The Application of International Law in Cyberspace: State of Play

October 25th, 2018

On 15 October 2018, a panel discussion entitled “The Application of International Law in Cyberspace: State of Play” took place as a First Committee side event of the General Assembly’s seventy-third session. The Permanent Missions of Austria, Estonia and Mexico co-sponsored the discussion with the Delegation of the European Union (EU) and the EU Institute for Security Studies.

Ambassador Jan Kickert, Permanent Representative of Austria to the United Nations, opened the event by calling for questions concerning not only whether international law applies to cyberspace, but also what additional responses States should consider.

Jacek Bylica of the European External Action Service (EEAS) noted that the EU Institute for Security Studies has been working with civil society and academia to implement a cyber action plan for the EU. He posited that regional confidence-building measures (CBMs) and plans like the 2017 EU cybersecurity strategy could be resources for the preparation of a broader strategic framework for behaviour in cyberspace. Bylica added that some States wish to challenge the multi-stakeholder model for cyber governance—a development with potentially significant consequences for human rights and other areas—and he urged stakeholders to consider means of clarifying State interpretations of existing norms. He concluded by expressing the EU’s hope that an ongoing First Committee discussion on establishing a new group of governmental experts would result in adoption of a consensus resolution on the matter.

Liis Vihul of Cyber Law International discussed cyberspace in the context of international laws, agreements and norms. States, she observed, generally agree that cyberspace is subject to the principles of sovereignty and jurisdiction as well as prohibitions on intervention in the affairs of other States and the use of force. She further contended that in cyberspace, States have the right to apply “countermeasures” to either bring about a lawful situation or de-escalate an unlawful situation. To date, she said, such countermeasures have generally been physical anti-access and area denial operations aimed, for example, at preventing aircraft landings or overflights. She proposed that in cyberspace, a State could lawfully undertake a denial operation as a countermeasure against malicious cyber activity until it receives compensation for harm inflicted.

Vihul separately discussed the rights of States relevant to armed conflict, including their right to defend themselves against armed attacks. The interpretation of these provisions depends on the consequences of an attack or action rather than the specific weapons used, she argued, adding that any State wishing to alter an interpretation of international law must achieve a consensus adoption of its reinterpretation. Noting that Groups of Governmental Experts issued reports in 2013 and 2015 encouraging States to explore how international law applies to the cyber domain, she expressed her own view that a bottom-up approach is most likely to advance relevant international dialogue. Vihul argued that as States achieve clarity on the role of international law in cyberspace, they must also seek to determine whether existing law is sufficient. Some States have begun disseminating their own interpretations of international law without also assessing whether current laws are satisfactory, she noted, adding that some State victims of cyberattacks have not characterized those attacks as violations of international law. Speculating that major cyber powers are unwilling to discuss red lines for offensive cyber activity, she called for various efforts aimed at strengthening the political appetite for action. She said potential activities in this regard might attempt to draw further attention to specific

events, such as a recent cyber incident affecting the Organisation for the Prohibition of Chemical Weapons, which might lead to discussions on the prohibition of cyberattacks on international organizations.

Chris Harland of the International Committee of the Red Cross (ICRC) echoed Vihul’s position that there may be a need for stronger discussions concerning the application of international law to cyberspace. He stated that the Red Cross is concerned with humanitarian costs of cyberattacks, noting that the organization uses cyberspace for communications and logistics and has been subject to cyberattacks. He said States must determine what constitutes an attack and whether attacked data is protected by international humanitarian law (IHL). Harland posited that an effects-based model is the preferred way of making such an assessment, and he noted that ICRC favors a broad interpretation of the term “attack” under IHL that accounts for exceptions such as espionage and jamming. He argued that deleting or tampering with data could cause more harm to civilians than the physical destruction of some objects, and he stressed that ICRC views data as an object protected under IHL.

Isaac Morales of the Ministry of Foreign Affairs of Mexico welcomed statements by other panelists in favor of multilateral responses to extant and emerging threats in cyberspace. He noted recent calls by the United Nations Office Disarmament Affairs and the Secretary-General, including in his Agenda for Disarmament, for prioritization of discussions of the cyber domain. He said international law should be applied to cyberspace with the aim of benefiting academia, activities and individuals, and he advocated for responsible State behavior in cyberspace aimed at guaranteeing freedom of expression and ideas as well as a safe environment for users. Morales noted that relevant discussions have become more frequent in recent months, including in multi-stakeholder fora. He encouraged greater focus on peaceful uses of cyberspace, and he advocated for the development of new or existing mechanisms to improve confidence among Member States about cyber capabilities and intentions. In his view, such CBMs could enhance regional norms and responsible State behavior. Citing examples, he referred to attempts by the Organization of American States to apply counterproliferation norms to cyberspace, including through the designation of local cybersecurity points of contact in each of its member States and through the development of national cybersecurity plans. He further argued that national norms ought to be applied to cyberspace, and he said CBMs can provide technical assistance in this regard. As Morales concluded, he expressed optimism that new, robust conversations on cyber issues would continue to take place at the United Nations.

Heli Tiirmaa-Klaar of the Ministry of Foreign Affairs of Estonia noted that perspectives from academia, intergovernmental organizations and States were represented on the panel. She said the discussion reinforced the idea that cyberspace is not lawless and that international law applies regardless of the weapon used in an attack. She noted that as Member States try to understand how existing laws apply to cyberspace, they are also trying to determine how to enforce applicable laws. She advocated further discussion of the agreed CBMs and voluntary norms contained in the 2013 and 2015 reports by United Nations Groups of Governmental Experts.

Text by Cyrus Jabbari