If you’re talking about international law and cyberspace, it’s hard to find a better person to talk to than Ambassador Marja Lehto, who wrote the recent Finnish position paper on the issue. A renowned international lawyer, Dr Lehto served as the Finnish expert in the tense 2016-2017 UN GGE. In 2016, she was elected to the International Law Commission of the UN (ILC) for the term of 2017-2021 with 175 votes, the highest vote total of the entire election.
While turbulent, 2020 seems set to close with a positive prognosis for international law and cyberspace for the EU. Convincing the international community that international law can be usefully applied in cyberspace has been one of the main goals of European cyber policy. National statements on the subject have become an instrument for supporting this proposition and in recent weeks several have been added to the count.
To reflect on what has been achieved and what is ahead, I sat down with Ambassador Marja Lehto. It would be hard to find a better conversation partner on this topic: Lehto is not only the main author of the recent Finnish position paper on international law and cyberspace, she was also the Finnish expert in the tense 2016-2017 UN GGE, is the Senior Expert on Public International Law in the Legal Service of Ministry for Foreign Affairs of Finland and is a member of the International Law Commission.
A clear contribution to international law in cyberspace
I skipped my questions on international law – Lehto’s paper stands out for its clarity, conciseness and thoughtfulness, as illustrated by the way it frames its views on sovereignty and the obligation of due diligence.
The UK caught the international law community by surprise by concluding in 2018 that interference in the computer networks of another state without its consent would not constitute a violation of international law unless it crosses the threshold of prohibited intervention. The UK is also mute on the question of due diligence, something that has come to divide the United States and the United Kingdom from other like-minded states.
France, acknowledging due diligence as a binding obligation under international law and taking the view that a cyberattack may constitute a violation of sovereignty, limits the discussion of applicability of international law to cyber operations against France. The Estonian position is significant in its political constructivism – it evades the issue of sovereignty as a rule and frames due diligence carefully, without explicitly referring to the obligation itself. The Netherlands, although positing that countries “may not conduct cyber operations that violate the sovereignty of another country”, add that “the precise boundaries of what is and is not permissible have yet to fully crystallise”. The recently shared Czech view on sovereignty is relatively progressive, regarding a cyber operation a violation of Czech sovereignty if it interferes with any data or services which are essential for the exercise of inherently governmental functions and thereby significantly disrupts the exercise of those functions. The statement provides the example of “distributing ransomware which encrypts the computers used by a government and thus significantly delaying the payment of retirement pensions”.
The Finnish position on international law and cyberspace is as clear and unambiguous as one can get on these issues. In the context of cyber operations and sovereignty, it summarises: “below the threshold of prohibited intervention, all states have an obligation to refrain from acts that violate the territorial integrity or political independence of other states”. The position paper also explains why this question is important: “Agreeing that a hostile cyber operation below the threshold of prohibited intervention cannot amount to an internationally wrongful act would leave such operations unregulated and deprive the target state of an important opportunity to claim its rights. … Compared to a violation of sovereignty, the requirement of coercive nature and that of domaine réservé make the threshold of prohibited intervention considerably higher. This underlines the importance of continued understanding of sovereignty as not only a principle but also an independent primary rule of international law”.
What is at stake?
My conversation with Lehto underlines the gravity of this question: if we agree with that sovereignty cannot be violated by cyber operations, or fail to take a stand on the issue, we essentially say that there are no legal consequences for such operations. “This a quite scary for a small state”, says Lehto. Addressing opposing views on due diligence, she continues: “It is not comprehensible that states would have no obligation whatsoever to take efforts to ensure that cyber activities within their territory or jurisdiction do not seriously harm other states”.
“This should be a serious concern for the like-minded”, she explains. “Excluding cyberspace from the scope of application of such a long-standing rule as that prohibiting violations of sovereignty comes dangerously close and gives implicit support to the claim that existing international law does not apply in cyberspace absent specific regulation”. The same, she says, goes for due diligence: “I have not seen a credible legal explanation of the position that due diligence is not binding in cyberspace. I would like to repeat the same concerns I mentioned regarding the issue of sovereignty. If we say that a rule is applicable in general but not in cyberspace, we are undermining our own argument in favour of existing international law”.
I wonder whether shared international understanding of the discussed concepts of international law can get any better than what Finland has just said. It is hard to imagine better clarity and predictability even outside the fervently contested cyber issues, in a new (cyber) treaty and, unfortunately, in some states’ actual behaviour. Are we reaching the end of the road in the discussion about international law in cyberspace?
Lehto assures me that there is still space for improvement. A solid common position has yet to be formed even among the EU countries. The international dialogue about basic points and principles would benefit from a more detailed analysis of differences, which, of course, is hard in an abstract conversation. These positions are not the end of the conversation, just the opening statements.
She’s right again: although states have offered their views on how international law applies in cyberspace, very few actual legal qualifications have been made between governments when it comes to actual cyber operations. Consequently, states have offered very little as justification for their own cyber operations. Continuing the exchange and building our understanding of how international law could be used to achieve a more cybersecure world is therefore essential. This will help close the awareness and implementation gaps that some states are currently using to their advantage. Low awareness of international law and low international pressure provide latitude for cyber operations. Waiting for state practice to confirm or reverse current positions is part of the job for an international lawyer. I can fully relate to what Lehto says: “there is an unnecessary uncertainty about state behaviour in cyberspace because of the reluctance of certain big states to subscribe to the existing rules. Having a common view of the rules that apply to state behaviour, whether online or offline, would in that sense make the world safer”.
Even if all states followed the Finnish position on international law, many global cybersecurity issues would persist. If states expect public international law to solve all cybersecurity issues, their trust is misplaced. Achieving resilience against cyber incidents and building the capacity to investigate and attribute malicious and hostile activities requires support from domestic law. The intertwinement of security and economic issues, as well as the central role of ICTs in international development, suggest that further answers need to be sought in international economic law. Furthermore, law cannot replace the technical professionalism, political goodwill and individual vigilance all needed to secure our dealings both offline and online. In other words, much needs to be achieved through, for instance, CERT cooperation, greater user awareness and domestic legislation.
At the end of our interview, I am reminded how significant it is that the UN GGE, after years of hard debate, was able to confirm that international law and the UN Charter are applicable to state uses of ICTs. Cybersecurity is not the first context in which some states hope to remake international order from scratch. To promote existing international law over an unknown alternative, the like-minded must convince the world of not just of its applicability but also its usefulness. Every time international law is used as a pawn to achieve contingent national interests, there is more reason to call for the negotiation of a new regime.
What comes next?
When Lehto looks ahead to the next “season”, she hopes for a more detailed analysis of state positions and a search for common ground, at least among the EU member states. She admits that the rather abstract nature of the current discussion of international law makes it difficult to draw conclusions. A really significant achievement would be the like-minded states being able to formulate a meaningful common position on international law that could inform, inspire and convince states around the world to follow a similar path. It is especially troublesome, in this context, that European statements on the intersection of international law and cyberspace remain focused on how international law applies to cyber operations – largely bypassing the role of international law in conflict prevention, international cooperation and peaceful settlement of disputes. It is also unfortunate that the statements are tainted by current interests rather than motivated purely by the long-term benefits of strong international law. Current participants in the discussion have paid too little attention to the potential of friendly relations or good faith in cyberspace.
Our conversation leaves me wondering: can we expect new plots from the next season, for instance a comprehensive study of international law in the context of cybersecurity? Will more actors speak up in support of a clearer and stronger role for international law in cybersecurity? Will the new season feature new themes, like peaceful settlement of international disputes or friendly relations in cyberspace? Are the liberal democracies going to be able to convince the world of the usefulness of existing international law to prevent cyberconflict? Or should we be prepared for a retreat towards increased doubt in the usefulness of existing international law? There is so much to look forward to in the next season.
About the Author
Eneken Tikk is affiliate researcher of the Erik Castrén Institute of the University of Helsinki and the Executive Director of the Cyber Policy Institute. She is co-editor of the Routledge Handbook of International Cybersecurity (2020) and the editor-in-chief of the International Journal of Digital Peace and Security.