Rule of Law in Cyberspace

Mika Kerttunen Opinions

As Montesquieu advocated, the rule of law and separation of powers are necessary to protect citizens and individuals from arbitrary rule by the state. Intensified measures to secure cyberspace risk leading to expert and political decisionmaking being kept outside of public and political debate and scrutiny. Deliberate separation of state cyber agencies and functions strengthens the rule of law, transparency and accountability of cyber and digital affairs.

A household name in European political thought, Charles Louis de Secondat, better known as Baron de Montesquieu, is understandably not the most common protagonist in current cyber-digital affairs. He obviously did not write of cyber-digital issues in his key 1748 work, De l’Esprit des Loix. However, in this post, I argue that Montesquieu’s signature thought, the doctrine of separation of powers, is highly relevant to contemporary European cyber agendas. (That the roots of the doctrine are mainly English and predate Montesquieu does not undermine the fact that he has become the embodiment of the separation of powers.)

Applying Montesquieu’s doctrine suggests two courses of action. The first is deliberate separation, rather than centralisation, of state cyber powers: national incident management, law enforcement, intelligence, military cyberdefence and diplomacy. The second is deliberate and constitutional inclusion of the legislature and public and private sectors in preparation, decisionmaking and cyber action.

Separation of Powers for the Rule of Law

Two main arguments support the separation of state powers. Instrumentally, we may argue that heterogeneous handling of complex public issues improves the quality of decisionmaking. Although siloed processes are often mocked, they exist for a reason. Principally, separation of powers serves its original function as a mechanism to ensure the rule of law, preventing the abuse of (executive) power and the lesser fear of militarisation of state affairs. This is achieved through constitutional restraints – both legal and institutional – preventing and disabling the government, government agencies, individual politicians, civil servants, military officers or any faction “from oppressing the rest of the society”. And herein lies the crux of the rule of law: it protects from the potential evil and enemy “within”: both within the system and within the human being. Now, it’s important to remember that evil, in terms of political thought, does not necessarily appear as an intentionally subversive element or as some sort of right- or left-wing fifth-columnist. A well-meaning technocrat will do just fine!

Translated to the cyber realm, whereas cyber awareness, cyber hygiene and cybersecurity are needed to counter criminals, and even occasionally to rein in foreign states and proxy actors, the rule of law and the separation of powers are necessary to protect citizens and individuals from arbitrary rule by the state. Privacy, dignity and the inviolability of political and individual freedoms are as important online as they are in the real world. For liberals, this command is universal, systemic and absolute. It is also impersonal; it is not about any particular government or official being good or bad, per se, but about sustainable rights and freedoms which require precautions be taken against even unforeseeable enemies. Checks and balances are needed: that is what the European Commission is saying.

The European Commission Communications on strengthening the rule of law within the EU acknowledges that the rule of law is “a well-established principle” and “well-defined in its core meaning”. A core passage of the Communications aligns with the classical liberal thought outlined above: all public powers always act within “the constraints set out by law, in accordance with the values of democracy and fundamental rights, and under the control of independent and impartial courts.” Moreover, the rule of law is considered “a precondition for ensuring equal treatment before the law and the defence of individual rights, for preventing abuse of power by public authorities and for decisionmakers to be held accountable.” Accordingly, the Commission assessment analyses member states’ adherence to the principle on four factors: justice systems, anti-corruption framework, media pluralism and other institutional issues related to checks and balances. The very existence of this Communications witnesses the erosion of democratic practices and institutions even in liberal democracies.

The Internet has not remained free of oppressive and anti-liberal state action either. Internet shutdowns have become a common reaction to domestic political and social turbulence. Ultimately, both in established liberal democracies and more authoritarian states, cyber- and information security measures prioritise the state over the individual, expert opinions over political ones, decisionmaking by few over decisionmaking by many and state sovereignty over international obligations. And among those obligations, human rights are some of the most debated.

States are constantly renewing their digital policies and national cyber- or information security strategies. They establish new national security agencies and cybersecurity centres in the name of security and effectiveness. Thus, the cybersecurity governance system is a good point at which to start considering rule of law – and separating state cyber powers.

Separation of State Cyber Powers – and Checks and Balances

What does separation of state cyber powers look like in practice? First, it means acknowledging and strengthening different agencies’ existing and differing mandates and capacities. Instead of merging or consolidating government digital and cybersecurity agencies, we should keep intelligence, law enforcement and computer emergency response entities separated. Such a healthy separation helps to preserve their independence and integrity from political interference, too.

It should be obvious that the armed forces, the monopolistic custodians of state violence, must limit their focus to military defence and play only a supporting role in national cybersecurity. Similarly, foreign policy considerations should not bias or impact, for example, intelligence and technical assessments or digital forensics. This does not undermine the primacy of the political, as the ultimate say is political.

Because of the primacy of the executive branch and its agencies in drafting, preparing and taking action, legislative ex post factum oversight mandates need to be accompanied by direct parliamentary involvement. Many cyber questions which appear to be technocratic – for example, responding to cyberattacks, establishing cyber commands, enhancing digital surveillance – are in fact political and principal by nature. Public debate among parliamentarians and the public offers checks and balances a priori. The ultimate say needs to be political.

Such a dispersed governance system necessitates effective coordination and harmonisation. Cybersecurity cannot be solved in hermetic siloes. Cross-sectorial and -domain communication and information sharing can be achieved by allowing and demanding domestic legislation and by establishing appropriate venues and procedures: for example, scheduled meetings, a shared lexicon and templates and mandatory training and exercises.

Obviously, private sector involvement must also be strengthened. It is a challenge for both public- and private-sector actors to share information with their counterparts in a timely and relevant manner. It is also challenging to find the right balance between acting quickly when necessary and following constituted principles. Pre-planned, jointly discussed and exercised measures, such as principles and procedures of attribution for different levels and sectors, satisfy the demands of both effectiveness and the value-based principles of handling. To make these mandates, authorities, rules and principles sustainable, implementable and accounted, they must be written and anchored in legislation. Those working in cyber affairs can use similar means as those used in developing, employing and overseeing other policies, technical and operational capabilities and human and organisational competences.


In the name of effectiveness and speed, centralised and expert authorities are widely admired. The appointment of ‘Cyber Czars’ may suit some political cultures. However, European political culture is still based on pluralism of thought, transparency of public action and decisionmaking by debate.

The separation of powers is but a tool for the rule of law. Similarly, the rule of law is not just a principle, but a vehicle to achieve the objectives of liberal rule: freedom from fear and favour, justice and, as the European Commission adds, “an internal market, where laws apply effectively and uniformly and budgets are spent in accordance with the applicable rules.” To ensure the achievement of these objectives, power needs to be dispersed among ministries, departments and agencies. This applies to cyber affairs, too. Moreover, it is necessary to deliberately include the legislative, public and private sectors in the political drafting of digital and cybersecurity policies and strategies. Only then can we start expecting pluralism and democratic exchange of ideas to start taking place in cyber-digital affairs.

The field of cyber and digital issues is no less societally important, no less politically relevant and no less essential to power than any other societal, national or international field, such as peace and security, governance, sustainable development or the relationship between the individual and the state. Therefore, ‘pre-cyber’ thinkers such as de Secondat matter. In developing national cyber- or information security, well-meaning procedural development may contradict our foundational political values and principles. Especially when individual rights and freedoms and the continuance of the liberal political order are on the line, it is better to be safe than sorry.



About the Author

Mika Kerttunen

Mika Kerttunen is Director of Studies, Cyber Policy Institute, and Adjunct Professor in military strategy at the Finnish National Defence University.
