In discussions to date about how international law applies in cyberspace, commentators have tended to focus their attention on how the rules on the use of force, or the law of armed conflict, apply to cyber activities conducted by states that give rise to physical damage, injury or death.

But in practice, the vast majority of state cyberattacks fall below this threshold. Far more common are persistent, low-level attacks that may leave no physical trace but that are capable of doing significant damage to a state’s ability to control its systems, often at serious economic cost.

Such cyber incursions might include network disruptions in the operation of another government’s websites; tampering with electoral infrastructure to change or undermine the result; or using cyber means to destabilize another state’s financial sector.

For these kinds of cyber operation, the principle of sovereignty, and the principle of non-intervention in another state’s internal affairs, are the starting point.

A UN Group of Government Experts (GGE) agreed in 2013 and 2015 that the principles in the UN Charter, including sovereignty and the prohibition on intervention in another state’s affairs, apply to states’ activities in cyberspace. The 2015 GGE also recommended eleven (non-binding) norms of responsible state behaviour in cyberspace.

However, states have not yet reached agreement on how to apply these principles. Until recently, there has also been very little knowledge of what states actually do in cyberspace, as they usually conduct cyber operations covertly and have been reluctant to put their views on record.

A new Chatham House research paper analyses the application of the principles of sovereignty and non-intervention to state cyberattacks that fall below the principle of use of force. As well as analysing the application of the law in this area, the paper also makes recommendations to governments on how they might best make progress in reaching agreement in this area.

Existing rules or new rules?

As the research paper makes clear, there is currently some debate, principally between countries in the West, about the extent to which sovereignty is a legally binding rule in the context of cyberspace and, if so, how it and the principle of non-intervention might apply in practice.

In the last few years, certain states have put on record how they consider international law to apply to states’ activities in cyberspace, namely the UK, Australia, France and the Netherlands. While there may be some differences in their approaches, which are discussed in the paper, there also remains important common ground: namely, that existing international law already provides a solid framework for regulating states’ cyber activities, as it regulates every other domain of state-to-state activity.

There is also an emerging trend for states to work together when attributing cyberattacks to hostile states, enabling them to call out malign cyber activity when it violates international law. (See, for example, the joint statements made in relation to the NotPetya cyber attack and malicious cyber activity attributed to the Russian government).

However, other countries have questioned whether existing international law as it stands is capable of regulating states’ cyber interactions and have called for ‘new legal instruments’ in this area.

This includes a proposal by the Shanghai Cooperation Organization (led by Russia and China) for an International Code of Conduct on Information Security, a draft of which was submitted to the UN in 2011 and 2015, without success. The UN has also formed a new Open-Ended Working Group (OEWG) under a resolution proposed by Russia to consider how international law applies to states’ activities in cyberspace.

The resolution establishing the OEWG, which began work earlier this year, includes the possibility of the group ‘introducing changes to the rules, norms and principles of responsible behaviour of States’ agreed in the 2013 and 2015 GGE reports. In the OEWG discussions at the UN in September, several countries claimed that a new legal instrument was needed to fill the ‘legal vacuum’ (Cuba) or ‘the gap of ungoverned areas’ (Indonesia).

It would be concerning if the hard-won consensus on the application of international law to cyberspace that has been reached at past GGEs started to unravel. In contrast to 2013 and 2015, the 2017 meeting failed to reach an agreement.

On 9 December, a renewed GGE will meet in New York, but the existence of the OEWG exploring the same issues in a separate process reflects the fact that cyber norms have become an area of geopolitical rivalry.

Aside from the application of international law, states are also adopting divergent approaches to the domestic regulation of cyberspace within their own territory. The emerging trend towards a ‘splinternet’ – i.e. between states that believe the internet should be global and open on the hand, and those that favour a ‘sovereignty and control’ model on the other  – is also likely to make discussions at the GGE more challenging.

Distinct from the international law concept of sovereignty is the notion of ‘cybersovereignty’, a term coined by China to describe the wide-ranging powers it assumes under domestic law to regulate its citizens’ access to the internet and personal data within its territory. This approach is catching on (as reflected in Russia’s recently enacted ‘Sovereign Internet Law’), with other authoritarian states likely to follow suit.

The importance of non-state actors

In parallel with regional and UN discussions on how international law applies, a number of initiatives by non-state actors have also sought to establish voluntary principles about responsible state behaviour in cyberspace.

The Global Commission on the Stability of Cyberspace, a multi-stakeholder body that has proposed principles, norms and recommendations to guide responsible behaviour by all parties in cyberspace, recently published its final report. The Cybersecurity Tech Accord  aims to promote collaboration between tech companies on stability and resilience in cyberspace. President Macron’s ‘Paris Call for Trust and Security in Cyberspace’ has to date received the backing of 67 states, 139 international and civil society organizations, and 358 private-sector organizations.

It remains to be seen in the long term whether the parallel processes at the UN will work constructively together or be competitive. But notwithstanding the challenging geopolitical backdrop, the UN GGE meeting next week at the least offers states the opportunity to consolidate and build on the results of past meetings; to increase knowledge and discussion about how international law might apply; and to encourage more states to put their own views of these issues on the record.

The International Criminal Court cannot act when crimes are being genuinely prosecuted in a state. The meeting will discuss whether the ICC complementarity rules apply when a state puts restrictions on the prosecution of war crimes committed in particular circumstances or within a particular time period. In this context, the discussion will also cover the extent to which such restrictions are precluded by international obligations such as those in the Geneva Conventions with regard to the investigation and prosecution of war crimes.

Summary

• The 70th anniversary of the adoption of the 1949 Geneva Conventions was commemorated in 2019. But violations of the Conventions and of the 1977 Additional Protocols are widespread.
• Contemporary conflicts have been marked by violations of some of the foundational rules of international humanitarian law (IHL) relating to the protection of the wounded and sick and of providers of medical assistance.
• A further area of IHL that has come under strain and scrutiny are the rules regulating humanitarian relief operations and their application to sieges and blockades.
• War has a huge impact on children, and the treatment of children in armed conflict is another area of the law that requires further attention.
• In the current political climate, it is unlikely that new treaties will be negotiated to address emerging issues or uncertainties in the law.
• Other measures must be explored, including the adoption of domestic measures to implement existing law; support for processes that interpret the law; and initiatives to promote compliance with the law by organized armed groups.
• One overarching challenge is the interplay between IHL and counterterrorism measures. It can undermine the protections set out in IHL, and hinder principled humanitarian action and activities to promote compliance with the law by organized armed groups.

This workshop is the second in a series in the 'Implementing the Commonwealth Cybersecurity Agenda' project. The workshop aims to provide a multi-stakeholder pan-Commonwealth platform to discuss how to take the implementation of the 'Commonwealth Cyber Declaration' forward with a focus on the second pillar of the declaration – building the foundations of an effective national cybersecurity response with eight action points. 

As such, the workshop gathers different project implementers under the UK Foreign and Commonwealth Office’s Cyber Programme, in addition to other key relevant stakeholders from the global level, to explore ongoing initiatives which aim to deliver one or more of pillar two’s action points.

The workshop addresses issues from a global perspective and a Commonwealth perspective and will include presentations from selected partners from different Commonwealth countries.

With continuing instability at Europe's borders, along with uncertainty on future US support for NATO, many European countries are increasing their allocations to defence budgets and to collective European strategic defence. In addition, with non-state armed groups creating instability and threatening civilian lives and livelihoods in proximity to the EU’s borders, various operations have been carried out in conflict theatres in the Middle East, North Africa and the Sahel under the auspices of NATO, the UN, the EU or by single EU member states.

Although European military personnel have been deployed in many regions, with countries becoming more reluctant to deploy ‘boots on the ground’, warfare has been increasingly conducted through remote means. This has led to criticism on the limited transparency and accountability mechanisms at work in these operations, while some have questioned the military effectiveness of such tactics or the capacity and willingness of states to ensure that targets are struck accurately and without impact on civilian populations.

Against this background, the EU has started allocating resources to military research and development projects with a focus on unmanned systems and related technologies. Under the auspices of the European Defence Fund such funding is set to increase, while potential bilateral programmes between some states have also been explored. Despite concerns raised by the European Parliament, the development of these policies and technologies has taken place without significant consideration of what the legal, ethical and military-strategic impact of these instruments might be.    

This event will bring together a range of experts, policymakers and civil society organizations to discuss the technology horizon of European defence investments and policy developments around remote warfare. Participants will discuss the implications of the new EU defence fund, legal, ethical, and transparency issues in military research and development and the position of the EU as a global actor. 

This event is being organized in partnership with PAX Netherlands.

THIS EVENT IS NOW FULL AND REGISTRATION HAS CLOSED.

Internet regulation is increasing around the world creating positive obligations on internet providers and exerting negative unintended consequences on the internet infrastructure. In some ways, most of this regulatory activity is justifiable. Governments are concerned about the increased risk that the use of the internet brings to societies. As a response, many governments have been enacting regulations as their main approach to dealing with these concerns. The main challenge is that most of the current regulations are either ill-defined or unworkable.  

On the one hand, several governments have established procedures that seek to analyze the impacts of new regulatory proposals before they were adopted. However, there hasn’t been enough attention aimed at analyzing regulations after they have been adopted and only a few have measures in place to evaluate the impacts of the procedures and practices that govern the regulatory process itself.

On the other hand, much of the regulation creates unintended consequences to the internet itself. It undermines many of its fundamental properties and challenges the integrity and resiliency of its infrastructure.  

This event discusses current practices in internet-related regulation and the related challenges. Panellists will discuss how governments can enforce regulations that achieve their intended purpose while at the same time protecting the internet’s core infrastructure and its properties, including its openness, interoperability and global reach.