International stability can be endangered if the fine points of how international law applies to cyber operations are not determined
This piece is part of the series, Technology and Governance: Competing Interests
Both global leaders and international legal experts agree to the position that existing international law applies to cyber operations. While instruments like the final reports of the UN Group of Governmental Experts (GGE) on Advancing Responsible State Behaviour in Cyberspace in the context of international security manifest the commitment of global leaders towards the application of various express provisions and customary practices of international law to cyberspace, international legal experts have expressed their positions across two Tallinn Manuals on the international law applicable to cyber operations. Additionally, case law and advisory opinions derived from the International Court of Justice have proved useful as precedents determining the future debates on the matter.
However, not every single detail of how international law and its specific bodies apply to cyber operations is figured out today. And as Michael Schmitt, the Director of the Tallinn Manual project has put it in a feature article, “the devil is in the details”. In addition to details, one has to account for the divergences across country positions on what constitutes responsible behaviour in cyberspace to fully understand the current global narratives surrounding the applicability of international law, and then accordingly draft a future trajectory. The sixth UN GGE on Responsible State Behaviour in Cyberspace, which concluded with a final report adopted by the UN General Assembly in July 2021, addressed many such divergences by allowing for closed-room deliberations and negotiations amongst 25 countries—including India and the five permanent member countries of the UN Security Council. On a larger scale, the Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security—the final substantive report for which was released in March 2021—allowed for the participation of over 140 countries in deliberations surrounding the cyber applicability of international law.
< style="color: #0069a9">While countries like the Netherlands, the US, and France have propagated the concept of protecting the “public core of the internet,” i.e., the protocols and software infrastructure that make the internet a “global commons,” China has dismissed its relevance on grounds that concepts like “Public Core” have yet to gain global consensus.
Some noteworthy divergences that stand out and must be addressed on an international scale are as follows:
On the question of “militarisation of cyberspace,” there is, of course, no denying that there already exist hostilities in cyberspace that may amount to wrongful acts in international law, increasingly so with the proliferation of a ‘cyberpandemic’. One of the most well-known examples, in this regard, is the Petya/NotPetya attack of 2017, a malware cyberattack that drastically impacted digital systems in Russia, Ukraine, China, the US, the UK, and Germany. When research conducted by NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE) accredited the attack to a ‘state actor’ on the grounds that the extent of planning and funding that went into it couldn’t have possibly been carried out by a non-state actor alone, the US and UK were quick to carry out public attribution to the Russian Kremlin. NATO Secretary-General Jens Stoltenberg even stated that this could invoke Article 5 of the North Atlantic Treaty on “collective defense”. While the boundaries of self-defense have been widely debated upon in the context of cyber operations, the US position on the matter is quite clear—“when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” This was formulated in Barack Obama’s 2011 International Strategy for Cyberspace, and remains the US policy to this day.
Hence, it is essential that all states recognise the applicability of IHL and IHRL in cyberspace because by its very nature, IHL governs the act of warring parties and checks violent excesses. It does not, however, incite war or promote the idea that armed conflict should exist. This position has been well formulated in the submission made by the International Committee of the Red Cross to the OEWG in 2019, and has been adopted by countries upholding the attitude. Similarly, the inferred applicability of customary instruments like the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights in cyberspace means rights like freedom of expression, right to receive education (including using digital means, increasingly in the context of COVID-19), and the right to launch political dissent mandate that human rights law and cyber operations be studied in tandem.
< style="color: #0069a9">While the boundaries of self-defense have been widely debated upon in the context of cyber operations, the US position on the matter is quite clear—“when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”
Cyber Sovereignty, due diligence, attribution, and countermeasures too must be juxtaposed in the context of cyber operations. Tallinn Manual 2.0 provides an excellent explanation as to why due diligence, which requires states to not allow, knowingly, the commission of wrongful acts in cyberspace, is essential for normative action against cybercrimes emanating from a state’s territory. It argues that due diligence is synonymous with the ‘obligation of vigilance’, which is a duty associated with the assumption of sovereignty and territoriality in cyberspace. Consequently, it argues that failure to commit to due diligence should allow invocation of attribution, state responsibility, and subsequently, countermeasures to protect the cyber sovereignty of the attributing state, in specific, and the cyber-community, in general. It also ropes in the question of public-private partnership, given that cyberspace is dominated by non-state actors like social media corporations and cybersecurity providers. Without their cooperation, due diligence is impossible. The common goal to it all, of course, is the protection of the public core of cyberspace.
Like any other, the field of international law in the context of cyberspace is ever evolving and is only set to become more complex as more pending questions are answered. The fact that states participating across GGEs and the OEWG deliberations have found common ground in the establishment of Confidence-Building Measures (CBMs) that focus on creating a best practices repository and a continued exchange of information such as evolving country positions on matters of legal applicability and cyberspace, shows that they assign significance to negotiations on the matter. With the OEWG’s mandate extended up to 2025, both states and international legal experts have new opportunities and challenges to take on, with a possible conclusion being the establishment of a consensus-based treaty mechanism on the applicability and interpretation of international law and its varied sub-bodies in the ICT context. Till such a time, states must work on fostering the implementation of existing norms and principles, as well as on making lawful voluntary efforts towards achieving holistic cybersecurity.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
Anushka Saxena is a Research Analyst with the Indo-Pacific Studies Programme at The Takshashila Institution. She can be reached at [email protected].
Read More +
PREV
