding to significant cyberattacks. However, the development of international law in this domain will be challenged by entrenched positions on key issues of disagreement, including the question of creating new binding instruments specific to cyberspace. Nonetheless, significant development will continue to occur within regional bodies such as the African Union and the European Union.
IHL Applicability in Cyberspace Operations During Armed Conflicts
The specific question of international humanitarian law (IHL) applicability in cyberspace will be a key area of contention at the UN OEWG and regional bodies. While State agreement that IHL rules apply to cyberspace operations will continue to expand, the extent to which IHL is viewed as protecting civilian data during armed conflicts will be approached slowly and cautiously. There will be little resolution to the primary questions of defining cyber-attacks and the status of data as an object. One area of advancement will be the increased inclusion of scenario-based explorations of IHL questions by international working groups. Initially, the effect of their inclusion will be limited to defining the primary areas of disagreement with more specificity.
State Practice in Cyberspace
Despite some advancement in academic and diplomatic work, actual State practice in 2025 will only highlight the divergent positions of States. The growing frequency and sophistication of State-sponsored cyber operations—including ransomware attacks on healthcare systems and energy grids—will continue to expose the challenges of achieving consensus. As highlighted by recent reporting on the People’s Liberation Army’s cyber operations, State-sponsored malicious activity against critical infrastructure may not only persist but accelerate, driven by advancements in stealth capabilities and strategic goals. Nevertheless, the international community may draw lessons from the Russia-Ukraine conflict to refine the application of IHL in cyberspace. Included in the legal questions that may see refinement are the status of civilian cyber operators, critical infrastructure protection from cyber operations, and the involvement of neutral parties in cyber defense operations.
Guidelines for the Military Use of Artificial Intelligence
Increased deployment of artificial intelligence (AI) for both offensive and defensive cyber operations will highlight questions regarding accountability and compliance with international law. In 2025, an increased number of States will develop and refine guidelines regarding the responsible military use of AI. As outlined in recent U.S. government initiatives, there is a growing recognition of the need for clear ethical frameworks and oversight mechanisms to govern AI’s application in military contexts. However, not all States are equally invested in these efforts, which may lead to fragmentation in international approaches to AI governance.
Conclusion
In 2025, the evolution of international law in cyberspace will likely remain incremental with significant disparities between diplomatic positions and State practice. Positive dialogue will continue, but persistent disagreement among States on critical issues such as the applicability of IHL, the protection of civilian data, and the regulation of artificial intelligence in military contexts will remain. The most significant advancements will come from agreements in regional organizations and, hopefully, through the increased inclusion of scenario-based explorations as part of inter-State dialogue. Nevertheless, State practice, particularly the continuation of State-sponsored malicious cyber operations, will underscore the urgent need for more binding solutions.
***
Jeff Biller is an Associate Professor of Cyber Law and Policy with CyberWorx, a department of the Office of Research at the United States Air Force Academy (USAFA).
Photo credit: Unsplash
