On June 23, after years of slow yet meaningful progress in developing State consensus regarding the application of international law norms to cyberspace, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (otherwise known as the Group of Governmental Experts, or GGE) collapsed. The rejection by a small number of States that includes Cuba and, reportedly, Russia and China, of the final report’s proposed text was counter-productive and irresponsible. At issue were three additions to a list of cyber-relevant legal principles and rules that had been agreed to by the GGE in 2015: 1) the right to respond to internationally wrongful acts (a veiled reference to countermeasures); 2) the right to self-defense; and 3) international humanitarian law. Since no international lawyer can, in 2017, deny their applicability to cyber activities, the failure of the GGE can only be interpreted as the intentional politicization in the cyber context of well-accepted international law norms.
The GGE process concerning cyberspace began in 2004 and has consisted of five such groups. Initially, 15 countries made up the GGE, but by 2016 that number had grown to 25; the five permanent UN Security Council member States (P5) have always been involved. Two GGE’s produced reports reflecting some consensus on legal matters. In 2013, the third GGE report provided in part that,
International law, and in particular the Charter of the United Nations, is applicable ….
State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities….
State efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms ….
States must meet their international obligations regarding internationally wrongful acts attributable to them. States must not use proxies to commit internationally wrongful acts. States should seek to ensure that their territories are not used by non-State actors for unlawful use of ICTs.
The fourth moved the discussion forward, albeit cautiously, by observing, inter alia, that:
States have jurisdiction over the ICT infrastructure located within their territory.
In their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other States.… States must comply with their obligations under international law to respect and protect human rights and fundamental freedoms.
[T]he Group noted the inherent right of States to take measures consistent with international law and as recognized in the Charter.
The Group notes the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction;
States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts.
States must meet their international obligations regarding internationally wrongful acts attributable to them under international law.
Building on this consensus, in late 2015, the General Assembly tasked a fifth GGE “to study, with a view to promoting common understandings, … how international law applies to the use of information and communications technologies by States, as well as norms, rules and principles of responsible behaviour of States, confidence-building measures and capacity-building….”
The issues that subsequently divided the GGE were objectively legal soft-balls. Although both the 2013 and 2015 reports had expressly cited the applicability and relevance of the UN Charter in maintaining international peace and stability, the right of self-defense as enshrined in Article 51 had been a source of heated debates in all of the sessions leading to their adoption. Indeed, faced on the one hand with the western States’ insistence on explicitly referring to the availability of self-defense measures in response to cyber armed attacks, and some other States’ refusal to do so, the 2014-2015 GGE compromised by “recalling that the Charter applies in its entirety,” an implied endorsement of Article 51.
But international lawyers will of course know that exclusion of States’ right of self-defense in the cyber context is a untenable notion as a matter of international law, one that runs counter to the ICJ’s conclusion in the Nuclear Weapons Advisory Opinion that the right applies to “any use of force, regardless of the weapons employed.” While the precise threshold for an “armed attack,” the condition precedent to application of the right, remains unsettled in the cyber context, the validity of the right in the face of cyber operations crossing that threshold, wherever it might lie, is not.
Cuba’s explanation, which is the only one publicly available from the States that objected to inclusion of a reference to self-defense, asserts that the draft report’s text “aimed to establish equivalence between malicious use of ICTs and the concept of ‘armed attack’, as provided for in Article 51.” Yet, it is clear that very few malicious cyber operations would ever amount to armed attacks and it is hard to imagine that any State would ever suggest such an across the board equivalence. Again, the explanation for the opposition to mention of self-defense cannot be found in the law itself.
The matter of countermeasures is somewhat more nuanced. Countermeasures are actions or omissions that would be unlawful but for the fact that they respond to an internationally wrongful act of another State and are designed to cause the latter to comply with its legal obligations. In the cyber context, the paradigmatic example is a hack-back in response to another State’s unlawful cyber operation, such as a violation of sovereignty or intervention in the target State’s affairs. The International Law Commission recognized the existence of countermeasures in its Articles on State Responsibility, which purport to reflect customary international law in great part. All of the experts who participated in the Tallinn Manual 2.0 process accepted the applicability of countermeasures to cyber operations.
As a principal matter, it would be possible to exclude countermeasures from the ambit of responses to cyber operations constituting international wrongful acts. This is because the State responsibility regime is residual; it accepts lex specialis rules that differ from the general rules of responsibility, examples being the WTO and outer space responsibility regimes. Yet, the GGE members opposing the implied reference to countermeasures have not argued that a lex specialis of cyber responsibility exists or otherwise offered a plausible argument supporting non-applicability of the right to take countermeasures.
Opposition to both self-defense and countermeasures reportedly rested in part on the practical difficulties of attribution. But this confuses factual challenges with legal standards. States are required to act as reasonable States would in similar circumstances when resorting to self-defense; in some circumstances, the lack of sufficient technical evidence, the risk of spoofing, and other obstacles to reliable attribution will preclude acting in self-defense. And as to countermeasures, the standard is higher still. A State that engages in countermeasures on the basis of misattribution, even when that attribution was reasonable, will itself have committed an internationally wrongful act. These are demanding thresholds that should allay many factual attribution concerns.
What may have motivated the opposition on this basis is that some States, such as Cuba, lack the technical wherewithal of more advanced States to reliably attribute hostile cyber operations and therefore will be less able to establish the necessary basis for resorting to self-defense or taking countermeasures. That is a operational reality that may drive their political positions, but one that is irrelevant to the existence of the legal norms.
Finally, concern was expressed by Cuba, and likely by a few others, that self-defense and the taking of countermeasures countenanced “unilateral action” and that cyber incidents involving States should be resolved through multilateral dispute settlement mechanisms. This is a wildly optimistic perspective, one that is simply unrealistic given the complexities of cyber operations. Moreover, States are not going to accept an interpretation of the law that effectively surrenders both their authority to respond to hostile cyber operations by means of countermeasures (which may not be conducted collectively) and their inherent right of individual self-defense. On the contrary, the nature of the cyber domain would tend towards an interpretation of international law that afford victims, not offenders, the advantage.
The desire of some States to exclude the application of the entire body of IHL in cyberspace is even more curious. During the previous GGE, the same issue had arisen. The decision was taken to avoid express mention of international humanitarian law and instead merely “note” the applicability of the principles of “humanity, necessity, proportionality and distinction.”
In explaining opposition to the express mention of IHL, the Cuban representative opined, “the supposed applicability in the context of ICT of the principles of international law… would legitimize a scenario of war and military actions in the context of ICT.” This assertion runs counter to the long-standing acceptance of IHL’s application to new means and methods of warfare. Indeed, China, Russia and Cuba are Party to Additional Protocol I, Article 36 of which obliges them to review new weapons and methods of warfare for compliance with IHL. It is unclear how this obligation would not attach to cyber operations during an armed conflict that could, for instance, injure or kill individuals.
States cannot simply wish away their legal obligations under IHL treaty and customary international law. The Cuban contention that the mere applicability of IHL “legitimizes” war confuses the jus in bello with the jus ad bellum. The former, which encompasses IHL, governs how armed conflict is to be conducted. It applies irrespective of whether a party to the conflict has violated the prohibition on the use of force in Article 2(4) of the UN Charter and customary law. Applying IHL to cyber operations during an armed conflict has nothing to do with the legality or legitimacy of a conflict.
Reduced to basics, the States concerned have put forward what are essentially political arguments that make little legal sense. The real legal challenge lies in determining when and how the aforementioned rights and legal regimes apply in the unique cyber context, questions Russia, China and the other recalcitrant States have deftly sidestepped. Quite aside from the unfortunate obstacle to progress that their approach presents, it amounts to poor policy choice on their part. They have, for instance, forfeited the political capital that would prove beneficial if they have to engage in self-defense against cyber attacks in the future or find themselves needing to take countermeasures to terminate unlawful cyber operations directed at them. And if IHL does not apply to cyber operations taking place in the context of an armed conflict, they will be forced to apply the stricter human rights regime when they engage in cyber operations during such conflicts.
It is unclear why these States have adopted a regressive approach on these specific issues, but continue to accept international law’s applicability more generally. Perhaps they see the process as zero-sum in nature and want to avoid the perception that “the West” gets to dictate the rules of the game for cyberspace. Or perhaps the answer is legal-operational in the sense that they want to deprive the West of a legal justification for responding to hostile cyber operations that they themselves launch. Although the deprivation would apply equally to them, the States concerned are less frequently the target of unlawful cyber operations mounted by other States and therefore the benefits thereof would arguably outweigh the costs. And finally, opposition to acknowledging basic and irrefutable legal notions may reflect the current dismal state of relations outside the cyber realm. These may be “softball” legal issues, but right now everyone is playing “hard ball.”
The United States Deputy Coordinator for Cyber Issues at the State Department aptly summed the situation up succinctly following collapse of the GGE process,
I am coming to the unfortunate conclusion that those who are unwilling to affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions. That is a dangerous and unsupportable view…. A report that discusses the peaceful settlement of disputes and related concepts but omits a discussion of the lawful options States have to respond to malicious cyber activity they face would not only fail to deter States from potentially destabilizing activity, but also fail to send a stabilizing message to the broader community of States that their responses to such malicious cyber activity are constrained by international law.
This begs the question of “what next”? Perhaps the most promising initiatives have been undertaken by the Dutch. As part of the so-called “Hague Process,” which facilitated State input into the Tallinn Manual 2.0 project, that country is sponsoring an ambitious global training program and a State consultation process that builds on the Tallinn 2.0 legal groundwork. Other efforts that present an opportunity to highlight the centrality of international law in cyberspace include the Global Commission on the Stability of Cyberspace, the upcoming Global Conference on Cyberspace in India, and another series of UNIDIR workshops on international cyber security issues. Whether these efforts will bear fruit remains to be seen. But at least the intransigence of certain States regarding the legal norms governing cyberspace is being viewed by certain other States as a reason to redouble efforts; that is extremely promising.