International law experts worry that the recent failure of a United Nations Group of Government Experts to reach unanimity on cyber law may lead to more state-backed online assaults.
“It’s certainly not positive this has happened, when you’re getting down to whether international law even applies (in cyberspace),” Kenneth Watkin, a retired Brigadier-General and former Judge Advocate General of the Canadian Forces said in an interview Monday.
The failed session could prompt some countries to think the ambiguity in international law has increased their flexibility in launching cyber probes against perceived enemies.
Watkin, an expert on the law of armed conflict, was careful to refrain from saying the failed session could lead to more “attacks,” noting that word has a certain meaning in international law. Instead he prefers to use the word “activity.”
“It certainly doesn’t mean there will be less,” he added.
But he also believes countries that were part of the Group of Government Experts (GGE) will continue talking. Many, he added, may follow international law or accepted norms of behavior in cyberspace, such as not launching a computer attack that damages critical infrastructure.
On the other hand Michael Schmitt, chairman of the Stockton Center for the Study of International Law at the United States Naval War College and project director of the Tallinn Manual, an extensive book on the applicability of international law in cyberspace, said the failure is “disappointing in a big way to those of us in the field, primarily because the agreement that was to be reached was hardly over issues that were in my view controversial as a matter of law.”
Refusing to accept the right of countries self-defence and applicability of humanitarian law to cyber operations is “like refusing to accept the world is round,” he said.
They were reacting to the failure for the first time in several sessions of the GGE to agree that some principles of current international law apply in cyberspace. The Group, with an expanding number of countries, has been meeting since 2004 to agree on how laws and rules limiting conventional war – such as an “armed attack” and the right to self-defense – apply in the cyber world.
Two previous closed door rounds produced unanimity. And while the reports aren’t binding law in themselves they have been adopted buy the UN and are treated as agreed upon norms of behavior. However, in the session that ended at the end of June some unnamed countries reportedly refused to agree to some wording that would equate a cyber attack with an “armed attack.”
One interpretation is a fear that equating the two would mean a country could respond to a cyber attack with bombs and an invasion. Another interpretation, however, is that by not agreeing to a definition countries have the freedom to launch and respond to cyber attacks any way they want.
That’s Schmitt’s worry. What’s going on now – with Russia allegedly behind the hack and leak of email from the U.S. Democratic Party and cyber attacks on Ukraine’s power grid, North Korea allegedly crippling South Korea’s banking system and China allegedly stealing information from Canada’s National Research Council “alarming.”
While espionage isn’t illegal in international law, there are too many gray areas in the law, Schmitt says, which is making cyberspace “unruly.”
These gray areas include
— What activity is a breach of national sovereignty? Obviously, destroying a power plant’s computer system qualifies. But what if a nation-state only manipulates data? Or only causes enough mayhem that power is out until systems are reset – say, a few hours?
–Where does the UN Charter’s right to self-defence kick in? The Charter’s Article 51 says a nation can act after an “armed attack.” Is a cyber attack on critical infrastructure an armed attack? Is it an armed attack if it merely maps a critical system but doesn’t destroy data? If it erases systems in a hospital and people die?
–Do countries have a responsibility for due diligence in cyber? Under current international law countries have an obligation to ensure their territories are not used by other countries or criminals to to the detriment of other states. Does it apply if a service provider in a country is used by a third state to host an attack?Does due diligence include preventive hunting for threats, or only reacting after threats have started?
–And arguably the trickiest, do the existing rules defining legal attribution of an armed attack apply in cyberspace? Without attribution, who can a victim country launch a response against?
This matters for a number of reasons: If the threshold for defining a cyber “armed attack” is high it will keep tensions low and encourage nations to respond to incidents with civil remedies like boycotts or expelling diplomats – as President Barack Obama did after U.S. intelligence agencies determined Russia was behind the Democratic Party hack.
On the other hand a low threshold might encourage cyber warfare, which has the “benefit” of being less physically violent than a bomber attack. That may be the preference of some countries. “In an asymmetric world cyber can be a great leveler,” notes Watkin, meaning a country doesn’t have to have a large military force to conduct cyber activity.
There isn’t a complete blank slate, Schmitt emphasizes. International law experts who have participated in the Tallinn process (named after the capital of Estonia, where meetings were first held) agreed some 154 rules apply to cyberspace, he said – although there isn’t complete agreement on how they apply (Yes this is an attack, but is the country’s legal response a counter-attack or a boycott of goods?)
Some mistakenly believe because there’s no global cyber treaty there’s no international law in cyberspace. But the unanswered questions leave room for mischief. “Until we get consensus of the gray areas and about what the appropriate responses are when there are violations of international law, it benefits a state to play around there,” Schmitt said.
Meanwhile both Schmitt and Walkin hope countries will continue to try an narrow their differences. Watkin notes that cyber law may end up the same as the Law of the Sea covering maritime disputes– a convention that not all countries have signed but one which is respected. A lot of controversial activity on the Internet is criminal or espionage and not cyber warfare, he also argues.
In the end the world is better off with consensus on international law as it applies to cyber space, Walkin said. “One of the great things about adoption of the UN Charter I would argue is that it has been a restraining influence on states regarding the use of force.”
Schmitt notes the Netherlands has launched what is called the Hague Process (after a conference held in the Hague), which encourages countries to increase their knowledge of international cyber law and to make negotiations less political. And, he said, if there is still no unanimity countries can still loudly and individually say where they stand on the applicability of existing international law.
”What I tell states is the sky has not fallen with the failure of the GGE,” Schmitt said. “Hopefully these processes will be re-invigorated, hopefully initiatives like the Dutch Hague Process will get traction. But nothing prevents your state from setting forth its position with regard to cyber norms, and it would be a positive move to do so.”
Canada signed the 2012-2013 report of the GGE on the applicability of international law in cyberspace, seeing it “as the cornerstone for norms and principles for responsible state behaviour.” Canada was a member of the Group that year.