UN OEWG 2021-2025 1st substantive session
13 Dec 2021 00:00h - 17 Dec 2021 00:00h
New York, USA
14 Dec 2021 20:00h - 23:00h
International law and the UN Charter
The discussions on international law and on norms, rules, and principles of state behaviour in cyberspace and their applicability in cyberspace were closely related to the nature of the 2015 and 2021 UN GGE reports and the 2021 OEWG reports.
The majority of the states – Argentina, Australia, Austria, Brazil, Colombia, Costa Rica, Czech Republic, the European Union on behalf of its member states, the candidate countries Montenegro, the Republic of North Macedonia, and Albania, the country of the stabilisation and association process, and potential candidate Bosnia-Herzegovina, as well as Ukraine, the Republic of Moldova and Georgia (EU), Egypt, Estonia, France, Germany, Ireland, India, Indonesia, Israel, Italy, Japan, Malaysia, Mexico, Netherlands, Ukraine (in national capacity), United Kingdom, Philippines, Republic of Korea, Singapore, South Africa, and Switzerland, agreed that the previous UN GGE and OEWG reports, including corresponding UN GA resolutions adopted by consensus, have confirmed that the existing international law, notably the UN Charter in its entirety, international humanitarian law, and international human rights law apply in cyberspace. These states recalled, in particular, the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace.
As such, for these states, the previous reports by the UN GGE and OEWG, and related UN GA resolutions represent an acquis, and are the basis for negotiations at the 2021–2025 Open Ended Working Group (OEWG). These states are now looking to discuss, within the OEWG, how to apply international law in cyberspace and build upon the previous acquis. Colombia suggested that, once the OEWG is able to identify the existence of gaps in the application of international law and ICTs, it can then make progress in developing new norms to fill those gaps. Switzerland and Mexico pointed out that the discussions need to clearly distinguish between the binding international law and non-binding norms.
Israel stated the opinion that, while the international law is applicable to cyberspace, traditional rules of international law, which mainly evolved in a physical world and often in domain specific context, do not always lend themselves to application in the cyber domain, while its certain distinctive characteristics call for further studies. Israel also considers that the concepts of rules and principles of international law which apply in principle to ICTs such as sovereignty, non-intervention, due diligence, state responsibility, attribution, and countermeasures merit further study.
China and Cuba agreed that the general principle of international law based on the UN Charter applies to cyberspace. In the opinion of the Islamic Republic of Iran (Iran), the behavior in cyberspace differs from behavior in the physical world, and the international law applicable to the use of ICTs may be different. However, Iran said that nothing prevents the application of general rules of the UN Charter in the ICT environment. Iraq stressed the importance of international law and the UN Charter, as a point of reference towards creating a safe, open, and enabling environment for activities pertaining to ICTs, and towards eliminating the threats against society.
Need for a new legal instrument
Several states, namely Cuba, China, Iran, Pakistan, and Russia, have called for the creation of a new international legally binding instrument. The main reasons pointed out were the lack of agreement on terminology with respect to ICTs and rights and obligations of states, the existence of unregulated matters or gaps in international law, greater accountability of states, and enforcement. These countries see the UN as the most suitable forum to hold such discussions.
The Republic of Korea, Italy, EU and France have spoken against a new legally binding instrument at this time. The Republic of Korea stated that, while the ultimate desirability of having a set of binding rules governing cyberspace can not be denied, seeking a new legally binding instrument at this stage is both impractical and potentially misleading, since the process itself might give the false impression that there is a legal vacuum in cyberspace. Italy and France pointed out that the focus now should be on the modalities of applying the existing international law.
Art. 51 of the UN Charter: armed conflict and right of self-defence
The discussions further evolved to include specific principles and regulations of the UN Charter.
With reference to Art. 51 of the UN Charter, Singapore pointed out that the right to self-defence applies in cyberspace and is of fundamental importance to small states, and should apply in cyberspace as in the physical world. The Philippines suggested that the OEWG should discuss the aspects of Art. 51 of the UN Charter, specifically the question of what constitutes an armed attack in cyber context and what are the thresholds for invoking the right to self-defence, or implementing countermeasures. Egypt stated that discussing the modalities of Art. 51 of the UN Charter should not divert attention from addressing cooperation to prevent such conflicts from occurring in the first place.
Russia pointed out that the international community has no consensus on the question of qualification of malicious use of ICTs as an armed attack in the sense of Art. 51 of the UN Charter. Consequently, according to Russia, there is no basis for assessment of the legitimacy of the use of ICT, including from the standpoint of international humanitarian law.
Cuba stated that it is unacceptable to have a concept which seeks to equalise a cyberattack with an armed attack and tries to justify the presumed applicability of Art. 51 of the UN Charter. Cuba outright rejected the notion of the automatic application of Art. 51 of the UN Charter in cyberspace.
Responding to Cuba’s statement, Australia noted that there is consensus that the UN Charter in its entirety applies to cyberspace and therefore it follows that Art. 51 of the UN Charter applies to cyber activities which constitute an armed attack and in respect of acts of self-defense carried out by cyber means. Australia further noted that any reliance on Art. 51 of the UN Charter must be reported directly to the UN Security Council, which helps safeguard against the risk of armed escalation.
Australia, Germany, Ukraine, and Switzerland spoke in detail about the attribution of cyberattacks. Ukraine concurred with the previous UN GGE and OEWG reports that states must not use proxies to commit internationally wrongful acts using ICTs, and that states should take all actions to ensure that their territory is not used by non-state actors to commit such acts. It wishes to discuss the question of attribution at the UN.
Switzerland addressed the issue of legal attribution of cyberattacks, underlining that legal attribution is governed by the law of state responsibility and the International Law Commission’s Draft Articles on State Responsibility. Switzerland would like the OEWG to further analyse legal constraints – preconditions and procedural requirements of countermeasures.
Australia also spoke about legal attribution, concurring with Switzerland that the customary law of state responsibility, reflected in the International Law Commission’s Draft Articles on State Responsibility, provides the mechanism for the application of most of international law, including the UN Charter, and details strict rules on attribution, provides what measures state may take in response to unlawful acts, and determines the consequences of internationally wrongful acts, including reparations.
Germany agreed that a sufficient level of confidence is needed for attributing a wrongful act to a state. This applies equally to breaching international law in cyber context and in the physical world. Further, according to Germany, accusations of misconduct should be substantiated by results of extensive technical, contextual, and factual research.
Czech Republic and Switzerland addressed due diligence as a general principle of international law.
International humanitarian law (IHL)
Australia, Brazil, Czech Republic, Estonia, EU, France, Germany, Ireland, Italy, Mexico, the Netherlands, Switzerland, Ukraine, and others specifically confirmed that the international humanitarian law, including the principles of proportionality, distinction, and precaution, applies to the use of ICTs by the states, and should not be misinterpreted as encouraging the militarisation of, or legitimising the use of force in cyberspace. Calling for the OEWG to elaborate how international humanitarian law applies to the use of ICTs by states, they pointed out that it would advance transparency and common understanding among states.
Italy pointed out that the OEWG mandate within the UN First Committee not only fully legitimises, but rather compels the OEWG to discuss how international humanitarian law applies in cyberspace. Switzerland and the Netherlands gave detailed statements on the applicability of the international humanitarian law, stating that the international humanitarian law addresses the realities of war without considering the legality of war, and reduces risks and potential harm to civilians, civilian objects, and combatants in the context of an armed conflict.
Colombia is of the opinion that further study is needed on how the principles of international humanitarian law apply.
Cuba stated that it does not consider the applicability of international humanitarian law relevant to the use of ICTs in the context of international security, since that would entail tacitly accepting the possibility of an armed conflict scenario. According to Cuba, it would contribute to militarising cyberspace and it would be a first step in equalising cyberattack with a traditional armed attack.
International human rights law
Australia, Brazil, Czech Republic, Estonia, EU, France, Germany, Ireland, Italy, Mexico, the Netherlands, Switzerland, Ukraine, and others specifically confirmed that the international human rights law is also applicable in cyberspace. Iraq stressed that human rights and other fundamental freedoms should be respected in the use of ICTs.
The Netherlands gave the most detailed statement on the human rights application in cyberspace. It pointed out that the current acquis states that human rights and fundamental freedoms apply online as well as offline, which means they should be respected, protected, and promoted in cyberspace. According to the Netherlands, the acquis needs operalisation through the work of the OEWG starting with recognition of interdependence and complementarity of human rights and cyber security. Full respect for international human rights law must also be given when designing, developing, and implementing cyber security laws and policies. The Netherlands also brought forward the right to privacy and freedom of expression, the role of the private sector, and risks of human rights violations in cyberspace related to women and vulnerable groups, including human rights defenders, journalists, LGBTQ, children, and ethnic minorities.
The majority of the states agreed that the discussions at the OEWG should explore how international law and its principles apply in cyberspace and build a common understanding of the matter. Sharing national positions on how international law applies in cyberspace was perceived as the way forward in identifying convergences and points for discussion.
Several ways of sharing national positions and exploring how international law applies in cyberspace were discussed:
- The OEWG’s repository of national positions (Israel)
- UNIDIR’s Cyber Policy Portal (UK, France, Italy, Germany, the USA, Canada, Japan, Colombia, Estonia, Brazil, Costa Rica)
- Australian and Mexico’s proposal of a voluntary survey of national views and practices (Austria, Argentina)
- Study on how international law applies to states’ use of ICTs (Switzerland)
- Referring the question to the International Court of Justice and the International Law Commission to establish their views on the matter (South Africa)
- UN in general (Singapore)
- Cyber Law Toolkit and Tallinn Manual 3.0 (Estonia)
- At the regional level, in addition to the international one (Costa Rica)
Throughout the session, the states emphasised the need of capacity building on the subject of international law.