Securing the Cybersphere
Collective action needed to provide legal protection for the domain
Herman Finley/Daniel K. Inouye Asia-Pacific Center for Security Studies
“While a peaceful cyberspace provides us with many opportunities, the potential for malicious cyber activities by state and non-state actors to create instability and mistrust in international relations is increasing,” according to a statement released by the chair of the Global Conference on CyberSpace 2015, held in April 2015 at The Hague, Netherlands. Given the almost daily negative activities in cyberspace, few would argue with that quote. The question is: Will nations work together as a community to address this disturbing trend?
The answer is maybe. In the face of limited international agreement on what is unacceptable behavior in cyberspace, some nations have begun to build advanced capabilities to deter or respond to cyber activities. At the same time, to secure the opportunities of a peaceful cyber environment, many nations have begun the long process of codifying restrictions on destructive cyber behaviors.
This article will first look at the current status of international cyber law. Then, it will highlight some of the issues involved in creating international law. Last, it will consider possible future options for the region.
Globally, few treaties specific to cyber activities exist. Foremost is the 2004 European Union’s Convention on Cybercrime, known as the Budapest Convention. While it focuses on crime, many of the principles embodied in the convention may be applicable to other aspects of cyber activities. Forty-eight nations have ratified the treaty, including Canada, Japan, the United States, Australia and Sri Lanka from the Indo-Asia-Pacific region. It has met with significant opposition from India, China and Russia. Beyond the Budapest Convention, the Shanghai Cooperation Organization (SCO) states have signed an International Information Security Agreement. Additionally, elements of the International Telecommunications Union’s constitution and regulations govern some aspects of cyber activities.
In addition to these few sources of treaty law, there are ongoing efforts focused on building consensus and norms that may eventually develop into customary or treaty law.
The United Nations has established a Group of Government Experts (GGE) to consider international norms related to cyberspace. The current GGE includes Indo-Asia-Pacific experts from China, Japan, Malaysia, Pakistan, Russia and the United States. In its 1995 report, the GGE reiterated that existing international law fully applies to cyberspace.
The North Atlantic Treaty Organization (NATO) is spearheading its own effort at building consensus. The April 2015 Global Conference on CyberSpace, attended by 80-plus nations, was the third in a series. It created the Global Forum on Cyber Expertise (GFCE) to address a fundamental weakness of many nations — cyber expertise. One of the first fruits of the GFCE was an initiative by the United States, Japan and Australia on preventing and combating cyber crime in Southeast Asia. The initiative consists of four activity areas: capacity building, prevention, framework support and cooperation.
NATO’s Cooperative Cyber Defence Centre of Excellence is pursuing a nonbinding body of understanding about the relationship between law and cyberspace. The center’s Tallinn Manual on the International Law Applicable to Cyber Warfare is the most developed scholarly work attempting to codify cyber law principles. The manual focuses primarily on cyber activities in the legal context of armed conflict. The next edition of the manual (known as Tallinn 2.0) will look at peacetime activities and is due out in late 2016.
In January 2015, the SCO proposed a voluntary “International Code of Conduct for Information Security” to the U.N. General Assembly. Codes of conduct generally are not considered international law unless the signatories agree to be bound by the code, and/or the code includes sanctions for noncompliance.
The Indo-Asia-Pacific region is beginning to shift its regional debate from cyber crime issues to broader issues of state activities in cyberspace.
The Association of Southeast Asian Nations (ASEAN) Regional Forum (ARF) has a number of ongoing activities related to cyber legal issues. Malaysia and the European Union hosted the March 2016 ARF Workshop on Operationalizing Confidence Building Measures for Cooperation during Cyber-Incident Response. The workshop focused on transparency, cooperation and behavior to reduce the risk of conflict in the event of disruptive national or international cyber security incidents. More than 120 international experts attended, including representatives from Australia, Burma, Cambodia, China, Indonesia, Japan, New Zealand, Philippines, Singapore, South Korea, Thailand and Timor-Leste.
South Asian nations have not yet achieved the same degree of cooperative approach. According to the former finance minister of Nepal, Dr. Madhukar SJB Rana, the South Asian Association for Regional Cooperation “is totally unprepared to cope with the security threats emanating from the emerging world order. The newest security threat is cyber security.”
The Interpol Global Complex for Innovation opened in Singapore in September 2014 and aims to become a dedicated center of expertise on cyber crime as part of Interpol’s global program.
Bilateral efforts are complementing multinational approaches. Indonesia and China are working on an agreement to cooperate on cyber security with a focus on four areas of human resource development: awareness, capacity building, joint research and joint operations. A U.S.-China forum on cyber crime was held in December 2015, with a second round in June 2016. After the meeting, Guo Shengkun, China’s public security minister, said, “China and the U.S. have important shared interests in ensuring cyber security and are fully capable of turning their differences and frictions into bright spots for cooperation,” according to Chinadaily.com. In October 2015, ASEAN and Japan held the eighth in a series of information security policy meetings.
Individual nations are also pursuing cyber laws. There is not space here to recount those activities; rather, the reader is referred to the review of selected Indo-Asia-Pacific national efforts in the BSA report: Asia-Pacific Cybersecurity Dashboard: A Path to a Secure Global Cyberspace.
Two issues dominate national efforts to create politically and culturally acceptable cyber laws. One issue is who has responsibility for specific categories of cyber activities within the government: civil agencies, the military or the police? The other involves protecting the human rights of privacy, association and freedom of expression while appropriately dealing with online crime.
Before turning to future options, consider how international law is made and some technical characteristics of cyberspace that will shape that process.
In general, international law is created through (1) formal treaties (such as the U.N. Charter or the Budapest Convention) that are binding on the states that become parties to them, (2) customary practices and (3) the general principles of law among civilized nations. The formulation of international law is also reflected in secondary sources, such as international judicial decisions and notable scholarly works.
In addition to the treaties mentioned earlier, the primary bodies of law applicable to cyber activities include the U.N. Charter, the law of armed conflict (sometimes referred to as international humanitarian law) and the law of state responsibility. From these, nations derive general legal concepts that would apply equally to emerging technologies such as those in cyberspace. These include: jus ad bellum (the law that applies to resorting to the use of force), jus in bello (the law that applies to the conduct of armed conflict), sovereignty and territorial integrity, nonintervention, and a state’s responsibility for due diligence in preventing third parties from using its territory or assets to attack other states.
While an international consensus exists that these long-standing sources of international law apply to cyber activities, some characteristics of cyber technologies raise questions about the unique conditions under which such laws apply. One such unique issue is attribution. How can nations know who did what? There are significant technical difficulties in achieving legally actionable clarity on this; states are often left with strong circumstantial evidence that only allows a tentative assertion of guilt. Without clear attribution, it may be difficult for a victim state to determine what response options are legally available in the face of malicious cyber activities or even cyber attacks.
International humanitarian law restrictions on the use of force may apply to cyber actions during armed conflict. For example, law of armed conflict principles such as proportionality and discrimination may limit cyber attacks on critical civilian infrastructure such as power or financial systems, as well as electro-magnetic pulse actions, if employed indiscriminately. An additional question is when a cyber activity can cause such harm that a state may lawfully respond with a use of force. Until such issues are clarified, even if attribution is clear, it will be difficult for states to determine if international humanitarian law applies. It remains to be seen whether the Tallinn 2.0 manual will consider such questions in its treatment of international law and peaceful cyber issues.
The principles of sovereignty and territorial integrity underlie much of international law, but how these principles apply in cyberspace remains unclear. For example, does a cyber activity through multiple computers in multiple nations impose on each of those nations responsibilities under the due diligence principle? If an individual or nonstate organization uses cyberspace to cause significant harm to a state’s interests, does that state have legal rights to counterattack the perpetrator without the consent of the state in which the perpetrator resides?
Finally, the speed at which technology is developing stresses our ability to respond with timely legal solutions that are specific enough for enforcement and sufficiently “socialized” to be acceptable to the broad international community.
Actions that would enhance the creation and enforcement of cyber-related law in the future fall into three broad areas: developing a foundation for customary law through national laws, state practices and cooperative international programs; building capacity for nations to enforce their own laws and to cooperate internationally; and continuing to work toward the goal of clarifying legal understandings related to cyber activities.
Given the sovereignty-based international legal system, the passage of national cyber laws could be an indicator of emerging consensus and the eventual development of customary international law. The process of passing national laws necessitates clarification of terms, jurisdictions and enforcement mechanisms. Such laws will provide the justification for enforcement activities aimed at securing national cyber boundaries and for funding capacity building. Additionally, forming laws and enforcing them (in other words, state practice) will support the development of customary international law. It would also be useful for more regional nations to publish national cyber security strategies to further establish norms of state practice.
The need to build capacity for enforcement and international cooperation suggests a number of options for regional consideration. Many nations lack access to expertise on cyber security and therefore lack capacity to effectively write or enforce national law. It might be feasible and useful to create a regional process to build and share expertise with the GFCE. Regional organizations such as ASEAN and the South Asian Association for Regional Cooperation could support creation of a lexicon of regional commonly agreed definitions of terms associated with cyber activities. Such an agreed set of terms would assist cooperative efforts to respond to cyber incidents.
Increasing the frequency and depth of regional representation in groups such as GGE, GFCE and the Global Conference on CyberSpace will help reduce concerns about international law being created without sufficient input from the region. Increasing public and official awareness of cyber issues will help generate “ripeness” for the body of law to grow. Unless there is a widespread sense of urgency, courts and diplomats will defer meaningful action.
An additional step forward is to highlight that cyberspace should not be viewed primarily as a warfare domain, but rather as a global shared space that requires positive actions by individual states as well as mutual cooperation. More technically capable nations may have to accept limitations on their potential actions to support a larger interest in a robust, protected cyber environment that supports the free flow of information to the benefit of economies and societies.
As the region moves forward on some of these suggestions, it will be good to keep in mind that the road will be long and difficult. Progress will not be fast but, in the greater context, is occurring faster than we might expect. The time is ripe for collective action to legally protect cyberspace for the benefit of the region and the globe.