DiploFoundation, with the support of Microsoft, organised the web discussion: Applicability of international law to cyberspace: Do we know the rules of the road? This webinar was the second in the series of cyber-diplomacy web discussions, following the web discussion, Cyber-armament: A heavy impact on peace, economic development, and human rights. The series of web discussions aims to map trends; introduce challenges; clarify open issues on the negotiation table; outline processes where discussions are happening; and explain how all of us can get involved. Robin Geiss (Glasgow Centre for International Law and Security [GCILS]) and Deborah Housen-Couriel (CLO and VP Regulation, Konfidas Ltd.; Adjunct Law Professor, Hebrew University of Jerusalem; Research Associate, ICT Herzliya) joined us to discuss the applicability of international law to cyberspace. The discussion was moderated by Dr Jovan Kurbalija (Executive Director of DiploFoundation and Head of the Geneva Internet Platform [GIP]).
Kurbalija explained that the webinar aims to reduce the misunderstandings between the international legal and technical community by explaining the core international legal concepts that apply to cyberspace in the simplest way possible.
Geiss noted that there is a power struggle for tech supremacy, which plays out in the digital sphere and in the sphere of artificial intelligence (AI). It leads to competing visions of Internet governance - should it be based on a multistakeholder approach that promotes fundamental freedoms and human rights; or should it be a state-controlled, almost exclusively state-driven, multilateral process that favours sovereignty. The various contests and conflicting interests have led to an inflation of processes - panels, commissions, two parallel UN processes - dealing with cyberspace. The issue of responding to malicious cyber activity has been at the forefront of these discussions. However, drawing the line between allowed and prohibited cyber activity is of more importance to international law. Cyber activities do not fit into the established legal framework, as it was drafted against the backdrop of the Second World War; shaped and developed throughout the Cold War; and served to prevent physical damage and stop powerful states from coercing other states. However, activities in cyberspace are not coercive but manipulative activities - manipulation is the new coercion of the 21st century. These subtle, manipulative activities are difficult to deal with under the established paradigm. They encompass manipulative activity in the political sphere (e.g. election manipulation), the technical sphere (e.g. infrastructure manipulation), and manipulation of economic processes - activities that can, over time, have a detrimental effect on entire societies.
Housen-Couriel stated that we are behind the curve - international law is not being developed for cyberspace, and states are slowly clarifying their positions. The work of the UN Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) is not lawmaking work. It is a normative international law project, but it does not create binding norms. More attention should be given to norm building activities of non-state actors in cyberspace, the development of standards, and terrorism in cyberspace.
Geiss noted that international law needs to adjust; new interpretations are needed, and pressure points need to be addressed. It is easy for states to agree to slogans such as ‘international law applies online just as it does offline’. However, they have differing views of how sovereignty, which is a foundational principle of international law, can be transposed into cyberspace. The technological setup of cyberspace is developing fast, and states encounter difficulties in keeping track of the developments and articulating their positions. This is why many states have remained either silent or vague regarding their positions in international law. Without clear positioning from states, it is hard for lawyers to predict how the law and customary law will develop and be applied. The more states publicise their positions, the more cyberlaw moves forward. Nevertheless, there is an increasing clarity on how international law will play out in cyberspace; for example, if a cyber-attack reaches the threshold of an armed attack, Article 51 of the Charter of the UN would apply, and the attacked state would have the right to self-defence.
Housen-Couriel acknowledged that it is impossible to develop norms without involving the private actors, as they permeate all areas of our daily lives. She argued that we need to think more broadly about what a non-state actor is and widen it to include individuals: ethical hackers, non-ethical actors, and users. As a conservative lawyer, she would include non-state actors in norm development through confidence building measures (CBMs), as they are not dependent on any treaty, custom, or high-level of agreements on norms, yet they widen the circle to individuals.
Geiss agreed that the views of private actors need to be included in the process. Including private actors does not necessarily mean that they would be allowed to shape international law; it can also mean regulating them, which is a good starting point for human rights law. Individuals on the Internet are both consumers of services and data, and data providers. The best paradigm to protect individuals is the human rights regime, which needs to be better incorporated into company policies and the cyber domain.
Attribution in cyberspace - difficult but possible
Geiss underlined that attribution in cyberspace is difficult, but not impossible as commonly perceived. In many cases it just takes time, which is similar to high-level security incidents in other fields (e.g. the downing of Malaysia Airlines Flight 17). Combining the tracing of a certain cyber operation with additional circumstantial evidence, human intelligence, previous experience gained, and the motives behind a certain operation can make it possible to attribute cyber operations. Many cyber operations are part of a larger cyber campaign, which makes it easier to establish a clear chain of evidence. However, Geiss noted that the time needed to make attribution in cyberspace is not congruent with reactive models that exist in international law, such as the right to self-defence.
Housen-Couriel emphasised that international law allows a self-defence response that is not restricted to cyberspace: response to an internationally wrongful act can be undertaken in cyberspace or in physical space. The applicable toolkit does not differ from the toolkit already known in traditional international law. Housen-Couriel highlighted the importance of the steps of due diligence in cyberspace for preventing malicious acts states have undertaken. The definition of due diligence in cyberspace is still debated. In her opinion, state responses should not be called ‘hack-backs’, but traditional terms such as ‘retorsion’ and ‘self-defence’. She also noted that the question of preventive self-defence is on the rise on the international agenda with developments regarding Huawei equipment and incidents and offences on the supply chain of cyber equipment and services.
The statements of France, the Netherlands, the UK and the USA are a great effort towards transparency in state positions, noted Housen-Couriel. However, how these statements will translate into actual state practice remains to be seen.
Geiss noted that the positions of France and the Netherlands are in many parts in alignment with the UK and the USA, but they also differ quite significantly - France and the Netherlands have acknowledged state sovereignty as a rule. International law was not prepared for new variations of power projections where one state can launch into the sovereign space of another state. Additionally, it remains unclear what the threshold is for a cyber-attack to be defined as a violation of another state’s sovereignty. Questions of surveillance, data flows, hacking into another state’s systems, and cyber-armament are also questions that international law has to answer. The positions of France, the Netherlands, the UK and the USA clarify where these states draw the line when it comes to these issues.
Picking up on the topic of the use of force, Housen-Couriel stated that cyber-attacks on data - which do not cause actual impact on physical property, injury or loss of life - are still undefined. As human beings, we have not defined our relationship to data - is it a weapon, a target, a relationship, a possession, an aspect of our personality, or an aspect of our nation's capacities. International law could examine what constitutes critical infrastructure in cyberspace, and include databases, data collections, and data systems in the understanding of critical infrastructure. Additional protections, either under due diligence rules or rules of state responsibility, could then be given to these elements.
International law has not yet developed to cover due diligence, state responsibilities, etc. Housen-Couriel stated a perfect example would be a malevolent cyber activity operation enabled in active war, which is not covered by insurance policies. The insurance community does not know how to quantify cyber damage yet, and will continue to be unable to do so until it collects enough actuarial data on how cyber systems are impacted or can make impact.
The next web discussion in the series is Traceability and attribution of cyber-attacks: Who did it? Registration for the event is open.