Cybersecurity & Tech

The UN GGE Failed. Is International Law in Cyberspace Doomed As Well?

Arun M. Sukumar
Tuesday, July 4, 2017, 1:51 PM

The fifth edition of the UN Group of Governmental Experts (GGE)—tasked with developing a “common understanding” of how states should behave in cyberspace—failed last week, with several states not agreeing to the final draft report. Still, predictions of the death of international law at the hands of the GGE on cyberspace are greatly exaggerated.

Published by The Lawfare Institute
in Cooperation With
Brookings

The fifth edition of the UN Group of Governmental Experts (GGE)—tasked with developing a “common understanding” of how states should behave in cyberspace—failed last week, with several states not agreeing to the final draft report. Still, predictions of the death of international law at the hands of the GGE on cyberspace are greatly exaggerated.

For lack of consensus, the GGE will not submit a report of its recommendations to the UN General Assembly. The GGE failed because it could not agree on draft paragraph 34, detailing how international law applies to the use of Information and Communication Technologies (ICTs) by states. Some states that refused to endorse this paragraph offered the untenable—and frankly, facetious—rationale that affirming the application of the UN charter principles on the use of force and international humanitarian law would result in the “militarisation” of cyberspace. Others doggedly insisted on including the right to apply “countermeasures” in scenarios that fell below the threshold of the ‘use of force’ in cyberspace, which risks opening the door further for destabilizing conduct. In the end, both sides missed the forest for the trees. The 2016-17 UN GGE had made measurable progress in clarifying certain norms of behavior for state and non-state actors. In the fracas over the paragraph, the participants failed to appreciate that the codification of norms and principles does more for a cyberspace regime than any endorsement of international legal principles.

Consider some of the norms this year’s GGE agreed to prior to deadlocking, as confirmed by two of the negotiators. While the previous GGE concluded that “states should not knowingly allow their territory to be used for internationally wrongful acts”, this group sought and agreed on an understanding of the all-important term, “knowingly”. In the wake of increasing ransomware and zero-day attacks, this GGE agreed to take steps to prevent the proliferation of malicious cyber-tools. It sought to stop the private sector from using cyberspace for offensive purposes against third parties, including those located in another state’s territory. The GGE even came close to acknowledging that cyber attacks affecting properties of the Domain Name System that are critical to its functioning should be considered unacceptable. All of these gains have now been lost in the manufactured controversy over the application of international law to cyberspace.

The controversy is “manufactured” because both the 2013 and the 2015 GGEs declared that “international law, and in particular the Charter of the United Nations,” were applicable to cyberspace. It does not seem to be any country’s position that the right to self-defense—the inclusion of which some states opposed in the current report—does not apply in response to cyber operations that meet the threshold of an “armed attack” under Article 51 of the UN Charter.

In an explanation of its GGE position, Cuba declared that it opposed the :equivalence [made] between the malicious use of ICTs and the concept of ‘armed attack’”. In reality, Cuba and others are concerned that an endorsement of the “right to self-defense” will undermine asymmetric advantages which states that do not enjoy conventional superiority over their adversaries may have in cyberspace. So, Russia, which may be concerned that the United States will retaliate conventionally in response to a cyber operation that it deems to be an armed attack, would have concerns about including the phrase. On the other hand, India, which would want the option to respond to Pakistan’s cyber operations through conventional means, may welcome the express affirmation of a right to self-defense. Other commentators have noted that it is unlikely most cyber operations would cross the high legal threshold of an “armed attack”. However, it is the sovereign prerogative of states to define what qualifies, and a validation of their right to self-defense in the UN GGE serves as a deterrent against conventionally inferior adversaries.

Yet another thorny issue has been the applicability of international humanitarian law (IHL) to cyber operations. In the past, states like China have argued that applying IHL to cyberspace legitimizes military activities in it, which they claim to oppose. This argument, however, is really about military objectives. Countries that are rapidly scaling up their offensive cyber capabilities are buying time to test the effects of new weapons on civilian networks and critical infrastructure. To commit to the applicability of IHL, they fear, would be to foreclose the development and testing of some cyber weapons that may have unintended consequences. One such area of risk is the international legal obligation to distinguish between civilians and combatants. Can cyber weapons, aimed at a combatant’s network, effectively distinguish between its targets and the civilian infrastructure it may have to cross to reach them? Until the contours of this principle has been fleshed out, it is unlikely that many aspirational “cyber powers” will sign up to it.

The political motivations of major powers in the GGE are most apparent when it comes to the issue of “countermeasures,” which draft paragraph 34 referred to as the “right of states to respond to internationally wrongful acts committed through the use of ICTs”. States that have a clear advantage in offensive cyber capabilities, like the United States, insist the GGE recognizes the right to cyber reprisal, but others worry that this may lead to rash responses. Interestingly, the initial drafts of the GGE sought, rather painstakingly, to include scenarios that could trigger countermeasures. Some states’ reluctance to accept them reflected their concern that militarily-advanced countries will frame the rules of the game.

Despite some opposition to draft paragraph 34, it is premature to say that the enunciation of international law in cyberspace is a futile mission. In some respects, the GGE put the cart before the horse by calling for an affirmation of legal principles without detailing them or understanding their consequences for military strategies. The tangible progress that the 2016-17 GGE made in promoting information-sharing channels, furthering research on attribution, and limiting the intervening role of non-state actors in cyber attacks should matter more to states than principled statements on international law. To expend much political capital on a difficult exercise to explain how international law applies, rather than building norms that enable states to perform their legal obligations diligently, was a strategic mistake by the major GGE powers. For those opposing the inclusion of specific legal principles, it should be clear that the tide is turning. Governments today increasingly desire rules that predict state behavior. The GGE’s failure will likely spur states to articulate their own national cyber doctrines and push for bilateral or regional initiatives to “legalize” cyber norms.

The 2016-17 GGE succumbed to the “here and now” concerns of individual states, while letting go of the good work it had done in creating an enabling framework for the implementation of international law. The goals however should not be abandoned; instead the discussion must now shift to a new platform.


Arun M. Sukumar is a PhD Candidate at the Fletcher School of Law and Diplomacy, Tufts University.

Subscribe to Lawfare