State behaviour in cyberspace: a new challenge for the international community
Published on 13 March 2018
Updated on 05 April 2024
Updated on 05 April 2024
As fast as digital technologies have developed, means have been found to exploit their vulnerabilities. Accordingly, states have found a new ground for geopolitical meddling in cyberspace. Whereas legislative measures for addressing cyber-criminality were developed quickly, the willingness of states to engage in discussions on how to regulate their own behaviour in cyberspace has been less forceful. At the beginning of 2017, Microsoft’s President and Chief Legal Officer, Mr Brad Smith, historically called on states for the need of a Digital Geneva Convention ‘to govern states’ behavior in cyberspace.’
Our study on state behaviour in cyberspace, part of the TradeLab clinic at the Graduate Institute of International and Development Studies (IHEID), analysed Microsoft’s proposal, and consequently explored the prospects and challenges of a convention on cybersecurity. While Microsoft’s proposal identifies existing gaps in the current legal framework, our study has found that, in reality, states are well aware of these gaps, but they have kept a vague posture when it comes to defining how international law should regulate governmental activities in cyberspace.
We summarise here the results of our research: first, in the 2015 UNGGE consensus report, states drafted rules similar to Microsoft’s proposed principles, but labelled them as voluntary norms; second, states largely do not comply with these voluntary norms; third, states do not significantly complain about the violations of these voluntary norms by other states. All together this suggests that the time is not ripe for states to engage in a cyber-diplomacy effort leading to a binding instrument yet.
What emerges from a comparative study of the Microsoft rules and the UNGGE norms is that, while significantly overlapping on substance, Microsoft envisions the rules to be binding, while states speak of voluntary norms. In fact, the 2013 UNGGE consensus report stipulated that international law is applicable in cyberspace, but then the 2015 report outlined ‘voluntary norms of responsible state behaviour during peacetime’ (emphasis added). It was left unclear whether these norms are directly derived from international law, but the explicit language indicating voluntary applicability, and the qualification as ‘responsible behaviour’ rather than lawful behaviour, strongly suggest that the states intended to create no liability for failing to respect these norms. Moreover, the 2013 UNGGE consensus report underlines that these norms ‘do not seek to limit or prohibit action that is otherwise consistent with international law’, so that room has been left for actions that do not comply with the voluntary norms, but that would still allegedly comply with international law. The threshold at which the non-compliant conduct is also unlawful, however, was not explicated. This means that it is relatively clear what the content of cybersecurity norms should be, yet there is not a willingness to consider these as part of binding international law.
Why defining a clear legal framework matters: three case studies and the (lack of) response from the international community
In our research, we analysed three cyber events of significant scale, where state actors were directly or indirectly involved. The events are the StuxNet virus of 2010, the Sony Picture Hack of 2014, and the WannaCry worm of 2017.
In our research, we identified the key features of the incidents, and assessed these against Microsoft’s rules and the 2015 UNGGE norms. Remarkably, these events could have been avoided or could have generated liability, by reference to the above-mentioned rules and norms.
Thus, keeping in mind that no state has been held accountable for these events, it emerges that Microsoft’s rules and the UNGGE norms spot tangible gaps in the existing legal framework. Yet, states continue to adopt a non-responsible behaviour in cyberspace, contrary to the norms that they have themselves crafted. Even more worryingly, these situations have not been taken as an opportunity for condemnation by the international community, which could have clarified how and why these conducts were to be considered unlawful. Lacking cyber-specific identifiable state-practice, and consistent opinio juris, it is difficult to understand what the application of international law in cyberspace truly entails for states’ behavior, and how compliance with the UNGGE voluntary norms could gain traction. Thus, what emerges is that states would likely be reluctant to join a negotiating table on binding norms applicable in cyberspace anytime soon.
The difficulty of finding an agreement is also confirmed by the fact that the UNGGE was not able to adopt a consensus report in 2017. This was due in part to some states calling back into question the extent to which international law applied to cyberspace, with some especially contesting whether the regime of state responsibility and the right to self-defense applied at all. As the case may be, we highlight that Cuba suggested opening a Working Group of the General Assembly to create a new binding instrument after the failure of the 2017 UNGGE.
A suggested way forward
We suggest that it could be useful to think of cyber-threats as if they were an externality, such as environmental pollution. As environmental law seeks to strike a balance between economic interests and protection, or as intellectual property law between the interests of innovators and the public interest, so cybersecurity faces a dilemma between innovation and security. In these cases, creative regulation that could take into account a range of different interests has been the key to stimulate compliance and favour the development of effective regulatory frameworks. Similarly, cybersecurity may need to find its own system without simply attempting to borrow from existing laws.
We consider that further dialogue and a quest for unconventional tools to achieve more responsible state behaviour in cyberspace remain necessary to create a stable cyber environment in the long run. In particular, we suggest that a more engaged co-operation between states and the private sector is necessary in order to achieve efficient and universally harmonised solutions that cover all the different issues that arise in relation to cybersecurity. We therefore believe that a multi-stakeholder discussion on a potential Tech Accord, as proposed by Microsoft, and the institution of a third-party entity with governance powers, could constitute a productive way forward. If the majority of tech companies were to adhere to and implement a self-regulating instrument, it could have the potential of exercising political pressure on states, encouraging further discussion on the issue of cybersecurity. Indeed, the Tech Accord itself could be used as a basis for a multistakeholder discussion involving states, the private sector, and civil society, as cybersecurity is a concern that touches upon private and public interests together.
Francesca Casalini and Stefania Di Stefano are master’s student in International Law at the Graduate Institute of Geneva.
Subscribe to Diplo's Blog
Zero-day disclosure
Thank you Francesca and Stefania, your analysis and comparison of the two mentioned proposals is sound and fair. I would just like to quickly try and sketch out a potential proposal for an international binding regulation which would move the process of regulating cyberspace forward.
I believe that the most pressing issue is the nation states weaponization and stockpiling of software errors and vulnerabilities – the notorious 0-day exploits. These are the technical means of cybernetic systems destruction and data theft.
We need to devise a mechanism for encouraging nation state actors to disclose software vulnerabilities. This way, when a new vulnerability is detected and disclosed, software systems can be patched and upgraded, minimizing the offensive capability of other actors who know of that same vulnerability. Due process should be followed, ie. notifying the technology vendor before disclosure and making sure they will be able to issue a patch.
I wonder if it would be feasible to create a global cybersecurity fund, 0-day market and clearing house in the existing UN system that would enable nation states to buy security notifications about vulnerabilities (for software they use) from that institution, but also enable them to sell their own 0-days.
This is a fresh idea, and I will try to refine it more, but I do think that this is an interesting approach that needs more looking into.
Filip