The Petya ransomware cyberattack hit computers of Russian and Ukrainian companies on 27 June 2017. Photo by Donat Sorokin/TASS/Getty.
6. Processes for Reaching Agreement on the Application of International Law to Cyberspace
160. A number of multilateral, regional and bilateral initiatives have developed in recent years in attempts by states to reach agreement on how international law applies to states’ cyber activities.265 These initiatives have taken various forms including strategic dialogue; political statements; and proposals for the agreement of principles. These state-to-state initiatives, together with a number of multi-stakeholder initiatives, have often been directed at a wide range of aspects of regulating cyberspace, many of which go beyond the issues discussed in this paper. Where the initiatives concerned have addressed the application of international law to state-sponsored cyber intrusions below the use of force, they have not yet gone into much detail as to how international law principles such as sovereignty and non-intervention apply in practice.
UN initiatives
161. In terms of rule-making, the most significant initiative to date has been the UN GGE. As noted above,266 the UN GGE of 2013 and 2015 reached some important conclusions on the law, including that international law and the principles of sovereignty and non-intervention apply to cyberspace. It also reached agreement on 11 voluntary non-binding norms on responsible state behaviour,267 confidence-building measures, and coordinated cybersecurity capacity-building, which have since been endorsed by other states and regional groupings.268 Together, these measures are often referred to as a Framework for Responsible State Behaviour in Cyberspace. But the 2016–17 UN GGE failed to agree a consensus report, amid concerns by some states about the militarization of cyberspace, in particular the application of the rules on use of force and international humanitarian law to states’ activities in cyberspace.
162. In June 2019, a new Open-Ended Working Group (OEWG) of the UN General Assembly started work, as a result of a resolution sponsored by Russia,269 and will report to the General Assembly in September 2020.270 The OEWG has been tasked with studying the existing norms contained in the previous UN GGE reports. The resolution also includes the possibility of ‘introducing changes to the rules, norms and principles of responsible behaviour of States’ agreed in the 2013 and 2015 UN GGE reports.271 It was clear from the OEWG’s first session in September 2019 that most states wish to use the existing recommendations in the 2015 UN GGE report as the starting point for discussions, but there remains a risk that certain states will push for elements of the existing agreement reached on international law to be undone.
163. The UN General Assembly also agreed to the formation of a new UN GGE, further to a resolution sponsored by the US. The new UN GGE will hold its first meeting in December 2019 and report to the General Assembly in 2021.272 This group of 25 selected UN member states has also been mandated to study how international law applies to state action in cyberspace and to identify ways to promote compliance with existing cyber norms. The results will be submitted in a report to the General Assembly in 2021; the resolution also requests ‘an annex containing national contributions of participating governmental experts on the subject of how international law applies to the use of information and communications’.273 It is hoped that the discussions in both the OEWG and UN GGE will encourage more states to indicate publicly their position on the legal principles and thresholds that they consider to apply in cyberspace. This will promote transparency and predictability, and help to further common understandings.
164. The twin-track approach in the UN offers an opportunity for further dialogue among states on these issues. The OEWG, open to all interested UN member states, enables a larger and more diverse number of states to participate. But the overlapping mandates of the two groups reflect the fact that cyber norm-making and enforcement have become a site of geopolitical rivalry, with the risk that the parallel processes will operate in competition or contradiction with one another rather than constructively. There is also a risk that the process and institutionalization of dialogue over ‘norms’ in the cybersecurity area trumps the difficult discussion of how existing international law applies. Given the differences between states in their approaches to how sovereignty applies in cyberspace, including whether it applies as a principle or a legally consequential rule in this area, statements issued by the OEWG and UN GGE with reference to principles will need to be studied carefully. They may not so much clarify the law as paper over important legal differences, each side agreeing with the language but understanding that language to mean something fundamentally different.
Regional state-led initiatives
165. Regional and bilateral initiatives may offer a helpful means of identifying common areas of agreement, as a supplement or complement to the UN processes. During 2019, the UN GGE held consultations with regional groups (the African Union, EU, Organization of American States, OSCE and ASEAN Regional Forum) in advance of the GGE’s first meeting. States have been discussing the application of international law to cyber in a number of other regional forums, including the Shanghai Cooperation Organisation274 and Asian-African Legal Consultative Organization.275
166. Other organizations such as the G7 and G20, OSCE,276 EU,277 OAS and African Union have been debating cyber norms more broadly, including the development of confidence-building measures. Such measures focus on the exchange of information between states; greater transparency in order to deter cyber conflict and reduce the risk of escalation in the event of a cyberattack; capacity-building to strengthen cyber resilience in states; and cybersecurity.
Initiatives involving non-state actors
167. Over the last few years, there has been a proliferation of multi-stakeholder initiatives focused on furthering understanding on what rules should apply to states’ interactions in cyberspace. These initiatives, which involve a range of actors drawn from various sectors including civil society, think-tanks, the tech sector and international institutions, have sought to fill the void left by the silence or ambiguity of most states in this area. They include the work of the Global Commission on the Stability of Cyberspace, a multi-stakeholder body that has proposed principles, norms and recommendations to guide responsible behaviour by all parties in cyberspace;278 the Cybersecurity Tech Accord, which aims to promote collaboration between tech companies on stability and resilience in cyberspace;279 and Digital Peace Now, a campaign to stop cyberwarfare.280 They also include the Tallinn Manual 2.0 and the writings of a number of legal practitioners and academics in this area.
168. Some states have spearheaded multi-stakeholder initiatives, for example President Macron’s ‘Paris Call for Trust and Security in Cyberspace’, which to date has received the backing of 67 states, 139 international and civil society organizations, and 358 private-sector organizations.281 There are also opportunities for non-state actors to contribute to state-led processes, for example at the intersessional meetings of the OEWG and GGE at the UN.282
169. Initiatives by non-state actors benefit from broader understanding of the issues from a range of interested parties without the geopolitics involved in multilateral meetings.283 They also recognize the important role that the private sector can play in detecting or preventing cyber incidents, and the fact that the private sector often owns and manages the critical infrastructure that is frequently the target of state-sponsored cyber operations.
Prospects of reaching agreement in this area
170. In practice, there are a number of obstacles to states reaching agreement on how the principles of non-intervention and sovereignty apply in the cyber context. The first is geopolitics, which is likely to hamper the new OEWG and GGE processes in the UN. In light of this, there is perhaps some value in separate groups of states, academics and civil society coming together to contribute to the processes in a less politically fraught environment. But whatever the modalities of discussion, it has to be recognized that because states’ positions on sovereignty are so different, it is likely to be difficult in practice for states to reach agreement on how sovereignty applies in cyberspace. Apart from the differing position on the law, there is also a practical impediment: because cyber activity is in the toolkit of governments, they will wish to safeguard their ability to use it, rather than setting the bar for unlawful activity too low. There is perhaps likely to be more commonality between states about whether particular state behaviour constitutes an internationally wrongful act, and why, than there is about whether sovereignty is a rule or a principle, and how it relates to intervention.
171. The prospect of states reaching agreement in the form of a treaty on these issues is a long way off, despite calls from many quarters for greater legal certainty.284 Above all the process would take political will, which is currently lacking in this area. It may be easier to reach agreement on specific applications of the law than on abstract principles.285 In the cyber context, the agreements between certain states not to conduct commercial cyber espionage against each other suggest that where there are pressing issues of mutual concern, there may be scope for states to reach agreements on specific issues. In due course, such agreements could potentially pave the way for the development of specific agreements, for example a prohibition on attacking another state’s critical infrastructure.