One could say that the wish list for cyber-peace was already written in 2015, when states agreed on some rules of behaviour in cyberspace - including that existing international law applies to it. Are we good to go? Not so fast. The devil is in the details: The positions of states on what exactly this means for various cases of cyber-attacks and accusations stand across the sides of the abyss. Geo-political tensions crumble the edges further. Will two groups of diplomats – from the GGE and the OEWG – manage to build a real bridge? Expectations are moderate, but hopes are high – as the alternative is a cyberspace that turns into a real battlefield.
In Part 1 we introduced the two processes - the GGE and the OEWG - and their main differences. What are the open issues on the agenda? Prior GGE reports, in particular the one from 2015, set the foundation for all the subsequent discussions. Some parties – notably the US and its allies – refer to this foundation as the cyber-stability framework (in the making), inviting others to adhere to it and to implement the agreed-upon measures. In reality, however, there are many open questions that remain unresolved before we observe practical success.
- How do existing international laws apply to cyberspace? In particular, (how) do international humanitarian laws and international human rights laws apply?
- How does the UN Charter apply to cyberspace? In particular, how can the concepts of sovereignty, ‘use of force’ and ‘armed attack’, or self-defence be defined in cyberspace?
- When (or which) cyber-operations violate sovereignty?
- In what other ways can countries respond to cyber-attacks?
- How should the attribution of cyber-attacks be conducted?
- Should (and can) due diligence be an obligation in cyberspace?
- How can state responsibility in cyberspace be applied?
- Do we need additional norms of state behaviour? And how can the existing norms be implemented?
What are the roles and responsibilities of non-state actors – in particular the private sector, technical community, and civil society – in developing and implementing norms and CBMs?
Rift in positions
An analysis of the official statements at the first substantial meeting of the OEWG already maps the initial positions of a number of states on some of these questions. By simplifying the positions on a grading scale – from clear support for a cause (such as the applicability of humanitarian law, or the need for an international treaty) to opposition (with some nuances) – allows us to visually map these positions.
In particular, a number of countries have a clear position that international humanitarian law applies to cyberspace, while a number of others clearly oppose this, warning that applicability would mean the militarisation of cyberspace. In between these positions, several countries – such as India and Pakistan – are cautious, and are asking for further research and discussions on the details of such issues, while a few others – namely Chile and Brazil – confirm applicability but are requesting additional clarifications.
The right to self-defence was already a big stumbling stone for a consensus of the fifth GGE in 2017. For some countries – such as Australia, Japan, and most of their western allies – the applicability of Article 51 of the UN Charter (the inherent right of self-defence in case of an armed attack) to cyberspace is clear. Other countries worry that this could transform cyberspace into a military zone. Some, like Malaysia, warn that the right to self-defence may be dangerous in the case of misattribution, and call for clarifying attribution issues first.
In general, small and developing countries are concerned that cyber-attacks that originate from their territory – either under guidance or approval of state institutions, or due to poor network security on the national level which opens a space for third parties to co-ordinate cyber-attacks, or even due to erroneous or malicious attribution by others – could trigger severe responses, in particular by powerful states. While most discussions revolve around possible tensions between powerful actors (particularly the P5 countries), or possibly the response of these actors to attacks that originate in smaller ones, it is important to consider the risks of escalation in regions where conflict is already present or possible.
Related: For more about the challenges of attribution, you may look at the recording and the summary of the web discussion:
All of the currently established norms and CBMs are of voluntary nature, thus states should adhere to them, but are not bound. Some states, in particular the EU, Australia, the US, and their other western allies (although not all have reflected upon this issue directly at the OEWG), believe that the full applicability of existing international law, combined with the adherence to developed norms and CBMs, represents a sufficient international cyber-stability framework, and that there is no need for additional binding mechanisms, especially as it is not possible to reach consensus on an international treaty anytime soon. A number of other countries – such as Chile, Brazil and Columbia – believe that while the current framework is useful, new binding mechanisms will need to be gradually introduced to complement it. Another group of countries that includes Russia, China, and others are openly looking to develop an international treaty on cyberspace, possibly based on the resolution proposed by Russia and its partners from the Shanghai Cooperation Organisation.
Given the developments on another global treaty proposal on cybercrime – also proposed by Russia – it is possible that the push for an international treaty on cyberspace will strengthen. The OEWG could play a role in accelerating this process, but it is certain that such negotiations would be long and tiresome, played at the highest possible level.
A number of states, in their statements at the first OEWG meeting, raised cybercrime as an issue that should be part of the discussions at the OEWG, and of norms-shaping dialogues in general. Several others, on the other hand, were clearly against having cybercrime on the discussion agenda of the OEWG, stipulating that there are other fora where this topic is being discussed.
It is worth re-emphasising that the visualisations above are not only simplified, but also take into account only the statements by participating states at the first substantial meeting of the OEWG. Therefore, these visualisations currently serve as mere indicators of trends. As time passes, however, other statements and official positions will also be taken into consideration, and the visualisations will be updated on the Digital Watch page to become more representative.
Getting into the nitty-gritty
Already, new developments are being reported that will shape the discussions, particularly at the GGE, where there are more in-depth discussions on how international laws apply.
Following its mandate (Res 73/266), which requires states to provide contributions on how international law applies to cyberspace, France and the Netherlands have publicly presented their very detailed positions. In June, the French Ministry of Defence published a white paper clarifying its position on the application of international law in regard to military operations in cyberspace, and in particular how France understands the application of international humanitarian law and the UN Charter in times of peace and war. In October, the Foreign Minister of the Netherlands followed that up with a very detailed Dutch public position, looking into, among other issues, their understanding of the concept of sovereignty in cyberspace, the nuances of defining use of force and armed attack depending on the effects of the cyber attack, the obligations of due diligence, the applicability of human rights law, and others. There is hope that the two countries may have set such detailed public positioning in motion, and that we will hear from other GGE members in the near future as well.
Related: For more about the challenges of the applicability of international law, you may look at the recording and the summary of a web discussion:
The joint statement issued at the end of September by the US State Department, and affirmed by 26 other countries – this includes its Five Eyes partners, 18 out of 28 EU states (including Germany and France), as well as Norway, Japan, South Korea, and Columbia – in essence does not stipulate anything new, except for the pledge for further collective attribution and response to acts that are contrary to the agreed-upon global framework (in which countermeasures will be ‘transparent and consistent with international law’).
Proposals for new norms have also been tabled by various parties. Most notably, the final report by the Global Commission on Stability of Cyberspace re-iterates their proposal for eight new voluntary norms, related to not attacking the public core of the Internet nor electoral infrastructure, not tampering with products or services, not using general ICT resources as botnets or similar tools, promoting disclosure of vulnerabilities, prioritising product security, enhancing cyber hygiene, and preventing the engagement of non-state actors in cyber-operations. In addition, China has proposed several possible new norms in its official submission to the first meeting of the OEWG, in particular related to the security of supply chains. This includes preventing states from exploiting their dominant position in infrastructure and core technologies in order to undermine other states’ control over goods and services, and not using national security as a pretext for limiting the export of high-tech products.
Interestingly, even the annual global Internet Governance Forum (IGF), which just concluded in Berlin, has put a lot of focus on cyber-norms. Cybersecurity sessions at the IGF were dominated by discussions related to the development and implementation of norms, the challenges of the applicability of international law to cyberspace, possible approaches to better attribution, and ways to embed broader perspectives – in particular human rights – into high-level discussions at the UN. As an open multi-stakeholder forum, the IGF has the potential to extend the dialogue between decision-makers and the technical community (including CERTs), the private sector (particularly Internet and online-service providers, software and hardware vendors, and security companies), and civil society organisations (especially human rights advocacy groups, and research and capacity-building organisations). In general, the roles and responsibilities of different stakeholders in regard to shaping and implementing norms and CBMs – already discussed to some extent in the Geneva Dialogue on Responsible Behaviour in Cyberspace – will be increasingly important to clarify and follow up on.
Related: For more about what responsible behaviour in cyberspace is, and what the roles of the private sector and civil society could be, you may look at the recording and the summary of the Geneva Dialogue for Responsible Behaviour in Cyberspace web discussions:
Which of the many ideas and proposals will find their way on the GGE and OEWG agendas? Time will show. One thing is certain: we can expect some very interesting discussions in the years ahead. Whether the New Year’s wishes of cyber-diplomats come true – such as an effective compromise on the final report(s) – will depend solely on if the negotiators have good will and did their homework.