Hostname: page-component-cd9895bd7-jkksz Total loading time: 0 Render date: 2024-12-26T16:51:23.402Z Has data issue: false hasContentIssue false

On the Shelf, But Close at Hand: The Contribution of Non-State Initiatives to International Cyber Law

Published online by Cambridge University Press:  04 March 2019

Kubo Mačák*
Affiliation:
Senior Lecturer in Law, University of Exeter.
Rights & Permissions [Opens in a new window]

Extract

In late 2018, the New York Times reported that the U.S. Cyber Command had targeted individual Russian hackers in order to deter them from engaging in conduct that could affect the organization and outcome of the U.S. mid-term elections. This unusual preemptive step suggests that states are looking for creative solutions to safeguard their national interests in cyberspace. But to what extent should their conduct be guided by considerations of international law? In this essay, I explore several key aspects of that central conundrum. I argue that (1) we should see cyberspace as an underregulated (but not ungoverned) domain; (2) a main reason for that state of affairs lies in a unique strategic dilemma innate to the cyber domain; and (3) non-state initiatives, including the eponymous “rule book on the shelf,” have a critical role to play in the development of the law in this area.

Type
Essay
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.
Copyright
Copyright © 2019 by The American Society of International Law and Kubo Mačák

In late 2018, the New York Times reported that the U.S. Cyber Command had targeted individual Russian hackers in order to deter them from engaging in conduct that could affect the organization and outcome of the U.S. mid-term elections.Footnote 1 This unusual preemptive step suggests that states are looking for creative solutions to safeguard their national interests in cyberspace. But to what extent should their conduct be guided by considerations of international law? In this essay, I explore several key aspects of that central conundrum. I argue that (1) we should see cyberspace as an underregulated (but not ungoverned) domain; (2) a main reason for that state of affairs lies in a unique strategic dilemma innate to the cyber domain; and (3) non-state initiatives, including the eponymous “rule book on the shelf,”Footnote 2 have a critical role to play in the development of the law in this area.

The Underregulated Domain

In 2019, it is no longer seriously argued that the reach of existing legal rules is or should be limited to the offline world.Footnote 3 On the contrary, the most cyber-active nations have reached a consensus, expressed in two consecutive reports of a UN-mandated group of governmental experts, that international law is applicable to cyberspace.Footnote 4 Although progress in the work of the group halted in mid-2017, both competing visions for its revival (proposed by thirty-six and thirty-one countries, respectively) still fully endorse that baseline agreement.Footnote 5

Additionally, since the 1990s, states have occasionally floated the idea of a global cyber treaty.Footnote 6 Most recently, China, Russia, and several Central Asian nations put forward two consecutive versions of a “Code of Conduct for Information Security.”Footnote 7 However, a few crucial provisions in the Code were off-putting to their Western counterparts. For instance, the duty to cooperate in combating terrorism, separatism and extremismFootnote 8 has given rise to criticism that such a wide formulation might have a negative impact on human rights.Footnote 9 As the United States noted in rejecting the instrument, it “cannot support approaches proposed in the draft Code … that would only legitimize repressive state practices.”Footnote 10

To be sure, repeated failures of proposals with global ambitions underscore Dan Efrony and Yuval Shany's analysis that cyberspace is “exceptionally difficult to regulate.”Footnote 11 Still, it is certainly imaginable that the cyber domain might one day be governed by a global binding agreement. After all, many other areas marked by nonnational spaces and/or shared resources have proved susceptible to such regulation, including Antarctica,Footnote 12 outer space,Footnote 13 or the high seas.Footnote 14 So how likely is it that there is going to be, say, a 2025 Cyberspace Treaty?

Not very. This is due to a complex mix of reasons. The digital domain may still be awaiting its “constitutional moment,” a transformative event that would galvanize states into action and bring their representatives to the negotiating table.Footnote 15 The technology probably keeps evolving too fast to allow for a meaningful consolidation of interests, a necessary precursor to any drafting exercise.Footnote 16 Relatedly, accurate technical attribution of conduct in cyberspace remains a problem,Footnote 17 which in turn undermines potential verification efforts—and why bother drafting a treaty the compliance with which cannot be properly verified?Footnote 18 All these reasons weaken the prospects of a global cyber convention. However, the principal obstacle to state-led lawmaking in the area of international cyber law arguably lies in an unprecedented dilemma posed by the unique nature of cyberspace.

The Glass House Dilemma

Asymmetries of cyberspace mean that the most powerful nations are, in a peculiar way, also the most vulnerable ones. In other spheres of human activity, states that wield the greatest power generally seek the greatest latitude for their actions and thus usually endorse permissive norms of behavior. Conversely, as a rule, weaker states support restrictive norms, seen as shields against their more powerful adversaries. Accordingly, major maritime powers have historically preferred norms that strengthened the freedom of the seas, whereas coastal states have insisted on projecting their sovereignty seawards.Footnote 19

The situation is much less straightforward in the cyber domain. Paradoxically, the more a society relies on its cyber capabilities, the more it becomes vulnerable to malicious cyber operations. On the offensive side, cyber powers may thus prefer permissive rules that would leave some leeway for stone-throwing. But on defense, those same states desperately need restrictive rules to protect the elaborate glass houses they are sitting in. Any development of rules of behavior in cyberspace thus needs to address not only the usual diversity of views held by various states, but also the schizophrenic and sometimes mutually exclusive interests that an individual state may hold.

The best illustration of this dilemma is in the legal qualification of low-level cyber attacks that have come to define our time. Consider, for instance, the statement issued by the British National Cyber Security Centre (NCSC) in October 2018, which attributed a series of cyber attacks against various targets in the United Kingdom and elsewhere to the GRU, the Russian military intelligence service.Footnote 20 It expressly noted that “[t]hese attacks have been conducted in flagrant violation of international law,” but, remarkably, the statement did not explain which specific international obligations had allegedly been breached.Footnote 21

Specifically, the NCSC noted that the GRU was “almost certainly responsible” for accessing e-mail accounts belonging to an unnamed UK-based TV station and for stealing their contents.Footnote 22 Similarly, it considered the GRU “almost certainly responsible” for attempting to compromise computer systems belonging to the Foreign and Commonwealth Office (FCO) and the Defence and Science Technology Laboratory (DSTL).Footnote 23 Such cyber operations can hardly be described as examples of friendly or responsible behavior. However, it is less certain that this conduct actually violated specific rules of international law.

The most obvious argument that the United Kingdom could have relied on, as noted by Jeffrey Biller and Michael Schmitt, is that interference with computer systems on UK territory without its consent violated its sovereignty.Footnote 24 Tallinn Manual 2.0 sets out the framework for such an argument in its Rule 4, which prescribes that “[a] State must not conduct cyber operations that violate the sovereignty of another State.”Footnote 25 However, the Tallinn framework does not equate all interference with a violation. Rather, the experts considered that interference with cyber infrastructure (such as computer systems belonging to a private TV station) would, at a minimum, need to result in a loss of functionality of that infrastructure for the Rule to be violated.Footnote 26 It is unlikely that such effect materialized through the cyber operations against the e-mail accounts of the affected British TV station if they were limited to the exfiltration of data. By contrast, with respect to operations such as those against the FCO and DSTL, the Tallinn commentary considers that “changing or deleting data such that it interferes with … the effective conduct of diplomacy [or] the performance of key national defence activities” could undermine a state's exercise of one of its inherently governmental functions and thus violate its sovereignty.Footnote 27 Depending on the actual or intended effect of those operations, the United Kingdom thus could have argued that Russia violated its rights based on the Tallinn interpretation of the law.

However, earlier in 2018, the United Kingdom expressly repudiated the view that nonconsensual interference in the computer networks of another state amounts to a violation of that state's sovereignty.Footnote 28 Instead, in a speech by its Attorney General, the United Kingdom endorsed the position “that there is no such rule as a matter of current international law.”Footnote 29 This obviously reduced the United Kingdom's room for maneuver when it came to the legal qualification of the alleged Russian cyber operations.Footnote 30 It also likely explains why the NCSC statement did not contain any legal reasoning in support of the accusations.

This example illustrates the difficult dilemma faced by states that use their cyber capabilities in both offensive and defensive ways. In offence, it is in the United Kingdom's interest to “interpret down” the applicable law and assert, as the Attorney General did, that low-level attacks do not violate any existing international legal rules. Conversely, in defense, the United Kingdom's interest is to “interpret up” the law and insist, as the NCSC statement did, that such attacks do amount to violations. These interpretive dances are not only of symbolic value. When a state is the victim of a violation of international law, it is entitled to take action to compel the responsible state to stop, even if that action would otherwise be unlawful.Footnote 31 Any such conduct in response is governed by the law of countermeasures, the applicability of which to cyberspace has been expressly endorsed by the United Kingdom.Footnote 32

The glass house dilemma is a key element of the “perfect storm” of challenges for the regulation of cyberspace described in the lead article.Footnote 33 As the UK example shows, even those states that desire to move away from Efrony and Shany's “policy of optionality”Footnote 34 may find themselves torn between particular interpretations of international cyber law. By contrast, other domains are considerably more linear in terms of specific states’ interests. For instance, as the future Outer Space Treaty was being developed in the 1960s, the dividing lines lay between the capitalist West and the communist East, and between the space-faring nations and states without such capability.Footnote 35 No such clear categories have yet emerged in the complex world of cyberspace.Footnote 36

The Role of the Non-state Actors

Whatever the reason for states’ silence, it has generated a regulatory void, which has in turn prompted other actors to step in. Reflecting the current multistakeholder approach to cyberspace governance,Footnote 37 these actors are quite diverse. In addition to the two Tallinn groups of experts scrutinized in the lead article, they have included think tanks (EastWest Institute or Carnegie Endowment for International Peace), representatives of industry (Microsoft or Siemens), and ad hoc groupings (like the Global Commission on the Stability of Cyberspace (GCSC)).

What connects these efforts is their shared aim to articulate norms of state conduct in cyberspace. For instance, Microsoft called on states to “exercise restraint in developing cyber weapons” and to “commit to nonproliferation activities” concerning such weapons.Footnote 38 The Carnegie Endowment has pushed for a state commitment to refrain from conducting cyber operations that “undermine the integrity of data and algorithms of financial institutions.”Footnote 39 And the GCSC has proposed a norm package on the stability of cyberspace, which includes norms urging states to disclose known vulnerabilities and to enact basic cyber hygiene.Footnote 40

These initiatives serve as “norm-making laboratories” for states.Footnote 41 Ultimately, only states make international law; moreover, there are obvious question marks surrounding the legitimacy of endeavors initiated by private actors.Footnote 42 Still, these initiatives do contribute in important ways to “the pluralisation of international norm-making.”Footnote 43 The proliferation of cyber norms initiatives that are non–state driven but state-oriented gives states a unique opportunity to learn from, engage with, and react to those initiatives. It is these reactions that then become building blocks in the edifice of emerging rules of custom and interpretations of treaty rules—in other words, the law.

Several cyber-active (and predominantly Western) states have recognized the importance of these initiatives. For example, state representatives have described the Tallinn Manuals as “the first step in codifying cyber law,”Footnote 44 as an aid in the creation of national positions on international cyber law,Footnote 45 and as a “roadmap” for state action in cyberspace.Footnote 46 The GCSC has received funding from states including Estonia, the Netherlands, and Singapore. And in November 2018, France launched the nonbinding “Paris Call for Trust and Security in Cyberspace,” which was reportedly crafted jointly with Microsoft, and which more than fifty countries and two hundred other stakeholders subsequently signed.Footnote 47

However, what is more important than such pronouncements is the extent to which states meaningfully engage with the underlying initiatives. Precedents suggest that states do take some non-state-led proposals seriously. For example, the 1994 San Remo Manual on International Law Applicable to Armed Conflicts at Sea has greatly influenced the text of several national military manualsFootnote 48 and, in a submission to the International Court of Justice, the United States expressly stated that it considered most of its provisions to reflect customary law.Footnote 49 It is still early days for the cyber norms initiatives, but paradoxically even a repudiation of their interpretations (like the rejection of the Tallinn Manual's sovereignty-as-rule approach by the United Kingdom) confirms their growing influence. By providing much-needed nuance and granularity, non-state initiatives thus assist states in gradually resolving the glass house dilemma and help foster the international rule of law in the cyber domain.

Conclusion

The fact that a compilation of rules like the Tallinn Manual sits “on the shelves” of legal advisors around the world should not necessarily be seen as a weakness. To borrow an analogy from the culinary world, one doesn't really have to keep the cookbooks on the kitchen stove for them to have an impact on one's gastronomical creations. As long as the chef takes them “off the shelf” here and there and peruses them before beginning the next cooking adventure, they will probably have some influence on what the guests will consume that night. Like cookbooks, rulebooks (and other norms proposals) actually belong on the shelves—what matters is that they are easy to reach.

Footnotes

I am grateful to Ana Beduschi, Curtis Bradley, Ashley Deeks, Maggie Gardner, Fleur Johns, Tomáš Minárik, and Michael N. Schmitt for comments on earlier drafts.

References

3 Cf., e.g., David R. Johnson & David Post, Law and Borders: The Rise of Law in Cyberspace, 48 Stan. L. Rev. 1367 (1996).

5 See Draft Resolution: Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, UN Doc. A/C.1/73/L.37 (Oct. 18, 2018); Revised Draft Resolution: Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/C.1/73/L.27/Rev.1 (Oct. 29, 2018). Somewhat surprisingly, both proposals were approved by the First Committee of the UN General Assembly in November 2018.

6 See, e.g., Tim S. Wu, Cyberspace Sovereignty? The Internet and the International System, 10 Harv. J.L. & Tech. 647, 660 (1997) (noting a 1996 French proposal).

9 See, e.g., Leonhard Kreuzer, Disentangling the Cyber Security Debate, Völkerrechtsblog (June 20, 2018).

11 Efrony & Shany, supra note 2, at 652.

12 Antarctic Treaty, Dec. 1, 1959, 402 UNTS 71.

14 UN Convention on the Law of the Sea, Dec. 10, 1982, 1833 UNTS 397.

15 See Anne-Marie Slaughter & William Burke-White, An International Constitutional Moment, 43 Harv. Int'l L.J. 1, 2 (2002).

16 See, e.g., Andrew T. Guzman, How International Law Works: A Rational Choice Theory 129 (2008).

17 See also Efrony & Shany, supra note 2, at 632–33.

18 Jack Goldsmith, Cybersecurity Treaties: A Skeptical View 10–12 (2011).

19 See René-Jean Dupuy, The Sea Under National Competence, in 1 A Handbook on the New Law of the Sea 247 (René-Jean Dupuy & Daniel Vignes eds., 1991).

21 Id.

22 Id.

23 Id.

24 Jeffrey Biller & Michael Schmitt, Un-Caging the Bear? A Case Study in Cyber Opinio Juris and Unintended Consequences, EJIL: Talk! (Oct. 24, 2018).

25 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 17 (Michael N. Schmitt ed., 2017) [hereinafter Tallinn Manual 2.0].

26 Cf. id. at 20–21, para. 13. The experts could not agree on the precise threshold at which such loss of functionality constitutes a violation. Id.

27 Id. at 22, para. 16.

28 See Jeremy Wright, Cyber and International Law in the 21st Century (May 23, 2018).

29 Id.

30 Biller & Schmitt, supra note 24.

31 Articles on Responsibility of States for Internationally Wrongful Acts, in Int'l Law Comm'n Rep. on the Work of Its Fifty-Third Session, UN GAOR, 56th Sess., Arts. 22 and 49–53, UN Doc. A/56/10 (2001).

32 Wright, supra note 28.

33 Efrony & Shany, supra note 2, at 652.

34 Id. at 648–49.

35 Cf. Ram Jakhu, Evolution of the Outer Space Treaty, in 50 Years of the Outer Space Treaty 14–18 (Ajey Lele ed., 2017).

36 But see Zhixiong Huang & Kubo Mačák, Towards the International Rule of Law in Cyberspace: Contrasting Chinese and Western Approaches, 16 Chinese J. Int'l L. 271 (2017).

37 See further Joanna Kulesza, Multistakeholderism: Meaning and Implications, in Human Rights, the Digital Society and Law: A Research Companion (Mart Susi ed., forthcoming 2019).

40 Global Comm'n on the Stability of Cyberspace, Norm Package Singapore (Nov. 2018).

41 See Kubo Mačák, From Cyber Norms to Cyber Rules: Re-Engaging States as Law-Makers, 30 Leiden J. Int'l. L. 877, 894 (2017).

42 See, e.g., Louise Marie Hurel & Luisa Cruz Lobato, Unpacking Cyber Norms: Private Companies as Norm Entrepreneurs, 3(1) J. Cyber Pol'y 61, 67–70 (2018).

43 Jean d'Aspremont, Formalism and the Sources of International Law 222 (2011).

45 Kersti Kaljulaid, President of the Republic Opening Speech at CyCon 2017 (May 31, 2017).

47 Louise Matsakis, The US Sits out an International Cybersecurity Agreement, Wired (Nov. 11, 2018).

48 See, e.g., The Joint Service Manual of the Law of Armed Conflict vii (2004) (noting that the chapter on Maritime Warfare was “based substantially” on the San Remo Manual).

49 Case Concerning Oil Platforms (Iran v U.S.), Counter-Memorial and Counter-Claim, at 130 n.292 (June 23, 1997).