Does existing international law apply to cyberspace?
There is broad agreement that international law applies, which is expressed in the reports of the GGE as well as the related UN General Assembly (GA) resolutions; more specifically, states agree that the jurisdiction of a state over the information and communications technology (ICT) in its territory applies, and that states should not conduct internationally wrongful acts attributable to them, nor use proxies for such acts.
Yet, a number of issues remain open:
- (How) Do the established principles of international humanitarian law – humanity, necessity, proportionality, and distinction – apply? The principles were agreed upon by the GGE in 2015, but were not reiterated in the resolution that established the OEWG, which may signal differences in positions.
- How does international law apply to cyber-attacks in peacetime (as part of a ‘hybrid warfare’)?
- Should discussions include control of arms proliferation, or a more precise use of the Law of Armed Conflict?
- How to deal with the dual-use nature of ICTs – address only the use which endangers peace and security?
How does the UN Charter apply to cyberspace?
There is a broad agreement that the UN Charter applies to cyberspace, which was confirmed by the GGE reports and the related UN GA resolutions. ‘The devil is in the details’, however: the definition of an armed attack and of the use of force in cyberspace is not clear. Is it limited to attacks that cause physical damage and injury, or would other effects of a cyber-attack (e.g. financial, environmental, economic, or political) fall under it as well? Should this decision remain under the exclusive responsibility of states, perhaps guided by factors such as context, intent, or severity of effects, as suggested in the Tallinn Manual 2.0? In general, (most) states may have no incentive to define it, preferring to leave the interpretation to each state at its own discretion. This could be particularly beneficial for strong, developed countries, but small countries may also benefit from the lack of clarity, as it leaves them with some of the advantages of ‘asymmetric warfare’ (the ability to conduct high-effect attacks with relatively affordable cyber-means). The major stumbling issue, however, is the right to self-defence.
(How) Does the right to self-defence, enshrined in the UN Charter (Art. 51), apply to cyber-attacks?
In particular, should countries under cyber-attack be allowed to respond by all means, including all-out military options with traditional warfare means? This question was one of the main reasons – if not the main reason – for the failure of the GGE to reach consensus in 2017. The GGE 2015 report, approved by the UN GA, confirms (Art. 28c) the inherent right of states to take measures consistent with international law (with a note that further study is needed); yet the resolution that established the OEWG does not reiterate this position. Positions on this issue are openly divergent:
- The North Atlantic Treaty Organization (NATO) confirmed that Art. 5 of its Treaty allows the response by all means (including conventional weapons) in case of a cyber-attack against one of its members;
- Russia holds that the traditional use of force is not a legitimate response to cyber-attacks, at least not without the approval of the UN Security Council and in accordance with the UN Charter, which would allow the accused party to defend itself before the Security Council. It further requests that sources of cyber-threats not be identified by (attacked) states independently and arbitrarily, without evidence, particularly where this could lead to devastating counter-strikes;
- Some small states, like Cuba, believe that a cyber-attack is not tantamount to an armed attack, and thus, the right to self-defence should not be used in such cases.
An additional grey zone is the right to self-defence against armed attacks conducted by non-state actors, or state proxies.
In what other ways can countries respond to cyber-attacks?
While the right to self-defence may apply once an attack has occurred, what other options does a state have to respond to cyber-attacks, and to deter counterparties from conducting them? Also, should anticipatory self-defence (against imminent threats) – or even pre-emptive strikes – be considered?
The USA, France, and the European Union have set out the following positions:
- The US advocates a ‘Cyber Deterrence Menu’ of countermeasures that states can take when an attack occurs, in order to deter further attacks or to hold the attackers accountable: private and public attribution, sanctions, deterrence alliances, and even ‘defend forward’ (or pre-emptive) cyber-strikes;
- France believes anticipatory self-defence may be allowed, but not pre-emptive strikes;
- The EU has adopted its ‘Cyber-diplomacy toolbox’ and ‘Sanction regime’ as official options for political response to – and deterrence of – cyber-attacks.
It also remains open whether states should have the duty to notify the other state against which they plan to launch countermeasures.
How should attribution of cyber-attacks be conducted?
This is probably one of the most complex dilemmas, as it involves a mix of technical, legal, and political aspects. There are no agreed methodologies for establishing attribution of cyber-attacks; experts hold divergent views on how reliable current technical means for tracing the origins of attacks are; certain aspects of intelligence gathering – such as conventional intelligence activities and cyber-espionage for collecting digital evidence – are understandably kept secret by the parties working on attribution; and the lack of transparency over evidence in the recent avalanche of mutual public accusations among states adds to the complexity. While both the GGE report (Art. 28f) and the resolution that established the OEWG (Art. 1.2) confirm that an indication of the origin of an attack may not be enough for attribution, and that accusations need to be substantiated, the official positions of the main actors are clearly divergent:
- The US, its NATO allies, and some of the large Internet industry players engage in ‘collective attribution’, in the form of a joint public ‘naming and shaming’ of the suspects;
- Russia sees such an approach as a pseudo-legal concept in which a group of countries accuses a third country without disclosing evidence, and demands evidence-based attribution.
When do (or which) cyber-operations violate sovereignty?
Both the GGE 2015 report and the resolution that established the OEWG confirm that state sovereignty applies to ICT, and that states have jurisdiction over ICT in their territory. It remains unclear, however, which effects of a cyber-attack qualify as a violation of sovereignty: in particular, is a violation limited to physical damage, injury, and loss of functionality of systems, or does it include network clogging due to DDoS, or penetration into the networks of sovereign countries (such as for forensics, espionage, or implanting ‘logic bombs’)? In the latter case, under what circumstances is interference with inherently governmental functions considered a violation of sovereignty? There are also ongoing debates on the legal nature of the Draft Articles on Responsibility of States for Internationally Wrongful Acts, adopted by the International Law Commission.
Should due diligence be an obligation?
Due diligence is an obligation of states to prevent their territory from being used for launching cyber-attacks by state or non-state actors against other states. Norms set in the GGE 2015 report and reiterated in the OEWG resolution request that countries not allow their territory to be used for internationally wrongful acts, and that they mitigate cyber-attacks against the critical infrastructure of other countries that originate from their own territory. As with all the GGE norms, this one is voluntary; in practice, there may be a number of reasons why its implementation could be limited: for instance, states may only react to attacks rather than try to prevent them, or they may excuse themselves by claiming not to have known that cyber-attacks were being conducted. The EU and its partners believe that due diligence should be a binding obligation (both in cyberspace and beyond it), following the International Court of Justice judgement of 1949 (the Corfu Channel case), and warn that not adhering to it may result in countermeasures by the attacked country; Russia and its allies, on the other hand, oppose due diligence as an obligation in general, and only approve what has been agreed upon by the GGE.
How can state responsibility in cyberspace be applied?
While all of the norms stated in the GGE 2015 report (Art. 13) have been approved by the GA both in a subsequent resolution and in the resolution that established the OEWG – which signals the agreement of the major actors at least – the challenge of how to enforce them remains. An open question is also who should be in the driver’s seat of enforcement – the GGE, the OEWG, and/or regional organisations (see below)? It is likely that the GGE will focus on mapping the components required for the implementation of existing norms.
Are more norms needed at the moment? Or should the focus be placed on the implementation of existing ones? Both the GGE 2015 report and the resolution that established the OEWG provide space for the development of additional norms over time. Some of the options raised by different parties – with evident divergence in positions – include the norm proposals of the Global Commission on the Stability of Cyberspace (such as the norm on protecting the public core of the Internet), preventing injury to civilians, mitigation of effects during incidents, protection of electoral systems, but also norms related to the effects of artificial intelligence (AI) on security, fake news and disinformation, the protection of core Internet infrastructure as a public good, cybercrime issues, and similar.
To what extent should the GGE and the OEWG work on issues beyond their mandate?
Should the GGE and the OEWG deal with issues that do not fall directly within their mandate, but have an impact on their work? While there is broad agreement on the existing GGE 2015 norm (Art. 13e) related to the protection of human rights, freedom of expression, and privacy, and even on preserving the free flow of information, which was added to the resolution that established the OEWG (Art. 2), several other issues may come to the table:
- The right and duty of states to combat the dissemination of false and distorted news, and the request that states abstain from defamatory campaigns, vilification, or hostile propaganda – both understood as interference in internal affairs – were officially brought up by the resolution that established the OEWG. This call was introduced by Russia and its allies, which stress the importance of ensuring the credibility of information and combating fake news. The USA and its allies, on the other hand, believe that these issues fall under a different legal framework – one related to freedom of speech – and opt for distinguishing between the security of networks and the policing of content, as well as between human rights and state-on-state interference with freedoms, and suggest that combating fake news should be addressed through public-private partnerships with the Internet industry.
- Internet governance, particularly in its narrow definition as critical Internet resources (DNS and IP management), as well as combating crime and terrorism, were explicitly excluded from the related UN negotiations in the closing clauses of the GGE 2015 report, which suggest that the UN should lead, but not duplicate, efforts undertaken on crime and terrorism, human rights, or Internet governance; the resolution that established the OEWG, however, does not reaffirm this clause.
- Both the GGE 2015 report and the resolution that established the OEWG agree on the norm that requires states to cooperate in combating crime and terrorism. While the US and its allies oppose further discussion of the matter within the OEWG, Russia and its allies might find space for the OEWG to take up their resolution on countering the use of ICT for criminal purposes, adopted by the UN GA in 2018, in order to build momentum for an overarching international Code of Conduct for cyberspace, proposed earlier.
- Supply chain security has been raised by several states – in particular China, Iran, and India – which may include states sustaining non-discriminatory business environments, upholding unrestricted ICTs development and research, not exploiting their dominant position – resources, technologies, services, and infrastructure – at the cost of the security and stability of other countries, and defining the responsibilities of the private sector for securing the chain and not misusing their monopoly.
- The security of elections has been high on the agenda of global discussions recently. While some western states might consider raising this as a possible norm, it may become a slippery ground for discussion, as it combines the security of the voting infrastructure and the voting environment (including content-related issues such as social media and fake news).
Confidence building measures
Confidence building measures (CBMs) are the second pillar of the international framework under construction, along with norms and capacity building. While the GGE has agreed on a set of CBMs, a major breakthrough was achieved by regional organisations, in particular the OSCE. The main open question is: who should be in the driver’s seat of further development and implementation of the CBMs – the GGE, the OEWG, and/or the regional organisations? Russia, for instance, holds that the OEWG should further develop a set of CBMs, unifying the existing ones developed at regional level, and thus take over this work from the regional organisations. The US and its allies, on the other hand, believe that regional organisations should remain the primary driver of the development and implementation of CBMs.
Capacity building is the third pillar of the international framework under construction. There is general agreement on the importance of capacity building, and the GGE report as well as regional organisations have suggested certain areas of focus in this regard. The main open questions relate to how to implement capacity building measures, namely: who pays (and who should pay) for it; what form it should take; and who the target group(s) should be – policy-makers primarily, or also other stakeholders, such as industry and the technical community, who can help in implementing the CBMs?
There is a broad agreement that the involvement of the private sector in particular, but also academia and civil society, is beneficial. The open question is what the roles and responsibilities of the other stakeholders should be (in this regard, the Geneva Dialogues have provided some guidelines), and how to ensure communication with them, and their effective involvement.
Roles of the GGE and the OEWG
One of the main stumbling blocks in the initial phase is who should do what: what should be the focus of the GGE and of the OEWG, respectively? The resolutions that established the two groups have defined their broad mandates: both the OEWG and the GGE are to work on norms, CBMs, and the applicability of international law to cyberspace; yet the OEWG is also to discuss establishing a regular institutional open-ended dialogue within the UN. In particular:
- The OEWG: According to Russia and its allies, it should revisit the GGE reports – now, together with all 193 states; develop further CBMs and discuss their effectiveness and implementation; establish a permanent entity under the auspices of the UN to discuss cyber issues in the future; and, to develop a draft resolution(s) related to cybersecurity – possibly to be adopted in 2020. The US and its allies, however, see the main role of the OEWG as enabling other states – particularly those that were not part of the GGE process – to better understand the existing normative framework for responsible behaviour that was developed by the GGE, as well as to define the capacity building needs of states and other stakeholders in order to implement existing norms and CBMs; they believe that the development of CBMs should remain the task of regional organisations, while the main venue for future dialogue should also be left to regional organisations, as well as multistakeholder processes like the Paris Peace Forum, IGF, and the like.
- The GGE: The USA and its allies opt for looking into more technical issues on the implementation of the existing normative framework, and in particular, resolving open issues on how international law applies to cyberspace, as well as ways to enforce the implementation of existing norms.