Elizabeth Wilmshurst CMG QC
Well, good evening, and welcome those of you who are here in person and all of those online. In May 2018, Chatham House was delighted to welcome the then Attorney General of England and Wales, Jeremy Wright, to speak on the UK’s position on international law in cyber. That was the first time that the UK’s views on the subject had been put down on record and the speech was quoted extensively in international fora and on the internet around the world. We are so pleased, therefore, that the government has decided again to choose Chatham House to give their current views on international law in cyberspace and that we have the present Attorney General here with us today. It’s very welcome and, of course, of crucial importance that the government is aiming to set its policy on cyber within the International Rule of Law.
Just a word about the format. The meeting’s not under the Chatham House Rule. It’s on the record and will be recorded and I hope there’ll be a link available. The Attorney will give us the keynote speech and when she leaves, I’ll be joined by four distinguished panellists who are here to discuss the matter further and to answer questions. For those of you who are attending online, please feel free to submit questions as we carry on the meeting, use the Q&A function if you would.
Let me now introduce and welcome The Right Honourable Suella Braverman QC MP, Attorney General for England and Wales and Advocate General for Northern Ireland. Appointed to the post in February 2020, she was, in 2018, Parliamentary Under Secretary of State at the Department for Exiting the European Union. Attorney, we really look forward to your speech [applause].
The Rt Hon Suella Braverman QC MP
Thank you, Elizabeth, for that introduction. It’s fantastic to be here today. I very much remember, fondly, coming to Chatham House to watch lectures here as a young Lawyer and I very much enjoyed speaking as a Brexit Minister in 2018, here, to an audience about the Trade Dimensions of Leaving the European Union. And I’m very pleased to be here today to build on what my friend and colleague, Jeremy Wright, Former Attorney General, spoke about some years ago, Cyber and International Law. I’m also very grateful to the esteemed panel of experts that we’ve got tonight to follow on with the discussion.
In 1982, on a visit to Japan, Margaret Thatcher presented a ZX Spectrum to the Japanese Prime Minister. “This is a small home computer,” she told the bemused Premier, before purposely pressing a button on the keyboard, which changed the screen to reveal a game of chess. Although by the end of the decade, the British entrepreneur, Sir Clive Sinclair, had sold 2½ million units of his ZX in the UK, for most people, the personal computer was always just a bit of fun. Why would you painstakingly key in your contacts when you already had an address book?
40 years on, it’s hard to understate our reliance on computers. Just imagine how Margaret Thatcher would have reacted in 1982 if you had told her that the small electronic box in front of her would require defence from a dedicated state agency with a budget running into billions of pounds? And as a sound fiscal Conservative, she may have been tempted to knock it off the table, rather than showcase the British creation around the world.
Once novel uses of cybertechnology, like making a medical appointment or shopping online, have now become routine and sometimes unavoidable, and since an event occurring in cyberspace can have real-world consequences, it’s clear that it requires increasing levels of international co-operation, as can be seen in the India-UK Cyber Statement, agreed during the Prime Minister’s visit there. Such agreements help states to trade goods, services and ideas and cyberactivity is also now a part of how some disputes or tension between countries play out.
Our reliance on cyber has, of course, created huge challenges. Events over the past ten years, in particular, have demonstrated the vulnerability of critical sectors to disruptive state cyberactivity, perhaps most notoriously in 2017, NotPetya cyberattack, which masqueraded as ransomware, but served principally to disrupt, affecting, in particular, Ukraine’s financial, energy and government institutions. But its indiscriminate design also caused wider disruption across the globe, costing firms in sectors of industry as varied as shipping, food production, pharmaceutical research, advertising, hundreds of millions in recovery costs. More recently, Microsoft reported that shortly before Russia’s illegal evas – invasion of Ukraine, the Russian main intelligence directorate, the GRU, targeted destructive malware against hundreds of systems across Ukraine, affecting the IT, energy and financial sectors.
I was in Ukraine last week, visiting my colleague, the Ukrainian Prosecutor General, Iryna Venediktova. I’m honoured to have been working with her for a few months now, supporting her work in prosecuting war crimes. I went to Ukraine with Sir Howard Morrison QC, eminent Lawyer and Former Judge, who is bringing invaluable expertise and support to the Ukrainians in their vital mission to secure justice for victims of these atrocious crimes in Ukraine, and this ongoing conflict in Ukraine has demonstrated, on the part of Russia, a callous disregard for established international rules. However, the unprecedented and united international response in support of Ukraine has also reinforced the value of having a framework that makes clear when state action is unlawful.
Cyber is very much part of this conflict. As Sir Jeremy Fleming recently noted, “We have seen cyber in this conflict and lots of it.” The UK, US, EU and other allies announced last week that Russia has been behind a series of cyberattacks, since the start of its illegal invasion, the most recent attack being on a communications company, Viasat, in Ukraine, which had a wider impact across the continent, disrupting windfarms and internet users in Central Europe. Putin is also waging a dangerous disinformation war, hiding the truth from the Russian people.
Commentators often talk in hushed tones of cyber weapons, with little understanding of what they are or of the rules which govern how they are used. This misunderstanding means that we can see every cyber incident as an act of warfare, which threatens to bring down the modern world around us, and it’s not uncommon for even seasoned observers to think in this way, as they speak of cyber as “A new battlespace where no rules apply.” But cyberspace is not a lawless grey zone. International law governs and plays a fundamental role in regulating cyberspace, which is why today I want to set out how the UK considers international law to apply in cyberspace during the peacetime, against the backdrop of the Prime Minister’s Integrated Review and the government’s National Cyber Strategy, with particular focus on the rule of non-intervention, its application to key sectors and avenues for response.
I’m focusing on the law applicable in peacetime, because the UK has already set out that cyber operations are capable of breaching the prohibition on the threat or use of force, and that the applicable law in armed conflict applies just the same to the use of cyber as – cyber means as other means of waging war. And I want to be clear that in the same way that a country can lawfully respond when attacked militarily, there is also a basis to respond and options available in the face of hostile cyber operations in peacetime.
The UK was one of the very first states to articulate publicly its views on the application of international law in cyberspace. I will build on what Jeremy Wright QC, when he was Attorney General, in May 2018, said here in Chatham House. At that time, it was considered necessary to set out the fundamentals of the UK view, that the rules-based international order extends to cyberspace and that there are boundaries of acceptable state behaviour in cyberspace, as there are anywhere else.
More recently, in June 2021, the UK published a statement as part of the United Nations Group of Governmental Experts’ process, setting out the ways in which international law applies in cyberspace, and the UK continues to attach importance to states clearly setting out their views like this. Significantly, that UK statement concluded by noting the importance of “moving beyond discussion of general concepts and principles, and to be clear about what constitutes unlawful conduct in those sectors, which are most vulnerable to destructive cyber conduct.”
One of the Integrated Review’s stated goals is for the United Kingdom to, and I quote, “shape the international order as it develops in future frontiers.” Cyberspace stands out amongst these future frontiers. The National Cyber Strategy priorities include “Promoting a free, open, peaceful and secure cyberspace” and international leadership and partners will be essential in shaping and strengthening the international cyber governance framework to deliver those objectives. Partnerships like the Quintet of Attorneys General, with my counterparts in Australia, New Zealand, Canada and the United States, are vital to achieving this objective.
The United’s – United Kingdom’s aim is to ensure that future frontiers evolve in a way that reflects our democratic values and interests and those of our allies. We want to build on increasing activism by likeminded states when it comes to international cyber governance. This includes making sure that the legal framework is properly applied to protect the exercise of powers derived from the principle of state sovereignty, to which this government attaches great importance from external coercion by other states. The law needs to be clear and well understood if it is to be part of a framework for governing international relations and to rein in irresponsible cyber behaviour. Setting out more detail on what constitutes unlawful activity by states will bring greater clarity about when certain types of robust measures are justified in response.
The rule on non-intervention. Turning now to the law, one of the rules of customary international law which is of particular importance in this area is the rule on non-intervention. Customary international law is the general practice of states accepted as law. As such, it is not static. It develops over time, according to what states do and what states say. It can adapt to accommodate change in the world, including technological advances. Customary international law is a framework that can adapt to new frontiers and which governs states’ behaviour.
A well-known formulation of the rule of non-intervention comes from the International Court of Justice in its Military and Paramilitary Activities judgement. According to the court in that case, all states, or groups of states, are forbidden from intervening, “directly or indirectly in internal or external affairs of other states. A prohibited intervention must accordingly be one bearing on matters in which each state is permitted, by the principle of state sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.”
The UK’s position is that the rule on non-intervention provides a clearly established basis in international law for assessing the legality of state conduct in cyberspace during peacetime. It serves as a benchmark by which to assess lawfulness, to hold those responsible to account and to calibrate responses. This rule is particularly important in cyberspace for two main reasons. Firstly, the rule on non-intervention lies at the heart of international law, serving to protect matters that are core to state sovereignty. As long ago as 1966, the UK made clear its position that “The principle of non-intervention as it applied in relations between states, is not explicitly set forth in the United Nations Charter, but flows directly, and by necessary implication, from the prohibition of the threat or use of force and from the principle of the sovereign equality of states.” Four years later, in 1970, the UK set out its view that “Non-intervention reflected the principle of the sovereign equality of states” and that these principles were equally valid and inter-related. More colloquially, we might say that sovereignty and non-intervention are two sides of the same coin.
States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point last year, in June, namely, that “Any prohibition on the activities of states, whether in relation to cyberspace or other matters, must be clearly established in international law.” The general concept of sovereignty, by itself, does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct, going beyond that of non-intervention. What matters, in practice, therefore, is whether there has been a violation of international law. Differences in legal reasoning must not obscure the common ground, which I believe exists when it comes to certain types of unacceptable and unlawful cyber behaviours. I think that common ground also extends to an appreciation that we must carefully preserve the space for perfectly legitimate everyday cyberactivity, which traverses multiple international boundaries millions of times a second.
Second, the rule of non-intervention is also of increasing relevance due to the prevalence of hostile state activity by states that falls below the threshold of the use of force or is in the margins of it. In such circumstances, the rule on non-intervention becomes particularly significant as another benchmark by which states can define behaviour as unlawful.
Having identified the importance on the role – the rule on non-intervention, I now turn to the threshold for its application. The fact that behaviour attributed to another state is unwelcome, irresponsible or, indeed, hostile, does not mean that it is also unlawful. A core element of the non-intervention rule is that the offensive behaviour must be coercive. Coercion was rightly described in the Military and Paramilitary Activities case as, “The very essence of a prohibitive – prohibited and intervention.”
It is this coercive element that most obviously distinguishes an intervention prohibited under international law from, for example, more routine and legitimate information gathering and influencing activities that states carry out as part of international relations. But what exactly is coercion? Some have characterised coercion as, “Forcing a state to act differently from how it otherwise would,” that is compelling it into a specific act or omission. Imagine, for example, a cyber operation to delay another state’s election or to prevent it from distributing tax revenues to fund essential services. To my mind, these are certainly forms of coercion.
But I want to be clear that coercion can be broader than this. In essence, an intervention in the affairs of another state will be unlawful if it is forcible, dictatorial or otherwise coercive, depriving a state of its freedom of control over matters, which it is permitted to decide freely by the principle of state sovereignty. While the precise boundaries of coercion are yet to crystallise in international law, we should be ready to consider whether disruptive cyber behaviours are coercive when – where – even where it might not be possible to point to a specific course of conduct, which a state has been forced into or prevented from taking.
Of course, in considering whether the threshold for prohibited intervention is met, all relevant circumstances, including the overall scale and effect of a cyber operation, need to be considered. But I believe that we can and should be clearer about the types of disrupted state activity, which are likely to be unlawful in cyber space. It’s therefore important to bring the non-intervention rule to life in the cyber context through examples, illustrative examples, of what kinds of cyber behaviours could be unlawful in peacetime, to move the focus to the types of coercive and disruptive behaviours that responsible states should be clear are unlawful when it comes to the conduct of international affairs in peacetime. And being clear on what is unlawful means we can then be clearer on the range of potential options that can be lawfully taken in response. That is the kinds of activity, which would require legal justification, for example, as a proportionate response to prior illegality by another state. This is crucial in enabling states to act within the law, whilst also taking robust and decisive action.
With that in mind, today I’m going to set out new detail to illustrate how this rule applies in practice, a non-exhaustive list to move this discussion forward. I’ll cover four of the most significant sectors that are vulnerable to disruptive cyber conduct: energy security, essential medical care, economic stability, and democratic processes.
Ensuring the provision of essential medical services and secure and reliable energy supply to a population are sovereign functions of a state. They are matters in respect of which international law affords free choice to states. The integrated review highlights the interconnected nature of the global health system and the importance of building resilience to address global health risks. COVID is a clear example. Likewise, energy security is recognised as including “protection of critical national infrastructure from cybersecurity risks.”
Covert cyber operations by a foreign state, which coercively restrict or prevent the provision of essential medical services, or essential energy supplies, would breach the rule on non-intervention. Of course, every case needs to be assessed on its facts, but prohibited cyberactivity in the energy and medical sectors could include disruption of systems controlling energy, medical transport, for example, telephone dispatches, causing hospital computer systems to cease functioning, disruption of supply chains for essential medicines and vaccines, preventing the supply of power to housing, healthcare, education, civil administration, and banking facilities and infrastructure. Causing the energy supply chain to stop functioning at national level, through damage or prevention of access to pipelines, interchanges, or – and depots, or preventing the operation of power generation infrastructure.
Turning to economic stability, covert cyber operations by a foreign state that coercively interfere with a state’s freedom to manage its domestic economy or to ensure provision of domestic financial services crucial to the state’s financial system, would also breach the rule on non-intervention. Such cyber operations could include disruption to the networks controlling a state’s fundamental ability to conduct monetary policy or to raise and distribute revenue, for instance through taxation, or disruption to systems, which support lending, saving and insurance across the economy, and lastly, democratic processes.
Free and open elections, using processes in which a population has confidence, are an essential part of the political system in democratic states. All states have the freedom to make their views known about processes in other countries, delivering hard, sometimes unwelcome, messages and drawing attention to concerns. This is part and parcel of international relations. However, covert cyber operations by a foreign state, which coercively interfere with free and fair elections, or electoral processes, would constitute a prohibited intervention. Again, every activity needs to be considered on its specific facts, but the activities could include operations to disrupt the systems, which control electoral counts to change the outcome of an election, operations to disrupt another state’s ability to hold an election at all, for example, by causing systems to malfunction, with the effect of preventing voter registration.
I hope that these illustrative examples will assist in the future when considering what is unlawful in cyberspace. I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a state is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, state direction or control of non-state actors who undertake cyber operations of the kind I’ve described today, would also represent unlawful conduct by that state, in line with international law on state responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a state is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang, than it would be for the unlawful actions of an armed group or a corporation.
If a state carries out irresponsible, hostile or unlawful cyberactivity, what then are the options available to the victim state? Now, there are a wide range of effective response options available to impose a cost on states carrying out irresponsible or hostile cyberactivity, regardless of whether the cyberactivity constitutes an internationally unlawful act. These kinds of measures, referred to as acts of ‘retortion’ in international law, could include economic sanctions, restrictions on freedom of movement, exclusion from international groupings, and wider diplomatic measures. So, there are always options available to stand up to unacceptable behaviour, and you do not have to look far to see how the impact of taking these kinds of measures is amplified when acting alongside other likeminded states.
Let me be clear. This means that when states like Russia or China carry out irresponsible or hostile cyberactivity, the UK and our allies are always able to lawfully take action, whether or not the activity was itself unlawful. Today, that might be in response to hostile cyberactivity occurring in Ukraine. Tomorrow it could be a response to hostile activity in Taiwan.
Where a state falls victim to unlawful cyberactivity carried out against it by another state, it may also be appropriate to pursue remedies through the courts. Current events in Ukraine have demonstrated the continued relevance of fora like the International Court of Justice, in the context of the wider response. The UK has accepted the compulsory jurisdiction of the ICJ, and we are – and we encourage others to do so likewise.
Beyond this, under the international law doctrine of countermeasures, “A state may respond to a prior unlawful act in ways which would, under normal circumstances, be unlawful, in order to stop the offending behaviour and ensure reparation.” The UK has previously made clear that “Countermeasures are available in response to unlawful cyber operations by another state.” It is also clear that countermeasures need not be of the same character as the threat and could involve non-cyber means, where it is the right option, in order to bring unlawful behaviour in cyberspace to an end. However, some countries simply do not have the capability to respond effectively by themselves in the face of hostile and unlawful cyber intrusions. It is open to cons – it is open to states to consider how the international law framework accommodates, or could accommodate, calls by injured state for assistance in responding collectively.
I focus today on the application of international law to cyberspace, but I also want to touch on the broader context. Applying the international law framework to this new frontier is just one part of a wide-ranging international effort by the UK and other likeminded states, to promote a free, open, peaceful and secure cyberspace. There are a range of additional measures currently being taken domestically and internationally to counter harmful behaviour in cyberspace, improving cyber resilience essential to reducing cyberattacks and their real-world impact.
Over the last decade, the UK has delivered a wide range of interventions aimed at strengthening the UK’s cyber resilience, including, through the creation of a National Cyber Security Centre, the NCSC. Resilience is a core element of the UK’s national cyber strategy. My colleague, the Chancellor of the Duchy of Lancaster, spoke last week at the Annual Cyber UK Conference, about the importance of resilience, how this is something we all need to take responsibility, across the public and private sectors, to ensure that the benefits of technology are felt by everyone.
States have always had a duty to protect their external border from foreign attack, but cyber has, in a sense, increased the size of that border by an unimaginable factor. Viewed this way, the UK’s external border is no longer just around the corners of Great Britain and around Northern Ireland. It is located in every household and every business in the country. But just because the scale of the challenge has increased, it does not change our fundamental duty to protect citizens, families and businesses from the array of threats present in cyberspace.
The UK has also developed a cutting-edge capability to carry out cyber operations, to keep ourselves and our friends and allies protected from those who seek to harm us. That’s the National Cyber Force. The National Cyber Force draws together personnel from intelligence and defence in this area, under one unified command, for the first time. It can conduct offensive cyber operations, flexible, scalable measures to meet a full range of operational requirements and, importantly, the National Cyber Force operates under an established legal framework. Unlike some of our adversaries, it respects international law. It is important that democratic states can lawfully draw on the capabilities of offensive cyber and its operation not to be confined to those states which are content to act irresponsibly or to cause harm. This goes to the heart of how the UK operates as a responsible cyber power.
The role of law enforcement is also important. The Police and National Crime Agency are focused on addressing the cybercrime threat here in the UK. Our domestic legislation, such as the Computer Misuse Act, enables the prosecution of criminals attacking our computer systems, and I have no doubt we will ensure that the law here in the UK will continue to evolve as the threat does. Law enforcement authorities are also working together across the globe, including on the basis of international agreements, such as the Budapest Convention. This encourages a common approach to cybercrime, adopting appropriate domestic criminal law frameworks and fostering international co-operation. And closer co-operation in the criminal justice space means that ransomware gangs cannot act with impunity.
Co-ordination between states, in a more general sense, is also crucial in responding to hostile state activity in cyberspace and imposing a cost on those who seek to abuse the freedom and opportunity that technological progress has provided them. States are developing more sophisticated and co-ordinated diplomatic and economic responses. This can be seen in the response to the recent operation targeting Microsoft Exchange servers, where 39 partners, including NATO, the EU, and Japan co-ordinated in attributing hostile activity to China. It can also be seen in the response to the Russian SolarWinds hack, which saw co-ordinated US, UK and allied sanctions and other measures.
Working with states to reach shared agreement on prohibitive behaviours for key sectors, like those I’ve set out today, will help us to move beyond theoretical discussions around sovereignty and non-intervention and to help define what responsible cyber power means in practice. When taken in collaboration with other efforts, improving resilience, promoting cybersecurity, international co-operation and having the operational capability to respond effectively to those seeking to harm us, international law can help us all to realise this vision of a free, open, peaceful, and secure cyberspace.
You’ve done well to stick this far. I’m closing and I will make a few final remarks. International law matters in cyberspace. If we don’t shape the rules here, and if we don’t have a clear framework to counter hostile activity in cyberspace and if we don’t get cybersecurity right, the effects will be likely to be felt more often and in hugely disruptive ways by ordinary people. It’s vital and it’s urgent. For example, a single cyber breach in 2020 cost a local council here in the UK an estimated £10 million in recovery costs and significantly disrupted services provided to the local community for months by shutting down IT systems and stopping the council from carrying out property purchases within the borough.
Championing a cyber governance framework that is founded in international law means that we can also provide a secure foundation for international partnerships on technology, to unlock the potential of fields such as artificial intelligence and quantum computing. The UK and its allies are at the forefront of this work.
Earlier this year, the Foreign Secretary concluded a Cyber and Critical Technology Partnership with her Australian counterpart, to strengthen global technology supply chains and to promote the UK’s positive technology vision. Providing further detail on how international law applies in cyberspace, as I’ve sought to do today, will help us to more effectively call out the most egregious hostile state behaviour as unlawful, and the UK will continue to call out behaviour, both irresponsible and unlawful.
Our approach will also encourage more agile and decisive international action in response to specific threats, using our full freedom of manoeuvre within the law. It will help all states understand the parameters and thresholds of lawful or unlawful action. It will serve to avoid inadvertent or damaging escalations and our approach will enable us to do these things in close partnership with the many other states who share our ambition to shape and strengthen the international order in future frontiers. Thank you [applause]. Thank you, Elizabeth [applause].
Chatham House Staff
[Pause] If you want, just there.
Elizabeth Wilmshurst CMG QC
We’ve got it, cool. Great.
The Rt Hon Suella Braverman QC MP
Thank you very much.
Elizabeth Wilmshurst CMG QC
Brilliant, thank you. Yes. Good, well, there we have it, “International law matters,” and I’m quoting there. I’m now introducing our four distinguished panellists. In no particular order, Douglas Wilson, who’s Director General at the Attorney General’s office, previously spent 4½ years at GCHQ as Director of Legal Affairs and International Relations. Shehzad Charania, Director of Legal Affairs and International Relations at GCHQ, now, currently, and he joined GCHQ after five years at the Attorney General’s office. So, we have two senior officials here, so any questions you have on the speech that has just been read, these are the guys.
Then we have Dr Simon Mehdian-Staffell and I didn’t meet you in order to – before, so that I could ask you how to pronounce your name, so apologies if I didn’t. Now, he is UK Government Affairs Manager at Microsoft and I asked him, in an email, “What does that mean?” and he said his role includes “working with policymakers on current and future technology policy and regulation.” He previously worked within a couple of government departments. And then, finally, Harriet, Harriet Moynihan. Until very recently, she was the Acting Director of the International Law Programme here at Chatham House and she’s the Author of Chatham House’s research paper, The Application of International Law to State Cyberattacks, Sovereignty and Non-Intervention. So, four very distinguished panellists.
I’ve had some questions online, but if people want to keep on putting them in, they’re welcome. I’m going to ask questions of the panellists myself, but if anyone in the audience, as we speak, really thinks that their question is absolutely spot on what we’re talking about, then I’ll take it. But we haven’t begun yet, sir, but I’ll look for you with my eye.
Right, I’m going to start with Doug, and I really want to – and there, too. It was really welcome to hear the government’s position on international law in cyber and we heard that, as well, four years ago. It’s quite strange for the government, unusual, not strange, unusual for the government to put out its views on international law in the abstract, as opposed to one specific incident. So, tell me the drivers behind this really welcome setting out of the government’s position.
Douglas Wilson OBE
Thanks, Elizabeth, and a pleasure to be here. I think – I mean, the Attorney covered this, to an extent, in her speech, but I would highlight three, sort of, overlapping and inter-related factors. You know, it was four years ago, I think almost to the day, that Jeremy Wright was giving his speech here at Chatham House and, you know, in those four years, we have not been idle.
I was tasked by the AG and by my boss at GCHQ, who’s sitting in the front row, so I’d better be careful to reflect what he said honestly, but to go out and make the case for the legal framework that underpins some of the capabilities, in order to demonstrate what being a responsible cyber power meant, in practice. With the domestic legal framework, following on from the Investigatory Powers Act, and with working with colleagues across government, in the FCDO, in G – and obviously, I was at GCHQ at the time, in the Attorney General’s Office at the time. There’s a wealth of talent and little me tasked to go out, listen to academic expertise. We attended a num – a huge number of seminars, most recently Professor Dapo Akande’s Oxford Process. But prior to that, I think you chaired a number of seminars here at Chatham House, listening to colleagues from other countries, listening to academics, practitioners, and trying to get a sense of both what we’d said in the speech in 2018 and how other countries saw it, how other interlocutors saw it.
And some months ago, we came to the conclusion that there were, sort of, three drivers to make another intervention in this space. And the first one was that we – our observations from that engagement were that a number of countries, at least, were potentially arriving at that very similar destination by different routes. In fact, I think Harriet should take the credit for her paper really identifying this. Regardless of whether you look at something as a non-intervention and a sovereignty perspective, you can often – Lawyers working on a practical problem will often come up with the same conclusion, the same destination. Is something lawful there that’s happening to us, or not? And so, that was our experience, the destination was the thing that mattered, not necessarily the route. So, we thought, “Let’s talk about destinations more prominently.”
The second driver was, really, a sense that while there was a lot of commonality in this space, as the Attorney referenced in her speech, there were still some areas where there were areas of uncertainty or gaps that could usefully be narrowed or potentially even bridged. And an example of that would be if you look at the countries that do espouse a rule of sovereignty, the content of that rule, in their views, can be substantially different.
And then, the final driver, and this came out of Sir Jeremy’s speech at Cyber UK, the Chancellor of the Duchy of Lancaster’s speech, and from the Attorney’s speech, I hope, and that’s the sense that it’s – this is a really big problem. It’s a global problem that we’re dealing with. International law as a global set of rules has to have something to say about it and has to be able to apply clearly, with a degree of certainty, and on a global basis.
They’re the key drivers that we thought it was useful to make another intervention in this space, and we hope it contributes to moving the debate forward to talk about the impact in a really practical way in specific sectors.
Elizabeth Wilmshurst CMG QC
Thank you very much. With apologies to those in the audience who are not Lawyers, I really would like, just for a little bit, to get down into the weeds of international law here, because of course, the Attorney was talking about that, and one of the weeds is the doctrine of sovereignty. And now, I want to turn, again, to you, Doug, if you don’t mind. The Attorney repeated the existing position of the government that damaging cyber operations are not to another government. They don’t infringe on the sovereign another – of another state, unless they comprise non-intervention. And I think I’m right in saying that the UK is in a fairly small minority of states in taking that view. One commentator, Mike Schmitt, has been so rude as to say that “Indeed, the UK seems intransigent on this point,” and then he graciously says, “although its positions on other cyberlaw issues are sophisticated and mainstream.” Could you explain why the UK is still in a minority on this point, if indeed, it is?
Douglas Wilson OBE
Thanks. I’ll certainly give it a go because…
Elizabeth Wilmshurst CMG QC
Sorry.
Douglas Wilson OBE
Forgive me.
Elizabeth Wilmshurst CMG QC
And if I might – may just add, I know you say that “If we all agree something is wrong, it doesn’t matter whether it’s a violation of sovereignty or non-intervention,” but that reminds me a bit of doing something, which various people think is wrong, and the Police say, “You’re going to be prosecuted. I don’t know what for, it doesn’t really matter, we all agree it’s wrong.” Anyway, your turn.
Douglas Wilson OBE
Well, no, I would say that in a number of situations, even some of the fundamental rules of international law, like the jus ad bellum, there are countries which can have differing views on the application of it, but still arrive at the same answer in certain scenarios.
I mean, well, this has been, obviously, a theme of the engagement that we’ve done over the last few years and, you know, I’ve really tried to, sort of, boil down the view as I see it. Obviously, the view of the British Government is as stated in statements of the Attorney tonight and of four years ago, but you know, but the starting point is international law has a number of principles, of which sovereignty is, of course, a very prominent one and it has different, sort of, faces. But it’s from those principles that specific obligations emerge and they’re not always neat or coherent and, certainly, alongside the principle of sovereignty, there is a principle of territorial integrity. And certainly, as we looked at the caselaw across government, we can see a heavy degree of overlap between the two. But from those principles, specific obligations emerge relating to the physical control of state territory and, of course, I think the primary examples of that would be the prohibition on the use of force and the prohibition on intervention in domestic affairs. Other examples exist over flight, maritime passage, enforcement jurisdiction by another state within your territory.
So, from analysing that range of specific obligations, flowing from sovereignty or – to territorial integrity, we couldn’t see our current specific legal prohibition forbidding once they are conducting espionage or certain other kinds of cyber effect below the level of a prohibited intervention. And we think it’s not sufficient just to say, “Well, if you, by extrapolation, look at sovereignty in cyberspace, then you can identify a specific prohibition,” and that’s especially so when, as I said before, the substantive content of – or any rule in sovereignty is contestable. If you look at the statements that have been put out, if you look at, say, the French statement and the more recent Canadian statement, they come to very different answers on what the content, the substantive content of a rule in sovereignty might be.
Now, I think the way we’re trying to put it is that such a prohibition and the content of it could be made in treaty, it could emerge over time in customary international law, and the way the UK position is framed is intended to indicate openness to the progressive development of the law in that way. But, you know, I would come back to the starting point that international law isn’t a system of coherent rules that all fit together and it certainly – as I say it, a personal view, that such gaps are a feature of the system, not necessarily always a bug.
Elizabeth Wilmshurst CMG QC
Thank you. Harriet, do you have anything to add to that?
Harriet Moynihan
I think that Doug’s analogy of the, sort of, journey and ending up at the same destination, but “different routes,” is a good one. So, I think it’s important for us to explore those different routes and go through that legal analysis, but at the same time, states have to be practical. They have to reach some certainty, reach positions themselves about whether something’s unlawful or not, and those conclusions will help guide what their response options are, including whether or not they can resort to countermeasures.
So, I do think there’s some real value in this, sort of, practical approach, which seems to be emanating from the Attorney’s speech, where we’ve got, you know, very concrete examples of what the UK considers to be a violation of international law in cyberspace, going down to actual technical equipment, like telephone dispatches, which really, kind of, open up the debate to say, “Okay, where are the boundaries here and what do we think – you know, what do other states think? How are they going to respond to this?” And some of the examples we’ve seen in the last few years, including in the context of COVID, with egregious attacks on healthcare and hospitals, are, I think, so egregious that we don’t necessarily need to even get to the lower threshold of sovereignty. There are some very concrete examples out there, some of which were listed in the Attorney General’s speech, about – that I think would reach the threshold of intervention.
Another point, I suppose, is that the debates on this issue started in quite an academic way, certainly through the Tallinn Manual, through my own paper, really with abstract constructs on, “What is non-intervention, what is sovereignty?” noting the facts that they are quite closely related. But perhaps a better starting point is what is an unlawful act? What do we think about all these terrible cyber activities that are going on around the world? And if we can agree, as states, and hopefully, non-state actors should have an important role on this, too, if we can reach an agreement that that is an unlawful act, then that’s perhaps more important than getting into the intricacies of whether something’s a principle or a rule.
Elizabeth Wilmshurst CMG QC
Thank you. Now, here’s a concrete example, because someone has asked it online, Kevin Heller, “What if terabytes of classified documents are exfiltrated from a government computer by another state’s intelligence agencies, but the computers are not harmed in any way? Would that state be violating international law?” I’m going to ask you this matter.
Shehzad Charania CBE
Fine. Well, hi, Kevin, good to see you. I actually gave him the link to this event yesterday and I’m now regretting that heavily. Anyway, so, look, he’s written an article on this very issue, called, In Defence of Absolute Sovereignty, which I highly commend, I should say, even though it’s at the opposite end of the spectrum of the UK position. And Kevin’s argument is that “There is no threshold for sovereignty.” In other words, you violate international law by any intrusion on another state’s sovereignty, and hence, his example, which he would say would violate the rule of sovereignty. What I would say to that is that that is a minority view and it’s a minority view because it’s too easy, I think, to caricature this idea of the UK, on the one hand, as not accepting sovereignty as a rule, and every other state, on the other side, accepting such a rule.
If you look at Brazil, for example, who will say that “Mere interception of communications,” Kevin’s example, “is a breach of sovereignty, accepting sovereignty as a rule.” But then, you go to The Netherlands and Canada, on the other hand, who are much closer to our position, the UK position than they are to the Brazilian position, even though they both purport to accept sovereignty as a rule.
Elizabeth Wilmshurst CMG QC
I see. So, the answer is some people think this and some people think that. So, the UK would not think that an operation against data, which didn’t affect the – even if it was a huge operation against data…
Shehzad Charania CBE
Yeah.
Elizabeth Wilmshurst CMG QC
…would infringe international law?
Shehzad Charania CBE
The UK does not think that – no is the answer to that, as a direct answer. But I would also just go on to say that espionage, more generally, is not considered to be a violation of international law by pretty much every state. Every state has intelligence agencies. It would be odd if it would – it was considered to be so, and I know that Kevin doesn’t accept that position. But that is the position of every state, every capable state, that has an intelligence agency.
Elizabeth Wilmshurst CMG QC
Good, thank you. That was very clear. Now, we have got some questions. I’m sorry that the lighting is such that I cannot see you. So, these questions are directly on point, I’m sure. Why not just give the one who’s just there, just closest to you and – yes? Sorry, and if you wouldn’t mind speaking into the mic and…
Umar El-Hadran
Yeah.
Elizabeth Wilmshurst CMG QC
…giving your name and affiliation.
Umar El-Hadran
Yeah, my name is Umar El-Hadran, I’m from Pakistan and my question for – about the international law is that Putin has attacked the Ukraine and we all support Ukraine, so is that only is discussed that there as some countermeasures, which UK Government can impose on Russia because of the violation of the international law and the breach of the sovereignty of Ukraine. So, my question is that UK Government has fully imposed those sanction on Russia, which are available in the international law. If yes, then there comes energy crisis and inflation and burden on the citizens of the UK. So, what are the options available with the UK Government to facilitate the citizens? And if those sanctions are not fully implemented on Russia, so what are the hurdles? Thank you so much.
Elizabeth Wilmshurst CMG QC
Thank you, and there’s a gentleman here [pause]. Goodness, we have got very lovely microphones. But there.
Euan Grant
Oh, sorry, it’s over there. Thank you very much. The name’s Euan Grant. I was the old Customs and Excise’s Intelligence Analyst for Transnational Organised Crime and the ex-Soviet State. In my subsequent working for international organisations, I saw time after time, after time, opportunities missed to recognise proxy actions, above all the Wagner Group and Wagnerism.
My question is based on, well, all the panellists’ comments, but particularly Mr Wilson, about the differing approaches of, you mentioned, Canada and France. Without naming national names, ’cause I know that’s a bit sensitive, are there any areas of society, technology and wider business and resilience who you feel are particularly up to the game, or are there particular sectors where they’re lagging in resilience? Thank you.
Elizabeth Wilmshurst CMG QC
Sir, that’s a resilience question, thank you. Let’s have your question, because you’ve been waiting a long time. In the front.
Demi Huston
I’m Demi Huston, a member of Chatham House. I am a Defence Lawyer based in London. My question isn’t on international high-risk, the Attorney wasn’t still here to ask this question direct. Under international law, can it ever be justified to intervene in another country? That’s part A of the question. Part B of the question, the same question, can sanctions ever be justified and are they intervention or not? Thank you.
Elizabeth Wilmshurst CMG QC
Thank you very much. Now, some of those questions go a little further than our subject matter this evening, but we will try to deal with them a bit later. I want to just pick up the resilience question, if I may, which is, really, very much our subject matter. I don’t know whether to turn to you, Simon. Are you sufficiently resilient?
Simon Mehdian-Staffell
I don’t think it was a question for me, but…
Elizabeth Wilmshurst CMG QC
Not a question for you.
Simon Mehdian-Staffell
…I can have a stab.
Elizabeth Wilmshurst CMG QC
Well, Shehzad, it’ll go to you.
Shehzad Charania CBE
Okay, right.
Elizabeth Wilmshurst CMG QC
You can add anything, if you would like.
Shehzad Charania CBE
Oh, sure. So, I think what I would say on resilience, and I’m sure the audience knows that the National Security – National Cybersecurity Centre is part of GCHQ. What I would say on resilience and, in particular, linking it back, if I may, to the Attorney’s speech, these four areas that she talked about: energy, medical, financial, and elections, these were chosen because of the impact of a breach of the non-intervention threshold, as being so grave, so serious as being a violation of international law in the conditions that were set out. That doesn’t, however, equate to the idea that these are technically vulnerable sectors. It’s merely about the impact that a breach of the non-intervention principle in those sectors would have. So, that’s probably what I’d say on resilience. At some point we might want to link up questions around resilience and the conflict in Russia-Ukraine, but I won’t pre-empt anything on that now.
Elizabeth Wilmshurst CMG QC
Thank you. I want to turn to the question of responses to unlawful acts, which were discussed briefly by the Attorney General, and one of the questions here that has come in is on countermeasures. Countermeasures are acts, which would otherwise be unlawful in international law, but which are responding to an unlawful act. And the question that’s put is, “Are collective countermeasures, in the UK’s view, lawful?” And the Attorney just touched on that, but in a very gentle way, “It is open to states,” she said, “to consider how international law accommodates, or could accommodate, calls by an injured state to respond collectively.” I don’t know if you’d like to expand on that, Shehzad.
Shehzad Charania CBE
Sure. I think, actually, in direct response to the question, the answer is as the Attorney put it, which is not saying yes or no. It’s saying that this is an area that is ripe for consideration. And to date, four, and now five, I guess, states have given a view on the question of collective countermeasures. So, on the one hand, you have France and Canada saying that they do not think that the law is sufficiently developed to accommodate a regime of collective countermeasures. You then have, probably, Estonia, which is the most forward leaning, advocating for such approach and you have New Zealand and the UK in the same place, which is, essentially, saying, you know, “We need to look at this.” And I think the reason we need to look at this is because the State Articles on – the Draft Articles on State Responsibility that deal with countermeasures were drafted in 2001 and the drafters, at that point, which had been working on them for 40 years previously, would not have considered the idea of cyber and the consequences around that, or the implications around that.
So, on the one hand, you have a regime, which is that – which is with respect to self-defence in response to an armed attack, where a victim state is able to call upon friends and allies to respond collectively. So, think Kuwait calling on its allies, including the UK, to respond to the invasion of Iraq in 1990. So, you have that as a possible collective response. On the other hand, on the other side of the spectrum, you have what the Attorney talked about with respect to retortion, which are cyber intrusion – which is – which occurs in a situation where there is a cyber intrusion, which falls below the threshold of a prohibited intervention, but where states can still respond collectively.
So, you have this, kind of, gap in the middle, where a victim state who suffers a violation of international law, by way of a breach of the prohibited intervention threshold, where we need to really consider what the options are for that state. And it doesn’t – you know, it seems something that we absolutely need to look at if, with respect to an armed attack, a state can call upon an ally, if with respect to an intervention or an intrusion falling below the prohibited intervention level, it can call upon an ally, but in this middle category it can’t. And it’s important because, you know, what you have is a potential situation where a state might say, “Well, this is, in fact, an armed attack,” when it’s clearly not, but it’s calling it an armed attack because it wants assistance from another state, and that is highly escalatory. On the other hand, if there is no regime of collective countermeasures, it, potentially, leaves quite serious breaches alone and unable to be remedied.
So, just to repeat, it’s not to say, in any way, that the UK today has suddenly announced that it thinks there should be a regime of collective countermeasures, but rather it would like to consider this further as to whether international law should develop in this way. And it’s interesting, because when Doug talked about the Oxford process, I think, on cyber protections, that looked at countermeasures last week, one of the comments in that meeting was about whether there should be “a lex specialis,” so a special regime, “related to cyber with respect to countermeasures.” And I think that sim – that reflects a point I made at the very start, which is that the drafters of the State Responsibility Articles and the countermeasures regime, wouldn’t have conceived of the kind of state threats that we’re dealing with today.
Elizabeth Wilmshurst CMG QC
Thank you, and Harriet, do you have anything to add? I think that the UK has actually retreated. Didn’t they say in 2018 that they believed in collective countermeasures? Anyway, Harriet.
Harriet Moynihan
I don’t think anything was said then, but it’s interesting that I think 17 or 18 states have come out with their views on countermeasures, but only a few, as Shehzad said, have actually talked about collective countermeasures. It’s a very pressing issue. I think it, you know, in real life, it’s coming up. It needs to be discussed and I think that this is, obviously, an invitation. The Attorney’s giving an invitation to states to do more of that discussion, which is welcome, because the law was left open by the International Law Commission as a matter of progressive development. So, I think the time is right.
Clearly, the law needs to be thought about quite carefully. I don’t think we should just throw the Articles on State Responsibility out of the window; some useful conditions there. The point about countermeasures and the spirit of that – of those rules is that they’re exceptional, that they should be used with great restraint and moderation. And I think if we are venturing into the realm of collective countermeasures where, essentially, groups of states can violate the law, albeit in response to a prior violation of the law, then we need to make sure that there are criteria, conditions, guardrails, that will ensure that it’s done with restraint and with the spirit of countermeasures that the ILC envisaged.
And I’m sure that the discussions that the states will go on to have will be analysing how can we import that spirit? Because while Shehzad, I think, and, indeed, the Attorney General, made good policy arguments for collective countermeasures, the fact that so many states can’t respond themselves, the fact that there could be, therefore, a large enforcement gap because there is this huge persistent threat of very egregious cyberattacks, we also have to balance the policy arguments on the other side, the risk of potential escalation, the risk of abuse. So, I’m sure, all of these factors will be considered, not just amongst states, but as Doug and Shehzad have referenced, in sort of, multistakeholder groups that bring in the Microsofts, the civil societies, which we’re seeing through both organisations like the Oxford Process. Which is, incidentally, the Government of Japan, Microsoft and Oxford University, the Tallinn Manual, which is going through its third intera – iteration, and other discussions, including in the Open-ended Working Group, which is trying to bring in more civil society and non-state actors.
Elizabeth Wilmshurst CMG QC
Thank you, and your reference to the private sector, I want to turn to Simon, finally. What’s the role of the private sector in all of this?
Simon Mehdian-Staffell
Thank you, yeah, and thank you very much for having me. Well, I suppose the discussion and the flow of the discussion has shown that very much of this is for governments and states, and that’s absolutely right. And I’m very pleased, and we’re very pleased, that the UK is taking this position and showing their leadership on the issue.
Harriet’s pointed to some of the work that Microsoft have been doing, but also, Harriet pointed to the point around the risk, I suppose, of ambiguity if there’s not consensus. That’s one of the reasons why Microsoft have been real, kind of, vocal champions for the need for greater co-ordination, greater consistency, in terms of defining rules, norms and how they’re applied, and that’s why we very much welcome what the Attorney General and the UK are, kind of, doing, in terms of leading that international conversation.
Microsoft, I wouldn’t claim to represent the private sector or the technology sector in general, but Microsoft have taken a role trying to advocate for increased clarity on international rules and norms. We’ve done that through the Oxford Process, through the Paris Call, which you might also have been involved in, and why do we do that? I suppose we’ve been doing that because, ultimately, a lot of the issues that the Attorney General was talking about are issues that are impacting all of our customers. So, when we talk about the resilience issues, the issues that are potentially crossing some of the thresholds that the Attorney General was talking about, they’re issues that they’re impacting our customers and our customers are relying on us for those services every day. And so, you know, this is – means that we have to think very deeply about how are we providing that resilience for our customers?
And a lot of that thought, clearly, is technical. It’s about software and hardware, it’s about operational security and that includes work that we do in collaboration with the UK Government. But it does also – what we, sort of, think of as the third pillar, after technical and operational security, it does also involve thinking about international rules, law, how they’re applied. And clearly, we, sort of, need to take the lead of government in doing that and – but we do find that we, sort of, need to play some role.
If I may come back to the speech, I think that one of the areas where, potentially, the private sector and Microsoft also play a role, is around this issue of the data that’s required to make some of those definitions. And so, when we’re looking at issues like attribution, and we’ve heard examples of that already today, where Microsoft, again, have been, kind of, very public in attributing cyberattacks to nation states, and co-ordination and some of the attributions that have happened more recently, for example, Viasat, you know, that – the need for co-ordination across states and across the private sector to make some of those attributions. I think, again, that’s an area where we, at Microsoft, think we’ve got a role, because we have a lot of data.
We see trillions of signals every day. We’re able to give assessments of why we think that some of that data is relevant to some of the kinds of issues and threats that the Attorney General was speaking to. And so, I think when we think about things like attribution, making assessments of whether some of those thresholds are crossed, it’s not for us to make those determinations, but it is for us to, kind of, be involved in sharing that data and collaborating. And the more, kind of, consistency, as Harriet was, sort of, moving onto, in terms of consistency between states and in partnership with us and with the, kind of, multistakeholder model, I think is very important.
Elizabeth Wilmshurst CMG QC
Thank you very much, indeed. We have a question right at the back.
Bob Akimamian
Thank you very much for taking my question and thank you to your panel. I’m – I want to discuss…
Elizabeth Wilmshurst CMG QC
Sorry, your name?
Bob Akimamian
Bob Akimamian, I’m a Political and an Economic Analyst. On the question of legislating and enforcement, we’ve seen that with the drug trade, the enforcement is very little on – sanction on rogue nations is very little. So, my question is, what is the point of legislating on a crime when the funding for enforcement is not secure? And why, before legislation, we do not apply the cost-benefit of any law before actually putting it into force?
Elizabeth Wilmshurst CMG QC
Thank you, and I think the question of law, or legislation, is one that is coming up in the questions, as well, because there is a suggestion from the questions that rather than lay down strict rules, we should rely on caselaw and looking to what the Judges do. I think in this area, when we’re talking about international law, we’re not really, at this moment, talking about a treaty encapsulating all of this law. Indeed, there is a treaty, sorry, a treaty proposal. Henry – Harriet, perhaps you could talk about it, what the Russians would like us to do, because I mean, that is…
Harriet Moynihan
In relation to…
Elizabeth Wilmshurst CMG QC
…one approach, isn’t it, that you write – put it all into a treaty?
Harriet Moynihan
Yes, and so…
Elizabeth Wilmshurst CMG QC
Does – yeah?
Harriet Moynihan
And the UN process, as many will know, which is the group of government experts as it was, and now with the Open-ended Working Group, which has continued the work of the Open-ended Working Group and gov – group of government experts, there have been different views about how to, I suppose, take forward international agreement on international law in cyberspace. And certain states, including Russia and China, have proposed a treaty, which I suppose in international law is like a legislative instrument. At the moment, we don’t have that, apart from the Budapest Convention, in relation to cybercrime, which the Attorney General mentioned. So, we’re in the realm of customary international law.
And the idea of a treaty in any area of law is something that takes usually years to get a consensus on. So, it’s a very, sort of, on – long process. It’s also something that requires political will from states and in the current geopolitical climate, I think it is extremely unlikely that there would be any prospect of a treaty in this area, because states have very different views. And there’s also, I think, the argument that current international law, the whole body of international law, applies in cyberspace. That’s been found and upheld by the UN, by member states, by many international organisations and regional organisations, and therefore, there’s a query about whether there really needs to be a treaty in this area, because I think there is some quite productive debate going on about how these existing rules of international law and custom apply. And I think there’s real traction and real progress being made by looking at their application in practice, and speeches like today, which really get into, sort of, the weeds and the granularity of it. And I think they show that the current rules do apply quite well, can be adjusted for the purposes of cyberspace and that quite a lot of progress has been made over the last five years in that realm, without, in my view, needing to get into, you know, very politically fraught and long-winded discussions on treaties.
Elizabeth Wilmshurst CMG QC
Thank you. Another question back here.
Hugo Barker
Hi, Hugo Barker. I’m particularly interested in the jurisdiction of states in the cyberspace. It’s something the Attorney General touched on. I think there’s an interesting question when we get to the idea of the metaverse, is where does statehood start and where does it stop and what obligations do states have in the metaverse and where do they, kind of, interact with it, and how does international law interact in a virtual space? And an add-on question that may be a bit cheeky is, do you think a virtual state could exist, something that is entirely online, has the rights and the obligations of a state, and how do you think other states should interact with that?
Elizabeth Wilmshurst CMG QC
Okay, purely because of the time, I’m going to take your first question on jurisdiction and I’m going to add to it another question, which comes online, from Glenn Gurstell, who is really talking about what happens within the state. If there are lots of private actors within the state who are carrying out cyber ops outside the state, to what extent does that state, knowing that it’s got all these wicked private organisations – “at what stage is the state itself responsible under international law?” Who would like to take those questions? Doug, we haven’t heard from you recently.
Douglas Wilson OBE
Sure, I mean, in answer to the question on the metaverse, I’m tempted to say give us four years and come back here and we’ll have another speech exactly on that point. But I do think, what with the application of the principles and rules and obligations that were covered in the Attorney’s speech tonight and four years ago, actually would apply to many aspects of the metaverse. And your talk about a kind of, crypto state, you know, I think international law would be challenged by that because of the lack of a territorial component and – but it’s certainly an interesting concept.
In – on the idea about attribution, I think the…
Elizabeth Wilmshurst CMG QC
Sorry, I put the question wrongly. I think it’s really about due diligence. Why – when is a state responsible for what goes on in its territory by other people?
Douglas Wilson OBE
Well, I think it’s both, isn’t it? It’s about attribution and due diligence and if it – you know, there are plenty of situations – if you look at the recent actual attributions by states like the UK, or other allies, you’ll see situations where the attribution to a state has been classic state responsibility rules on attribution, and it’s a state – it’s a proxy actor carrying out activity at the direction or control of a state. It might be that a state is unwilling or unable to take action against it.
But in terms of due diligence, that’s a – you know, there’s a lot of discussion about that. In fact, there’s a very good article on it in a recent International Law Quarterly, by a member of AGO, Neil McDonald, who’s sitting over there, all embarrassed. And that actually looks at the real practical impact of due diligence and surveys the law in other areas where we have specific provisions of treaties that ask its – in the various sectors, for countries to do certain things and to keep their own house in order. And what we don’t have is that in cyberspace, yet, and I think when it comes to both the existence of such a rule and really, crucially, its content, it’s something where states and for democratic states, their elected representatives, it’s something where they need a voice. So, it’s – that’s, if you like, the basis for the UK’s, I would say, sort of, cautiousness or scepticism on there being a principle that’s evident right now and the content of which is clearly understood and shared amongst states.
Elizabeth Wilmshurst CMG QC
Thank you. I want to turn now to Ukraine, because it’s obviously in all of our minds. Simon, what are you seeing, in terms of cyb – of the cyber dimension to the conflict in Ukraine, and how does it impact this discussion?
Simon Mehdian-Staffell
Well, completely – we’ve already heard Jeremy Fleming’s quote today, “We’ve had cyber in this conflict and lots of it.” I completely agree with that. This morning we had another speech today. Microsoft President, Brad Smith, gave a speech in London where he…
Shehzad Charania CBE
Not at Chatham House?
Simon Mehdian-Staffell
Not at Chatham House, at a Microsoft Envision event.
Shehzad Charania CBE
Oh, that’s…
Simon Mehdian-Staffell
So, we’ve had quite a day of big speeches, and he talked about how “We see Ukraine as the first major hybrid war.” And he’s pointed out that that’s a real historically significant shift, in terms of how we’re seeing warfare playing out, but also the implications of how that’s playing out for the cyber domain in peacetime, as well, and very relevant to the speech this evening. And as Brad pointed out earlier, some of the first shots were fired in cyberspace and we saw that through some of the recent reporting that we’ve done.
So, we’ve put a big report out on what we’ve seen in Ukraine over the last few weeks, but there’s been lots of others, as well, from companies, as well as some of the great reporting that’s been done by the Ukraine Government. So, a few weeks ago we were talking about 237 distinct operations, 40 destructive attacks, and when we’re talking about destructive attacks, importantly, very much crossing – we’re going well beyond some of the thresholds talked about in the speech tonight, but also crossing multiple different kinds of sectors, different kinds of technology.
So, destructive attacks against the energy sector, which were referred to in the speech, and our report was referred to in the speech, but then, also, multiple sectors being attacked and crossing technologies and crossing sectors. And that, kind of, hybrid nature is important, particularly when we’re thinking about definitions and thresholds and at what point something would be considered to be considered an armed conf – an armed attack or, indeed, in peacetime, with some of those techniques and tactics, how multiple tactics used at once would be tracked.
So, the hybrid nature of what we’re seeing in war is clearly important. I could – there are so many different implications, I’d suggest looking at – listening to Brad’s speech to hear lots more of them, but maybe if I just point to three. The first I would highlight is that IT, clearly, is sustaining a huge amount of the government in – the government’s ability to operate and then wider infrastructure within Ukraine. And the implications of that, I think, potentially, people had not realised until the rapid shift that had to be taken within the start of the conflict, to keep Ukraine, essentially, online.
So, Microsoft did a lot of work, which again, we’ve included in some of our public reports, talking about how we, essentially, shifted the Ukraine Government to the Cloud, multiple government departments used from on premise servers to the Cloud. And so, the role of service providers, like Microsoft, in that – in keeping the government functioning, is really a sort of, wakeup call in this question of, sort of, resilience for a government and also for critical sectors and a really powerful example of the challenge, which clearly, that’s, in a warfare example, but has real implications for times of peace, as well.
And the second one I’d point to is this question of, who are the players in that conflict? Who are the, kind of, key in – people in the frontline, if you like, who are needing to respond to that conflict? In Ukraine, as well as, you know, people obviously involved in the military fighting, IT Administrators sometimes were responsible for keeping some of these critical sectors online and are, in a sense, in the frontline of that cyber domain conflict. And again, clearly, that’s got implications for thinking about people in those kinds of roles and people, you know, running and managing services in other conflicts and in peacetime.
And the third one, just quickly, just to point to, is the interplay between these cyber campaigns and the disinformation campaigns and other kinds of tactics, as well. And so, there was a point made earlier about information theft, or even potentially, you know, information warfare, being outside of the definition. But what we’ve seen in Ukraine is a real interplay between those tactics. So, we’ve seen, for example, prepositioning of malware on government systems in advance of then exploiting that malware early on, wiper malware, for example, before then going in later and exploiting that malware. But also, we’ve seen prepositioning of disinformation and then, later, going back to reference that disinformation. So, similar tactics, potentially for the same objective, but very different kinds of disciplines and tactics being used. So, that crossover between disinformation and cyber I’d point to, as well, as being a thing.
Elizabeth Wilmshurst CMG QC
Thank you. Shehzad, I bet you know something about this.
Shehzad Charania CBE
So, I think what I would say on this is that the National Cyber Security Centre has been particularly interesting on this, because up ‘til – you know, certainly in the early days and the first few weeks of the conflict, there was lots of discussion about why we haven’t seen any cyber. What – you know, there was this, kind of, perhaps far-fetched expectation that this would be ‘Cybergeddon’ in today’s era. The NCSC has been clear that we have seen cyber and the Microsoft report that the Attorney referred to and that Simon’s just talked about, is very clear on that, as was Jeremy at Cyber UK last week. What NCSC have said is that “We have seen what we would have expected to see.”
Elizabeth Wilmshurst CMG QC
You’re meaning cyber operations by Russia against…?
Shehzad Charania CBE
Yes, exactly, “We have seen what we would have expected to see.” So, there was a lot of intent demonstrated in the build-up to the invasion. There have, or there has been, attributions made, subsequently, just last week the Viasat attribution made by UK, US and its allies. And that, you know, that’s a particularly interesting attribution, because it really goes to – I think it’s to some sense, what we were talking about being a responsible cyber power, where you saw the – as with NotPetya, you saw the spill-over effects extending all the way into Europe, into Germany, into Poland.
So, I think it’s – just to repeat that point that the NCSC have made, we have seen cyber in this conflict, we’ve seen what we would’ve expected to see, but it’s important to note, too, that one of the reasons it hasn’t been so much worse in the cyber context is because of Ukrainian resilience. And over the years, probably since 2014, actually, when we first started seeing these mass cyber intrusions, the UK, US, partners in industry, have worked with Ukraine to bolster their resilience. So, that is a big part, I think, of why the cyber intrusions, the cyber fallout, hasn’t been worse than what we’ve seen.
Elizabeth Wilmshurst CMG QC
Thank you. Anything to add? No. We’re going to close now. I’m sorry that I haven’t been able to pick up all of the questions online and I’m sorry we haven’t been able to answer the questions, which go beyond our scope. But I hope you’ll join me now with thanking, very much, our panellists, and I hope you will convey our thanks to the Attorney General [applause].