Digital Borders: When Your Server Room Becomes a Battlefield

Sovereignty was built for castles and borders. Cyberspace has neither. And international law is scrambling to catch up.

For centuries, sovereignty was straightforward. Your territory ended where mine began. Borders were lines on maps, defended by walls, armies, and awkward border control conversations about whether that salami counts as a restricted item. Then came the internet, and suddenly your government's data could be stolen from a server room in Virginia by someone in St Petersburg whilst they sip coffee in a café in Shanghai.

Welcome to the sovereignty crisis of the digital age, where the rulebook for international law meets technology that couldn't care less about national boundaries.

The Vanishing Border Problem

Here's the uncomfortable truth: cyberspace operates on a completely different logic to physical territory. A cyber operation can disrupt infrastructure, manipulate information, or nick sensitive data across multiple countries simultaneously. Unlike a traditional border violation—where you can point to the tanks rolling across—cyber intrusions often leave no visible trace and can be conducted through intermediaries, compromised systems, or proxies that make identifying the attacker like playing geopolitical Guess Who.

States broadly accept that existing international law applies to cyberspace, including sovereignty, non-intervention, and the prohibition on the use of force. That's the easy bit. The hard bit? Figuring out what those principles actually mean when a 19-year-old with a laptop can potentially cripple a power grid from their parents' basement.

The Attribution Nightmare

Before a state can respond to a cyber operation, it needs to know who's responsible. Sounds simple. It's absolutely not.

Operations can be routed through third-party infrastructure in countries that have nothing to do with the actual attack. Systems can be compromised and used without their owners' knowledge. Attribution becomes a technical puzzle wrapped in a political minefield, and without reliable attribution, legal remedies and countermeasures are nearly impossible to justify.

The UK estimates it's on the receiving end of around ten cyber attacks a week, most by state-sponsored hackers. These attacks don't constitute a use of force and don't reach the threshold for armed conflict. They often leave no physical trace. But they cause significant economic and political damage.

So what can you do about it?

The Great Sovereignty Debate (Or: Why Experts Can't Agree on Anything)

This is where things get properly messy. States fundamentally disagree on whether cyber operations can violate sovereignty as an independent rule of international law, or whether sovereignty is just a principle from which other rules flow.

The Tallinn Manual 2.0, produced by NATO's Cooperative Cyber Defence Centre of Excellence with a team of 19 international law experts, tried to clarify how international law applies to cyber operations. It's become hugely influential—and hugely controversial.

The experts unanimously agreed that sovereignty could be violated by cyber operations causing permanent loss of functionality to infrastructure or resulting in physical damage. But that's where consensus ended. They couldn't agree on whether cyber operations below that threshold—things like data theft, espionage, or manipulation that don't cause physical damage—violate sovereignty.

And that grey zone? That's where most cyber activity actually happens.

Team "Sovereignty Is a Rule" vs Team "No It Isn't"

Some countries argue that any unauthorised intrusion into their systems violates sovereignty. France stated in 2019 that any unauthorised cyber intrusion into French systems would constitute a sovereignty violation. The Netherlands agrees. So does the African Union, which recently rejected the Tallinn Manual's more permissive approach.

Then there's the UK. In 2018, then-Attorney General Jeremy Wright took a remarkably different position. He argued that sovereignty is a principle, not a standalone rule that can be directly violated: "I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention."

Translation: unless a cyber operation reaches the level of coercive intervention—forcing a state to do something or preventing it from acting freely—it's not unlawful under international law. Annoying? Yes. Unfriendly? Sure. Illegal? Not necessarily.

The US Department of Defense initially took a similar view, though different US officials have said different things at different times, because consistency is apparently optional.

Why This Actually Matters (Beyond Legal Nerdery)

This isn't just academic hair-splitting. The ambiguity creates massive strategic risk.

If the threshold for violation is set too low, routine digital activity—intelligence gathering, network reconnaissance, even benign transiting through another country's infrastructure—could be framed as unlawful. The internet would become a minefield of potential international incidents.

If it's set too high, states feel emboldened to conduct aggressive cyber operations without consequence, knowing victims have limited legal recourse. The result? A cyberspace governed by power and capability rather than law.

As Professor Luke Chircop from the University of Melbourne argues, states have been exploiting this legal ambiguity to carry out harmful cyber operations "on the legal margins, with relative impunity, at the expense of peace and stability."

The Enforcement Problem (Or: How Do You Sanction a Ghost?)

Even when you can identify an attacker and prove they've violated international law, enforcing consequences is devilishly difficult.

Traditional responses—diplomatic protests, sanctions, self-defence—are hard to calibrate in cyberspace. Retaliation risks unintended effects on civilian networks or third-party states who had nothing to do with the original attack. And proportionality becomes a nightmare when the scale and impact of harm are difficult to measure.

How do you proportionally respond to data theft? To election interference through information manipulation? To espionage that causes no physical damage but compromises national security?

The UK has argued that states aren't legally obliged to give prior notice before taking countermeasures in response to covert cyber intrusions. The logic? Prior notice would expose sensitive capabilities and undermine the effectiveness of the response.

Which is perfectly reasonable from an operational perspective but raises obvious questions about accountability and escalation.

The Public-Private Muddle

Here's another complication: most of the internet infrastructure states rely on is privately owned and operated. Cyber operations may involve state agencies, criminal groups, or hybrid arrangements that blur responsibility beyond recognition.

This raises awkward questions. How much control do states actually have over digital space within their "territory"? What obligations do private companies have under international law? And when a state-sponsored group uses private infrastructure to attack another country, who's accountable?

Carnegie Endowment notes that international law primarily regulates states, not companies or individuals. But if you can't reliably attribute cyber activity to a state, the whole system starts to wobble.

Where We Go From Here (Spoiler: Nowhere Fast)

UN processes—the Groups of Governmental Experts and the Open-Ended Working Group—have tried to articulate principles of responsible state behaviour in cyberspace. They've produced valuable dialogue and affirmed that international law applies. But they've stopped well short of establishing binding rules.

The result is a legal landscape characterised by strategic ambiguity. States assert their interpretations through practice, shaping the law incrementally rather than through formal agreement. Some call it adaptive. Others call it a recipe for constant low-level confrontation.

And here's the kicker: both might be right.

Overly rigid regulation could stifle innovation and restrict legitimate digital activity. But without clearer norms, cyberspace risks becoming an arena where might makes right and legal accountability is optional.

The Uncomfortable Reality

International law must adapt to technological realities without abandoning its core principles. Sovereignty may no longer be defined solely by physical borders, but it still matters—as a framework for responsibility, restraint, and hopefully stability.

The challenge isn't whether sovereignty applies in cyberspace. It's how it should apply. And whether states can agree on an answer before the next major cyber incident forces the issue.

Currently, the global community is learning by doing, with each cyber attack, response, and attribution attempt slowly building a body of practice that will eventually crystallise into customary law. Or escalate into something nobody wants.

As Tallinn Manual 3.0 gets underway—a five-year project to update the guidance—one thing is clear: the questions aren't getting simpler. Autonomous agents, AI-powered malware, and hybrid warfare strategies are pushing existing legal doctrines beyond their limits.

The law was designed for tanks and borders. Now it's dealing with algorithms and data packets. And whilst international lawyers scramble to update the rulebook, states are already playing the game.