No consensus report resulted from the yearlong negotiations of the 5th United Nations Group of Governmental Experts (GGE) on the Developments in the Field of Information and Communications Technologies (ICTs). As the meeting drew to a close in June, the 25 government officials ended their work with a disappointing acknowledgement that final attempts to report on areas of agreement related to norms and confidence building measures had ultimately failed, leaving the future of the GGE unclear. There was agreement, however, on the reason for the breakdown: disagreement over fundamental aspects of international legal rules. However disappointing the outcome may be for establishing norms for cyberspace, the result says more about the UN political process of seeking agreement on the nuances of international rules and their interpretations then it does about the potential to establish non-binding norms for cyberspace.
So what do the divisions over the interpretation of international law, as illustrated within the GGE discussions, mean for the future development of international law in the context of cyber operations?
Over the course of the GGE meetings that began in 2004, a number of governments had occasion to articulate their positions and acceptance of the applicability of existing international law to the cyber domain. In the five years between the 1st and 2nd GGE meetings, significant cyber events took place that had significant influence on the work of the group and highlighting its importance. In 2007 Estonia suffered a cyber incident with national security impact and in 2008 Georgia was the target of cyber attacks preceding kinetic conflict.
In 2013, for the first time, the GGE reached consensus on the issue of international law with its final report confirming, “international law, particularly the UN Charter, is applicable and essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.”
In 2014 the 4th GGE was established, expanding the number of experts from 15 to 20. The new mandate for the group included a call to build on the focus of international law in the 2013 report, wherein members agreed on the following: that international law applied in cyberspace, sovereignty applied to state actions in cyberspace, law of armed conflict principles of distinction, necessity and proportionality applied (although the report avoided using the words “law of armed conflict”), states should not use proxies to conduct wrongful acts in cyberspace, and states should respect and protect human rights in cyberspace.
From its earliest mandates, the principle area of focus for the GGEs was the promotion of a dialogue among states on norms to reduce collective risk, protect critical infrastructure, and establish confidence and capacity building measures. The process had been surprisingly successful, by 2015, having produced over a dozen principles for responsible state behavior in cyberspace. Ultimately, however, by 2017, the GGE was unsuccessful in reaching agreement on the application, development and interpretation of international law in the context of cyber activities.
As the GGE moved from general statements about broad principles of international law in the 2013 report to more specific pronouncements on international legal rules in the 2015 report and eventually seeking agreement on the implications for the applicability of these rules in the 2017 report, tension over international legal issues increased, with states taking divergent positions on the law.
A contributing factor that complicated the legal discussions was that the experts were not independent experts, international lawyers or technical cyber professionals, they were government officials – longtime diplomats mainly drawn from foreign ministries. The result was that GGE meetings became a platform for states to take positions and seek to negotiate favorable terms of agreement instead of a forum for expert study and, ultimately, recommendations and advice for the Secretary-General.
Signs of fundamental disagreement among the GGE members about the details of how international legal principles applied began to emerge almost as soon as the ink was dry on the 2015 report, with some states seeming to back track on the vague commitments made in the report regarding the right to self-defense as well as general principles related to the laws of armed conflict.
In negotiating the language for the 2015 report, the U.S. sought to include a reference to Article 51 of the UN Charter, which authorizes a state to, either individually or collectively, use force in self-defense if it suffers an armed attack. Such agreement would legitimize a military response, whether cyber or kinetic, to a cyber attack that reached the requisite level of harm under international law. But any mention of the words “self-defense” or Article 51 within the report was blocked by objecting states.
Not surprisingly, by the 2017 negotiations, there were three areas of contention over the law: the right of self-defense, the law of countermeasures, and international humanitarian law. There was opposition by some experts – particularly those from Russia, China and Cuba – to explicitly including the term self-defense within the report. The objecting states expressed concerns that mentioning the term within a report could increase the militarization of cyberspace, equating cyber attacks with armed attacks as defined under the UN Charter, and permitting the more cyber capable states to use force against hostile actions by other states while the less capable states would be at a disadvantage, unable to take such measures. The U.S. and others supported language on the right to take countermeasures in response to an internationally wrongful act committed through the use of ICTs, but again the language was rejected by objecting states. As a political position, it is understandable that weak states would object to the use of cyber countermeasures because they would rarely be able to induce strong states to comply with international obligations by violating their own obligations in response.
These positions, while politically reasonable and arguably potentially politically necessary, are not legal positions. It is universally accepted under international law that states have the right of self-defense if an armed attack has taken place, no matter what type of weapon is utilized in conducting the attack, as long as the threshold for an armed attack as been reached. Furthermore, under the law of countermeasures, states injured by the wrongful actions of another state are authorized to respond with proportionate countermeasures to induce the state back into compliance with its international obligations and make reparations for injuries suffered.
It is not so surprising, therefore, that a group of government officials from countries with vastly different levels of cyber capabilities would come to the GGE meetings with different interests in mind when discussing international law, how that law can be utilized, manipulated and developed in a fashion that would increase the security of the individual official’s country as well as its projection of power and influence in cyberspace. Furthermore, the lack of clarity on the very meaning of the legal terms under discussion within the group, such as sovereignty, armed attack, use of force, and intervention, understandably made reaching agreement on the broader legal principles of self-defense and countermeasures, the understanding of which is based on the analysis and parameters of the previously mentioned legal terms, especially challenging. For instance, without an understanding of whether, how, and when the sovereignty of a state is violated by a cyber operation or what it means to coercively interfere through cyber means in the internal affairs of a state, it would be difficult to definitively conclude, as a matter of law, that the state has the right to respond using countermeasures.
Ultimately, the legal discussions were used to pursue the political purposes of the states, distort, and even confuse the meaning and applicability of the already existing international rules, and distract from the work on agreement on norms.
As for the future of discussions on international law, a lesson from the GGE process would dictate that any such discussions should in some fashion be segregated from the political process of negotiating non-binding norms. Potential options for the further study of the international legal issues relevant in the cyber context, within the UN system, could include a mandate to the International Law Commission, created for the purpose of encouraging the progressive development of international law and its codification, to take up the topic for review; the establishment of a Legal Sub-Committee to the GGE, composed of international legal experts, tasked to analyze the details of the relevant international law in support of the work of the GGE, as was done in 1959 with the creation of a Legal Sub-Committee to the Committee on the Peaceful Use of Outer Space. A more informal effort could be based on the UN Institute for Disarmament Research (UNIDIR) holding workshops bringing together international lawyers and the GGE experts to discuss the application of international law in cyberspace, as UNIDIR did on one occasion in 2016.
Alternatively, outside of the UN, states could proceed with bi-lateral negotiations on specific aspects of cyber activities that may be ripe for agreement among like-minded states. Topics could range from the non-targeting of critical infrastructure to identifying thresholds for what would constitute an armed attack in cyberspace, and establishing legal criteria for enabling recourse by states to countermeasures as a reaction to violations of obligations, to mention a few. Such agreement could potentially evolve into legally-binding arrangements among a larger number of states.
Whatever ultimately becomes of the GGE process, the negotiations over norms and the study of the applicability of international law in the cyber context, there is little doubt that international law will develop in the context of state activities in cyberspace just as it has done over the centuries in other areas of newly developed international law. Indeed, the most probable trend for the prescription of state activities in cyber will be through the gradual progress of establishing shared expectations. As states operate in cyberspace and respond to hostile cyber activities against them, a process of claims and responses will emerge that can lead to normative change. Over time, the accumulated practice of states in this manner, accepted as law, can come to be legally binding on all states.
Unlike 10-20 years ago when international lawyers had an almost purely speculative approach in the earliest phase of the development of the law for cyberspace, today there is a reasonably settled point of departure from which the law can evolve. Today, there is a more reasonable balance between “what is” and “what may be.” Because of the tireless work of the GGEs and other groups, the “what is” in cyberspace includes a significant proportion of authoritatively recognized legal principles upon which further developments can be grafted as more experience becomes available, as states conduct activities in cyberspace, and as a larger measure of international agreement is reached.