Despite long-running discussions and several consensus reports, there are a number of issues that remain open.
Does existing international law apply to cyberspace?
There is a broad consensus that international law applies to cyberspace, including the UN Charter. This was expressed in the UN GGE reports and reaffirmed by the final OEWG report and the related UN General Assembly (GA) resolutions. More specifically, there is general agreement that states have jurisdiction over the information and communications technology (ICT) infrastructure within their territory, and that states should neither conduct internationally wrongful acts nor use proxies to carry them out.
How does the UN Charter apply to cyberspace?
There is broad agreement that the UN Charter in its entirety applies to cyberspace, which was confirmed by GGE reports and related UNGA resolutions, as well as by the final OEWG report. However, it gets much more complicated when we look at specific articles of the UN Charter and their interpretations.
How does state sovereignty translate into cyberspace?
One of the principles of the UN Charter is the sovereign equality of states, reflected in Article 2(1). The 2021 GGE report and the 2021 OEWG report state that sovereignty applies to ICTs, and that states have jurisdiction over ICT infrastructure within their territory. There is a consensus that states have an obligation to respect the sovereignty of other states and to refrain from activities that violate it, including cyber operations that would violate the sovereignty of another country. The open question is which responsibilities, stemming from the principle of sovereignty and sovereign equality, states actually assume. Some states refer only to the right to exercise jurisdictional authority within their territorial borders (the principle of non-interference); others also attach a responsibility not to allow other actors to use a state's territory to conduct malicious cyber activities (the principle of due diligence, discussed later). States also struggle with the global reach of cyber activities, which does not fit the traditional definition of sovereignty as state authority over property and persons within territorial borders. For example, data is frequently stored outside the territory of the state that claims sovereign power over it, and attacks on such data are routinely routed through proxy servers or other tools that mask the attackers' geographical origin. This can make it extremely difficult to determine whether an incident involved a cross-border operation that would violate a state's sovereignty.
Non-interference principle: coercion, use of force, or armed attack?
The non-interference principle, derived from the principle of sovereignty, prohibits interference in the internal or external affairs of another state with the intent to coerce that state. Existing and emerging technologies give states more opportunities to influence and interfere in the internal or external affairs of other states. In the context of cyberspace, a question arises: when is a cyber operation considered coercion, a use of force, or an armed attack, given that no weapons in the usual (physical, kinetic) sense are used? Most states at the OEWG assess cyberattacks on a case-by-case basis, considering their effects and whether these are comparable to those of a conventional, prohibited act of violence. One open issue is defining the thresholds of interference, i.e. the point at which a targeted state may respond or has the right to defend itself. The precise boundaries between coercion, the use of force, and an armed attack have not yet been set. The two main points of contention are the interpretation of Art. 2(4) and Art. 51 of the UN Charter. Coercion in the form of economic, diplomatic, or political pressure is generally not regarded as 'force' under Art. 2(4). In certain cases, however, when evaluated through its effects, it cannot be ruled out that a cyber operation with serious financial or economic impacts may qualify as a use of force. International law does not provide a clear definition of the use of force as described in Art. 2(4); each case is examined individually to establish whether the 'scale and effects' of an operation are such that it may be deemed a violation of the prohibition. That said, the prohibition of the use of force is acknowledged by states at the OEWG, and its implementation is a priority in the OEWG discussions.
The majority of states at the OEWG also agree that an armed attack does not necessarily have to be carried out by kinetic means to trigger a state’s right to self-defense.
(How) Does the right to self-defence, enshrined in the UN Charter (Art. 51), apply to cyberattacks?
The UN Charter, as the basis of jus ad bellum, grants in Art. 51 the right to individual or collective self-defence if an armed attack occurs against a member state. Yet what exactly constitutes an internationally wrongful act, a use of force, or an armed attack in cyberspace? What is the threshold of an armed attack? Is it limited to attacks that cause physical damage and injury, or would other effects of a cyberattack (financial, environmental, economic, or political) also count? Should this determination remain the sole responsibility of states, perhaps guided by factors such as context, intent, or the severity of effects, as suggested in the Tallinn Manual 2.0? The major stumbling block, however, is the scope of the right to self-defence: should countries subjected to a cyberattack be allowed to respond by any means, including all-out military options associated with traditional warfare? This question was one of the main reasons why the GGE failed to reach a consensus in 2017. The 2021 GGE report concludes that the 'affected state's response to malicious ICT activity attributable to another state should be in accordance with its obligations under the UN Charter and other international law, including those relating to the settlement of disputes by peaceful means and internationally wrongful acts.' Positions on this issue are openly divergent. NATO has confirmed that a cyberattack against one of its members can trigger Art. 5 of its Treaty, allowing a response by any means (including conventional weapons). Russia holds that the traditional use of force is not a legitimate response to cyberattacks, at least not without the approval of the UN Security Council and in accordance with the UN Charter, which allows the accused party to defend itself before the Security Council.
Russia further insists that attacked states should not identify the sources of cyberthreats unilaterally and arbitrarily, without evidence, particularly where this could lead to devastating counter-strikes. Some small states, such as Cuba, hold that a cyberattack is not tantamount to an armed attack and that the right to self-defence should therefore not be invoked in such cases. An additional grey zone is the right to self-defence against armed attacks conducted by non-state actors or state proxies.
In what other ways can countries respond to cyberattacks?
While the right to self-defence may apply once an attack has occurred, what other options does a state have to respond to cyberattacks and to deter counterparties from conducting them? Should anticipatory self-defence (against imminent threats) or even preemptive strikes be considered? The USA and the EU, for instance, consider the following actions acceptable. The USA relies on a 'cyber deterrence menu' of countermeasures that states can take when an attack occurs and to deter further attacks. It additionally supports accountability measures directed at attackers: private and public attribution, sanctions, deterrence alliances, and even 'defend forward' (i.e. preemptive) cyber operations. The EU has adopted its cyber-diplomacy toolbox and sanctions regime as official options for responding to and deterring cyberattacks, alongside its Cybersecurity Strategy for the Digital Decade. EU member states have also voiced opinions in their national capacities; France, for example, holds that anticipatory self-defence may be permissible, but not preemptive strikes. It also remains an open question whether states should have a duty to notify the state against which they plan to launch countermeasures.
How should attribution of cyberattacks be conducted?
Discussions often turn to the challenge of enforcing the agreed-upon rules, whether binding ones such as international law or voluntary ones such as norms and CBMs. One of the main obstacles to holding states accountable for their operations is the complexity of attribution. As we saw in Module 1, an attack may involve many layers of techniques that mask its origins. Even where technical evidence connects an attack to a particular hacker group, proving the connection between that group and a state is a legal challenge. As a result, rather than responding to a specific incident with evidence and dialogue, states are turning to campaign-like public attribution against other parties. There is no agreed-upon methodology for attributing cyberattacks, and experts hold divergent views on how reliable current technical means are for tracing the origins of attacks. Certain aspects of intelligence-gathering, such as conventional intelligence activities and cyberespionage for the collection of digital evidence, are understandably kept secret by the parties working on attribution. The lack of transparency over evidence seen in the recent avalanche of mutual public accusations among states adds to the complexity. While the 2015 GGE report (para. 28(f)), the resolution that established the OEWG (para. 1.2), and the final OEWG report confirm that the mere indication of the origin of an attack might not be sufficient for attribution and that accusations need to be substantiated, the official positions of the main actors are clearly divergent. The USA, its NATO allies, and some of the large internet industry players engage in collective attribution in the form of joint public naming and shaming of suspects. Russia regards this approach as a pseudo-legal concept in which a group of countries accuses a third country without disclosing evidence, and demands evidence-based attribution instead.
The 2021 UN GGE report also calls for caution in attribution, as it is a complex exercise and such caution can help avert misunderstandings and the escalation of tension between states.
Should due diligence be an obligation?
Due diligence is an obligation of states to prevent their territory from being used to launch cyberattacks against other states, whether by state or non-state actors. The norms set out in the 2015 GGE report, reiterated in the OEWG resolution and in the 2021 GGE report, call on countries not to allow their territory to be used for internationally wrongful acts, and to mitigate cyberattacks against the critical infrastructure (CI) of other countries that originate in their territory. The final OEWG report reaffirmed the 2015 GGE norms. The 2021 GGE report added that invoking the responsibility of a state for an internationally wrongful act involves complex technical, legal, and political considerations. In practice, aside from the norms being voluntary, there are several reasons why their implementation may be limited: states may only react to attacks rather than try to prevent them, or they may claim they were unaware of the attack altogether. The EU and its partners hold that due diligence should be a binding obligation (in cyberspace and beyond), following the International Court of Justice's judgment in the Corfu Channel case (1949), and warn that failing to adhere to it may result in countermeasures by the attacked country. Russia and its partners, on the other hand, oppose due diligence as a general obligation and accept only what has been agreed by the GGE.
Are new norms needed?
Are more norms needed at the moment, or should the focus be on implementing existing ones? The 2015 GGE report, the resolution that established the OEWG, and the final OEWG report all leave room for the development of additional norms over time. Options raised by different parties, with evident divergence in their positions, include the norm proposals of the Global Commission on the Stability of Cyberspace (GCSC), such as protecting the public core of the internet, preventing injury to civilians, mitigating the effects of incidents while they unfold, and protecting electoral systems, as well as norms on the security implications of artificial intelligence (AI), fake news and disinformation, the protection of core internet infrastructure as a public good, and cybercrime, among others.