The second half of the third meeting and the fourth meeting of the second substantive session of the Open-Ended Working Group (the OEWG) discussed international law. In particular, the representatives addressed the issues of the applicability of international law in cyberspace, identifying gaps in international law related to cyberspace, the concept of sovereignty and self-defence, the possible need for a new legal instrument to regulate cyberspace, national positions, a repository of national practices, and capacity building measures.
With respect to the applicability of international law to cyberspace, the majority of countries and participants in this meeting, such as Sweden, Switzerland, Lichtenstein, Brazil, Canada, New Zealand, the United Kingdom, the European Union, Pacific Islands Forum, among others, have declared that the existing international law in its entirety, including international humanitarian law, human rights law, and international criminal law, as well as the Charter of the United Nations are applicable to cyberspace. As was pointed out, the UN General Assembly has already endorsed the view that international law and the Charter of the UN are applicable in cyberspace and are essential for this environment to be open, secure, stable, and peaceful. The 2013 and 2015 GGE reports confirm this position. The majority of countries confirmed that during an armed conflict, cyber activity must comply with the principles of international humanitarian law, including military necessity, humanity, proportionality, and distinction. In support of these arguments and to present the current state of jurisprudence, Australia has presented a non paper on case studies on the application of international law in cyberspace. Switzerland and the United Kingdom welcomed the call by the International Committee of the Red Cross for all states to reaffirm that the international humanitarian law applies to the conduct of cyber operations during armed conflicts.
Italy emphasised that countries benefit from the application of the existing international law in cyberspace, giving the OEWG a stable and solid foundation to build upon.
Finland pointed out in their statement that human rights and fundamental freedoms as enshrined in the relevant international instruments must be upheld equally online and offline. The Czech Republic reiterated that the international human rights law is applicable to cyberspace in its entirety, in particular, the freedom of expression, applicable regardless of frontiers and through any media of one's choice (Art. 19 of the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights). The Czech Republic also stated that the freedom of peaceful assembly and of association (Art. 22 of the UDHR) and the right to privacy (Art. 17 of the UDHR) apply to cyberspace as much as they apply to the physical domain, and that any restrictions implemented on the grounds of national security, public safety, or protection of morals should be clearly and narrowly defined by the law to prevent abuse by authorities.
With regards to the impact of human rights on cybersecurity laws, practices, and policies, Switzerland, Austria, Estonia, New Zealand, Sweden, the Czech Republic, and the Netherlands expressed their support of the newly adopted statement of the Freedom Online Coalition on Human Rights.
The Philippines reiterated the importance for member states to accede to existing regional and international legal instruments that promote the harmonization of laws relating to cybercrime, cybersecurity, and data privacy. This includes the Budapest Convention on Cybercrime and Convention 108 + (Modernised Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data) on the question of enabling an easier cyber incident attribution.
Lichtenstein emphasised the need for a clear understanding of the application of the Rome Statute of the International Criminal Court. Together with partnering states, Lichtenstein has convened a council of advisers composed of leading academics to elaborate how the Rome Statute of the International Criminal Court applies to cyberwarfare. Having a clear understanding of the application of the Rome Statute in place will, according to Lichtenstein, act as an important deterrent to malicious cyber operations and will contribute to ensuring accountability for acts of cyber aggression.
The Islamic Republic of Iran stated that the prevention of the malicious use of information and communications technology (ICT) for offensive purposes should be the main starting point for discussion at the OEWG. Iran emphasised a strong need for developing a complementary, cyber-specific international law which addresses issues such as jurisdiction and conflict of laws.
The Syrian Arab Republic has stated that they are not convinced that the international law is fully applicable to cyberspace.
In addressing the applicability of international law to cyberspace, the representatives were in agreement that the main focus needs to be on clarifying how to apply the existing international law. Identifying gaps in the current regulations and the need for an additional international binding regulation were discussed in detail.
The United States of America pointed out that it is substantially premature to identify gaps in international law if there is no understanding of how each country views its applicability. The USA also recalled that international law is just one component of this framework; responsible state behaviour and voluntary, non-binding norms may not be ready for codification as there are many states that do not feel that they have the capacity to either understand or implement them yet.
Kenya pointed out the need to clarify how these laws can be invoked and applied in relation to cyber-threats, including attribution challenges in cyberwarfare and proxy situations, as well as in the context of autonomous, automated, and artificial intelligence (AI) cyber actors.
Brazil stated that the recognition of the applicability of international law to cyberspace must not be understood as legitimising the transformation of the cyber domain into another arena for a military conflict. To the contrary, this understanding should foster restraint from all states and contribute to the maintenance of a safe, secure, stable, and prosperous ICT environment.
Belgium agreed that the way in which international law is applicable is not always clear. It is supportive of efforts to clarify how international law can be applied by sharing opinions, and perhaps, with guidelines in the future.
Romania pointed out that international law and its application should remain technologically neutral.
According to Kenya, the interpretation and application of international law must be consistent and should not discriminate along the digital divide.
Austria stated that there are indeed gaps, however, not in the rules of international law per se, but in how these rules should be applied and interpreted in the cyber context. Austria’s understanding is that international law in its entirety applies to cyber operations, and they do not believe that a new legally binding instrument is necessary. Similar opinions were voiced by Chile, New Zealand, Sweden, the Republic of Korea, Belgium, the European Union, Fiji (on behalf of Pacific Island States), Italy, the Czech Republic, among others.
The Russian Federation, on the other hand, questioned the applicability of international law in cyberspace, asking what specific law is applicable in cyberspace, and how does the applicability of international law correlate with the voluntary principle. In the example of humanitarian law, the Russian Federation questioned its application in times of peace and in hybrid warfare, especially in relation to civilian perpetrators of cyber-attacks. It also pointed out a lack of recourse in the enforcement of the norms, such as the lack of a cyber court of justice.
Some countries view it as necessary to adopt a new legally binding document to regulate cyberspace. Egypt stated that now is the time to upgrade the status of voluntary recommendations to binding ones to see through their actual implementation and operationalisation. The Syrian Arab Republic called to start negotiations on a new instrument as well.
Indonesia presented its opinion that the existing legal regime does not accommodate the intangible and anonymous nature of cyberspace. According to Indonesia, possible new interpretations and ungoverned issues in cyberspace need to be addressed in an appropriate format, including a legally binding treaty which would not impair new innovation and the development of technology.
The third group of countries took the middle ground. Singapore declared its understanding of countries calling for legally binding instruments in cyberspace (such as Pakistan, Cuba, Syria, and Jordan) to ensure compliance and accountability. At the same time, Singapore also agreed with other countries (such as Australia and the UK) on the need for action against cyber-threats and their view that negotiating a legally binding instrument will be time consuming, during which time cyber-threats will continue to evolve.
South Africa also took the middle ground stating the need for thorough understanding, predictability, transparency, and assurances of recourse. Bangladesh was in agreement with South Africa, being in favour of demonstrating shared commitment towards further strengthening the existing norms in an inclusive and participatory manner.
Participants also discussed the concept of sovereignty, due diligence, self-defence and the application of Art. 51 of the Charter of the UN. There was a general consensus that as a part of sovereignty in cyberspace, states have exclusive jurisdiction over the ICTs located on their territory. Austria pointed out that references to state sovereignty must not be abused to justify human rights violations within a state's borders.
With regards to due diligence, Finland stated that while states must show due diligence in their controlled national territory, doing so does not release them from the observance of other international obligations, such as those relating to human rights.
Brazil underscored that all states should exercise due diligence and seek to ensure that their territory is not used by non-state actors to commit such acts as recognised by paragraph 28 e) of the 2015 GGE report. However, states have different national capabilities to implement this recommendation.
In discussing the right to self-defence according to Art. 51 of the UN Charter, Brazil and India pointed out the lack of an appropriate definition of what would constitute force and/or an armed attack in cyberspace, and what the threshold of cyber-attacks should be to invoke Art. 51. India also pointed out the lack of clarity on the principles of distinction between military and civilian targets.
Brazil addressed the cyber-attacks that are below the threshold of the use of force, and whether the International Law Commission (ILC) Articles on State Responsibility for Internationally Wrongful Acts would be applicable. On the one hand, states and international courts have consistently recognised some of the ILC Articles on State Responsibility, such as the rules for attribution as customary international law. On the other hand, there are still questions regarding the customary status of another set of ILC Articles, such as the one on counter-measures.
Pakistan voiced its concerns on the applicability of Art. 51, as well as the rules of engagement in military conflict in the ICT context, stating that there is a need to adopt international law according to the unique characteristics of the ICT environment.
The Russian Federation stated its opinion that Art. 51 can be applied only in the context of an armed attack, whereas a cyber-attack does not meet this criteria. It called for more discussions on the matter.
Speaking of attribution, the UK considered that the existing legal framework already underpins the state's ability to carry out attribution based on the fact that the state is required to bear responsibility for internationally wrongful acts, voluntary and non-binding norms, co-operation and trust in partners, and the technical, legal, and policy capabilities. The UK can, and does, attribute malicious cyber acts to states, when they believe it is in their best interest to do so, and aligns with the commitment to clarity and stability in cyberspace. According to them, this is a political decision for states based on technical evidence, legal advice, and wider diplomatic and political considerations.
India pointed out the problem of attribution for actions of non-state actors: responsibility will only be attributed if the state either acknowledges and adopts the conduct of the non-state actor as its own, or the state directs or controls the non-state actor.
When discussing the lack of capacity and expertise in some countries in regards to the application of international law in cyberspace, the participants supported the creation of a repository of national practices in international law. This should serve as a source of understanding on how international law applies in different national contexts, to foster common interpretation on how international law applies in cyberspace, and to bolster trust in cyberspace.
By Pavlina Ittelson