State behaviour in cyberspace: moving away from a military discourse
Updated on 07 August 2022
Microsoft has acknowledged that ‘the world needs new international rules to protect the public from nation state threats in cyberspace, and that ‘in short, the world needs a Digital Geneva Convention’.
Mr Brad Smith, President and Chief Legal Officer of Microsoft, has acknowledged that the idea of a Digital Geneva Convention, as the name betrays, takes inspiration from the 1949 Geneva Conventions (GCs). Smith explains this analogy by affirming that, as the first responders during the battle of Solferino (the battle that inspired the creation of the ICRC) were the doctors of the respective armies and the civilian volunteers that worked with them, today, in the context of cyberattacks, the first respondents with the expertise are tech companies.
This piece would like to stress that this analogy cannot be taken too far, and that it might actually be problematic, as it assimilates state-led cyber-operations to armed conflicts. Moreover, as already highlighted in the previous blog post, there is a need for cybersecurity to be developed as a separate system, without simply attempting to borrow from existing laws or any other legal regimes. For these reasons, we suggest that it is necessary not to articulate cybersecurity concerns against an international humanitarian law (IHL) background.
Why the peacetime qualification should be disregarded
The Microsoft proposal specifies that the rules it envisages would be applicable in times of peace, and it would therefore leave the regulation of cyber-activities to the realm of IHL if the threshold of armed attack is attained. Indeed, the ICRC considers that IHL is already capable of regulating cyber-warfare (see this example). At the same time, by making this specification, Microsoft underlines that its Digital Geneva Convention would govern behaviour in cyberspace in scenarios that remain well below the use of force or armed attack (which triggers the laws of war).
Since it remains unclear when a cyber-operation attains the level of armed attack for the purposes of IHL, and since the aims pursued by Microsoft’s proposal are largely different from those pursued by the laws of war, it would seem more appropriate to re-think the Microsoft proposal as an instrument that would seek to establish a system of Internet governance, and that does not aim at affecting or replacing any other existing legal regime. It could simply represent the acknowledgment that there are new phenomena that are in need of regulation. In this sense, the ‘peacetime’ qualification does not add value, and generates a risk that the proposed rules would be considered displaceable in times of war, whereas the particular relationship that exists between the state and the private sector in the cyber realm would persist even during an armed conflict. For these reasons, we suggest removing the peacetime qualification altogether.
Why the underlying ideological underpinnings of the Digital Geneva Convention are different than those of IHL
The ideological underpinnings behind the GCs are different than the ones behind Microsoft’s proposal, as the former are driven by the need to balance military necessity and the protection of civilians in the context of armed conflict, whereas the latter, as explained in the previous section, would also be applicable in a context that does not amount to armed conflict. This underlying difference leads to a series of difficulties when trying to frame the issue of state-led cyber-operations within a military discourse.
This quagmire is mostly evident when trying to transpose the principle of distinction, one of the basic principles of IHL, in the context of Microsoft’s proposal. The principle of distinction is based on the presupposition that there is a category of people that is always a lawful target, the military, and another category of people that enjoys protection from attacks, the civilians. This idea that combatants and military objectives are targetable at all times during armed conflict, finds its rationale in the principle of military necessity, which arises from a state of hostilities. States can use lethal force against human beings, and destroy military targets, as a matter of warfare.
Obviously, in the case of cyber-operations, the distinction would have to be made between categories that are different than those recognised by IHL. However, a similar notion of distinction, and of different categories of people and objects, currently does not exist in peacetime, as in times of peace all people are human beings entitled to the same rights and protections. In this context, the notion of military target simply has no raison d’être. While, from a theoretical point of view, it is possible to infer that Microsoft’s proposal seeks to operate a distinction between the private citizen and governmental objects (which allegedly are the main target of state-led cyber-operations), in practice, it is not obvious to predict that states would be willing to introduce the principle of distinction in a potential legal instrument applicable outside of hostilities, as this would imply that some categories of objects or people would become lawful targets of cyber-operations in peacetime.
Put simply, the result of a transposition of the principle of distinction in the context of cyber-operations would amount to transforming the digital space into a battlefield per se, and certain hostile acts in international relations could no longer be considered as wrongful acts. Aside from the dubious compatibility of such a scenario with existing international law, transforming cyberspace into a space where hostile acts can be lawfully executed, is manifestly undesirable from a policy perspective as well, if anything, for the evident risk of escalation that would emerge.
As we have seen, framing the regulation of state-led cyber-operations within a military discourse is not desirable. Moving away from a military discourse is necessary for two reasons: first, technology creates new legal challenges that are unregulated by the current international regulatory framework, and, second, the principle of military necessity, one of the ideological underpinnings of IHL, is not always applicable in cyber-operations.
Francesca Casalini and Stefania Di Stefano are master’s student in International Law at the Graduate Institute of Geneva.