International law is a key pillar of the international rules-based order, but policymakers and academics don’t agree on key points of how it should be applied in cyberspace. The debate tends to be focused on how the rules and principles of international law should be interpreted and applied in this context. But it may be time to refocus the debate on a new question: what really requires consensus from the states and what issues should be left up to unilateral interpretation by individual states?
On Friday, 22 May 2020, an Arria-formula meeting of the United Nations Security Council (UNSC) focusing on cyber stability, conflict prevention and capacity building was convened online by UNSC President Estonia. The applicability of international law was one of the core topics of this meeting and most participating states addressed it in their declarations. On the sidelines of this event, a group of international lawyers released the Oxford Statement on the International Law Protections Against Cyber Operations Targeting the Health Care Sector, to reiterate that rules and principles of international law protect medical facilities against cyber threats. These recent developments underscore the fact that international law, and in particular the Charter of the United Nations, is the backbone of international relations and is crucial for maintaining international peace and security. More importantly, it also provides an appropriate framework for addressing cybersecurity threats and incidents related to the current pandemic. Yet, it is also necessary to highlight that some states seem to favour the application of non-binding norms of responsible behaviour in cyberspace, at the expense of the rules and principles of international law. The United States, for instance, recently declared it has “zero tolerance for malicious cyber activity designed to undermine US and international partners’ efforts to protect, assist, and inform the public during this global pandemic” and reaffirmed its support for a “framework of responsible state behavior in cyberspace”. Surprisingly, this statement makes no reference to international law, only to norms of responsible behaviour.
The applicability of international law to cyberspace and cyber operations has been a matter of controversy. For a long time, the question of whether cyberspace is a new Wild West where existing rules and principles of international law, if not international law itself, do not apply was contentious. However, this question has since been settled in both the academic literature and state practice: international law applies to cyberspace and cyber operations.
Yet, international law continues to be a key focus of ongoing international negotiations and academic debates, as highlighted, for instance, by the recent UNSC Arria-formula meeting. Having agreed that it does, in fact, apply, legal scholars and advisors are now debating how its rules and principles apply to cyberspace. There is significant debate over how the rules or principles of international law should be interpreted and applied. This is a source of disagreement and conflict between states, and debate over the application of specific rules and principles has transplanted the concept of “lawfare” to the cyber context. Indeed, in addition to actual debates and disagreements, this conflict has seen a certain level of instrumentalisation of international law as well as of norms of responsible behaviour.
Asking the Right Questions
This situation leads to the key question: which rules or principles of international law should be applied in cyberspace and how? Questions about the applicability of international law and those about specific application of the rules and principles of international law may seem closely related. Yet, there is no universal agreement about which rules or principles of international law should be applied in this context, or about their content or limitations. Since the vast majority of the rules and principles of international law are vague, actors to whom international law applies find themselves with a lot of leeway in its interpretation and application.
Therefore, the question that really needs to be asked is the following: where is a broader agreement between states needed, and what should instead be left to unilateral interpretation by individual states? This question is too often ignored. The Tallinn Manual on the International Law Applicable to Cyber Operations is a good illustration of how these lines could be drawn in practice. The “rules” of the Tallinn Manual can be seen as points that should be agreed upon by the international community, while its “commentaries” cover issues that should be left up to interpretation by the states. The example of the Tallinn Manual serves only as an illustration of how the lines could be drawn, not as a reference for the content of each category.
To avoid misunderstandings, states should agree on two additional aspects. First, they must accept that consensus on the interpretation of specific rules or principles of international law may also be achieved through non-binding norms. Second, after deciding what rules should be agreed upon and further developed into international law, states will need to clarify whether this development should be conducted at the global, multilateral, regional or bilateral level.
United in Diversity
Once the right questions start being asked, it may become apparent that difficult choices need to be made. For instance, interpreting the application of the rules and principles of international law to cyber operations may require a certain level of adaptation. In addition, the subjects of international law, particularly states, may have different – if not downright divergent – interpretations of certain specific rules or principles of international law.
In fact, the UN resolution establishing the still-working UN Group of Governmental Experts (GGE) requested that participating states submit their own views regarding how international law should be applied to cyberspace. As a result, some states have publicly declared their positions, however, more states, notably those not taking part in this current GGE, need to express their views publicly as well. The Open-Ended Working Group (OEWG) expected to deliver its report in June this year might be a useful platform for states (as well as regional organisations like the EU) to present and discuss their approaches. Such a general discussion could also play an important role in legal capacity building and allow for the identification of specific needs in terms of legal and strategic cooperation. To this end, the proposal to invite all states to fill out a National Survey of Implementation of UNGA Resolution 70/237 as part of the OEWG final report, made by a group of states led by Australia and Mexico, is commendable.
Sovereignty in Cyberspace
The complexity of the debate surrounding the principle or rule of state sovereignty makes it a good test case. Sovereignty in cyberspace is one of those concepts where the debate is far from settled. Before proceeding, it may be necessary to determine whether a universal consensus around it is needed at all – perhaps states should be allowed to define their approach unilaterally instead.
First, the nature of “sovereignty” is not settled. Sovereignty is a general principle of international law from which certain rules are derived, including the prohibition of the violation of territorial sovereignty. Both rules and principles are sources of international law (see article 38 of the Statute of the International Court of Justice). Rules refer to the actual norms of international law, deriving notably from treaties or customary international law. Principles refer to the more abstract notions from which rules flow. While states agree on the existence of a general principle of sovereignty, they have divergent opinions on the rules flowing from that principle. While some states and scholars consider sovereignty a principle of international law in the cyber realm (e.g. United Kingdom), others argue that it is a rule (e.g. France).
Second, there is no consensus on what constitutes state sovereignty in cyberspace. For instance, there is debate over whether states are entitled to exercise sovereignty over data located on computers belonging to other entities which may or may not be inside the state’s territory. The confusion is amplified by conflation between sovereignty as a political concept and sovereignty from the international law perspective.
Third, there are multiple definitions of what constitutes a violation of territorial sovereignty when it comes to cyber operations. The three main perspectives are:
- Any cyber operations penetrating a foreign system or producing effects over it constitute a violation of sovereignty. This is, for instance, the French approach.
- A cyber operation penetrating a foreign system constitutes a violation of sovereignty only if it meets a threshold of harm. This is the approach adopted in the Tallinn Manual 2.0 and by the United States.
- Territorial sovereignty cannot be breached by a cyber operation unless it constitutes a violation of the principle of non-intervention. This is, for instance, the British approach.
This is just one example of the diversity of opinions on issues related to international law and cyberspace. Similar discussions surround, for instance, the definition of the use of force in cyberspace and whether cyber operations that don’t cause physical damage can still amount to a prohibited use of force.
Mind the Gap
Some states and commentators have suggested that the challenges of this situation would be best addressed by an international treaty, given the unique characteristics of cyberspace and the variety of different interpretations of how international law should apply to it. Cuba and Russia, for example, argued as much in their comments on the OEWG pre-draft report. The adoption of a new legally binding instrument may be justified in the future, after the international community identifies specific problems and gaps that cannot be solved by the lex lata (existing law). Then, it will be necessary to decide whether filling these gaps is best left up to the states, unilaterally, or best addressed by the adoption of new consensual rules or principles of international law or non-binding agreements.
The European Union and its member states have made their position on the applicability of existing international law to cyberspace clear. They have also repeatedly expressed their view that a new treaty is not needed on these matters.
While individual member states retain full control over issues pertaining to their national security – and the interpretation of international law is at the core of many such decisions – the EU can do more to set an example for the rest of international community. The recent Declaration by the High Representative Josep Borrell, on behalf of the European Union, on malicious cyber activities exploiting the coronavirus pandemic is an interesting step in that direction. By calling upon every country to exercise due diligence, an international law principle, the EU and its member states shift the burden of responsibility for action from a hypothetical responsible actor (with all the political frictions implied) to the state. States must take all necessary and feasible measures to mitigate and stop cyber operations using their territory, regardless of whether the cyber operation is perpetrated by the state where it originates, another state or a non-state actor. To go further, the EU could, for instance, provide a platform for a collective effort to clarify member states’ views on how the rules and principles of international law apply to cyberspace. Such efforts have been already undertaken in less integrated regions, such as Latin America, where the Organisation of American States took steps to map the views of its members. Such an exercise would make the EU as the whole better prepared to promote its positions internationally and strengthen its image as a global player committed to “upholding, updating and upgrading the rules-based global order“.
