Time to Treat Hackers Like Satellites: Why Cyber Needs the Outer Space Rulebook

If you want to understand what’s missing in cyberspace, look up. In 1967, at the height of the Cold War, the international community agreed on the Outer Space Treaty (OST), a legal framework that still governs activity beyond Earth today. The foundational insight of the OST was accountability: if you launch something into space, you’re responsible for what it does.

This principle is made explicit in two provisions. Article VI provides that States bear international responsibility for all national activities in outer space, whether conducted by State agencies or non-governmental entities. Whilst the new Woomera Manual provides much needed nuance to possible interpretations of Article VI, it seems clear that the intent of the provision is to ascribe legal responsibility broadly to private activity – at a bare minimum, a requirement for authorisation and continual supervision. Article VII goes a step further, creating a strict liability regime: if a space object causes damage, the launching State is liable. Fault doesn’t matter. What matters is origin, registration, control, and responsibility.

The 1972 Liability Convention and the 1976 Registration Convention elaborate on this principle, specify procedures for damage claims, and mandate that States must furnish key identifying information about space objects. These instruments reflect an international consensus on the need to regulate responsibility, even if enforcement is uneven.

Why Cyber Needs These Rules

Compare that regime with today’s cyber environment. Ransomware gangs, patriotic hacker groups, and online saboteurs routinely operate from within sovereign borders, often with State tolerance or tacit encouragement. But when the damage spreads, crippling infrastructure, leaking classified data, or disrupting elections, governments disavow any connection: “Not us. Just civilians doing civilian things.” The result is a persistent accountability vacuum.

This is not just a peacetime problem. In armed conflict settings, the legal fog thickens further. It is orthodox to note now that cyber operations increasingly have strategic consequences, including disrupting command-and-control systems or targeting essential civilian services. These activities should, under existing international humanitarian law (IHL), be subject to clear obligations including compliance with the principles of distinction, proportionality, and military necessity.

But within cyberspace, notwithstanding clear principles of State responsibility, attribution is still opaque. When States deny that cyber operations originate from their territory, they also obscure how the law of armed conflict should be applied. Worse still, the decentralised and anonymised nature of cyber capabilities allows States to outsource operations to non-State actors, without bearing the legal consequences that would normally follow in kinetic operations.

The OST offers a compelling alternative. Imagine if cyberspace operated on a similar logic: States would be internationally responsible for harmful cyber operations launched from within their borders, regardless of whether they came from government agencies or private individuals. There would be no need to rely upon the concept of due diligence, imported from international environmental law. The focus would not be on attribution in the narrow technical sense, but on territorial origins, on whether the State has authorised, supervised, or made real efforts to prevent harmful activity.

Acknowledged Complexities

Even in the outer space regime, liability is not always so clear cut. Case studies like the 1978 Cosmos 954 incident or the 2009 collision of Iridium 33 and Cosmo 2251 highlight issues of debris collisions in low Earth orbit. Proving causation, fault, and enforceable responsibility can be extremely complex, despite the formal legal frameworks.

Moreover, the OST’s strict liability principle applies only to damage on Earth or to aircraft, while damage caused in space may still require fault-based determination. This nuance doesn’t invalidate the space model. But it reminds us that law, even when well-framed, struggles in grey zones. Such grey zones are only expanded in cyberspace.

These complexities are actively explored by the Woomera Manual’s authors, who have taken a more cautious approach to State responsibility in outer space, particularly in contexts involving non-government actors. While this post advocates a stronger form of responsibility based on territorial origin and control, it is important to acknowledge that Woomera’s contributors emphasise the difficulties in establishing liability in practice, particularly in Rule 10. They underscore the need for contextual interpretation, especially in light of the operational realities of outer space and the technical difficulties in attribution.

That said, precisely because of these ambiguities, the ambition of the OST regime—its presumption that States must bear ongoing responsibility for activities originating from their territory—remains a valuable normative touchstone. Such a model would close the gap between capability and responsibility. It would encourage States to actively monitor and regulate cyber activity within their jurisdictions, particularly during armed conflict. It would also provide a clearer pathway to reparations, dialogue, and restraint, just as the OST has done for space.

From Orbit to Online

There’s something a bit poetic about borrowing the rules of outer space to fix our problems online. After all, both are vast, hard to police, and full of potential but also risk. The key insight from the OST is this: just because something is complicated doesn’t mean it’s lawless.

So maybe it’s time to stop reinventing the wheel and instead learn from a treaty that’s been quietly keeping the peace above our heads for over fifty years. As we enter a new era of cyber conflict, let’s look not to new metaphors but to existing models that work. Even if imperfect, rules that kept the Cold War cold in space may be just what we need to keep the peace online.

As we navigate an era where armed conflict includes not just drones and missiles but malware and misinformation, the time has come to take the OST seriously, not just as a space treaty, but as a governance template. The rules that kept the Cold War cold in orbit may be just what we need to contain the digital fires of the next one.

***

Dr Samuel White is the Senior Research Fellow in Peace and Security at the National University of Singapore’s Centre for International Law.

The views expressed are those of the author, and do not necessarily reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense. 

Articles of War is a forum for professionals to share opinions and cultivate ideas. Articles of War does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published.

Photo credit: NASA via Unsplash