Understanding the Anatomy of Cyber Enabled Crimes and their Governance

Sukanya Thapliyal

1. Introduction: 

Digital systems and Information Communication Technology (ICT) play an increasingly central role in our lives. Technological advancement has created new opportunities for cybercriminals to exploit vulnerabilities in digital systems and networks. The resulting cybercrimes can affect everyone, from government and multinational corporations to individuals. As technology continues to make deeper inroads into our lives, cybercriminals are finding unique ways to attack. The continuous evolution in technology has resulted in newer forms of cybercrimes such as Man-in-the-Middle-attack, Bluetooth Man-in-the-Middle attacks, and false data injection attacks, to name a few. This has resulted in a lack of agreement in defining and classifying threats and crimes associated with them. 

Although we lack a uniform and a neat understanding and approach towards addressing cybercrime, a few useful classification tools have been developed in this regard. One such classification tool was developed by Dr Mike McGuire and Samantha Dowling in 2013, wherein cybercrimes were divided into broad categories of “cyber-dependent” and “cyber-enabled” crimes. The cyber-dependent crimes are described as offences that can only be committed with the help of a computer, computer network or an ICT device. These include hacking, DDoS attacks, malware etc. The other category is of cyber-enabled crimes that are traditional crimes whose scope, scale and severity is greatly impacted by the use of computers, computer networks and other devices. Examples include: cyber fraud, cyberterrorism, online child sexual abuse or exploitation material, among others. 

The broad classification of cybercrime into cyber-dependent and cyber-enabled crimes is the central theme in the discussions carried out under the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of ICTs for criminal purposes (“the Ad Hoc Committee”). The discussion around cyber-enabled and cyber-dependent crimes are crucial in setting the scope of the convention. Over four different sessions, the Ad-Hoc committee witnessed wide ranging proposals on inclusion of cyber-dependent and cyber-enabled crimes under the proposed convention. Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (online child sexual abuse, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. 

This blog piece attempts to investigate the inclusion of cyber-enabled crimes as a specific choke point and why its regulations attract diverse views from the Member States and key stakeholders. The piece ends with specific recommendations and suggestions that may act as possible solutions for countering and combating cyber-enabled crimes. 

2. How Cyber-enabled Crimes have been included under other International Instruments:

Besides the UN Ad-Hoc Committee’s, several regional legal conventions, recommendations, and directives have already been developed in this regard. These have also been a reference point for the proposed convention. These include: African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), The Council of Europe Convention on Cybercrime (Budapest Convention), League of Arab States Convention on Combating Information Technology Offences, and the Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime. Besides, there is also the CARICOM Model Legislative Texts of Cybercrimes/ E-crimes and Electronic Evidences that targets the prevention and investigation of computer and network related crime. In addition, the UNODC Report on the meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime (2021) lays down Recommendations on best practices to address issues of cybercrime through the implementation of legislation and frameworks on effective criminalization, law enforcement and investigation, international cooperation, and prevention. 

International legal instruments (identified above) address an extensive range of cybercrime and criminalised both cyber-dependent and cyber-enabled crimes. The most common cyber-enabled crimes covered under these conventions include attack on computer systems, computerised data breaches, computer-related forgery, and computer-related fraud. The second set of cyber-enabled crimes covered include, offences related to child pornography, crimes that are racist or xenophobic in nature committed through computer systems. The third set of cyber-enabled crimes include offences against privacy, offences related to terrorism committed by means of information technology, and increasing punishment for traditional crimes when they are committed by means of information technology which are covered by a miniscule number of convention (such as League of Arab States Convention on Combating Information Technology Offences). 

3. Languishing Fate of Cyber-enabled crimes in Ad-Hoc Committee Process and Key Challenges in their Governance.

Although the cyber-enabled crimes are widely recognised at the international level, these have acquired only partial success in terms of their incorporation into the work of the Ad-Hoc Committee Process. 

Tracking the Ad-Hoc committee for four consecutive sessions has enabled us to identify the key challenges in incorporating and addressing a wide range of cyber-enabled crimes under the proposed convention. The cyber-enabled crimes such as terrorism-related offences, violation of personal information, extremism-related offences, or content-related crimes lack a common and clear understanding of what it constitutes due to the diverging political, cultural, and legal systems in the Member Countries. Further, these sets of crimes are largely traditional crimes that are often covered under existing international and domestic legislation and incidentally involve the usage of computer systems and ICTs. In the event that these crimes are also incorporated separately in the cybercrime convention, these can conflict with the legal instruments that are already in place. Moreover, content-related offences are broadly- worded, lack a uniform approach, and need more adequate safeguards to protect human rights and other fundamental freedoms. Therefore, binding international criminal instruments such as the Ad-Hoc Committee’s work is not an appropriate forum to address the issues emerging out of cyber-enabled crimes. Instead, these should be addressed via civil and non-legal instruments while ensuring balance with fundamental rights and freedoms. Some cyber-enabled crimes discussed under the Ad-Hoc committee, including extremism-related crimes and terrorist use of ICT technologies, are more umbrella terms that are extremely vague and subjective and pose a threat to widely recognised international human rights. Finally, the provisions related to privacy-related offences are troublesome as they criminalise a broad range of conduct without establishing a legitimate aim and providing sufficient exceptions in favour of students, journalists, cybersecurity researchers, and other public-spirited individuals. 

4. Way Forward and Suggested Solutions 

The vague and highly subjective nature of cyber-enabled crimes, their tense relationship with widely recognised international human rights and lack of sufficient exceptions can be attributed as primary obstructions that inhibit their inclusion in the Ad-Hoc Committee process. Nevertheless, these issues are of crucial importance for a large number of countries participating in the process. Member Countries, including India, Egypt, South Africa, Russia, and China, have repeatedly argued in favour of a broad cybercrime treaty and have also pushed for provisions enabling international cooperation, technical assistance, and capacity building. Lack of adequate procedural and technical competence amongst the state enforcement agencies is hampering them in their societal role, keeping citizens secure, and upholding the rule of law. In such a scenario where it is hard to build consensus in fractious issues as this, and urgency of action in respect of the threat faced by Member States, the pathway through binding international criminal instruments is less than ideal. The Member Countries, therefore, need to devise alternative pathways to address the cyber-enabled crimes though civil or non-legal instruments while keeping up the balance with international human rights and fundamental freedom. 

Another possible route to address cyber-enabled crimes is through Public-Private Leadership. The four sessions of the Ad-Hoc committee allowed us to uncover the growing mistrust and misalignment between the public and the private sector. These key stakeholders exhibit discord and opposing views of each other and are less than beneficial in addressing the critical challenges we face today due to rising cybercrime. Technology companies have latched on to their strong opinion that enforcement agencies cannot be trusted sufficiently with citizen data and digital communication. On the other hand, Member States also need to highlight the day-to-day challenges faced by legal enforcement agencies and promise adequate transparency in their actions. Some Member States have instead advocated in favour of strong obligations on the private sector to cooperate with national authorities. While public-private cooperation is imperative to address these crimes, both entities need to rethink their position, establish a cordial relationship and take up leadership roles that can then be translated into a better and more effective approach to addressing cyber-enabled crimes. 

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session (Part II)

Sukanya Thapliyal

Introduction 

In Part I of this two-part blog series, we provided our readers a brief overview and observations from the discussions pertaining to the second reading of the provisions on criminalisation of offences under the proposed convention during the Fourth Session of the Ad-hoc Committee. In Part II of the series, we will be laying down our reflections and learnings from the discussions that were held in regard to: (i) General Provisions; and (ii) Provisions on Procedural Measures and Legal Enforcement. We also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process.

1. General Provisions 

Chapter 1 of the Consolidated Negotiating Document (CND) includes five articles: statement and purposes (article 1), use of terms (article 2), scope and application (article 3), the protection of sovereignty (article 4), and protection of human rights (article 5). In the first round of discussions on General Provisions, the Member Countries, the European Union, in its capacity as observer, and the observers for non-member States provided their preliminary views on different provisions so as to allow the Secretariat to identify provisions that enjoy broad support and others where participants held divergent views. 

Round 1 Discussions

1. Points of Agreement  (Advanced to Second Round of Discussions)

A majority of the participants held positive views on the provisions enlisted under the General Provisions. They sought to strengthen several of these provisions. For example: developing countries including Iran, Jamaica (on behalf of the Caribbean Community), South Africa, and Egypt were in favour of a more elaborate and strongly worded provision on technical assistance. Similarly, several countries including, European Union, Japan, USA, Switzerland, New Zealand, Canada, and others sought (i) strong safeguards for protection of human rights and other fundamental freedoms and (ii) mainstreaming of gender perspective and (iii) consideration of persons and groups vulnerable to cybercrime. 

2. Points of Disagreement  (Subject to Co-facilitated Informal Negotiations)

The discussion witnessed divergences in relation to Article 2 (Use of Terms) of the CND. Countries including India and Russia were in favour of usage of the term “ICT” over “cybercrime” as the former is wider in nature and has been used in UN General Assembly-Resolution 74/247 that established the mandate for the Ad-Hoc Committee. On the other hand, countries including the USA, Japan, Israel, and others were in favour of “cybercrime” for being more widely understood and recognised under the domestic legal framework of various countries and already employed under several international legal instruments. The chair, therefore, took up the decision to pursue the deliberation on the said provision in the co- facilitated informal consultations under the able leadership of Mr H.E. Mr. Rapulane Sydney Molekane, Ambassador and Permanent Representative of South Africa to the United Nations, Vienna, and Mr. Eric Do Val Lacerda Sogocio, Counsellor, Permanent Mission of Brazil to the United Nations, Vienna, and Vice-Chair of the Ad Hoc Committee.

3. Co-Facilitated Informal Consultations 

The co-facilitated informal consultations witnessed detailed deliberations on the use of terminologies to be defined under the draft Convention. The deliberations represented initial exchange of views without prejudice to the future informal discussion. They shall continue ahead of, during and beyond the 5th session to allow for a common understanding on key terms in order to facilitate consensus on several provisions throughout the text of the future convention.

Round 2 Discussions

Further, in the second round of discussion on provisions that enjoy wider support, the participants brainstormed on the final language of the provisions. Several Member Countries proposed terms/ phrases and even provisions that they considered more reflective of their needs and preferences. For instance: Member Countries including Russia, Tajikistan and India proposed the usage of “detect, prevent, suppress and investigate cybercrime/ use of ICTs for criminal use” in place of “prevent and combat cybercrime/ use of ICTs for criminal use.” In addition, India also proposed the usage of “the collection and sharing of electronic and digital information/evidence” in place of “collection of electronic evidence”. Further, countries including Malaysia, Honduras and Singapore proposed for “proper balance between the interests of law enforcement and the respect for fundamental human rights” to the provision detailing the Statement of Purpose for the Convention. Similar proposals were made on provisions relating to protection of sovereignty, respect for human rights and scope of the application respectively.

The discussions relating to General Provision at the Ad-Hoc Committee process do not suffer from irreconcilable differences.  Member Countries have showcased a growing sense of convergence on provisions relating to protection of human rights and other fundamental freedoms. There is also a broad support for mainstreaming the gender perspective within the convention. The Member Countries, however, have outstanding work in relation to definitions and use of terms under the proposed convention. 

II. Provisions on Procedural Measures and Legal Enforcement 

Chapter 3 of the CND laid out provisions for – a] investigation and prosecution of offences, b] collection and sharing of information and electronic evidence, c] conditions and safeguards highlighting the need for and importance of the protection of human rights and liberties, insertion of principles of proportionality, necessity and legality and d] the protection of privacy and personal data for the purposes of the convention. The chapter included 16 articles divided into the following six clusters:

1. Cluster 1: provisions on jurisdiction, scope of procedural measures and conditions and safeguards
2. Cluster 2: procedural measures for expedited preservation of stored data; expedited preservation and disclosure of traffic data, production order, search and seizure, real-time collection of traffic data, interception of content, among others.
3. Cluster 3: procedural measures relating to freezing, seizure and confiscation of assets, establishment of criminal records, protection of witnesses and victims, and compensation for damage suffered.

Round 1 Discussions 

1. Points of Agreement (Advanced to Second Round of Discussions)

In the first round of discussions, the Member Parties unanimously recognised the importance of the provisions on procedural measures and legal enforcement and their role in laying the solid foundation for the practical international cooperation and implementation of this convention. The first round of discussions witnessed a broad agreement on the majority of the provisions under Cluster 1, 2 and 3 of CND. 

Furthermore, several Member Parties, Observer States including the European Union, India, Japan, UK, Norway, Canada, Australia, Kenya, and Israel affirmed their support on the inclusion and further strengthening of Article 42 that lays out Conditions and Safeguards that ensure adequate protection of human rights and liberties, including rights and fundamental freedoms arising from obligations under applicable international human rights law. 

Several Participant Countries also highlighted the close correlation between Article 42 and Article 41 (Scope of Procedural Measures) as being inextricably linked to one another and stated that strong procedural measures must be accompanied by robust human rights safeguards. The participant Member Countries and Observer States were broadly in agreement on inclusion of Article 43 (Expedited Preservation of Stored Computer Data), Article 44 (Expedited Preservation and Partial Disclosure of Traffic Data), Article 45 (Production Order), Article 46 (Search and Seizure) and Cluster 3 provisions (Article 50-55) of the CND. 

2. Points of Disagreement (Subject to Co-facilitated Informal Negotiations)

There was disagreement on the inclusion of Article 40 (jurisdiction), Article 47 (Real Time Collection of Traffic Data), Article 48 (Interception of Content Data) and Article 49 (Admission of electronic/digital evidence) respectively. Member Countries and Observer States and other participants including Switzerland, Japan, USA, European Union, Australia, Norway, UK, Canada raised concerns on Article 40 that allowed for extraterritorial jurisdiction of State and jurisdiction over computer data/ digital or electronic information irrespective of place of storage, screening or processing. As per the participant countries and observer states, such a provision is not in consonance with the traditional understanding of jurisdiction and may not be in alignment with Article 4 (Protection of Sovereignty) enlisted in the CND. 

Further, Member States and Observer States including EU, UK, Japan, Australia, and Norway also raised concerns on inclusion of Article 47 and 48 as these significantly interfere with human rights and are considered to be extremely sensitive in nature.  Singapore, in particular, opposed the inclusion of these provisions and stated that its inclusion has a limited utility and is likely to deter states from signing the final convention. India along with USA, Malaysia, Jamaica on the behalf of Caribbean Community (CARICOM) were in favour of inclusion of these provisions. India, in particular, also requested for the definitional clarity on terms such as “traffic data”. Besides, the participant member countries and observer states were disputed on inclusion of Article 49 and stated that the convention on cybercrime is not appropriate to include issues pertaining to admissibility of electronic evidence and is to be dealt under State’s domestic law and judicial rulings. 

3. Co-Facilitated Informal Sessions 

The chair accordingly delegated the discussion on Article 40, 47, 48 and 49 for the co-facilitated informal negotiation process to be undertaken under the leadership of Mrs. Andrea Martin-Swaby (Jamaica) and Mr. Syed Noureddin Bin Syed Hassim (Singapore).

The co-facilitated informal negotiation process underwent detailed discussions amongst participant Member States, Observer States and multi-stakeholders. The co-facilitators informed the Chair of the various developments that took place during the informal negotiation and that the co-facilitators would conduct intersessional bilateral meetings with delegations and convene additional informal negotiations of the Committee at the 5th Session scheduled in April 2023.

Round 2 Discussions 

Subsequently, in the second round of discussions, several newer contributions were made in the context of provisions laying out Conditions and Safeguards. There was also a proposal for additional provision relating to Retention of Traffic Data and Metadata, and Retention of Electronic Information in CND. Further, additional provisions on Cooperation between national authorities and service providers were also proposed and introduced in the CND for further deliberation. 

The CND and deliberations at the Fourth Session of the Ad-Hoc Committee process crystallised a number of interesting submissions and proposals made by the Member Countries over past sessions. The CND enlisted provisions aimed to redress current challenges faced by the legal enforcement agencies by providing appropriate authority allowing for expedited preservation of Stored Computer Data, expedited preservation and partial disclosure of traffic data, search and seizure, real time collection of traffic data, interception of content data, among others. 

The process, however, also witnessed disagreement on provisions relating to the understanding of jurisdiction, cooperation between national investigating and prosecuting authorities and service providers – as evident from the developments that took place in previous sessions. It is likely that the Secretariat and Member Countries will be continuing these deliberations to build consensus over conflicting issues. 

The Way Forward The proceedings at the Ad-Hoc Committee process have arrived at a critical juncture wherein Member Countries have begun text-based negotiations spearheaded by the Chair and Secretariat. The Ad-Hoc Committee will organise the Fifth Session from 11 to 21 April 2023 in Vienna as an immediate next step. The session will conduct text-based negotiations based on CND on the preamble, the provisions on international cooperation, preventive measures, technical assistance, and the mechanism of implementation, and the final provisions of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes. The upcoming sessions would be crucial in determining whether and how Member Countries would draw consensus and build toward an effective cybercrime convention that caters to the needs and expectations of the wide variety of countries participating in the UN process.

Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 3):Confidence Building Measures, Capacity Building and Institutional Dialogue

Ananya Moncourt & Sidharth Deb

“Smoking Gun” by Claudio Rousselon is licensed under CC BY 4.0

• Introduction

In Part 1 this three-part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) we critiqued how the OEWG is incorporating the participation of non-governmental stakeholders within its process. In Part 2 we reflected on States’ (including India’s) participation on discussions under three main themes of the OEWG’s institutional mandate as detailed under para 1 of the December 2020 dated UN General Assembly (GA) Resolution 75/240.

This analysis revealed how lawfare and geopolitical tensions are resulting in substantive divides on matters relating to (a) the definition and identification of threats in cyberspace; (b) the future direction and role of cyber norms in international ICT security; and (c) the applicability of international law in cyberspace. In Part 3 our focus turns to discussions at the second session as it related to inter-State and institutional cooperation. Specifically, we examine confidence building measures, cyber capacity building, and regular institutional dialogue. The post concludes by offering some expectations on the way forward for ongoing international cybersecurity and cybercrime processes.

• Confidence Building Measures (CBMs)

Under CBMs, States focused on cooperation, collaboration, open dialogue, transparency and predictability. These included  proposals operationalising a directory of national point of  contacts (PoCs) at technical, policy, law enforcement and diplomatic levels. Several States suggested that CBMs would benefit from including non-governmental stakeholders and integrating with bilateral/regional arrangements like ASEAN, OSCE and OAS. States identified UNIDIR’s Cyber Policy Portal as a potential platform to advance transparency on national positions, institutional structures and best practices. South Korea, Malaysia and others proposed using the portal for early warning systems, new cyber norms discussions, vulnerability disclosures, and voluntary information sharing about national military capabilities in cyberspace. Other priority issues included (a) collaboration between CERTs to prevent, detect and respond to cybersecurity incidents; and (b) critical infrastructure protection.

CBMs were another site of substantive lawfare. Russia and its allies stressed on the need for objective dialogue to prevent misperceptions. They urged States to consider all technical aspects of cyber incidents to minimise escalatory risks of “false flag” cyber operations. As we have discussed earlier in Part 2, Iran and Cuba argued against States’ use of coercive measures (e.g. sanctions) which restrict/prevent access to crucial global ICT infrastructures. These States also highlighted challenges with online anonymity, hostile content, and the private sector’s (un)accountability.

India focused on cooperation between PoCs for technical (e.g. via a network of CERTs) and policy matters. They espoused the benefits of integrating CBM efforts with bilateral, regional and multilateral arrangements. Practical cooperation through tabletop exercises, workshops and conferences were proposed. Finally, India stressed on the importance of real-time information sharing on threats and operations targeting critical infrastructures. The latter is a likely reference to challenges States like India face vis-a-vis jurisdiction and MLAT frameworks.

• Capacity Building

Consistent with the first OEWG’s final report, States suggested that capacity building activities should be:

• sustainable,
• purpose and results focused,
• evidence-based,
• transparent,
• non-discriminatory,
• politically neutral,
• sovereignty respecting,
• universal, and
• facilitate access to ICTs.

States advocated international capacity building activities correspond with national needs/priorities and benchmarked against internationally determined baselines. The UK recommended Oxford’s Cybersecurity Capacity Maturity Model for national assessments.  States recommended harmonising capacity building programmes with bilateral and regional efforts. Iran and Singapore proposed fellowships, workshops, training programmes, education courses, etc as platforms for technical capacity building for State officials/experts. States suggested UNIDIR assume the role of mapping global and regional cyber capacity building efforts—spanning financial support and technical assistance—aimed at compiling a list of best practices. Disaster and climate resilience of ICT infrastructure was a shared concern among Member States.

Even under this theme Russia and their allies addressed unilateral issues like sanctions which limit universal access to crucial ICT environments and systems. Citing the principle of universality, Russia even proposed the OEWG contemplate regulation to control State actions in this regard. Iran built on this and proposed prohibiting States from blocking public access to country-specific apps, IP addresses and domain names.

India recommended capacity building targeting national technical and policy agencies. It proposed funnelling capacity building through regular institutional dialogue to ensure inclusivity, neutrality and trust. India proposed a forum of CERTs, under the UN, to facilitate tabletop exercises, critical infrastructure security, general cybersecurity awareness campaigns, and cyber threat preparedness. India proposed establishing an international counter task force comprising international experts in order to provide technical assistance and infrastructural support for cyber defences and cyber incident response against critical infrastructure threats. Member Sates requested India to elaborate on this proposal.

• Regular Institutional Dialogue

Several States like France, Egypt, Canada, Germany, Korea, Chile, Japan and Colombia identified a previously proposed Programme of Action (PoA) to facilitate coordinated cyber capacity building. France proposed the PoA assist States with the technical expertise for cyber incident response, national cybersecurity policies, and critical infrastructure protection. States also identified the PoA to maintain a trust fund for cyber capacity building projects, and serve as a platform to assist States identify national needs and track implementation of cyber norms. Prior to the third substantive session, co-sponsors are expected to share an updated version of its working paper with the OEWG secretariat. These States have also proposed that the PoA serve as a venue for structured involvement of non-governmental stakeholders.

In order to harmonise the mandates of the OEWG and the PoA, Canada proposed that the OEWG serve as the venue where core normative aspects are finalised, and the PoA works on international implementation. The Sino-Russian bloc and developing countries expressed concerns about the PoA as a forum for regular institutional dialogue. Iran suggested that the OEWG instead operate as an exclusive international forum on cybersecurity. Cuba and Russia maintained that a parallel PoA would undercut the OWEG’s centrality.

While India’s intervention recognises the importance of regular institutional dialogue, it insists that such interactions be intergovernmental. It recommends that States retain primary responsibility for issues in cyberspace relating to national security, public safety and the rule of law.

• Way Forward

The OEWG Chair aims to finalise a zero draft of its first annual progress report, for consultations and written inputs, approximately six weeks prior to the OEWG’s third substantive session in July 2022. It will be interesting to track how lawfare affects the report and other international processes.  

In this regard, it is crucial to juxtapose the OEWG against the UN’s ongoing ad-hoc committee in which States are negotiating a draft convention on cybercrime. Too often these conversations can be stuck in silos, however these two processes will collectively shape the broad contours of international regulation of cyberspace. Already, we observe India’s participation in the latter is shaped by its doctrinal underpinnings of the Information Technology Act—and it will be important to track how these discussions evolve.

Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 2): Threats, Cyber Norms and International Law

Ananya Moncourt & Sidharth Deb

“Aspects of Cyber Conflict (pt. 3)” by Linda Graf is licensed under CC BY 4.0

Introduction

Part 1 of this three part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) analysed key organisational developments regarding multistakeholder participation. The post contextualised the OEWG’s institutional mandate, analysed the impact of the Russia-Ukraine conflict on discussions, traced differing State positions, and critiqued the overall inclusiveness of final modalities on stakeholder participation at the OEWG.

This post (and subsequently Part 3) analyses substantial discussions at the session held between March 28 and April 01, 2022. These discussions were organised according to the OEWG’s mandate outlined in UN General Assembly (GA) Resolution 75/240. Accordingly, Part 2’s analysis covers:

• existing and potential threats to “information security”.
• rules, norms and principles of responsible State behaviour i.e. cyber norms.
• international law’s applicability to States’ use of ICTs.

Both posts examine differing State interventions, and India’s interventions under each theme. The combined analysis of Parts 2 and 3 provides evidence that UN cybersecurity processes struggle with an inherent tension. This relates to the dichotomy between the OEWG’s mandate, which is based on confidence building, cooperation, collective resilience, common understanding and mutual accountability; as against the geopolitical rivalries which shape multilateralism. Specifically, it demonstrates the role of lawfare within these processes.

Existing and Potential Threats

Discussions reflected the wide heterogeneities of States’ perceptions of threats in cyberspace. The US, UK, EU, Estonia, France, Germany, Canada, Singapore, Netherlands and Japan prioritise securing critical infrastructure and ICT supply chains. Submarine cables, communication networks, rail systems, the public core of the internet, healthcare infrastructure and information assets, humanitarian databases, and oil and gas pipelines were cited as contemporary targets. Ransomware and social engineering were highlighted as prominent malicious cyber techniques.

In contrast, Russia, China and allies like Syria, Cuba and Iran urged the OEWG to address threats which conform to their understanding of “information security”. Premised on information sovereignty and domestic regime stability, prior proposals like the International Code of Conduct for Information Security offers a template in understanding their objectives. These States advocate regulating large-scale disinformation, terrorism, recruitment, hate speech and propaganda occurring over private digital platforms like social media. Cuba described such ICTs as tools for interventionism and destabilisation which interfere in States’ internal affairs. Iran and Venezuela cautioned States against using globally integral ICT systems as conduits for illegitimate geopolitical goals, which compromise other States’ cyber sovereignty—a recurring theme of these States’ engagement at the session.

Netherlands and Germany described threats against democratic and/or electoral processes as threats to critical infrastructure. Similarly, France described disinformation as a risk to security and stability in cyberspace. This is important to track since partial intersections with the Sino-Russian understanding of information security could increase future prospects of information flows regulation at the OEWG.

Developing States like Brazil, Venezuela and Pakistan characterised the digital/ICT divide between States as a major threat to cyberspace stability. Thus, capacity building, multistakeholder involvement and international cooperation — at CERT, policymaking and law enforcement levels — were introduced early as key elements of international cybersecurity. UK and Russia supported this agenda. France, China and Ecuador identified the development of cyber offensive capabilities as an international threat since they legitimise cyberspace as a theatre of military operations.

India’s participation in this area treads a middle ground. ICT supply chain security across infrastructure, products and services; and the protection of “critical information infrastructures” (CIIs) integral to economies and “social harmony” were stated priorities. Notably, the definition of CIIs under the Information Technology Act does not cite social harmony. India cited ransomware, misinformation, data security breaches and “… mismatches in cyber capabilities between Member States” as contemporary threats. To mitigate these threats, India advocated for improved information sharing and cooperation at technical, policy and government levels across Member States.

Cyber Norms

States disagreed on whether prior GGE and OEWG consensus reports serve as a minimum baseline for future cyber norms discussions. The Sino-Russian camp which includes Iraq, Nicaragua, Pakistan, Belarus, Cuba and others argued that cyber norms are an insufficient fix, and instead proposed a new legally binding instrument on international cybersecurity. China proposed a Global Initiative on Data Security as a blueprint for such a framework. Calls for treaties/conventions could trigger reintroduction of prior proposals on information security by these States.

The US, UK, Australia, Japan, France, Germany, Netherlands and allied States, and developing countries like Brazil, Argentina, Costa Rica, South Africa and Kenya argued that, instead of revisiting first principles, the current OEWG’s focus should be the implementation of earlier agreed cyber norms. Self-assessment of States’ implementation of the cyber norms framework was considered an international first step. The United Nations Institute for Disarmament Research (UNIDIR) in partnership with Australia, Canada, Mexico and others, launched a new national survey tool to gauge countries’ trajectories in implementation. Since cyber norms are voluntary, the survey serves as a soft mechanism of accountability, a platform which democratises best practices, and a directory of national points-of-contact (PoCs) wherein States can connect and collaborate.

States also raised substantive areas for discussions on new norms or clarifications on existing ones. Netherlands, US, UK and Estonia called for protections safeguarding the public core of the internet, since it comprises the technical backbone infrastructure in cyberspace which facilitates freedom of expression, peaceful assembly and access to online information. “Due diligence”— which requires States to not allow their territory to be used for internationally wrongful acts—was another substantive area of interest.

ICT supply chain integrity and attribution generated substantial interest. Given the close scrutiny on domestic companies, under this theme China recommended new rules and standards on international supply chain security. If analysed through lawfare this proposal perhaps aims to minimise targeted State measures against Chinese ICT suppliers in both telecom and digital markets.

The US pressed for deliberations on “attribution” and specifically public attribution of State-sponsored malicious cyber activities. China cautioned against hasty public attributions since it may cause escalation and inter-State confrontation. China argued that attributions on cyber incidents require complete and sufficient technical evidence. The sole emphasis on technical evidence (which ignores surrounding evidence and factors) could be strategic since it creates a challenging threshold for attribution. As a result it could counter-intuitively end up obfuscating the source of malicious activities in cyberspace.

Discussions on “critical infrastructure” protection also raised important interventions. Singapore stated that critical infrastructure security should protect electoral and democratic integrity. China argued for an international definition of “critical infrastructure” consistent with sovereignty. Over time such representations could further legitimise greater information controls and embed the Sino-Russian conception of information security within global processes.

India focused on supply chain integrity, critical infrastructure protection and greater institutional and policy cooperation. They advocated close cooperation in matters involving criminal and terrorist use of ICTs. There were also brief references to democratisation of cyber capabilities across Member States and the role of cloud computing infrastructure in future inter-State conflicts. This served as a prelude to India’s interventions under international law.

International Law

Familiar geopolitical fragmentations shaped discussions. Russia, China, Cuba, Belarus, Iran, and Syria called for a binding international instrument which regulates State behaviour in cyberspace. Belarus argued that extant international legal norms and the UN Charter lack meaningful applicability to modern cyber threat landscapes. Russia and Syria called for clarity on what areas and issues fall within the sphere of international cybersecurity. Viewed through the lens of lawfare, it appears that such proposals aim to integrate their conceptions of information security within OEWG discussions.

EU, Estonia, Australia and France argued this would undermine prior international processes and the cyber norms framework. The US, UK, Australia, Canada, Brazil, France, Japan, Germany and Korea instead focused on developing a common understanding on international law’s applicability to cyberspace, including the UN Charter. They pushed for dialogue on international humanitarian law, international human rights law, prohibition on the use of force, and the right to self-defence against armed attacks. Similar to previous failed negotiations at the 5^th GGE, these issues continue to remain contentious areas. For instance, Cuba argued against the applicability of the right to self-defence since no cybersecurity incident can qualify as an “armed attack”.

Sovereignty, sovereign equality and non-interference in States’ internal affairs were prominent issues. Other substantive areas included attribution (technical, legal and political), critical infrastructure protection and the peaceful settlement of disputes. To enable common understanding and potential consensus on international law, the US, Singapore and Switzerland advocated the OEWG follow a similar approach to the 6^th UN GGE. Specifically, they suggested developing a voluntary compendium of national positions on the applicability of international law in cyberspace.

India addressed issues relating to sovereignty, non-intervention in internal affairs, prohibition of the use of force, attribution, and dispute settlement. It discussed the need to assign international responsibility on States for cyber operations emerging from one State and which have extra-territorial effects. They argued for States enjoying the sovereignty to pass domestic laws/policies towards securing their ICT environments. India advocated imposing upon States an obligation to take reasonable steps to stop ICT-based internationally wrongful acts domestically. Finally, it highlighted that international law must adapt to the role of cloud computing hosting data/malicious activities in cross-border settings.

Conclusion | Previewing Part 3

In Part 2 of this series on the second substantive session of the OEWG on ICT Security (2021-25) we have analysed States’ interventions on matters relating to existing and potential threats to information security; the future role of cyber norms for responsible State behaviour in cyberspace; and the applicability of international law within cyberspace. In Part 3 we assess discussions relating to confidence building measures, capacity building and regular institutional dialogue. While this post reveals the geopolitical tensions which influence international cybersecurity discussions, the next post focuses extensively on the international cooperation, trust building, technical and institutional collaboration, and developmental aspects of these processes.

Analysing India’s Bilateral MOUs In the Field of Information and Communication Technologies (ICTs)

Sukanya Thapliyal

Introduction

As per the latest figures released by the International Telecommunication Union (ITU), post-COVID-19, the world witnessed a sharp rise in the number of internet users from 4.1 billion people (54% of the world population) in 2019 to 4.9 billion people (63% of the world population) in 2021. However, the same report states that some 2.9 billion people remain offline, 96%  of whom live in developing countries. These stark differences emanate from several barriers faced by the residents of the developing countries and include lack of access because of unaffordability of ICT services, lack of strong technological and industrial bases, inadequate R&D facilities, and deficient ICT operating skills. 

Countries are increasingly exploring different ways to partner with other countries through multilateral, bilateral, and other legal arrangements. The countries often forge bilateral cooperation with other countries through signing Memorandum of Understanding(MOUs), Memorandum of Cooperation (MOCs) and creating Joint Working Groups, and Joint Declarations of Intent, among others. These are informal legal instruments as compared to typical treaties or international agreements, and promote international cooperation in strategic interest areas. India has a detailed Standard Operating Procedure (SOP) with respect to MOUs/agreements with foreign countries. The SOP lays down the Indian legal practice on treaty formation and detailed guidelines in respect to the different international agreements that may be signed by the countries. 

India has executed several MOUs, MOCs, Joint Declaration of Intent, and Working Groups to identify common interests, priorities, policy dialogue, and the necessary tools for ICT collaboration. These include a broad range of areas,  including the development of IT software,  telecom software, IT-enabled services, E-commerce services & information security, electronic governance, IT and electronics hardware, Human Resource Development for IT education, IT-enabled education, Research and Development, strengthening the cooperation between private and public sector, collaboration in the field of emerging technologies, capacity building and technical assistance in the ICT sector. 

Aims and Objectives

This mapping exercise lists the numerous bilateral MOUs, Joint Declarations and other agreements signed between India and partner countries to locate the nature and extent of international collaborative efforts in the ICT sector. Furthermore, this mapping exercise aims to understand India’s strategic interests and priority areas in the sector and evaluate India’s unique positioning in South-South Cooperation. The said mapping exercise remains a work in progress and shall be updated at periodic intervals. 

Methodology

The mapping exercise includes an assessment of 36 MOUs and 5 other agreements subdivided into four categories: Fixed Term/ Renewed ICT MOUs (13), Open-Ended ICT MOUs (4), ICT MOUs with Pending Renewal/ Extension and Expired MOUs (19), and Joint Declaration and Proposals concerning ICT Sector (5). The relevant details of  such MOUs are derived from publicly available information provided by the Ministry of Electronics and Information Society (MeitY), Department of Telecommunication (DoT), Ministry of Communications (MOC) and the Indian Treaties Database by Ministry of External Affairs (MEA). The current analysis attempts to bring out the different MOUs, MOCs, and Joint Declarations of Intent executed by Indian authorities (MeitY, MOC and MEA), their duration of operation and the areas covered under the scope of such collaboration.   

Conclusion/Observations/Remarks:

Some of our key observations from the mapping exercise are as follows: 

• India has entered into MOUs/ Joint Declaration of Intent and other agreements with both developed and developing countries. These include Bangladesh, Bulgaria, Estonia, Israel, Japan, South Korea, Singapore, United Kingdom, among others. 
• Within India’s ICT cooperation and collaboration landscape, we have identified the following as priority areas: 

Building capacity of CERTs and law enforcement agencies	1. Cybersecurity technology cooperation relevant to CERT activities. 2. Exchange of information on prevalent cybersecurity policies and best practices. 3. CERT-to-CERT Cooperation. 4. Exchange of experiences regarding technical infrastructure of CERT.
Technical assistance and capacity building	1. Human resource development including  training of Govt. officials in e-governance. 2. Institutional cooperation among the academic and training institutions. 3. Strengthening collaboration in areas such as e-government, m-governance, smart infrastructure, e-health, among others.
Sharing of technology, standardization and certification	1. Cooperation in software development, rural telecommunication, manufacturing of telecom manufacturing and sharing of know-how technologies. 2. Cooperation in exchanging and developing technology. 3. Standardisation, testing and certification.
B2B cooperation and economic advancement	1. Enhancing B2B cooperation in cyber security. 2.Enable and strengthen industrial, technological and commercial cooperation between industry and research establishments. 3.Exploring third country markets. 4. Favourable environment for the business entities through various measures to facilitate trade and investment.

Key Priority Areas for India in ICT Sector

Mapping MOUs signed by India in the field of Information and Communication Technologies (ICT), created using https://www.mapchart.net/world.html

list-bilateral-agreements-in-the-field-of-ictDownload

Second Substantive Session of UN OEWG on International Cybersecurity (Part 1): Analysing Developments on Stakeholder Participation

Ananya Moncourt & Sidharth Deb

“Cyber Attacks” by Christian Colen Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0)

Introduction

On April 1st 2022, the United Nations General Assembly’s (UNGA’s) First Committee on Disarmament and International Security concluded the week-long second substantive session of the second Open-Ended Working Group (OEWG) on the security of and in the use of information and communication technologies (ICTs). This process is the UN’s second OEWG involving all 193 UN Member States on matters relating to international cybersecurity. There have also been six prior UN Group of Government Experts (GGEs) on similar issues.

This post is the first of a three-part series which analyses key developments at the OEWG’s second substantive session in the period between March 28 and April 01, 2022. This piece outlines discussions on a key issue – multistakeholder engagement within the OEWG process.

Readers can view it as a follow up to CCG’s two-part blog series from December 2021 which analysed major international cybersecurity discussions (including the international normative framework) at the UN and India’s participation in these processes. Part 1 begins by providing an overview of the scope of the OEWG’s institutional mandate, the geopolitical background in which the second substantive session was held, and analyses key organisational developments relating to the modalities of multistakeholder participation at the OEWG. It reveals geopolitical differences and where appropriate, spotlights India’s interventions on such issues.

Institutional Mandate

The second OEWG was established by UNGA Resolution 75/240 adopted on December 31, 2020. The resolution describes ICTs as “dual-use technologies” which can be used for both “… legitimate and malicious purposes”. This language within the resolution is curious since this would mean that dual-use technologies are capable of being used in lawful and unlawful scenarios. This is a departure from how “dual-use technologies” are traditionally defined as technologies which have both civilian and military applications and use cases.

Keeping this in mind, the resolution presciently expresses concern that some States are building up military ICT capabilities and that they could play active roles in future conflicts between States. Given their potential threat to national security, Resolution 75/240 establishes a new OEWG for the period between 2021 and 2025 which must act on a consensus basis. The second OEWG is expected to build on the aforementioned prior work of the GGEs and the first OEWG. The OEWG has been assigned a broad substantive mandate which includes:

1. Identifying existing and potential threats in the sphere of information security;
2. further developing the internationally agreed voluntary rules, norms and principles of responsible State behaviour in cyberspace. This entails identifying mechanisms for implementation and, if necessary, introducing and/or elaborating additional cyber norms;
3. developing an understanding of the manner in which international law applies to States’ use of ICTs;
4. capacity building and confidence-building measures on matters relating to international cybersecurity;
5. establishing mechanisms of regular institutional dialogue under the UN.

Resolution 75/240 specifies that aside from a final consensus report, the  OEWG must submit annual progress reports before the UNGA. Relevant to this post, the Resolution also grants the OEWG with the power to interact with non-governmental stakeholders. The OEWG’s Organisational Session in June 2021, States agreed to a total of eleven substantive sessions, the first of which was held in the period of December 13 to December 17, 2021.

Geopolitical Background to Second Substantive Session

At the second substantive session in the last week of March 2022 discussions were hindered by ongoing geopolitical tensions arising out of the international armed conflict owing to the Russian invasion of Ukraine. Cyberspace has played a strategic role within the conflict and has spanned several cyber incidents and operations. This includes strategic information campaigns and online influence operations. Moreover, the conflict has observed strategic incidents and operations which targeted government websites and extended to strategic measures critical information infrastructures across both public and private sectors. Key incidents prior to the session include a prominent attack on a satellite broadband network which affected internet availability for users across different parts of Europe.

The tensions have extended even to technical internet governance bodies like ICANN where for instance, Ukraine made unsuccessful requests to prevent Russian websites/domains from accessing the global internet. And as has been widely reported, the conflict has led to sanctions against Russian financial operators from executing cross-border transactions via globally interoperable ICT systems like the SWIFT network.

Such geopolitical realities mean that the OEWG’s progress which is rooted in consensus was adversely affected. Let us now consider a central organisational issue for the OEWG i.e. modalities of stakeholder participation.

Modalities of Stakeholder Participation

The value of rooting multistakeholderism into internet, ICT and cybersecurity governance is well documented. Most ICT systems are owned, controlled, used and/or managed by non-governmental stakeholders across the private sector and civil society. Field expertise is also largely situated outside of governments. However, under the UNGA First Committee, cybersecurity processes like the GGEs and the first OEWG have operated using state-centric, even exclusive, approaches.

UNGA Resolution 75/240 attempts to buck this trend and grants the OEWG the authority to interact with interested/relevant stakeholders from private sector, civil society and academia. For context, the first OEWG was the first cybersecurity discussion at the UN to involve some limited informal consultations between States and other stakeholders. The final substantive report, dated March 2021, even describes rich discussions and proposals from the multistakeholder community.

Despite this being an improvement upon the GGE model, experts contended that the first OEWG lacked direct or structured multistakeholder involvement. The first OEWG’s dialogue was described as ad-hoc, inconsistent and isolated. Similarly, consultation opportunities at the OEWG were largely limited to an exclusive class of accredited organisations at the UN’s Economic and Social Council (ECOSOC). Stakeholders expressed concern that a repeat of this approach would exclude discipline related field experts, private operators, and other relevant stakeholders. In lieu of this, certain States, regional organisations, non-governmental stakeholders, and individual experts have shared written inputs to the OEWG’s Chair calling for the adoption of modalities which facilitate transparent, structured and formal stakeholder involvement. The proposal put forth the additional option for non-accredited organisations to indirectly engage by sharing their views with the OEWG. To further inclusivity the proposal suggested that stakeholders be allowed to participate in both formal and informal consultations through a hybrid physical/virtual format.

Unfortunately, this issue was not resolved at either the OEWG’s Organisational Session in June 2021, nor its First Substantive Session in December 2021. At these discussions Member States like the EU, Canada, France, Australia, Brazil, Germany, the Netherlands, UK, USA and New Zealand advocated broader, structured, transparent and formal involvement of stakeholders. The transparency component was a point of emphasis for these jurisdictions. This proposal focused on making it widely known, the grounds on which certain States objected against the inclusion of stakeholders within the OEWG. In opposition, the Sino-Russian bloc including Cuba, Iran, Pakistan and Syria opposed extended multistakeholder participation since they believe the OEWG should preserve its government-led character. Russia has proposed formal multistakeholder involvement be restricted to granting consultative status to ECOSOC accredited institutions. These States insisted that informal consultations and written inputs are sufficient means of incorporating wider stakeholder views.

Although in favour of multistakeholder involvement, India’s interventions advocated that the OEWG follow the same modalities as the first OEWG which as described earlier has been criticised on grounds of inclusivity.

Developments on Modalities at Second Substantive Session

As the issue carried forward into the second substantive session, geopolitical tensions have escalated as a result of the Russia-Ukraine conflict. Statements by Australia, Canada, USA, UK, EU, France, Germany and others called upon Russia to stop using cyberattacks and disinformation campaigns. States from this bloc proposed that the OEWG’s programme of work not move forward without an agreement on stakeholder modalities. Iran contended that such a decision would undermine the legitimacy of the OEWG process. Other allies like China, Russia and Cuba argued that stakeholder participation should not come at the cost of substantial discussions. These countries cited Resolution 75/240 as not mandatorily requiring the OEWG to include stakeholders. However, the NATO and other allies of the US argued that delays to their inclusion would undercut stakeholders’ ability to meaningfully participate in the process.

Certain countries like France, Indonesia, Russia and Egypt supported an Indian proposal as a temporary workaround. India refined its earlier proposal and suggested that the OEWG continue the first OEWG’s system of informal consultations for the duration of one year while the issue of stakeholder participation was referred back to the UNGA for a final deliberation. No consensus was reached and consequently the Chair decided to suspend the issue of modalities and switched to issue-specific conversations via informal mode of discussion.

Conclusion: Final Modalities Yield Mixed Results

Three weeks after the conclusion of the second substantive session, the OEWG Chair shared a letter dated April 22, 2022 which declared consensus on the modalities of stakeholder participation at the second OEWG. These modalities will be formally adopted at the OEWG’s third substantive session in July 2022. They state that interested ECOSOC accredited NGOs can participate at the OEWG. Other interested stakeholders/organisations which are relevant to the OEWG’s mandate can apply for accreditation. They can formally participate provided Member States do not object. However, on the transparency front there appears to be a compromise. States must only share general reasons for their objection on a voluntary basis. The Chair will only share this received information with other Member States upon request. This prima facie means a stakeholder will not know why there was an objection against its participation in the OEWG process.

The actual stakeholder involvement will be carried out through two prongs. First, like the first OEWG the Chair will organise informal inter-sessional consultations between States and stakeholders. Second, accredited stakeholders can attend formal meetings of the OEWG, submit written inputs and make oral statements during a dedicated stakeholder session.

The modalities do not clarify if accredited stakeholders can participate virtually. This gap in communication is important since many stakeholders from developing/emerging countries often have limited resources and/or capacities to send contingents to these processes. While this development represents clear strides in terms of inclusivity from prior UN cybersecurity processes, as structured, the modalities could inadvertently exclude stakeholders from smaller countries who have an interest in maintaining a safe, secure and accessible cyberspace.

It remains to be seen if the international community will allocate resources in ensuring all interested stakeholders are present and active at these discussions. Moving forward, Parts 2 and 3 of this series focuses on key discussions which took place in informal mode at the Second Substantive Session of the OEWG. They describe how States (including India) view the substantial issues outlined in the OEWG’s institutional mandate. Part 3 concludes by charting out what to expect in the OEWG’s forthcoming draft of its first annual progress report for the UNGA.

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from First Substantive Session

Sukanya Thapliyal

Image by United Nation Photo. Licensed via CC BY-NC-ND 2.0

Earlier this month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

In this blog, we present a brief overview and our observations from the discussions during the first substantive session of the Ad-hoc Committee. Furthermore, we also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

1. Background 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions and was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282). 

Presently, the Budapest Convention, also known as Convention on Cybercrime is the most comprehensive and widely accepted legal instrument on cybercrime which was adopted by the Council of Europe (COE) and came into force in July, 2004. However, the work of the Ad-hoc Committee is significant and can pave the way for the first universal and legally binding instrument on cybercrime issues. The Committee enjoys widespread representation from State and Non-State stakeholders (participation from the non-governmental organizations, civil society, academia and private organizations) and other UN bodies, including the United Nations Office on Drugs and Crime (UNODC), serving as the secretariat for the process. 

The Ad-hoc Committee, over the next two years, is set to have six sessions towards developing this cybercrime convention. The convention is expected to foster coordination and cooperation among state actors to combat cybercrime while giving due regard to the peculiar socio-economic conditions prevailing in the developing and least-developed countries. 

The first substantive session of the Ad-hoc Committee was scheduled for 28 February-11 March 2022 to chart out a clear road map to guide subsequent sessions. In addition, the session also provided opportunity to the Member States to explore the possibility of reaching a consensus on the objective and scope of the Convention, which could provide a general framework for future negotiation without constituting a pre-condition for future stages. 

2. Discussions at the First Ad-hoc committee

The first session of the Ad-hoc Committee witnessed extensive discussions in sessions on general debate, objective and scope of the convention, exchange of preliminary views on key elements of the convention. In addition, a fruitful engagement took place in the sessions dedicated to arriving at a consensus on the structure of the convention (A/AC.291/L.4/Add.4). Member states also reached consensus on  discussion and decision-making on the mode of work of the Ad Hoc Committee during subsequent sessions and intersessional periods (A/AC.291/L.4/Add.6). As the negotiations commenced days after the Russia-Ukraine conflict began, the negotiations proceeded in a tense environment where several Member States expressed their concerns and-inability to negotiate in “good faith” in the light of the current state of play and condemned Russia for the military and cyber operations directed at Ukraine.

A. Scope of the convention: From “Cyber-Enabled” to “Cyber-Dependent” Crimes 

There was complete agreement on the growing importance of ICT technologies, the threat created by cybercriminals, and the need for a collective response within a sound international framework. However, countries highlighted different challenges that range from ‘pure cybercrimes’ or cyber dependent crimes to a broader set of crimes (cyber-enabled crimes) that includes misuse of ICT technologies and digital platforms by terrorist groups, deepfakes, disinformation, misinformation, false narrative, among others. 

While there was a broad consensus on including cyber dependent crimes, there was significant disagreement on whether cyber-enabled crimes should be addressed under the said convention. This divergence was evident throughout the first session with the EU, the US, the UK, New Zealand, Australia, Liechtenstein, Japan, Singapore and Brazil advocating to limit the operation of such a convention only up to cyber dependent crimes (such as ransomware attacks, denial of services attack, illegal system interference, among others). The member states maintained that the said convention should exclude vague and broadly defined crimes that may dilute legal certainty and disproportionately affect the freedom of speech and expression. Furthermore, that the convention should include only those cyber enabled crimes whose scale scope and speed increases substantially with the use of ICT technologies (cyber-fraud, cyber-theft, child sexual abuse, gender-based crime). 

On the other hand, the Russian Federation, China, India, Egypt, South Africa, Venezuela, Turkey, Egypt expressed that the convention should include both cyber dependent and cyber enabled crimes under such a convention. Emphasizing the upward trend in the occurrence of cyber enabled crimes, the member states stated that the cybercrime including cyber fraud, copyright infringement, misuse of ICTs by terrorists, hate speech must be included under the said convention.

There was overall agreement that cybersecurity, and internet governance issues are subject to other UN multilateral  fora such as UN Group of Governmental Experts (UNGGE) and UN Open Ended Working Group (OEWG) and must not be addressed under the proposed convention. 

B. Human-Rights

The process witnessed significant discussion on the protection and promotion of human rights and fundamental freedoms as an integral part of the proposed convention. While there was a broad agreement on the inclusion of human rights obligations, Member States varied in their approaches to incorporating human rights obligations. Countries such as the EU, USA, Australia, New Zealand, UK, Canada, Singapore, Mexico and others advocated for the centrality of human rights obligations within the proposed convention (with particular reference to the right to speech and expression, privacy, freedom of association and data protection). These countries also emphasized the need for adequate safeguards to protect human rights (legality, proportionality and necessity) in the provisions dealing with the criminalization of offenses, procedural rules and preventative measures under the proposed convention. 

India and Malaysia were principally in agreement with the inclusion of human rights obligations but pointed out that human rights considerations must be balanced by provisions required for maintaining law and order. Furthermore, countries such as Iran, China and Russia emphasized that the proposed convention should be conceptualized strictly as a technical treaty and not a human rights convention.

C. Issues pertaining to the conflict in jurisdiction and legal enforcement

The Ad-hoc Committee’s first session saw interesting proposals on improving the long-standing issues emanating from conflict of jurisdictions that often create challenges for law enforcement agencies in effectively investigating and prosecuting cybercrimes. In its numerous submissions, India highlighted the gaps and limitations in the existing international instruments and the need for better legal frameworks for cooperation, beyond Mutual Legal Assistance Treaties (MLATs). Such arrangements aim to assist law enforcement agencies in receiving metadata/ subscriber information to establish attribution and to overcome severe delays in accessing non-personal data. Member states, including Egypt, China supported India’s position in this regard. 

Mexico, Egypt, Jamaica (on behalf of CARICOM), Brazil, Indonesia, Iran, Malaysia also highlighted the need for the exchange of information, and greater international cooperation in the investigation, evidence sharing and prosecution of cybercrimes. These countries also highlighted the need for mutual legal assistance, 24*7 contact points, data preservation, data sharing and statistics on cybercrime and modus operandi of the cybercriminals, e-evidence, electronic forensics and joint investigations. 

Member states including the EU, Luxembourg, UK supported international cooperation in investigations and judicial proceedings, and obtaining electronic evidence. These countries also highlighted that issues relating to jurisdiction should be modeled on the existing international and regional conventions such as the UN Convention against Corruption (UNCAC), UN Convention against Transnational Organized Crimes (UNCTOC), and the Budapest Convention.

D. Technical Assistance and Capacity Building

There was unanimity among the member states to incorporate provisions on capacity building and technical assistance to cater to the peculiar socio-economic conditions of the developing and least-developed countries. However, notable inputs/ suggestions came from Venezuela, Egypt, Jamaica on behalf of CARICOM, India and  Iran. Venezuela highlighted the need for technology transfer, lack of financing and lack of sufficient safeguards for developing and least-developed countries. The countries outlined technology transfer, financial assistance, sharing of best practices, training of personnel, and raising awareness as different channels for capacity building and technical assistance for developing and least-developed countries. 

E. Obligations for the Private Sector 

The proposal for instituting obligations  on non-state actors , including the private sector (with particular reference to digital platforms and service providers), witnessed strong opposing views by member countries. Countries including India, China, Egypt and Russia backed the proposal on including a strong obligation on the private sectors as they play an essential role in the ICT sector. In one of its submissions, India explained  the increasing involvement of multinational companies  in providing vital services in different countries. Therefore, in its view, such private actors must be held accountable and should promptly cooperate  with law enforcement and judicial authorities in these countries to fight cybercrime. Iran, China and Russia further emphasized the need for criminal liability of legal persons, including service providers and other private organizations. In contrast, member states, including the EU, Japan and USA, were strictly against incorporating any obligations on the private sector. 

F. Other Issues

There was a broad consensus including EU, UK, Japan, Mexico, USA, Switzerland and others  on not reinventing the wheel but building on the work done under the UNCAC, UNCTOC, and the Budapest Convention. However, countries, including Egypt and Russian Federation, were skeptical over the explicit mention of the regional conventions, such as the Budapest Convention and its impact on the Member States, who are not a party to such a convention. 

The proposals for inclusion of a provision on asset recovery, and return of the proceeds of the crime elicited a lukewarm response by Egypt, Iran, Brazil, Russia, China, Canada, Switzerland, USA Jamaica on behalf of CARICOM countries, but appears likely to gain traction in forthcoming sessions.

3. Way Forward

Member countries are expected to submit their written contributions on criminalisation, general provisions, procedural measures, and law enforcement in the forthcoming month. These written submissions are likely to bring in more clarity about the expectations and key demands of the different member states. 

The upcoming sessions will also indicate how the demands put forth by developing, and least developing countries during the recently concluded first session are taken up in the negotiation process. Furthermore, it is yet to be seen whether these countries would chart out a path for themselves or get subsumed in the west and east binaries as seen in other multilateral fora dedicated to clarifying the rules governing cyberspace. 

---

Note: 

*The full recordings of the first session of the Ad-hoc Committee to elaborate international convention on countering the use of information and communications (ICTs) technologies for criminal purposes is available online and can be accessed on UN Web TV.

**The reader may also access more information on the first session of the Ad-hoc Committee here, here and here.

Technology & National Security Reflection Series Paper 10: International Responsibility for Hacker-for-Hire Operations: The BellTrox Problem

Anmol Dhawan^*

About the Author: The author is a 2021 graduate of National Law University, Delhi.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author’s contribution serves as an adapted reflection to the following proposition:

“From the standpoint of international law, does the Government of India bear any international legal responsibility for the actions of BellTrox InfoTech Services (or any other similar ‘hackers-for-hire’ operations run from Indian territory)? If yes, what are the legal prerequisites that need to be satisfied to affix such responsibility on the Government? If not, explain with reasons.” 

1. INTRODUCTION 

In 2020, The Citizen Lab released a report naming an obscure Delhi-based company, Belltrox Infotech Services, as a major player in commercial espionage operations against high-profile organizations as a hacker-for-hire entity. The targets included nonprofits and advocacy groups working on issues like climate change and net neutrality in the US, such as the Rockefeller Family Fund, Free Press, and Greenpeace.

Such cyber-espionage activities, inter alia, highlight the uncertainty in the application of international law in cyberspace. An analysis of BellTrox’s alleged operations raises questions as to whether there is an internationally wrongful act for which responsibility needs to be affixed, who bears such responsibility, and to what extent. 

As per Article 2 of the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (‘ARSIWA’), a State is responsible for an internationally wrongful act when it commits an act or omission fulfilling two basic criteria. First, the act or omission is attributable to that State; and second, it constitutes a breach of that State’s international obligation. 

Accordingly, this piece analyses the nature of attribution in the cyber context, the problems therein, and whether current frameworks take account of the unique nature of cyber-attacks vis-à-vis hacker-for-hire situations. Further, the article evaluates whether low-level cyber-attacks such as BellTrox’s constitute a breach of an international obligation, with particular reference to the principles of sovereignty and non-intervention. Finally, the piece attempts to distill shortcomings under the international law regime governing cyberspace and considers avenues to bridge the gaps. 

“Hackers (pt. 1)” by Ifrah Yousuf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

2. ATTRIBUTION 

Attribution is a normative operation used to demonstrate a nexus between the perpetrators of an act and a State. Although conduct under ARSIWA is limited to acts of State organs, Article 8 states that the wrongful conduct of a non-State entity directed or controlled by that State may be attributable to the State.

Traditionally, such attributability was restricted to activities carried out under a State’s ‘effective control’. As applied by the International Court of Justice (‘ICJ’) in Nicaragua, the effective control test requires a State to have, directed, commanded, or otherwise directly controlled the actor in question. The Tallinn Manual also follows this threshold for attribution in cyberspace. However, BellTrox’s conduct cannot be attributed to India under this test as the company is neither a State organ nor is there any evidence reflecting that it acted under the control of the Indian state. Further, BellTrox’s conduct cannot be attributed to India under the much lower threshold of the ‘overall control’ test of the International Criminal Tribunal for the Former Yugoslavia’s in Tadic (which the ICJ later rejected in the Bosnian Genocide Case) either. Under the overall control test, even supporting, equipping, or financing a non-state actor could suffice for attribution.

In evaluating responsibility for non-state actors’ conduct, we must consider other standards seen in international law. The US response to the 9/11 attacks marked a shift from the traditional responsibility thresholds towards an ‘indirect responsibility’ criterion. This threshold can be inferred from the communication of the US to the UN Security Council, in establishing a right of self-defense. The US focused on an ‘unwillingness’ standard, highlighting the Taliban regime’s refusal to change its policy towards Al Qaeda despite having control over large areas where it operated. However, in invoking this standard, the US emphasized that the Taliban gave some degree of support to Al Qaeda over and above mere sanctuary.

Although this theory of indirect or vicarious responsibility does not have enough support to constitute customary international law, it does find some backing in the Corfu Channel judgment. The ICJ held that States ought not to allow their territory to be used in a way that endangers other States. This idea has developed in relation to terrorist activities, whereby the Friendly Relations Declaration as well as UN Security Council  Resolution 1373 demand that States deny safe haven to terrorist activities.

Jason Healey expands on such a standard of passive responsibility, focussing on a State’s accountability for fostering an environment where attacks could occur instead of “shrinking the sanctuaries from where criminals act with impunity.” ICJ’s Tehran judgment also supports the proposition that a State’s failure to take appropriate steps to prevent violations could render it responsible for the wrongful conduct.

If we were to apply this broad threshold, it is conceivable that BellTrox’s conduct could be attributed to India. However, a State cannot be held responsible for all acts perpetrated within its territory. Thus, a more ideal starting point of assigning State responsibility for non-State actors’ conduct in cyberspace should involve combining the aforementioned standard with the ‘due diligence’ principle. Accordingly, attribution would entail a two-step determination. First, ascertaining a State’s unwillingness to prevent a non-state actor’s illegal conduct despite being in a position to do so. Second, whether the State exercised reasonable due diligence in attempting to prevent the conduct. A failure in either could render the State internationally responsible. 

Scholars have suggested specific guidelines for due diligence, including enacting criminal law against the commission of cyber-attacks, instituting good-faith investigations and prosecution, and cooperation with victim States. The 2015 Report of the Group of Government Experts (GGE) calls upon States to respond to requests for mitigating malicious ICT activity arising out of their territory. The GGE report highlights that knowledge plays a role in determining attributability and States have a due diligence obligation towards post-facto mitigation of identified unlawful cyber activity emanating from their territory. 

As Healey emphasizes– unfortunately, in cyberspace, States do not expect other States to exercise the same degree of control over their subjects; and the international community considers States helpless in mitigating cyber attacks originating from their territory.  However, moving away from a narrow attribution requirement, victim States could push origin States towards taking well-established steps for mitigating attacks and ensuring prosecution to avoid responsibility for wrongful conduct.

3. SOVEREIGNTY AND NON-INTERVENTION 

The second prong of State responsibility is the requirement of the breach of a State’s international obligation. As per the UN GGE’s 2013 and 2015 reports, States are, in principle, at a consensus as to the application of the principles of sovereignty and non-intervention in cyberspace. In essence, the principle of State sovereignty relates to a State’s authority over its territorial integrity, sovereign functions, and political independence to the exclusion of others. The prohibition on unlawful intervention derives from the principle of sovereignty, and as outlined by the ICJ in Nicaragua, points to the coercion of one State by another in matters within the former’s sovereignty.

The first element of intervention, i.e., ‘coercion’, refers to an attempt to influence an outcome in the target state, depriving the target state of control over the ‘functions inherent in sovereignty’. An  example of coercive behavior could be the use of cyberspace to compel another state to adopt a particular legislation. This understanding under the Tallinn Manual is broadened to include all kinds of coercive acts designed to force a state to act, or not act, in a particular manner. 

It is unlikely that international law, as it stands, would find cyber-operations like BellTrox’s to be coercive. Although targeting of eminent private groups and advocacy organizations may point towards an attempt to influence US policy, it cannot be concluded that the operations or the information gathered could have pressurized the US government to legislate in a particular manner. 

The second element of intervention is that the coercive behaviour must be directed towards the ‘matters in which a State is permitted to decide freely’. The Friendly Relations Declaration defines an intervention as interference in the State’s personality or against its political, economic, and cultural elements. The Tallinn Manual 2.0 bases violation of sovereignty on the usurpation of an inherently governmental function through interference in matters within the domaine reserve of the State.

However, to engage the non-intervention principle, the operations must be directed at the State’s practical ability to exercise its sovereign function. Thus, the NotPetya attacks attributed to Russia, which targeted Ukraine’s financial system, transport and energy facilities have been considered violations of international law by the UK and its allies. However, a spear-phishing campaign attacking private Universities and NGOs or the WannaCry ransomware attack attempting to extort hard currency from users were not considered as such. The US called the alleged Russian hacking of the Democratic National Congress an ‘attempt to interfere with its election process’, with Department of State’s Legal Adviser Brian Egan categorizing it “a clear violation of the rule of non-intervention.”

In contrast, Belltrox’s alleged hacker-for-hire scheme appears to target private persons, institutions, and advocacy firms without directly interfering in sovereign functions. Even if BellTrox’s actions are considered as attempts to influence US policy, public interest advocacy and policy research are not exclusively governmental functions. Moreover, espionage against private organizations does not preclude a State from deciding freely on sovereign matters. Resultantly, it is unlikely that BellTrox’s operations would ipso facto constitute an internationally wrongful act of intervention.  

4. CONCLUSION 

The BellTrox problem highlights the need to move away from the traditional attribution fixation to hold States accountable for mitigating cyber-attacks. The conventional understanding of internationally wrongful acts only takes into account the nature of kinetic warfare and interventions in other States, thus failing to account for the ability of non-State actors to cause similar damage when shielded and given a safe haven by States. Therefore, instead of the ‘effective control’ and ‘overall control’ tests, a shift towards the theory of ‘indirect responsibility’, in combination with a due diligence standard for states, would be more effective in the cyber world. 

Applying such a test, if India did provide a safe haven to BellTrox, in that it ignored the threat or was unwilling to mitigate it despite knowledge of malicious cyber-activities, these activities could be attributed to India. Further, on account of the due diligence requirement, a State’s failure to take appropriate action on intimation by a victim State would strengthen the latter’s claim for affixing responsibility. 

In regard to intervention in sovereign matters, the expanded understanding in Nicaragua and the Tallinn Manual reflects that a direct attempt to cause a change in another State’s law or policy would constitute an unlawful intervention. However, the problem in the current scenario lies in showing that BellTrox could use the information gathered to coerce the US to act towards a particular objective. Indirectly influencing the actions of private individuals and advocacy organizations might not restrict the State in its sovereign functions and hence, is unlikely to constitute intervention. 

The BellTrox case outlines multiple gaps in international law with respect to cyberspace. Although existing law might not hold States internationally responsible for non-state actors’ private cyber operations originating from within their territory, victim States must invoke the accountability of origin States for mitigating cyber threats and ensuring prosecution. Further, pressure by the international community on States to conform to their due diligence obligations would be a substantive move in the right direction.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 9: Legality of Foreign Influence Operations (“FIOS”) Under International Law

Neeraj Nainani^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. He currently works as an Associate at AZB & Partners, Mumbai. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

1. INTRODUCTION

States have always tried to influence opinions and politics of other sovereign states. Sun Tzu advocated spreading false information to take tactical advantage while Genghis Khan and his men planted rumors about their cruelty and their horsemen to spread fear and to weaken the enemy’s resilience.¹ However, changes in technology have drastically altered the way in which influence operations are conducted. The continuous evolution of information technology (“IT”) has resulted in progressive transformation in the information environment both in terms of constituent elements and inherent dynamics. 

Due to this transformation, the dissemination of information on a large scale is no longer controlled by a few stakeholders within democracies. This transformation is accelerated by the advent of online and social media platforms. Such platforms have upended the financial configuration of the media landscape in a manner in which prioritizes commercial revenues over the reliability and integrity of information which is consumed. 

These incentive structures have become fertile ground for influence operations which are increasingly shifting to cyberspace. In fact these online influence operations are being used to interfere in matters of other countries, especially elections. Cyber influence operations are defined as

“… activities that are run in cyberspace, leverage this space’s distributed vulnerabilities, and rely on cyber-related tools and techniques to affect an audience’s choices, ideas, opinions, emotions or motivations, and interfere with its decision making processes”.

The author will look at the status of cyber influence operations under international law and examine whether they violate principles of sovereignty and non-intervention and other obligations of states under international law. 

“Aspects of Cyber Conflict (pt. 4)” by Linda Graf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

2. FIOs AND THE PRINCIPLE OF SOVEREIGNTY

A state’s sovereignty is one of the most important concepts in international law. The ICJ has recognized the centrality of sovereignty by holding that “the whole international law rests” upon the concept of sovereignty. However, scholars highlight two issues as challenges to the argument that cyber influence operations may violate a State’s sovereignty. 

First, the conceptual understanding of sovereignty is currently challenged as an international legal obligation, especially in cyberspace. The authors of the Tallinn Manual on the international law applicable to cyber operations have recognized sovereignty as a primary and central principle of international law. The United Kingdom has observed that even though sovereignty is an important concept in international systems, “we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention”. The chief lawyer to the U.S. Cyber Command has also argued that sovereignty is “a principle of international law that guides state interactions, but is not itself a binding rule that dictates results under international law”.

The second argument pertains to the application of sovereignty principle over influence operations. Tallinn Manual 2.0 recognizes that a cyber operation constitutes a violation of sovereignty when they result in cause “physical damage or injury”, or the remote causation of “loss of functionality” of infrastructure in the target state or when they interfere with or usurp inherently governmental functions. However, there was division among the experts on the threshold which would amount to violation. The test is irrelevant for cyber influence operations as they generally do not cause physical damage or loss of functionality. Further, the authors of Tallinn manual were also not able to reach consensus on whether the cyber influence operations violate notions of territorial sovereignty of nations states.

The other touchstone to test cyber influence operations is on the notion of interfering with or usurping inherently governmental functions. Some authors have argued that it is unclear “whether a cyber influence operation on an election falls within the bounds of the terms ‘interference’ or ‘usurpation’.” Authors of Tallinn Manual have argued that the transmission of propaganda alone is generally not a violation of sovereignty. Michael Schmitt argues that the doxing operations disclosing crucial confidential information at crucial moments before the national elections as well disinformation campaigns involving overt acts from fake accounts are serious and classification of these serious influence operations as violations of sovereignty is “somewhat supportable”. Schmitt concludes that influence operations currently fall within “the legal grey zone of the law of sovereignty”.

One of the arguments to consider is that influence operations are generally backed with some additional overt or covert act such as doxing supported by hacks, or information warfare supported by the violation of privacy. UNGA has observed in the context of elections that “any activities that attempt, directly or indirectly, to interfere in the free development of national electoral processes, in particular in the developing countries, or that are intended to sway the results of such processes, violate the spirit and letter of the principles established in the Charter”. 

Influence operations do more than merely transmit propaganda. They perform subversive acts aiming at destabilizing State institutions by influencing nationals of another State; and enable militant democracy which allows the attacking state to indulge in political and legal warfare in the medium and long term. Further, influence operations interfere with the duty of the state to conduct free and fair elections.

3. FIOs AND THE PRINCIPLE OF NON-INTERVENTION

The other possible argument questioning the legality of influence operations under international law is the settled principle of non-interference. As per the ICJ’s decision in Nicaragua, an intervention by a State is unlawful when first, it has a bearing on matters which by principle the state can decide freely, second, the state uses methods of coercion. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations provides that “a State may not intervene, including by cyber means, in the internal or external affairs of another State” 

Duncan Hollis identifies two key issues with bringing cyber-enabled foreign influence operations within the principle of non-intervention. Firstly, that the content of the categories i.e. internal and external affairs of the state is not well defined. He argues that in earlier times there were subjects clearly cabined off from international attention that a state could address. However, with technological advancements and globalization, such subjects are limited and every subject attracts international attention. Therefore, any idea defining internal affairs of the state is likely to be limited, contested, and dynamic. However, the influence operations do not merely mean ‘international interest’ from a particular state. Influence operations more often than not, are clandestine operations by States – designed to meddle with the internal affairs of the country which shows a hint of militant democracy. 

Second, Hollis argues that influence operations do not meet with the criteria of coercion as narrowly defined in International Law. Tallinn Manual defines Coercion as “designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way”. This must be “distinguished from persuasion, criticism, public diplomacy, propaganda, retribution, mere maliciousness…” because “such activities merely involve either influencing (as distinct from factually compelling) the voluntary actions of the target State, or seek no action on the part of the target State at all”. It has been argued that the very nature of influence operation is to have target adopt or change certain behaviors willingly, which implies an absence of coercion. Another argument is that a legal finding that the State acted due to/under the influence of coercion would depend on recognizing and attributing some individual or group as the target of the coercion and identifying threatened consequences.

However, a broader conceptual understanding of coercion can be identified in efforts to bolster the argument that non-intervention includes the conduct of a State which weakens, undermines or compromises the authority of another State. The argument emphasizes on the examination of context and consequences while determining whether a State was compelled to act in a manner it otherwise wouldn’t have.

This broad approach is supported by observations made by the experts in Tallinn Manual 1.0 where they observed that the prohibited forms of interventions include “the manipulation by cyber means of elections or of public opinion on the eve of elections, as when online news services are altered in favor of a particular party, false news is spread, or the online services of one party are shut off”.

4. CONCLUSION

Various authors have highlighted that it is very difficult to argue that cyber influence operations questioning the democratic legitimacy of a target State falls within the ‘prohibited forms of intervention’. Similar arguments have been made for questions pertaining to the principle of sovereignty as well. Michael Schmitt has also observed cyber influence operations fall within a significant legal grey zone. However, an important question which is asked is whether these primary principles of international law which have developed on the basis of kinetic conflicts could be applied to cyberspace by analogy. Other scholars have also argued that cyber influence operations can better examined through lens of “self-determination”, “duty of due diligence” and also arguing  “information ethics” should inform our legal interpretation of damage and violence in cyberspace. Due to challenges posed by traditional understanding of sovereignty and principle of non-intervention, it is important to reexamine these concepts in context of cyber influence operations and to apply concepts accordingly to address concerns raised by them. 

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. Sunil Narula, “Psychological Operations: A Conceptual Overview,” Strategic Analysis 28, no. 1 (2004): 180.

Technology & National Security Reflection Series Paper 8: Tallinn Manuals as Law of the States or for the States– a Sola Fide Exploration?

Karan Vijay*

About the Author: The author is a 2021 graduate of the National Law University, Delhi. He is currently an Associate at Talwar Thakore & Associates, Mumbai. His interests lie in evolving landscapes of technology and their impact on international law and economics.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

INTRODUCTION

In this post, we evaluate the authoritative value of interpretations of international law expressed in the Tallinn manual with reference to Article 38 of the Statute of the International Court of Justice. 

NATO’s Cooperative Cyber Defence Centre of Excellence (“CCDCOE”) was established for NATO members to coordinate their efforts in the field of cyberwarfare in 2008, in light of the 2007 cyberattacks on Estonia’s critical cyber infrastructure. Given the international nature of cyberspace and consequently cyberwarfare, the CCDCOE convened a group of international experts to analyse how international law can be applied to cyberwarfare. Thus, the Tallinn manual came into existence, named after Estonia’s Capital, in 2013. The group of experts released Tallinn 2.0 in 2017 as a follow up which deals with a much broader field of ‘cyber operations’ instead of cyberwarfare. The original manual involved conflict while 2.0 deals with cyber operations both inside and outside conflict.

As far as the authoritative value of the Manual is in question, it is pertinent to point out that the Manual notes that every rule or assertion may not be a representation of principles of international law. Moreover, neither the rules nor the commentaries of the Tallinn manuals reflect the NATO doctrine or has been adopted as the official position of any State. Thus, prima facie, the Tallinn manuals (including Tallinn 2.0) were an end result of an academic study to determine and restate the lex lata i.e. the law as it exists; and probably deduce the direction of the lex ferenda i.e. as future law should be (although the manuals expressly stated that they avoided any statements or lex ferenda or the preferred policy for States). However, this still leaves the question unanswered about the value it holds today amongst other sources of international law.

Photo by Ministerie van Buitenlandse Zaken. Licensed under CC BY 2.0

THE LEGAL CONUNDRUM ENCIRCLING ARTICLE 38 (1) AND TALLINN MANUAL

Article 38(1) of the Statute of the International Court of Justice is considered as the most widely recognized iteration of sources of international law. It is no debate that the Manuals would fall under 38(1)(d) as the teachings of most qualified publicists as the international group of experts who were involved in their drafting are legal luminaries who are recognized for their contributions in cyber law and international law. 

We must note here that Article 38(1)(d) is different from the rest of the iterations or sources as it is subsidiary to others, i.e., these teachings per se are not law in and of themselves but are rather references that can be looked into for finding the law applicable.Thus, the manuals positing the arguments of the experts is not the law itself. However, they are a helpful source of determining the other authoritative sources of international law because the premise on which the publicists argue an assertion is usually based on a combination of the other three sources enshrined in article 38(1).

The question now becomes whether these manuals have been elevated to the level of customary international law (CIL). In addition to treaties, rights and obligations of States can also be recognized under CIL which is basically ‘evidence of a general practice accepted as law.’ In brief, a norm of CIL can form with State practice, that is the behavior of States with regards to the custom in question, and opinio juris, which is the belief that the State practice is in fact an obligation arising out of the law that is claimed as CIL.¹ This implies that towards formation of a custom, the State practice is the objective element or the manifestation of the subjective element, opinio juris. Interestingly, a minority of scholars also argue that it is not a watertight framework of having both of these elements, and a strong existence of the opinio juris may lead to the creation of a norm of CIL.

With respect to Cyber-operations, jurists hold that it is still too recent a field and there is no consistent State practice. However, most States have expressed the need of cyber-regulation and security via domestic law or through their representatives. The States are also publicly equipped to create or respond to military cyber operations. This amounts to a valid State practice, and even if it has not taken place for a long time but has been uniformly exercised, and there is proof of existence of the opinio juris, it can still validly contribute towards forming CIL.

ON THE QUESTION OF REPRESENTATION 

The question that we now face is whether the Tallinn manuals are a reflection of this global opinio juris. We can analyse from the available evidence and conclude that it may not be the case. To be clear, the international group of experts whose opinions led to the creation of the Manuals participated in their individual capacity– were not representing their country. This is important to note because when a scholar represents a country, they voice or manifest the State’s ‘opinion’ on points of disagreement as we see at the International Law Commission. What Tallinn scholars represent in their individuality or have represented are ideologies such as the Chicago School of Economic Thought or the English School of International Relations but never their State, making the manuals a scholarly exercise rather than a reflection of any opinio juris.

When we talk about representation, another issue which comes up with the manual is that it does not have fair representations from all parts of the world. A few of the biggest players of cyberspace are China and Russia. These States have successfully hacked/controlled their way to becoming important State actors within the cyber realm. Their opinions or voices; and even that of Israel (Israeli experts were on board for Tallinn 2.0), which is a dominant player in cyber-security today or that of Iran, were not taken into consideration. This further takes away from any claims whatsoever that the manuals represent opinio juris of States. The Manuals only take this issue of representation further in circumstances wherein only the military manuals of first world countries are referenced without providing any objective criteria for such selection.

At the same time there are some rules, which arguably do reflect opinio juris of States. For example, “Rule 4 – A State must not conduct cyber operations that violate the sovereignty of another State.” However, it is not the Tallinn manuals that made these laws customary in nature. Instead the manuals merely restate a preexisting custom adding the reference to cyberspace. 

From a content point of view, Pukhraj Singh points out that the manual which was touted to bring clarity to complex questions of cyberspace and law has turned a complete volte-face. Singh highlights that experts disagreed with each other at places providing counter-narratives, and that the manuals jump the gun by over- analogizing with conventional operations. The legal imputation of physical laws, such as the law of armed conflict to cyber-attacks may not always make complete technical sense. At the end of day, cyberspace is an intangible concept of connected computers, and not as physically controllable as how the manuals consider it to be. 

Most cyber-attacks will be done in a clandestine fashion with no clear indication as to which State did it or is responsible for it. The manuals (especially Tallinn 1.0) are not of much help as they simply restate the law on attribution and do not completely fulfil their role of creating practical and acceptable attribution standards (even if it meant holding the US responsible for Stuxnet!).

Moreover, it must be looked into whether the Manuals’ rules have been adopted and followed by various States or not and to what extent. This ascertains whether the States consider themselves bound by the rules of the manual (or is regarded as opinio juris). Now, apart from the disagreements that States have on some rules of the manual, a study done on 11 hostile cyber-operations that happened between 2013-2017 revealed that the manual or its rules were not followed.

CONCLUSION

Thus, with this understanding, we can conclude that while some of the rules restate CIL, the manuals as a whole do not seem to represent the global lex lata or the opinio juris of the States. It may seem that they instead represent the lex ferenda or what the law should be. However, that is also not exactly the case with their many loopholes and misplaced allegiances as they themselves state. 

It can instead be said that the manuals represent a hope or even a viable precedent that an exercise such as this can be undertaken by various other clusters of nations, like EU, SCO, SAARC, OAS or ASEAN. As more and more clusters will come up with their own varying opinions on cyber-space and cyber-operations, the chances of them possibly culminating into a mutual understanding between all States regarding international law applicable to cyberspace becomes more plausible. For this long drawn vision, Tallinn manuals seem to be a worthy starting point.  

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. North Sea Continental Shelf (Libya v Malta) (Merits) [1985] ICJ Rep 13[27].; Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) 1996 ICJ Rep 226 [64].; ILC, ‘Draft conclusions on identification of customary international law, with commentaries’ (2018) UN Doc A/73/10 Conclusion 2.  Antonio Cassese, International Law, (2nd edn. OUP 2005), 156.