The European Union has called for all states to publicise their views on how international law applies to cyberspace. To date, primarily European states have shared their national views. The OAS’s Improving Transparency project aims to add more American voices to the conversation. Early results of the initiative highlight the need for greater legal capacity building among states that have recently joined the dialogue over how international law sets the rules of the road for cyberspace.
Cybersecurity threats are now ubiquitous. In just the past few months, a rising number of sophisticated hacking operations have affected critical infrastructure, wide swaths of government institutions and international organisations (IOs) in Europe and beyond. The COVID-19 global pandemic alone has catalysed a new range of cyberattacks on hospitals and a fivefold increase in phishing efforts targeting the World Health Organization. As a result, states have increasingly recognised the necessity of elaborating “rules of the road” for cyberspace, whether to guide their own operations or to better coordinate and cooperate when responding to cyberattacks.
International law has long been one of the key vehicles for regulating the behaviour of states and state-sponsored actors in cyberspace. Today, international law’s application to cyberspace is widely recognised. Building on earlier work by Groups of Governmental Experts on Information Security, the United Nations General Assembly affirmed the applicability of international law in Resolution 266. The European Union has echoed this point as have the G20 and ASEAN. When it comes to international peace and security, however, there are no cyber-specific conventions (and those on cybercrime are limited to regional contexts; the large number of parties to the Council of Europe’s Budapest Convention still represents only a minority of nation states while the African Union Convention has yet to enter into force). As such, international law’s application to cyberspace will largely depend on customary international law (i.e. state practice accepted as law).
State Silence Creates a Vacuum
To date, however, state practice has been sparse. States are reluctant to invoke international law even when accusing other states of targeting them in cyber operations. Several non-state actors – most notably the International Committee of the Red Cross (ICRC) and the independent group of experts who authored the Tallinn Manuals – have sought to fill this vacuum. However, as then-U.S. Department of State Legal Adviser Brian Egan noted in 2016:
“Interpretations or applications of international law proposed by non-governmental groups may not reflect the practice or legal views of many or most States. States’ relative silence could lead to unpredictability in the cyber realm, where States may be left guessing about each other’s views on the applicable legal framework. In the context of a specific cyber incident, this uncertainty could give rise to misperceptions and miscalculations by States, potentially leading to escalation and, in the worst case, conflict.“
As such, it is hard to say that these contributions definitively delineate the contours of international law in cyberspace.
In the absence of a treaty, an accepted treatise or concrete applications in practice, states have begun to make individual “national statements” on the subject. Since 2018, several states have issued such statements. With the exceptions of Australia and the United States, most are European, and include Estonia, France, Germany, the Netherlands and the United Kingdom. The UN General Assembly has encouraged participants in the current UN Group of Governmental Experts to issue statements, and various contributions to the parallel UN Open Ended Working Group touch on the subject. Yet, the application of international law to cyberspace is neither an exclusive project of the UN nor one that should rely primarily on European contributions (or contributions by those states with the greatest cyber capabilities). As the European Union itself has emphasised, all states should have the opportunity – and indeed be encouraged – to delineate and describe their respective positions on how international law operates in the digital environment. Simply put, states need additional opportunities and fora to develop and issue their understandings of the relevant international legal issues.
The Improving Transparency Initiative at the OAS
A project underway in the Inter-American Juridical Committee (IAJC) of the Organization of American States (OAS) aims to afford OAS member states a new venue for developing and articulating such views. Charged with promoting “the progressive development and codification of international law“, the IAJC is one of the OAS’s principal organs, comprised of eleven international legal experts elected by the OAS General Assembly to serve in their individual capacities on relevant issues of public and private international law. Since 2018, the IAJC has pursued a new project entitled “Improving Transparency – International Law and State Cyber Operations”, with one of us – Duncan Hollis – serving as the Rapporteur.
The Improving Transparency initiative has four goals:
- To identify areas of convergence in how OAS member states understand which particular legal rules apply to cyberspace, and how they apply, in order to provide a basis for identifying more precisely the contents and contours of existing international law;
- To identify divergent areas where states do not agree on how international law applies, to create a baseline for further dialogue, reconciliation and clarification;
- To ensure states in the region (and elsewhere) understand areas of convergence and divergence, to limit the risk of inadvertent conflict escalation; and lastly,
- To afford OAS member states an appropriate and active voice in the global conversation on the application of international law to cyberspace.
To date, the Rapporteur has produced four reports, with a fifth due to be released next month. At its core, the project focuses on drafting and distributing a questionnaire for OAS member states regarding international law’s application to cyberspace. With input from the ICRC, the questionnaire sought to gather member state views via ten pressing questions on the application of existing international legal rules and principles; the prohibition on the use of force and the right of self-defence; state responsibility for non-state actors; international humanitarian law; sovereignty; and due diligence. To date, the IAJC has received eight substantive responses. In addition, in June 2020, the OAS Department of International Law hosted a half-day session (under the Chatham House Rule) of legal experts from sixteen member states on this topic.
The most recent public report – the Rapporteur’s Fourth Report from March 2020 – offers some initial takeaways.
- By and large, responding OAS member states agree that international applies to cyberspace, in line with the global consensus. However, there is continuing equivocation, and even some disagreement, over the particularities. For example, two states, Guyana and Guatemala, have suggested that the novelty of cyberspace may make the application of existing international law difficult, even as they express positive support for its application.
- In the context of international humanitarian law, Chile, Peru and the United States agreed that a cyber operation could not qualify as an “attack” if it fails to cause death, injury or direct physical harm. In contrast, Guatemala and Ecuador both responded positively to the idea of delimiting attacks based on functionality losses, rather than death, injury or destruction of property. Guatemala went so far as to suggest that cyber operations can be considered attacks even if they only produce a loss of functionality.
- On the question of sovereignty as a stand
–alone independent rule in cyberspace (as opposed to a background principle that informs other areas of international law like the duty of non-intervention), responding states were divided. Three states – Bolivia, Guatemala and Guyana – clearly articulated sovereignty as its own standalone rule that another state could breach via a cyber operation. Other states, like Peru and Ecuador, were more equivocal, while Chile and the United States suggested the possibility of sovereignty operating only as a principle (albeit without taking that position officially). - A majority of responding states accept the idea of due diligence as a legal rule in cyberspace (i.e. requiring states to respond to activities that violate the rights of another state and that it knows, or reasonably should know, originated in its territory or areas under its control). Chile, Ecuador, Guatemala, Guyana and Peru all take the position that the principle of due diligence is a part of the international law applicable in cyberspace. Bolivia, however, was more equivocal on this point, and statements it has made outside of the OAS suggest that the United States is reluctant to concede due diligence as anything more than a voluntary norm of responsible state behaviour.
As valuable as the information contained in the eight substantive responses to the IAJC’s questionnaire has been, these responses represent the views of less than a quarter of the OAS’s 35 member states. The limited number of responses may reflect the political sensitivity of the topic (i.e. states are reluctant to take positions that may constrain their own cyber operations). At the same time, however, there may be another reason for State silence — a lack of legal capacity to provide official responses. At least some OAS member states may not yet have legal answers to the questions and issues raised by information and communications technologies in international law. And without answers for the relevant legal issues, it is not surprising that states are reluctant to express official positions on how they themselves will apply international law.
Regional Fora Can Build Legal Capacity and Foster Non-European Perspectives
Most discussions of capacity building focus on improving how states understand the relevant technical architecture and what risks and rewards it offers states and other actors. What the IAJC questionnaire suggests, however, is that states and other stakeholders must give more attention to legal capacity building – i.e. ensuring that states have sufficient expertise on the legal issues raised by information and communication technologies to engage in the relevant international legal dialogues, and, indeed, the iteration of customary international law. To be sure, some legal capacity building is already taking place. In the OAS region, for example, the Inter-American Committee Against Terrorism (CICTE) has an excellent track record of providing member states with both technical assistance and opportunities to engage on relevant legal issues. Yet, the IAJC questionnaire makes it clear that more work in this area is essential, both within the region and beyond. Given EU interests in building capacity on cybersecurity issues, there is a clear opportunity for greater support from – and collaboration by – European sources on such efforts.
What would such legal capacity building look like? It could include trainings on technical issues for non-technical experts (including legal counsel to foreign ministries), workshops “gaming” international law’s application through various scenario-based exercises and further collaboration with existing international legal experts in the field. The most impactful capacity building efforts, however, may be in sustaining regional dialogues like those pursued by the OAS. These type of diplomatic exchanges with low stakes and low barriers to entry can set the foundation for the creation of a unified front against the collective threat of under regulated and unfettered state-sponsored cyber operations. Intra-regional dialogues (e.g. between EU and OAS member states) could also advance the existing discourse. In contrast to finger pointing and threatening proportional cyber (or conventional) consequences, articulating state viewpoints within legal – or even normative – language provides a much-needed foundation for efforts to build consensus around what the global governance of cyberspace through international law will actually mean.
The OAS’s IAJC transparency project does not seek to codify or develop international law. Nor does it offer guidance or best practices for states to employ when engaging with outstanding legal questions. Its ambitions are more modest, and yet fundamental: to provide states with new conduits for acquiring necessary information and to facilitate dialogue on how international law actually applies to cyber operations to increase transparency. We believe, moreover, that the OAS experience may have value for other regions and regional bodies, including the European Union. Fostering non-European perspectives will inform existing European perspectives and put them in a broader context. OAS member state views may have value, for example, in signalling to diverging EU member states how other regions and states approach issues (e.g. sovereignty-as-rule) where a European consensus has yet to emerge. At the same time, where OAS member state views overlap with the European consensus, they may provide much-needed evidence for the existence (and content) of customary international law in cyberspace. This is, moreover, not just an exercise for international lawyers. In the end, we believe that greater transparency and capacity building involving international law (whether it occurs in the EU or the OAS or in other regional contexts) can provide states and other stakeholders with greater confidence in the stability and cooperation needed to ensure cyberspace is open, safe and secure.
Thumbnail image: credits to Filip Gielda on Unsplash