Less than a year ago, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (the ‘UN GGE’, for short) famously came to a deadlock in its determination of how international law applies to cyberspace. Comprising 25 states, the GGE was formed to debate the norms applicable to cyber activities in the international sphere – both the law as it stands today, as well as to recommend confidence-building measures amongst states. In 2013, the GGE’s historic pronouncement that international law applies to cyberspace changed the terms of the debate, opening up the question of how the law applies, and in what context.
Let us turn to 2017 to the 5th GGE. The issue concerned cyber warfare. A coalition of states, including the United States, wished the GGE to declare that the international law of war (jus ad bellum and jus in bello) applies to cyber warfare, and that both the inherent right of self-defence and the right to use countermeasures are applicable as well. However, certain other states, such as Cuba (and presumably, Russia and China), felt that such a declaration might lead to the “militarization of cyberspace”, and demurred. Thus, the GGE, which operates on principles of consensus, came to a deadlock, and for the first time since inception, dissolved without a report to show for its extensive deliberations.
This leaves cyberspace with massive lacunae in how international law operates. It is unclear how the norm-building discussions will go forward – and more importantly, where these discussions will be housed. Several suggestions have been raised, including an open-ended working group within the General Assembly, the constitution of a new GGE, and coalitions of similar-thinking states. While the way forward is far from clear, history has left us some examples to look to. But before we enter the how, we will explore the why of international norm-building.
International law is, after all, not a beast that affects our lives – or the lives of our states – on a daily basis, surely? We may wonder loud and angry at the use and effectiveness of international law in governing interstate relations. When, we may ask, has international law ever stopped a war, or recognized an international wrong, or been effective in stopping a state from doing wrong? The answers to these questions fall in the delicate space of international norm-building, and the ways in which states relate to each other.
States are autonomous creatures. Their very existence stems from their ability to be sovereign, to enter into independent, self-initiated relationships with other states, organisations and individuals. For instance, signing on to a bilateral or multilateral treaty is within a state’s prerogative and choice. As noted by the Permanent Court of International Justice in its famous 1927 S.S. Lotus decision, largely, states are free to do as they please, with the exception of some rules that are so universal that states cannot signal their disagreement with them, usually termed as jus cogens.
This, then, is the task of international law – to place boundaries upon the hubris of states to act as they please. It may do this in several ways; the Statute of the International Court of Justice recognizes four sources of international law. Limits may be placed upon state autonomy in the form of treaties, wherein states signal their express consent to norms laid down in the treaty. The Hague Conventions, which place limits on state action in times of war, or human rights instruments, which place duties and responsibilities on states vis-à-vis individuals and organisations, are examples. Of course, states may place reservations on their obligations under treaties, but as they are expressly done, it is a clear indication of the state of the law.
States may also accept limits on their autonomy in the form of customary international law. International custom comprises state acts that, consistently performed over an uninterrupted period of time, coalesce into legal norms. Custom must be accompanied by the belief that the rule is binding on states (called opinio juris). Take, for instance, the three-mile rule in the laws of the sea, where states exert their authority over three nautical miles outward into the sea. It reflects an international custom, as the practice of it is accompanied by opinio juris.
Well, now we know why an ‘international law of cyberspace’ is necessary; it is so we know what the states can and cannot do to each other and their citizens. The how of international law, however, is more complex. By now, it is well-documented that a cyberspace treaty is an imaginary beast. As international law stands today, there is far too little agreement to leave space for a cyberspace treaty. You could argue, of course, that it is too early for custom to develop, and you would be right. It took over two decades of state actions, followed by the International Law Commission’s surprising involvement, for the Law of the Sea to develop, and it is still uncertain that the treaty in entirety represents customary international law.
So how do we populate this open field? How should the international law of cyberspace develop? Of course, there are multiple ways, and states will no doubt offer their own suggestions. I offer two suggestions myself. The first is to get the International Law Commission involved. The ILC has decades of experience codifying international law (both primary and secondary). While a majority of its experience and success has been in the codification of secondary international law (‘rules about rules’, as Hart says), the ILC has also been instrumental in codifying the Law of the Sea, and in bringing to some semblance of coherence the rules on transboundary harm, and diplomatic and consular relations. Of course, primary rule codification by the ILC would most likely need to be confirmed by states in the form of a treaty or a convention, but we need not let that implausible eventuality stop us from our optimism over codification.
Not only this, but the ILC has already codified secondary rules of responsibility and attribution, which are no doubt crucial in cyber-related incidents. While the Tallinn Manual has done a tremendous job of transplanting the rules of attribution (among other primary rules) to cyberspace, we still need rules that are accepted expressly by states.
The second, and perhaps more plausible, suggestion is a form of active “I Spy”. Through their statements following major cyber incidents, states have already begun to give us a sense of what they consider international law boundaries to be. It is clear, from statements, that Russian interference in Estonia and Georgia constitute interferences with state sovereignty, while states have yet to expressly term the Stuxnet incident an act of use of force or an intervention. It is becoming clear that state influence on elections of another state using cyber means may constitute intervention, while the implications of that (countermeasures? threshold for the use of force?) are not yet clear. In sum, the crux of my second suggestion is this: Give it time, and keep an eye on state practice. This may be a space where publicists may genuinely make a difference, especially those with some influence on state apparatus.
Of course, a combination of methods to speed up norm-building will probably serve us best. Unlike nuclear power, we are as yet uncertain of the extent of cyber’s influence and impact. We are learning everyday: The Internet of Things has taught us that we now create a discrete home surveillance network with our gadgets, while Cambridge Analytica has shown that information about us is being used to manipulate our electoral choices. Stuxnet revealed the dangerous extent to which cyber can affect national security, while Estonia showed us that cyber operations are enough to stall a country in its tracks. Much like international law itself, we are still drawing the boundaries of cyber harms. And that is why any single norm-building method will not suffice: it will simply be too slow to keep pace with developments in cyber. And so, let us employ a multitude of methods. Within a year, the landscape of international law norms in cyber will look very different, and if we are observant, we can stay ahead of the developments, even as technology leads the way.