The near future of international law in cyberspace: Contentions and realities

This piece is part of the series, Technology and Governance: Competing Interests

Both global leaders and international legal experts agree to the position that existing international law applies to cyber operations. While instruments like the final reports of the UN Group of Governmental Experts (GGE) on Advancing Responsible State Behaviour in Cyberspace in the context of international security manifest the commitment of global leaders towards the application of various express provisions and customary practices of international law to cyberspace, international legal experts have expressed their positions across two Tallinn Manuals on the international law applicable to cyber operations. Additionally, case law and advisory opinions derived from the International Court of Justice have proved useful as precedents determining the future debates on the matter.

However, not every single detail of how international law and its specific bodies apply to cyber operations is figured out today. And as Michael Schmitt, the Director of the Tallinn Manual project has put it in a feature article, “the devil is in the details”. In addition to details, one has to account for the divergences across country positions on what constitutes responsible behaviour in cyberspace to fully understand the current global narratives surrounding the applicability of international law, and then accordingly draft a future trajectory. The sixth UN GGE on Responsible State Behaviour in Cyberspace, which concluded with a final report adopted by the UN General Assembly in July 2021, addressed many such divergences by allowing for closed-room deliberations and negotiations amongst 25 countries—including India and the five permanent member countries of the UN Security Council. On a larger scale, the Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security—the final substantive report for which was released in March 2021—allowed for the participation of over 140 countries in deliberations surrounding the cyber applicability of international law.

While countries like the Netherlands, the US, and France have propagated the concept of protecting the “public core of the internet,” i.e., the protocols and software infrastructure that make the internet a “global commons,” China has dismissed its relevance on grounds that concepts like “Public Core” have yet to gain global consensus.

Some noteworthy divergences that stand out and must be addressed on an international scale are as follows:

1. From France’s comments on the Initial Pre-Draft of the OEWG report, it can be inferred that it supports effective implementation of already agreed upon norms and principles in cyberspace, than to move towards new, “politically-binding” agreements that specifically refer to Information and Communications Technology (ICT) in laying down relevant legal obligations. A similar approach has been adopted by the US in its comments on the pre-draft, albeit in a stronger manner, arguing that the creation of new normative concepts and the reorientation of the OEWG thereof is futile. However, China in its contribution to the initial pre-draft condemned the stance of the report that the “existing international law, complemented by the voluntary, non-binding norms that reflect a consensus among States, is currently sufficient,” arguing that new realities must be shaped by new normative mechanisms for a more “conducive” international response.

1. The contributions of the European Union, France, the US, and Australia, to both the OEWG report and the 2015 and 2021 GGEs, have affirmed the applicability of international humanitarian and human rights law on cyber operations. However, their stances have met significant opposition from countries like Iran, China, Russia, and Cuba, whose contributions argue that the application of international humanitarian law (IHL) would lead to unnecessary militarisation of cyberspace. This particular divergence contributed significantly to the breakdown of talks at the fifth GGE in 2017, which concluded in the withdrawal of Cuba, China, and Russia from deliberations and the subsequent non-adoption of a consensus-based final report. Noteworthy is the Russian argument on the non-applicability of IHL in the cyber realm, which dismisses ICT as even a recognised “weapon” in international law, let alone a battleground.

1. Another relevant point of contention has been the inclusion of the phrase “Public Core” in say, the final report of the OEWG. Albeit not one that is widespread, the difference is interesting in the context of the second principle of the non-binding Paris Call for Trust and Security in Cyberspace adopted in 2018, as well as the commitments made to keeping the general availability and integrity of the internet intact across the UN GGEs and the OEWG deliberations. While countries like the Netherlands, the US, and France have propagated the concept of protecting the “public core of the internet,” i.e., the protocols and software infrastructure that make the internet a “global commons,” China has dismissed its relevance on grounds that concepts like “Public Core” have yet to gain global consensus.

1. Finally, an important point of divergence is that of attribution and state responsibility. As per the International Law Commission’s 2001 draft articles on Responsibility of States for Internationally Wrongful Acts, attributability of a crime committed under international law to a state is essential to invoke the principle of state responsibility. Even though the draft articles themselves are non-binding, the attribution-state responsibility duo has come to be recognised as customary law. In that context, the two sides of the debate address whether there should exist common norms on attributability and dispute-resolution concerning wrongful acts in cyberspace (as do for other conventional crimes and wrongful acts) or should state sovereignty and the diplomatic right to make a national decision regarding attribution supersede a common approach.

On the question of “militarisation of cyberspace,” there is, of course, no denying that there already exist hostilities in cyberspace that may amount to wrongful acts in international law, increasingly so with the proliferation of a ‘cyberpandemic’. One of the most well-known examples, in this regard, is the Petya/NotPetya attack of 2017, a malware cyberattack that drastically impacted digital systems in Russia, Ukraine, China, the US, the UK, and Germany. When research conducted by NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE) accredited the attack to a ‘state actor’ on the grounds that the extent of planning and funding that went into it couldn’t have possibly been carried out by a non-state actor alone, the US and UK were quick to carry out public attribution to the Russian Kremlin. NATO Secretary-General Jens Stoltenberg even stated that this could invoke Article 5 of the North Atlantic Treaty on “collective defense”. While the boundaries of self-defense have been widely debated upon in the context of cyber operations, the US position on the matter is quite clear—“when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” This was formulated in Barack Obama’s 2011 International Strategy for Cyberspace, and remains the US policy to this day.

Hence, it is essential that all states recognise the applicability of IHL and IHRL in cyberspace because by its very nature, IHL governs the act of warring parties and checks violent excesses. It does not, however, incite war or promote the idea that armed conflict should exist. This position has been well formulated in the submission made by the International Committee of the Red Cross to the OEWG in 2019, and has been adopted by countries upholding the attitude. Similarly, the inferred applicability of customary instruments like the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights in cyberspace means rights like freedom of expression, right to receive education (including using digital means, increasingly in the context of COVID-19), and the right to launch political dissent mandate that human rights law and cyber operations be studied in tandem.

While the boundaries of self-defense have been widely debated upon in the context of cyber operations, the US position on the matter is quite clear—“when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”

Cyber Sovereignty, due diligence, attribution, and countermeasures too must be juxtaposed in the context of cyber operations. Tallinn Manual 2.0 provides an excellent explanation as to why due diligence, which requires states to not allow, knowingly, the commission of wrongful acts in cyberspace, is essential for normative action against cybercrimes emanating from a state’s territory.  It argues that due diligence is synonymous with the ‘obligation of vigilance’, which is a duty associated with the assumption of sovereignty and territoriality in cyberspace. Consequently, it argues that failure to commit to due diligence should allow invocation of attribution, state responsibility, and subsequently, countermeasures to protect the cyber sovereignty of the attributing state, in specific, and the cyber-community, in general. It also ropes in the question of public-private partnership, given that cyberspace is dominated by non-state actors like social media corporations and cybersecurity providers. Without their cooperation, due diligence is impossible. The common goal to it all, of course, is the protection of the public core of cyberspace.

Like any other, the field of international law in the context of cyberspace is ever evolving and is only set to become more complex as more pending questions are answered. The fact that states participating across GGEs and the OEWG deliberations have found common ground in the establishment of Confidence-Building Measures (CBMs) that focus on creating a best practices repository and a continued exchange of information such as evolving country positions on matters of legal applicability and cyberspace, shows that they assign significance to negotiations on the matter. With the OEWG’s mandate extended up to 2025, both states and international legal experts have new opportunities and challenges to take on, with a possible conclusion being the establishment of a consensus-based treaty mechanism on the applicability and interpretation of international law and its varied sub-bodies in the ICT context. Till such a time, states must work on fostering the implementation of existing norms and principles, as well as on making lawful voluntary efforts towards achieving holistic cybersecurity.

• Media and Internet
• America
• Bhutan
• The Pacific
• East and Southeast Asia
• East Asia
• AI
• cybersecurity
• cyberspace
• digital regulation

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.

PREV NEXT