Cybersecurity as increasingly important challenge
September 2021
Multimedia
Author: Rolf H. Weber
Takeaway messages
The following article will explain what lawyers can do for the protection of an open, secure, and resilient internet:
• International rules should be further developed with the objective of implementing generally acknowledged cooperation principles.
• Private organisations developing standards need to be incentivised to work on more detailed integrity, resilience, and stability norms.
• Lawyers advising private firms have the task of proposing compliance and risk management measures that protect against cyber threats.
Notions of cybersecurity
Cybersecurity refers to the processes and measures protecting networks and data from cyber threats and cybercrimes. So far, no standard or universally accepted definition of cybersecurity exists. The term is often used as an inexact catchword standing for an almost endless list of different security concerns and technical perceptions. The International Telecommunications Union (ITU) defines cybersecurity as the collection of tools, policies, security concepts, safeguards, guidelines, risk management approaches, best practices, assurance, and technologies that can be implemented to protect the cyber environment and the assets of the concerned persons/organisations.1 General security objectives include (a) confidentiality, (b) integrity, and (c) availability, also known as the CIA triad in the information security industry. Confidentiality means that information is not improperly disclosed to unauthorised individuals, processes or devices; integrity refers to information being protected against unauthorised modification or destruction; availability pertains to timely and reliable access to data and information for authorised users. The International Organization for Standardization (ISO) defines information security as the preservation of confidentiality and availability in its ISO/IEC 27000:2018 standards on Information Security Management Systems.2 Cybersecurity encompasses not only the protection of information and data but also the protection of assets that are non-information-based and vulnerable to threats.
Cyber threat landscape
Challenges to the security of cyberspace, particularly in the personal and commercial context (for example in the IoT), can be categorised into threat agents, threat tools, and threat types. While such categorisation is useful for certain legal qualifications, it does not (aim to) paint a comprehensive picture of the very complex nature and characteristics of cyber threats:3
• Threat agents: A wide array of external and internal actors threatens cybersecurity, encompassing nation states, profit-driven cybercriminals, hackers, extremists, and insiders. The motivations of threat agents vary significantly. Agents act for political reasons (eg engaging in cyber espionage or in political protest); they may further have financial (eg stealing valuable data, such as credit card numbers) or socio-cultural motivations.
• Threat tools: The basic security breach tools encompass malware and its variants (ransomware, viruses, worms, Trojan horses, etc) as well as botnets. Malware encompasses any code or software covertly installed on a device without authorisation. Ransomware restricts access to the infected device or system, rendering certain files unusable; cyber attackers demand a ransom, generally in a cryptocurrency, to restore the original integrity of the files. Botnets usually consist of command-and-control servers and networks of computers infected with malware that can be remotely managed.
• Threat types: Cybersecurity threats can concern information modification or misuse, information distraction, unauthorised access, data breach, data threat and distributed denial-of-service.
International legal framework for cybersecurity
Cybersecurity now routinely tops political agendas. For years, international and regional organisations have tried to develop legal instruments that could establish regulatory standards in the field of cybersecurity prevention. However, only a few efforts have been (partly) successful.4 On the global level, legal instruments intending to combat cybercrime do not really exist. Five United Nations Groups of Governmental Experts (UNGGE) have already exchanged ideas and published reports, without agreeing on binding principles. The UNGGE advocated for the application of the UN Charter also to cyberspace, which should remain open, secure, peaceful, and accessible. Furthermore, cybersecurity must go hand-in-hand with respect for human rights and fundamental freedoms, and States are obliged not to use proxies to commit internationally wrongful acts. The fourth UNGGE (2015) produced a comprehensive report on norms, rules, and principles regarding the behaviour of States in cyberspace as well as with respect to international cooperation, confidence-building measures, and capacity-building. Its findings confirmed that the generally acknowledged principles of international law should equally be applied in cyberspace.
Network security
Cybersecurity is also addressed in the International Telecommunication Regulations (ITRs) of the ITU.5 The term was intensively debated during the World Conference on International Telecommunication (Dubai, 2012): on the one hand, some States argued that “secure” should mean “robust” and “safe” (technical functioning); on the other hand, the opinion was expressed that security should include the notion of “public order”. The compromise consists in a quite vaguely formulated Art 6.1 of the ITRs: Member States shall individually and collectively endeavour to ensure the security and robustness of international telecommunication networks in order to achieve effective use thereof and of an avoidance of technical harm thereto.
Essential national security interests
International trade law (General Agreement on Tariffs and Trade, General Agreement on Trade in Services) uses the term “essential national security interests”; such interests can be invoked to justify cross-border trade barriers if the concerns are “essential”. In a recent case, Russia — Traffic in Transit, the World Trade Organization advocated for a nuanced approach by ruling that the existence of the enumerated legal conditions is not self-judging; rather, it must be assessed whether the national measure at issue is necessary for the protection of the concerned State’s essential security interests, interpreted in good faith.6
Regional Convention
The Council of Europe (CoE) adopted the (Budapest) Convention on Cybercrime in 2001, which now encompasses more than 60 ratifying States, also outside of Europe (Australia, Canada, Israel, Japan, United States, etc). The main objective of the Budapest Convention is to pursue a common policy against cybercrime by adopting appropriate legislation and fostering international cooperation. The aim of the Convention is to deter actions directed against the confidentiality, integrity, and availability of computer systems, networks and data as well as the misuse of such systems. The most effective security measures should be implemented to prevent unauthorised access to protected infrastructures. Even if the Budapest Convention was the first (ambitious) attempt to harmonise the legal framework for combatting cybercrime, it cannot be overlooked that its provisions are partly outdated and in great need of reform, since the Internet did not play a substantive role during the negotiations of this legal instrument. Therefore, lawyers around the globe should incentivise their governments to cooperate with the intention of changing and updating the Convention.
New international advances
In 2019, two newly established expert groups were mandated to come up with further reports in the course of 2021. However, a basic problem consists in the fact that the two mandates do not appear to be coherent. Notwithstanding this assessment, the efforts of the two expert groups have already led to the first (preliminary) results:
• The “Final Substantive Report” of the Open-ended Working Group (OEWG) on developments in the field of information and telecommunications regarding international security of 10 March 2021 was unanimously adopted on 12 March 2021 (OEWG Report).7 In substance, the OEWG Report does not really put forward new measures (with the exception of the proposal to establish National Contact Points) but pleads for pursuing existing efforts instead of taking specific forward-looking actions. In addition, the OEWG Report flags the necessity of capacity-building measures as an important aspect of international cooperation in order to achieve an open, secure, stable, accessible, and peaceful information and communications technology (ICT) environment.8
• A new Report of the sixth UNGGE has been available as an “advance copy” since 28 May 2021 and is being further discussed by the concerned stakeholders.9 The Report contains proposals for (general) norms helping to increase ICT stability and security; however, the norms still need to be transposed into legal (multilateral, national) instruments.
Focus on international legal concepts
In principle, it is not contested that new norms and policies should be developed to enhance the global resilience, stability, and security of the internet. In view of this general understanding, the Global Commission on the Stability of Cyberspace (GCSC) proposed a comprehensive Cyber stability framework on the occasion of the Internet Governance Forum in November 2019 (Berlin). Such a framework should encompass (1) multistakeholder engagement, (2) cyber stability principles, (3) development and implementation of voluntary norms, (4) adherence to international law, (5) confidence-building measures, (6) capacity building objectives, and (7) open promulgation and widespread use of technical standards ensuring cyber stability.10 This proposal reflects generally acknowledged principles of international law. In particular, the following concepts could be made fruitful for cybersecurity:11
• Global public goods: The idea of guaranteeing cybersecurity as a public core of the Internet or as a global public good can be perceived as a derivative of a policy concept which addresses developments that benefit humanity as a whole.
• Concept of shared spaces: The obligation of peaceful use of resources and the principle of equal rights of all States are derived from legal instruments (Law of the Sea, Air and Space Law) that consider safety and security as a shared resource.
• Due diligence: The responsibility principle is linked to the due diligence requirement, implying a State’s duty to act with proper care in preventing a violation of international law; the due diligence principle can be seen as a shared element of treaty-based regimes and rules of conduct having a broad scope of application.
The above-mentioned international legal concepts (public goods, shared spaces, due diligence) should be operationalised by incorporating them into international and national policies as well as into legislation.
In practice, lawyers must take into account that attention is to be paid to these principles in rule-making processes and that a reference to them might also be worthwhile in long-term cross-border contractual relationships.
Need of a cooperative approach
Cybersecurity governance is an objective that should eliminate or at least minimise risks caused by an inappropriate use of cross-border digital infrastructures. Risk prevention and risk mitigation are issues requiring cooperation between States; therefore, the implementation of a broadly understood duty of cooperation as a general legal standard is required. Analogies to existing private standards are possible; for example, the mentioned network security provisions and the updated specific security guidelines of ISO/IEC are widely complied with by the concerned industry. Previous experience in the field of cybersecurity has shown that the traditional international law approach, operating on the States’ level with multilateral treaties, is hardly able to cope with the challenges of combatting interferences with the integrity of the Internet. Therefore, the inclusion of various stakeholders in a new regulatory framework appears to be unavoidable. In concrete terms, the procedures applicable to the implementation of rules must include all concerned actors in the respective business segment; in particular, self-regulatory mechanisms could be a viable tool. Such an attempt was undertaken by Microsoft in 2017/18 when it suggested the adoption of an international treaty to guarantee the peaceful use of cyberspace. The proposal to develop a Digital Geneva Convention12 envisaged implementing an international legal instrument similar to the Treaty on the Non-proliferation of Nuclear Weapons and the Chemical Weapons Convention; these international regimes have the objective of limiting vital threats to human existence. However, the Microsoft proposal met with the scepticism of many States, and it also seems to be unclear to what extent all stakeholders could be included in the arrangement.
Further efforts are now being undertaken by the Geneva Dialogue on Responsible Business Behaviour in Cyberspace.13 This initiative should contribute to shaping a joint vision regarding the security of digital products/services and to enhancing those global policy processes which attempt to achieve a trusted, secure and stable cyberspace. During its ongoing phase 2 in 2021, the Geneva Dialogue attempts to establish common policy requirements for boosting the security of digital products as well as to improve the feedback loop between corporate efforts and the cybersecurity processes that develop norms, regulations, policies, and standards.
Conclusion
To sum up, the so far (incoherent) patchwork of cybersecurity regulations does not really correspond to the political needs; more efforts by all stakeholders are needed in order to implement (i) better guidance for cybersecurity governance and (ii) behavioural rules that are able to design a stable and resilient cyberspace environment. Australia is well-positioned to contribute substantively to the ongoing work of the international expert groups; in addition, the Secretary-General of the OECD, as the most prominent organisation in the business field, can make his Australian experiences fruitful in this body. Furthermore, Australian universities are highly recognised around the globe and might influence scientific research in the cybersecurity field.
Footnotes
1. See International Telecommunications Union (ITU), Definition of Cybersecurity, https://itu.int/en/ITU-T/studygroups/com17/Pages/Cybersecurity.aspx.
2. See International Organization for Standardization, ISO/IEC 27000:2018, www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed5:v1:en.
3. This text follows R H Weber and E Studer “Cybersecurity in the Internet of Things: Legal Aspects” (2016) 32(5) CLSR 715, 717/18.
4. This chapter is based on R H Weber, Cybersecurity in International Law, AAIL (Colloquium, Hong Kong, 2019) 280, 284–294.
5. ITU International Telecommunication Regulations (2012) https://search.itu.int/history/HistoryDigitalCollectionDocLibrary/1.42.48.en.101.pdf.
6. World Trade Organization, Russia – Measures Concerning Traffic in Transit, Report of the Panel DS512 (8 April 2019).
7. United Nations Final Substantive Report A/AC.290/2021/CRP.2 (March 2021) https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf.
8. R H Weber, Cybersecurity Governance — international law as policy driver? (2021) 27 Jusletter IT 59–60.
9. See United Nations Office for Disarmament Affairs, Group of Governmental Experts, www.un.org/disarmament/group-of-governmental-experts/.
10. Global Commission on the Stability of Cyberspace, Advancing Cyberstability, Final Report (November 2019).
11. Above n 8, at 28–49.
12. See Microsoft, www.microsoft.com/security/blog/cybersecurity-policy/.
13. See Geneva Dialogue, About, https://genevadialogue.ch/.