5th Meeting of the first substantive session of the Open-Ended Working Group (OEWG)

Event report

The fifth meeting of the first substantive session of the Open-Ended Working Group (OEWG) started and the representative of Japan took the floor saying that cyberspace must not be a lawless zone. States should be bound by international law in cyberspace and there should be consequences to their actions. Japan considers that the existing national law, including the inherent right of self-defence, the UN Charter, and International Humanitarian Law (IHL) is applicable in cyberspace. Also, based on state responsibility, a state may take various counter-measures against a cyber-attack that constitutes an internationally wrongful act, in order to urge the responsible state to comply with its obligations; countermeasures of course should be proportionate. The rule of law should be maintained through the deterrence of malicious cyber activities.

The representative of India highlighted that there is no consensus on the applicability of IHL to the cyber domain. The lack of a definition of the term ‘cyber-attack’ makes the application of IHL difficult, particularly with respect to the legal status of participants in an armed conflict, the legal protection of persons and objects during an armed conflict, and responsibility for the violation of IHL. There is a need to develop a consensus on the definition of cyber-attack and the threshold of cyber-attack for invoking the right to self-defence under Article 51 of the UN Charter. In addition, he noted that it is important to have a consensus on the definitions of cyber sovereignty, jurisdiction in the information and communications technology (ICT) domain, data sovereignty, cyber weapon, cyber conflict, cyber crime, and cyber terrorism.

The representative of Switzerland welcomed the statement made by the International Committee of the Red Cross (ICRC) yesterday, and stressed that cyber operations conducted in times of armed conflict cannot be conducted in a legal void. Applying existing IHL to cyber operations does not legitimise or encourage the militarisation of cyberspace. Instead, it regulates the use of cyberspace by imposing important restrictions. He mentioned the contribution of the Geneva Dialogue on Responsible Behaviour in Cyberspace. These expert discussions are aimed at providing more clarity on the practical application of the legal norms that apply in cyberspace.

The representative of Liechtenstein noted that cyberspace is already governed by international law, including, in particular, the UN Charter in its entirety, as well as other bodies of international law. Currently, we rely mostly on analogy and customary international law to regulate cyber behaviour, but we also need to align international criminal justice with 21st century challenges, looking into the extent to which the Rome Statute in particular, applies to cyberwarfare. Having appropriate Rome Statute interpretations in place can act as an important deterrent to cyber-attacks and ensure accountability for aggression committed by cyber operations.

The representative of Malaysia spoke on the problem of attribution, and the danger of applying the right to self-defence in the case of misattribution. Malaysia reiterated their suggestion to explore the possibility to collectively develop a universal attribution mechanism under the auspices of the United Nations, which would be trustworthy and recognised by all member states. In this mechanism, due diligence is one of the most important elements that should be included to prevent any wrongful attribution, and decrease the risk of cyber conflict escalation.

The representative of Singapore said that international law provides great predictability and stability in the way cyberspace actors behave. He then shared Singapore’s experience since passing their Cybersecurity Act in 2018. The act establishes a legal and institutional framework for the oversight and maintenance of national cybersecurity in Singapore, with an emphasis on the proactive protection of critical information infrastructure against cyber-attacks.

The representative of the Republic of Korea expressed concerns that legal regulation could hinder the development of technology, because creating legal frameworks takes a long time. He expressed hope that the OEWG’s efforts will find more concrete recommendations on how international law applies to cyberspace.

The representative of the United Stated underlined that the Geneva Conventions remain some of the very few universally ratified international treaties. They are not only a powerful articulation of IHL, but they have also become synonymous with ethical behaviour in war. The United States has recognised that these important protections for civilians and civilian objects continue to apply when conflict is carried out in cyberspace. At the same time, the most destructive and destabilising activities by states in cyberspace fall below the level of armed conflict in their use of force. However, reaffirmation of the applicability of IHL does not invite future conflict, but rather, reminds states of the great responsibility to respect and protect civilians in the event of armed conflict.

Finally, she stated that further work on capacity building will help address the challenges of attribution, but that from the legal perspective, the law of state responsibility provides the standards for attributing acts, including cyber acts to states. Importantly, this body of law makes clear that states cannot escape responsibility for their internationally wrongful cyber acts by perpetrating them through proxies.

The representative of Egypt noted that exaggerated focus on whether IHL application will spur cyber conflict, as well as legal controversies and attribution challenges, might divert the OEWG’s attention from addressing the right questions. Their attention and efforts should be focused on elaborating specific rules on what states should and should not do in the ICT environment, with a view to preventing conflict and enhancing co-operation and mutual trust.

The representative of Argentina said that it is up to the OEWG to move ahead with definitions and recommendations on states’ understanding of how international law should be applied, and arrive at a common understanding – not only with respect to the principles – but also with respect to the level of expected conduct. It must be recognised that despite the fact that various groups and regions may develop frameworks for their own understanding, the essential interest of international community continues to be at a greater level of global consensus. She added that the cybersecurity agenda should be interlinked with the international legal framework applicable to the protection and promotion of human rights.

The representative of Canada suggested several practical steps that will help advance a shared understanding of international law. First, states can submit position papers outlining their views on international law as part of the work of the OEWG. Second, all states can make submissions to the Secretary General under the resolution that created this group. Third, the experts who make up the UN GGE have also been invited to submit their national views on international law as part of the GGE process – this will provide another avenue for states to explain and clarify their views.

Moreover, she suggested focusing on identifying and responding to the needs of member states in developing national expertise and building their own national capacity; enhanced knowledge at the national level is a prerequisite for an informed discussion among states.

The representative of China was concerned that in applying the law of armed conflicts, we might be sending the wrong political message: it is equivalent to formulating the rules of cyberwar. It is nothing but a nice way of recognising its legitimacy, and might even offer some states the missing piece of the puzzle for launching a cyberwar. The applicability of jus ad bellum and jus in bello in cyberspace has many legal and technical difficulties, such as, how to prevent major powers from taking advantage of their technological strength and abusing the right to self-defence, using this right as an excuse to attack other states. Cyber conflicts among states, and particularly among major powers, will not bring about a winner. In short, a cyberwar cannot be won, and must never be fought. Instead, the key issue is to recognise the applicability of the UN Charter, including principles such as sovereign equality, refrain from use of – or threat of use of – force, settlement of international disputes by peaceful means, and non-intervention in the internal affairs of other states. He hopes that the current OEWG will also include such content in their final report.

The representative of the Netherlands brought attention to the Geneva Conventions that apply to armed conflict, and asked how they work in a situation below the threshold of armed conflict. He asked the Chairman about the possibility of providing a sort of legal opinion that would explain the contours of the area that the OEWG have to look at when clarifying the applicability of international law, instead of having an abstract discussion.

The representative of New Zealand said that given the limited time-frame of the OEWG, we need simple and practical steps, and that the group should focus on providing guidance and support to ensure that all countries understand – and have the tools and capacity they need in order to support – the norms that all agreed on in 2015. In doing this, the OEWG should also welcome the important views of civil society and academia.

The representative of Cuba stated that we must refuse the misuse of ICTs. It is not acceptable that we seek to draw an equivalence between the misuse of ICTs and the concept of armed attacks in article 51 of the UN Charter. He also said that the existing convention against cybercrime does not have universal application because it was not negotiated at the UN and has limits for Cuba. He considered that the applicability of IHL could be a deadly blow to the collective security system, and it would undermine the principle of peace set out in the Charter.

The representative of Chile recalled that some of the questions raised by the delegates were already addressed by the International Court of Justice, saying that it is not just the means used, but rather, the consequences that determine whether it is a cyber or non cyber-attack. However, violent acts under the Geneva Convention are not restricted exclusively to non cyber-attacks. The core points when it comes to determining whether an attack is taking place are the consequences originated by the act per se, which may be violent. A practical case with respect to a cyber operation is an attack against data. This can be qualified as a military or civilian target. The 1976 protocol to the Geneva Conventions and the Red Cross Convention states that an attack must be visible and tangible, and from that perspective, data would not be qualified as a target per se, because it is intangible. However, we must bear in mind that an attack carried out exclusively on data could possibly lead to adverse consequences affecting the civilian population, which ultimately makes it a violent act.

The representative of Australia put forward the definition of a cyber-attack: a deliberate act in cyberspace to manipulate, disrupt, degrade, or destroy computers or networks, or the information on them, which would include data. Importantly, the end result is that it seriously compromises our national security, stability, and economic prosperity. With respect to the IHL, she disagreed with the Chinese delegate, saying it is not an indication of wanting to create rules of cyberwarfare. Instead, they want to put in place rules to make the ICTs that are essential for security and economy off limits, even in a situation of armed conflict. Finally, she claimed that advances in technology will eventually allow us to make the right attributions. For the OEWG, she sees value in continuing to focus on building states’ capacity to address questions of attribution, from both the technical and the legal perspective, to deepen understandings of the existing frameworks, namely the 2015 UN GGE report.

The representative of Costa Rica agreed with the proposals put forward by Canada. He added that it is also important to study what has already been done in this respect at the regional level.

The representative of Mexico said that multilateralism is the only way, in the long term, of determining the legitimate and peaceful use of cyberspace, the possibilities offered by ICTs as enablers of development, and the protection of human rights in cyberspace. The UN has important tools and institutional apparatus to deal with maintaining and building peace, as well as disarmament; all these tools can be extrapolated to cyberspace.

The representative of the Russian Federation expressed solidarity with the positions of India, China, Malaysia, Egypt, and Cuba. He noted that even if it were confirmed a hundred times over that international law applies to cyberspace, there would still be problems in applying it. He suggested drafting a convention for cyberspace. Right from the outset, Russia was in favour of adapting international law, not changing it or abrogating it, but adapting it appropriately to the realities of the cyber world. What complicates the applicability of international law is the fact that not all states have recognised cyber-attacks as armed attacks. A number of countries have the doctrine of a ‘preventive cyber strike’ and they proclaim their right to strike first. This leads to competition to get the absolute best first strike, thus making cyberwar inevitable. In conclusion, he mentioned the need to create a standing body that will deal with all international cybersecurity issues.

The representative of Iran also claimed that insisting on the application of existing international laws should not be seen as a green light to some countries to apply their offensive cyber capabilities against other countries. Iran expects the OEWG to highlight the rights of the states with respect to the use and governance of ICTs. He also agreed with Russia that we need a specialised body, within the UN system or a subsidiary body to the OEWG, with enough expertise to answer the question of whether or not existing international law is enough, and whether we need new laws in order to assure that the ICT environment is not used for malicious purposes, and cyber conflicts are prevented.

The representative of the United Kingdom reiterated that IHL was not developed to encourage traditional warfare, but rather to regulate it, and by the same token, confirming that the applicability of IHL to cyberspace, as the UN GGE report clearly states, does not encourage or invite cyberwarfare. It regulates it and it confirms important protections. He proposed going further as individual states, each setting out their own understanding of how international law applies in cyberspace. It would help promote transparency and provide predictability, and further develop common understandings.

The representative of Egypt said that it is quite puzzling when delegates argue that we do not need binding rules or that we cannot develop binding rules. He said that binding rules and norms are needed, but that how we start implementing these principles to particular scenarios in the ICT environment is what the OEWG needs to discuss.

The representative of Chile took the floor to remind everyone that the International Court of Justice could tell us a bit more about the applicability of IHL in cyberspace.

The representative of Estonia pointed out that Estonia has already undertaken many efforts to answer this question in making the Tallinn manuals. She stressed that IHL in its essence is not an enabler of conflict, but aims to accommodate behaviour which is acceptable for the international community as a whole. In that regard, we should also ask if the notion of applicability of international humanitarian law in other domains has ever led to an immediate armed conflict. She said that historically, all conflicts so far have involved activities in many domains simultaneously. Therefore, in case of military conflict, cyber means will be just one of many. However, there is no clear definition of cyberwarfare.

The representative of Syria also expressed the need to find a mechanism, or a standing body, that would be in charge of monitoring developments in the use of ICTs – be these existing threats, or emerging threats – and their implications for international security.

The representative of Brazil reiterated that recognition by the UN GGE report of the applicability of international law is not a legitimisation of cyber conflict, nor would it be incompatible with the objective of preventing the breakout of cyberwarfare. However, this recognition is not sufficient to regulate the conduct of states in cyberspace. There is a need for further clarification on how exactly international law applies to cyberspace, including means of adopting specific rules, norms, and principles of a legally binding nature.

The representative of Israel reminded all that international law develops when general state practices are accepted as law. At this juncture, when practices regarding the cyber domain are still unclear, one should tread very cautiously in reaching conclusions about how international law applies. Bearing in mind the primacy of states in the identification of international law, it is important that states continue to discuss their views and opinions regarding the application of international law to the cyber domain in order to achieve greater clarity.

The representative of Australia took the floor to say that we need a backup plan for what happens if we are unable to prevent cyber conflict, thus we need to consider the applicability of IHL.

The representative of France favoured the applicability of IHL to cyberspace.

The representative of Colombia also expressed the need for binding norms and principles for states. She pointed out that we have to look at the work that is being carried out regionally on confidence building measures, not only in Latin America, but also in other regions.

The representative of Pakistan pointed out that we cannot simply address all problems by importing the existing body of international law into the cyber sphere. Fundamental questions on the applicability of international law in cyberspace have yet to be addressed; simple reaffirmation of the applicability of existing international law to cyberspace is not sufficient. We need to think about questions involving the principles of humanity, proportionality, distinction, and military necessity, which must be thoroughly discussed.

The representative of Norway also confirmed the country’s commitment to the idea that IHL should be applied to cyberspace.

The representative of Belgium noted that the OEWG is actually a useful instrument for effective multilateralism that should be the driving force towards a mutual consensus and understanding of the applicability of international law.