Recent state contributions to the discussion of how international law applies in cyberspace suggest that the cybersecurity dialect of international law is losing sight of the mainstream – that is, how international law is applied outside of the cyber bubble. The fact that states contest certain rules and standards of international conduct when it suits their current interests and ambitions should be taken as a signal not just to ‘correct’ their reading of the contested concepts but, more importantly, to redirect the discussion to the foundations and regularities in international conduct. Instead of speaking of exceptions, how about we focus on normalcy?
The EU Cybersecurity Strategy announced on 16 December 2020 suggests that the EU should develop a position on the application of international law in cyberspace. This provides a great opening for looking more critically at the current efforts. European countries have been eager contributors to the discourse of international law in cyberspace – one after another, most of them have decisively pushed back on illusions that cyber operations cannot violate sovereignty or that there is no obligation of due diligence. But as pertinent as this emphasis is, there is much more to international law than thresholds and responses to violations. For most states, the real concern is not how to conduct cyber operations or how to mount countermeasures online.
An acute challenge in the next digital decade, to borrow a phrase from the new EU cybersecurity strategy, is to come to an agreement as to what constitutes good custodianship of cyberspace: empowering trust, use, and benefit from innovation, connectivity and automation, and not allowing cybersecurity issues to become an impediment to development. COVID-19 is a reminder of the extent to which information and communication technologies (ICTs) contribute to education, research, commerce and political engagement, and how easily the neglect of cybersecurity can deprive societies of these possibilities.
There is quite a lot that international law can offer by way of framing this discussion. That there is not much state practice on use of force, and not many instances of exercising the right of self-defence, testifies to the importance of other rules and principles of international law in state practice – something that states that are not seized by the current ‘heat of the moment’ consider normal and responsible behaviour, and something that even the current protagonists follow most of the time. Duties of prevention, peaceful settlement of disputes, cooperation, good faith and friendly relations are rules and standards of international law that can be directly applied also in cyberspace.
Putting the current discussion in perspective
States in the epicentre of the current power contestation have gone to great lengths in concocting justifications for their conduct (or options of conduct) in order to behave a little short of what might be expected of them. However, arguments that undermine the scope and authority of international law, however lucrative and clever for contingent interests, do not serve the long-term and shared interests of development, prosperity and peace. Moreover, belligerent attitudes and tendencies might start to truly undermine international law, especially where states keep promoting issue-specific interpretations and applications of the provisions of the UN Charter and refuse to frame cybersecurity as a specialised regime. For instance, if we agree that low-intensity and peacetime operations are acceptable under the UN Charter in cyberspace, we agree to these tendencies in every space.
Most states still have not made direct statements about the application of international law. To enrich the debates on the ‘hard issues’ and push back on peacetime cyber operations, ‘non-cyber’ international law expertise and advice should be invited. A more inclusive discussion would allow the conversation to return to the widely accepted and settled ways of implementing the currently contested rules and standards of customary lawand treaty-based obligations. While the content and meaning of contractual norms are easier to identify, especially with the increased treaty-making activity of states in the past few centuries, customary international law enjoys a much longer history and therefore a solid standing in international law.
Should one be looking for a silver lining in the global pandemic we have been facing in 2020, it could be said that exclusive reliance on online services, be it for work or leisure, has impacted the way people think about cyberspace. The universal question of safe access is not only a strong argument for the recognition of the right to internet access as a necessary enabler of all other human rights: it can also be seen as a much-needed incentive to take the cyber-debate out of the exceptional and regrettable ‘armed attack’ narrative and set it against such well-established notions of international law as customary obligations, state responsibility, international liability or amicable resolution of disputes. Any attempt to answer a question on how to keep a nation safe online will result in helpful suggestions on how to apply international law in cyberspace, in its entirety.
Embracing the invisible international law
To strengthen the rule of law in cyberspace and to put international law in service of resilience, cyber conflict prevention and de-escalation of tensions, it is time to include the most important rules and standards of public international law in the conversation. Friendly relations, cooperation, peaceful settlement of disputes and good faith are rare species in international cyber discourse, but make up most of the applications of international law on daily basis. Understanding these concepts may help to convince more states that international law is indeed applicable and useful in cyberspace.
As much as the prohibition of use of force gets discussed in terms of its threshold(s), it really materialises through friendly relations, i.e. by states resolving their differences peacefully, acting in good faith, cooperating with each other, respecting human rights and implementing their sovereignty with due account to other states’ rights. Rather than through thresholds, the prohibitions of intervention and use of force materialise through abstentions and the shared expectation that in the 21st century, states do not pick fights where they can solve issues by other means. The fact that states with diametrically different visions of the world engage in discussions of international cyber law and policy – in the First Committee, in the General Assembly, in regional organisations – is a manifestation of the international law of peaceful settlement of disputes.
While we can debate whether friendly relations or, for that matter, international cooperation are mere goals, principles or rules, there is little doubt that most states cooperate on a daily basis on cybersecurity, to the best of their capacity and abilities. As a matter of fact, cooperation in this field is the cornerstone of national cybersecurity strategies – it manifests in first response and assistance to other states whose infrastructure or online services are under attack. Cooperation also ‘lives’ in collaborative attribution and enforcement of voluntary and non-binding norms.
These concepts of international law – friendly relations, cooperation, peaceful settlement – may seem invisible: they manifest in crises that were prevented, operations that did not happen, wars that were not fought, and devastation and damage that humankind did not suffer. They materialise through the work of international organisations, giving meaning to the potential role of the UN and its various institutions in good cybersecurity governance. These concepts of international law, however, also rest on the leadership of countries, political leaders and scholars.
Debates about the ‘hard’ questions of international law are never going away – deliberations on the red lines of intervention or diligence due under the circumstances simply change with new technologies and power contenders. Every new conflictual relationship leads the contestants to think about the safety nets that the legal concepts of self-defence and other remedies in international law seem to provide. Therefore, it is important to do a political assessment of the weight of the current discussion. It is essential for each state and scholar to be clear about what is at stake, what appears to exist, and what is real. At stake are two things at the same time – the current contestation and the political ideals that each competing power stands for; and the course of international development and progress in which any further contestation will play some, but not the decisive, role.
For countries standing for resilience, conflict prevention and the rule of law, it is essential to put operational issues of international law where they belong: the section of exceptions rather than norms. As much as international humanitarian law and the right to self-defence apply in cyberspace, these rules and standards belong in the playbook of armed forces operating in armed conflict. Operational law should not be the main focus of the dialogue in peacetime. It is time to give an international law framing to what the diplomats and policy makers of even the fiercest contestants are doing most of the time: despite their differences about the world order, and despite fierce technological competition, states meet and negotiate, fail, and negotiate again. Through these efforts, common understanding and meaningful restraint are built an inch at a time.
While it may come as a surprise within the cyber bubble that the UN Charter has more articles than 2(4) and 51, we should start our reading of international law in cyberspace by re-reading the Charter. Even if we just get through the preamble and Article 2(3), it is a worthwhile exercise. If we want international law to truly apply in cyberspace in its entirety, we are bound to further open up the discussion. States are yet to take a lead on how to proceed in fulfilling their international obligations to work through their differences in a peaceful manner, cooperate and exercise human rights online. As commentators have pointed out, the current operational focus on international law in cyberspace is like admiring the world through a pinhole.
About the Author
Joanna Kulesza, PhD, is a tenured professor of law and teaches international law, internet governance and media law at the University of Lodz, Poland. Currently serving as a scientific committee member for the Fundamental Rights Agency of the European Union and vice-chair for the At-Large Advisory Committee of the Internet Corporation for Assigned Names and Numbers, she successfully combines academia with policy work. Since 2020 she has co-chaired the Advisory Board of the Global Forum on Cyber Expertise, working on cybersecurity capacity building. Kulesza, aside from her primary academic involvement with the University of Lodz, has been serving as an expert on human rights online for the Council of Europe and European Commission and is working on various research projects focused on privacy and cybersecurity. Kulesza serves on the Advisory Board of the EU Cyber Direct project.