Last week, the 25-member UN “Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security” (GGE) completed its work by adopting a consensus final report. This article examines those aspects of the much-anticipated report that deal with the application of international law to cyberspace. As will be explained, the GGE’s conclusions are both exceptional and cautious.
UN Efforts to Address International Law and Cyberspace
Since 2004, there have been six GGEs on cyber matters, three of which produced reports (2010, 2013, and 2015) that the General Assembly subsequently endorsed. Presumably, the General Assembly will also endorse the 2021 report. Considering the limited number of States represented on the GGE, the Assembly’s endorsement will be an important signal of international approval of the positions expressed in the report.
The 2021 report is of particular importance because the 2016-2017 GGE failed to produce a report, which requires consensus, when disagreement surfaced over the proposed inclusion of the terms “self-defence” and “international humanitarian law,” as well as contentiousness over the right to take countermeasures. The previous two GGEs had produced reports that, for the first time, dealt with key international law rules; the hope was that the 2016-2017 GGE would build on that earlier progress.
With that hope dashed, the United States led an effort to establish a sixth GGE. It proved successful with the General Assembly’s establishment of the 2019-2021 GGE (GA Res. 73/266 (2018)). Brazil chaired the Group, with countries selected to participate based on equitable geographical distribution. As in previous GGEs, all permanent members of the Security Council participated, which, given the tension over cyber matters between China and Russia on the one hand, and Western nations on the other, makes the Group’s achievement of consensus especially noteworthy.
The mandate of the GGE was to:
study, with a view to promoting common understandings and effective implementation, possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States, confidence-building measures and capacity-building, as well as how international law applies to the use of information and communications technologies by States, and to submit a report on the results of the study, including an annex containing national contributions of participating governmental experts on the subject of how international law applies to the use of information and communications technologies by States, to the General Assembly ….
It has, as will be explained, fulfilled that mandate. Particular attention should be paid to the forthcoming statements on individual member States’ legal views, for those views will be a significant contribution to the body of opinio juris on how customary rules of international law apply in cyberspace.
Alongside the GGE, the General Assembly also established an Open-Ended Working Group (OEWG) open to all UN members to address the same issues (GA Res. 73/27 (2018)). Russia led the initiative to create the OEWG, which produced its report in March, together with a compendium of statements by States explaining their position on the final report and a Chair’s Summary. The report itself is somewhat sparse regarding international law. It notes the applicability of international law in cyberspace, reaffirms the requirement of states to seek a peaceful settlement of disputes, encourages the exchange of viewpoints on the matter, and urges capacity building on the subject. The compendium and Chair’s Summary provide greater substantive discussion. Given the OEWG’s treatment of the subject, all eyes were on the pending GGE report.
The GGE Report and International Law
The 2021 GGE is exceptional in the sense that consensus was achieved despite the failure of the 2016-2017 GGE to issue a report, and at a time when tensions between key players are exceptionally high due to the frequency and severity of hostile cyber operations targeting fellow GGE members (ranging from persistent election interference to espionage of unprecedented scale like the SolarWinds incident). Indeed, that significant success led the U.S. representative to congratulate her colleagues on the GGE for their “political will” and to “give a personal nod to the efforts of Vladimir Shin and Wang Lei [her Russian and Chinese counterparts] to help us rise above our differences.” As with the OEWG process, the GGE’s success in achieving consensus is a reason for optimism regarding future efforts by States to identify how international law applies in cyberspace.
Applicability of International Humanitarian Law
The one major substantive step forward – acknowledgment that international humanitarian law (IHL) applies to cyber operations during an armed conflict – is also cause for optimism. Its applicability is hardly news to IHL experts, although some disagreement remains about how IHL governs cyber operations during armed conflicts. Prominent issues include the qualification of cyber-only exchanges as armed conflicts, the meaning of the IHL term of art “attack” in the cyber context, and whether data is an “object” such that an operation that targets civilian data for destruction or deletion violates IHL. But as the ICRC noted in its submission to the OEWG,
[T]here is no question that IHL applies to, and therefore limits, cyber operations during armed conflict – just as it regulates the use of any other weapon, means and methods of warfare in an armed conflict, whether new or old. This holds true whether cyberspace is considered as a new domain of warfare similar to air, land, sea and outer space; a different type of domain because it is man-made while the former are natural; or not a domain as such.
Yet, unexpectedly, IHL’s applicability to cyber operations had been drawn into question during the 2016-2017 GGE when Russia, China, Cuba, and several other countries objected to the inclusion of the term “international humanitarian law” in the aborted 2016-2017 report. This was despite the fact that the previous year’s report had characterized four humanitarian law principles – humanity, necessity, proportionality, and distinction – as applicable in the cyber context, text that could only be interpreted as confirming IHL’s applicability to cyber operations. Cuba explained,
The final draft also made reference to the supposed applicability in the context of ICT [information and communications technology] of the principles of International Humanitarian Law. We cannot accept such affirmation, since it would legitimize a scenario of war and military actions in the context of ICT.
The explanation was counter-normative, for the applicability of IHL to a particular means or method of warfare in no way legitimizes warfare. Therefore, the OEWG addressed the assertion head-on. Its discussions led the OEWG Chair to conclude in his Summary that,
[I]nternational humanitarian law reduces risks and potential harm to both civilians and civilian objects as well as combatants in the context of an armed conflict. At the same time, States underscored that international humanitarian law neither encourages militarization nor legitimizes resort to conflict in any domain.
…[I]t was highlighted that certain questions on how international law applies to the use of ICTs have yet to be fully clarified…. They also include questions relevant to how the principles of international humanitarian law, such as principles of humanity, necessity, proportionality, distinction and precaution, apply to ICT operations. In this regard, some States noted that discussions on the applicability of international humanitarian law to the use of ICTs by States needed to be approached with prudence.
The 2019-2021 GGE adopted exactly that approach, which is unsurprising given the participation by GGE members in the OEWG proceedings.
The Group noted that international humanitarian law applies only in situations of armed conflict. It recalls the established international legal principles including, where applicable, the principles of humanity, necessity, proportionality and distinction that were noted in the 2015 report. The Group recognised the need for further study on how and when these principles apply to the use of ICTs by States and underscored that recalling these principles by no means legitimizes or encourages conflict.
That the term international humanitarian law is included alongside the reference to the principles set forth in the 2015 report confirms that the 2016-2017 debate was devoid of legal substance. Thankfully, attention can now turn to the pressing topic at hand, how IHL governs cyber operations during an armed conflict, whether international or non-international.
Beyond settling the IHL issue, the GGE was cautious about moving too far beyond the previous GGEs’ achievements in international law. For instance, the debate over whether sovereignty is a primary rule of international law or, as suggested by the UK Attorney General in 2018, only a principle that itself has no binding effect, remains unsettled. The report cites sovereignty multiple times, including demanding respect for the sovereignty of other States, but never explicitly characterizes it as a binding rule, perhaps because of the UK’s active participation in the GGE. While the number of statements by other States confirming its status as a rule has steadily grown (e.g., Austria, Bolivia, China, Czech Republic, Finland, France, Germany, Guatemala, Guyana, Iran, Netherlands, New Zealand, Republic of Korea, Switzerland), the UK seems intransigent (although its positions on other cyber law issues are sophisticated and mainstream).
Due to this impasse, efforts to achieve multinational consensus on the rule, which is the most likely to be violated by hostile cyber operations legally attributable to a State, are proceeding slowly. The one notable exception is a footnote in the NATO Cyber Doctrine acknowledging sovereignty’s rule status, which led the UK to reserve on the footnote, the only NATO member to do so.
As more States confirm sovereignty’s rule status, the discussion will inevitably move on to the real task at hand, identifying those remotely conducted cyber operations that violate sovereignty and those that do not. Notable in this regard is the position of France, which is of the view that “[a]ny unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty.” Whether other States will find the mere causation of effects an appropriate threshold for breach remains to be seen, but at least the matter has been engaged by a major player in cyberspace.
Also left unresolved by the GGE is the status of a due diligence rule. Israel recently, and surprisingly, took the position that no rule of due diligence applies in cyberspace, arguing that “we have not seen widespread State practice beyond this type of voluntary cooperation [among Computer Emergency Response Teams (CERTS)], and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form.” It joins Argentina in publicly rejecting the existence of the rule. Other States, including Brazil, Estonia, Finland, France, the Republic of Korea, the Netherlands, and Germany, have taken the opposite position. Most States have yet to take a firm position on the rule’s existence.
Hesitancy to acknowledge due diligence’s status as a binding rule may be, in part, the product of not understanding the many limitations on the rule’s applicability. Due diligence, at least as articulated by the Tallinn Manual 2.0 International Group of Experts (Rules 6 & 7), is only required when hostile cyber operations that severely affect an international law right of another state are mounted from or through the State’s territory, the territorial State is aware of the operations, the operations are ongoing, and it is feasible in the circumstances for the territorial State to put an end to the offending cyber operations.
Whatever the reason for failure to move the due diligence ball forward, the 2019-2021 GGE, as did its 2013 and 2015 predecessors, treated due diligence as a voluntary, non-binding norm of responsible state behavior: “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.” Usefully, the report discusses the norm, which was not done in 2013 and 2015, and adopted many of the same criteria highlighted by the Tallinn Manual 2.0 experts. This will ease the path towards the acknowledgment of its rule status, which would seem inevitable as States face hostile cyber operations from the territory of other States without being able to legally attribute them to that State, as in the recent Colonial Pipeline and the JBS meat plants attacks. And when a State threatens to take direct cyber action against the non-State actors involved in these and other hostile operations, the soundest legal basis for doing so is likely the territorial State’s breach of its due diligence obligation (should the conditions explained above be met), which opens the door to countermeasures taking the form of cyber operations directly against the non-State attackers (see explanation here).
Finally, the GGE did not deal explicitly with countermeasures (Articles on State Responsibility, art. 22), which had provoked controversy during the 2016-2017 GGE when a reference to the “right to respond to internationally wrongful acts” was proposed for inclusion in the final report. Nevertheless, the 2021 report adopted the earlier approach when it noted, “An affected State’s response to malicious ICT activity attributable to another State should be in accordance with … its obligations under … international law, including those relating to … internationally wrongful acts.” Since the right to take countermeasures is relatively uncontroversial in international law, even in the cyber context, it is unfortunate that no unequivocal mention was made of this “ground for the preclusion of wrongfulness.”
The most controversial issue regarding countermeasures is whether collective countermeasures are permissible, that is, whether one State may assist another to take countermeasures or, upon request, perform them on the latter’s behalf. Collective countermeasures were not addressed. This was to be expected because States are split on the issue. For instance, while Estonia has made the case that collective countermeasures are lawful, NATO ally France has adopted the opposite position.
Other International Law Principles and Rules
Most of the report’s text on international law reaffirmed positions taken in the 2015 report. In text identical to the latter, the 2019-2021 GGE highlighted the commitment of its members to
sovereign equality; the settlement of international disputes by peaceful means in such a manner that international peace and security and justice are not endangered; refraining in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations; respect for human rights and fundamental freedoms; and nonintervention in the internal affairs of other States.
The report also builds on the 2015 text. For instance, while the 2015 report merely confirmed the commitment of the GGE members to the peaceful settlement of disputes involving cyber matters that threaten international peace, security, and justice, the 2021 report points to the requirement in Article 2(3) of the UN Charter and echoes the means of dispute settlement cataloged in Article 33 of that instrument: “negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice.”
It must be cautioned that there are two types of international disputes, those that endanger international peace and security and other international disputes; the GGE report draws them together. Article 2(3) addresses all disputes and requires that they only be handled by peaceful means that do not endanger international peace, security, and justice; it imposes no obligation to seek settlement. Article 33 deals only with the first category of disputes, especially those, including cyber activities, that risk leading to the use of force. Although each situation must be evaluated contextually, clear examples would be the disabling of critical infrastructure or disruption of the national economy by cyber means. In such cases, there is an affirmative duty to seek settlement by peaceful means.
The 2021 report also confirms the 2015 report’s finding that “State sovereignty and international norms and principles that flow from sovereignty apply to the conduct by States of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory,” but adds that “existing obligations under international law are applicable to States’ ICT-related activity.” This addition provides a clear textual basis for limitations on a State’s exercise of sovereign prerogatives for reasons ranging from the obligation to respect the sovereignty of other States to that requiring States to respect and protect the human rights of individuals over whom they exercise control. Additionally, the 2021 report emphasizes the right of States to exercise prescriptive jurisdiction by “setting policy and law and establishing” and prescriptive and enforcement jurisdiction by “establishing the necessary mechanisms to protect ICT infrastructure on their territory from ICT related threats.”
As to the well-accepted prohibition on intervention that appeared in both the 2013 and 2015 reports, the 2021 report notes that intervention may be both direct and indirect. For instance, a State could use cyber operations to directly coerce another State, as in manipulating election returns, or to force the will of the latter, as in conducting cyber operations against a vital aspect of a State’s economy to force the State to adopt a particular policy involving its internal affairs. However, the extent to which the coercive effect of a cyber operation may be indirect (as in making it domestically politically unpalatable for a government to adopt a policy) remains unsettled.
For emphasis, the 2021 report now singles out the prohibition on the use of force for individual treatment, but the term self-defense remains absent. However, as in the 2015 report, the 2021 “Group noted again the inherent right of States to take measures consistent with international law and as recognized in the Charter and the need for continued study on this matter.” This can only be a reference to self-defense, for the term “inherent right” is drawn directly from Article 51 of that instrument, the provision on self-defense, and appears in no other Charter article.
Finally, the GGE turns to the law of State responsibility. It “reaffirms that States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts.” The first clause confirms that States may be responsible for the acts of non-State actors, most likely when the latter conduct cyber operations pursuant to the “instructions, or direction or control” of the former (ASR, art. 8). The second is a reference to the due diligence obligation, but the word “should” indicates it is a hortatory norm despite its presence (as was the case in 2015) in the international law section of the report. Also hortatory, albeit present in the law section as it was in 2015, is a statement encouraging accusations of unlawful conduct in cyberspace by other States to be “substantiated.” In effect, the two are more appropriately styled as voluntary, non-binding norms of responsible state behavior.
Norms other than International Law
In terms of advancing the norms dialogue, the GGE’s most significant progress came in its development of the eleven voluntary, non-binding norms of responsible state behavior that it had agreed upon in its 2015 report. The 2021 report restates each but adds valuable commentary on their meaning and on means of complying with them.
Additionally, the report devotes significant attention to confidence-building measures that States and regional entities can adopt to reduce the risk of misunderstanding and escalation. These range from cooperative measures such as establishing points of contact and engaging in dialogue to transparency measures like the exchange of national views and practices. The GGE also stresses the importance of international cooperation, assisting other nations in maintaining cyber security and responding to destabilizing cyber operations, and capacity building, particularly in the field of international law. In that regard, a number of countries, including Australia, Canada, the Netherlands, and Singapore, now sponsor robust international law capacity-building efforts around the world.
Absolutely. The 2019-2020 GGE managed to resurrect the most inclusive process by which states consider how international law applies in cyberspace. Of course, one would have hoped for more progress on such issues as sovereignty and due diligence. But the very fact that the key actors in cyberspace are working together again in the aftermath of the relative failure to achieve consensus in 2016-2017 is laudable. Credit goes to the diligence and open-mindedness of the GGE participants from the member-States.
The GGE is also to be commended for recognizing that significant advances in identifying international law rules and their application in cyberspace were unlikely and therefore dedicating so much attention to the elaboration of its non-binding norms. It has begun to establish the framework for responsible behavior in cyberspace. Over time, some of the norms are likely to be recognized as the binding law that many States consider them. Those that are not already binding law may eventually crystallize into customary international law or authoritative interpretations of existing rules.
Finally, and most importantly, the GGE has “acknowledged that continued discussion and exchanges of views by States, collectively at the United Nations on how specific rules and principles of international law apply to the use of ICTs by States is essential for deepening common understandings, avoiding misunderstandings and increasing predictability and stability. Such discussions could be informed and supported by regional and bilateral exchanges of views between States.” The GGE perceptively observed that “additional norms could be developed over time, and, separately, notes the possibility of future elaboration of additional binding obligations, if appropriate.”
That a great deal of work remains to be done in determining how international law applies in cyberspace is self-evident. Nevertheless, it is encouraging that the member States of the GGE recognize this reality and intend to keep at it. They are to be congratulated.