International tension over alleged nation-state backed cyber attacks on governments and the private sector has been mirrored with the recent failure of a United Nations advisory body to come to a consensus on what rights states have to reply to online incidents.
It’s a failure that a Canadian government official on Tuesday called regrettable and a backwards step considering two previous meetings of the group over the past decade were able to reach consensus on cyber norms of behavior and release a final report.
However, this time some unnamed countries refused to agree that some principles of international law apply in cyberspace on legal issues such as the inherent right of self-defense, an agreement that would have put some limit on states’ use of computing power after a computer attack. But some countries are apparently willing to equate a cyber attack with an armed attack and feel they can respond using any kind of force.
The issue of the applicability of existing international law is important: Some think cyberspace requires new treaties to limit what countries can do to one another online, but it would simplify things if existing law could be used to prosecute or at least limit the effort of offenders. That, however, needs international agreement.
Officially, Global Affairs Canada said Tuesday that “we regret that the UN Group of Governmental Experts was unable to agree to a consensus report, as some did not agree to language that affirms that existing UN Charter provisions. The UN Charter promotes stability both by deterring malicious acts and by confirming that there are constraints on state actions.”
But in an interview for background a government official said the lack of consensus on international law is “a bit of step backwards” because the 2014-2015 round of the GGE did include such a statement.
Still, he doubted the failure of unanimity on a final text means it will be open season for countries to engage in cyber war. “I don’t think so because this [committee’s work] is non-binding,” he said, “but it is serious in the sense that we believe that all countries should accept certain rules of behavior in cyber space.”
Imran Ahmad, national leader of the cyber security law practice at the Canadian law firm of Miller Thomson LLP and a member of the advisory board of the Canadian Advanced Technologies Alliance’s (CATA) cyber security council, called the failure “not surprising.” Obviously some states want to reserve the right to be able to retaliate, either overtly or more likely covertly, he said in an interview.
It’s hard to say whether state-sponsored cyber attacks will increase because the GGE group has failed to reach a consensus, he also said. But, he noted, several years ago alleged state-sponsored attacks mainly dealt with the theft of information, whereas the more recent trend is disruption of government and corporate operations.
Word of the failure of the GGE came out last week when the United States’ delegate to the Group issued a statement saying it would be “a troubling and potentially destabilizing signal” for the GGE to release a report “that does not take a clear position on the applicability of these bodies of international law” to states’ use of information and communications technologies on the Internet.
“Despite years of discussion and study, some participants continue to contend that it is premature to make such a determination and, in fact, seem to want to walk back progress made in previous GGE reports,” Michele Markoff, the U.S. State Department’s deputy co-ordinator for cyber issues, said in the statement. “I am coming to the unfortunate conclusion that those who are unwilling to affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions. That is a dangerous and unsupportable view, and it is one that I unequivocally reject.”
The Group of Experts was first formed in 2004 to study how international legal rules and principles apply to the use of ICTs. While their reports – when they agree – aren’t legally binding, some have been adopted by the UN General Assembly.
Membership of the Group has changed over the years, although it always includes the U.S., Russia and China. This most recent session, for 2016-17, included Canada.
The issue of government norms of behavior in cyber space is complicated. In its two previous reports (for 2012-13 and 2013-14) the Group of Experts included the principle that existing international law applies to the digital space to reduce risks to international security, and developed recommended norms and principles of responsible behaviour of states in cyberspace. (See the 2013 report, which recommended further study to promote common understandings on how such norms apply to state behaviour and the use of communications technology by countries.)
In 2015 the GGE added three new norms of behavior, including that states not target each other’s critical infrastructure during times of peace; that first responders (such as computer emergency response teams, or CERTs) not be targeted; and that if a state suffers a malicious incident from a group in another country and requests remediation help from the attacking state, it won’t be denied.
In its submission to the Group last year, Canada said it was “pleased to see a clear affirmation by states [in previous reports] of the applicability of international law in cyberspace as the cornerstone for norms and principles for responsible state behaviour.”
Among existing international legal instruments relevant to cyberspace are International Human Rights Law and International Humanitarian Law, the position paper said.
Some observers suspect that the resistance to allowing international law to apply in cyberspace, and allowing the right of self-defence, is mixed with the problem of accurately attributing the source of an attack.
According to Digital Watch, a newsletter of the Geneva Internet Platform, while previous GGE reports will remain valid and applicable, the failure this time to reach consensus means the group’s future is uncertain. In its absence, states may move more towards bilateral agreements, it notes, such as the recently reached agreement between Canada and China where both countries promised their governments wouldn’t try to steal data from commercial companies.
The newsletter also quotes current GGE chair Karsten Geier of Germany as saying there was some agreement during the just-concluded session on issues such as emerging risks (including the use of cyberspace by terrorists), capacity-building measures to be undertaken, and confidence-building measures and norms (including raising awareness among senior decision-makers, conducting exercises, defining protocols for notifications about incidents, warnings when critical infrastructure is attacked, and preventing non-state actors from conducting cyber-attacks).
And the failure to agree on a final text doesn’t mean negotiations are over. The newsletter quoted Geier as saying most experts agreed they could work further on final changes to create an approved text.