ArticlesCybersecurityGlobal AffairsInstitute News

Can International Law Contain The Risks of Cyberspace?

By: Touraj Riazi

The presence of cybersecurity threats existed long before governments had officially recognized cyberspace as warfare’s newest domain. After doing so, clarity was seldom present when assessing the implications this held for states and their conduct. Little progress has been made on mitigating the legal uncertainty of a state’s conduct in cyberspace. Ongoing technological advances and prior developments in international cyber law suggest its formation will likely occur in reaction to state conduct in cyberspace instead of in anticipation of it because states do not wish to limit their own potential conduct by regulations at this stage. 

Cyberspace is a relatively novel domain of operations, and some states still do not possess the necessary information and communications technology (ICT) capabilities to conduct  its operations. Still, certain white paper releases (see Canada’s latest National Cyber Security Strategy here), declarations by individual governments (see France’s here) and cooperation amongst allies represent some advances when seeking to establish the legality of state conduct in cyberspace. However, separate conduct by those very states has exacerbated the uncertainty some have exploited for their own advantage.

Are previous proposals for an international consensus on this matter past the point of revival? Can any impetus be provided to new ones? And how will obdurate and opposing states overcome the obstacles that prevented previous efforts to successfully arrive at an agreement? These questions may not be answered immediately, yet they need asking until they are.  

Each of the main and most capable state actors in cyberspace have acknowledged that “international law applies to cyberspace”. Its very acknowledgement has in part provided the impetus necessary to arrive at a consensus regarding what international law applying to cyberspace actually means. Consent generally exists that any cyber operation resulting in kinetic destruction tantamount to an armed attack would violate international law and justify a proportional response. Confusion arises when much of state activity in cyberspace falls short of explicitly violating international principles of sovereignty, intervention, use of force or international human law (IHL). Confusion is compounded when also considering issues of attribution.

This large grey zone is where many states operate today in cyberspace and a change from this current situation in the near future remains unlikely, particularly since the consequent ambiguity can be advantageous to states. Seeking to avoid delving into the esoteric legalities of principles such as non-intervention, sovereignty, or prohibitions on the use of force, it remains important to note that present disagreements over how these principles apply in cyberspace are responsible for preventing a multilateral cyberspace agreement.

The U.N. Group of Governmental Experts (GGE) on “advancing state behaviour in cyberspace” established in 2004, and the Tallinn Manual produced by NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE) are two significant international efforts to contain cyberspace risks through international law. While their results may have fallen short of that objective, it’s worth observing why.

After over a decade of work which included two important consensus reports affirming the applicability of international law in cyberspace, the GGE faltered in 2017 when it failed to even produce  a consensus outcome report after meeting. Disagreements that produced this outcome had already revealed themselves in earlier GGE meetings. Michele Markoff, the American representative, was quoted by the press afterwards, stating  that “the reluctance of a few participants to seriously engage on the mandate of international legal issues” prevented a consensus.

One of several concerns held by states like Russia and China was voiced by Cuban representative Miguel Rodriguez during the final session of the GGE in 2017, that accepting the applicability of IHL to cyberspace would “legitimize…unilateral punitive force actions, including the application of sanctions and even military action by states claiming to be the victim of illicit uses of ICTs”. This should not overshadow other, very real, objections arising over differing interpretations of other principles of international law or when to invoke the Law of Armed Conflict in the context of cyberspace.

The Tallinn Manual published by NATO’s CCDCOE is the most comprehensive document to date that details how international law applies to state conduct in cyberspace. Although its contents have been of great assistance in addressing the question at hand, the Tallinn Manual was formulated without any official state participation and has not been endorsed by states either. This circumscribes its international legal value.

Institutions such as the CCDCOE, however, will likely play an important role when a multilateral agreement regulating cyberspace conduct is reached because of their immense research and training activities. In a recent interview Jaak Tarien, current Director of the CCDCOE, acknowledged the “significant concerns within the cyber domain…that nations do not share the most sensitive yet vial data”. Even within NATO, Col. Tarien continued, “there exists a disparity across the Alliance as it concerns the military cyber domain” since “some nations are far more advanced than others”. By serving as a “leveller of playing ground” between NATO members, “hubs of cooperation” like the CCDCOE “advance the good of the Alliance”.

Last year, attempts to revive the GGE format through the U.N. culminated in the first meeting of the Open-Ended Working Group (OEWG) to “address challenges and developments in the field of ICT”. State interests, capabilities, and perceptions of legitimate conduct in cyberspace are currently so divergent that the OEWG is likely to face an outcome similar to the GGE.

Absent any significantly disruptive incidents that may act as a catalyst to arriving at an international consensus in the near future, it seems likely that states will continue to incrementally shape how international law applies to cyberspace through their own behaviour, actions and the precedents they set. In a relatively new domain where technological advances continue to push the limits of possibility, states will find it in their interest not to constraint their own scope of action by international law at this early stage.   

Touraj presently serves the NATO Association of Canada as a Policy Analyst and Editor. He is also completing his M.A. at Sciences Po Paris and will graduate next June. He can be reached at touraj.riazi@natoassociation.ca