Cyberspace and International Law: Taking Stock of Ongoing Discussions at the OEWG

This post is authored by Sharngan Aravindakshan

Introduction

The second round of informal meetings in the Open-Ended Working Group on the Use of ICTs in the Context of International Security is scheduled to be held from today (29th September) till 1st October, with the agenda being international law.

At the end of the OEWG’s second substantive session in February 2020, the Chairperson of the OEWG released an “initial pre-draft” (Initial Pre-Draft) of the OEWG’s report, for stakeholder discussions and comments. The Initial Pre-Draft covers a number of issues on cyberspace, and is divided into the following:

  1. Section A (Introduction);
  2. Section B (Existing and Potential Threats);
  3. Section C (International Law);
  4. Section D (Rules, Norms and Principles for Responsible State Behaviour);
  5. Section E (Confidence-building Measures);
  6. Section F (Capacity-building);
  7. Section G (Regular Institutional Dialogue); and
  8. Section H (Conclusions and Recommendations).

In accordance with the agenda for the coming informal meeting in the OEWG, this post is a brief recap of this cyber norm making process with a focus on Section C, i.e., the international law section of the Initial Pre-Draft and States’ comments to it.

What does the OEWG Initial Pre-Draft Say About International Law?

Section C of the Initial Pre-Draft begins with a chapeau stating that existing obligations under international law, in particular the Charter of the United Nations, are applicable to State use of ICTs. The chapeau goes on to state that “furthering shared understandings among States” on how international law applies to the use of ICTs is fundamental for international security and stability. According to the chapeau, exchanging views on the issue among States can foster this shared understanding.

The body of Section C records that States affirmed that international law, including the UN Charter, is applicable to the ICT environment. It particularly notes that the principles of the UN Charter such as sovereign equality, non-intervention in internal affairs of States, the prohibition on the threat or use of force, human rights and fundamental freedoms apply to cyberspace. It also mentions that specific bodies of international law such as international humanitarian law (IHL), international human rights law (IHRL) and international criminal law (ICL) as applicable as well. Section C also records that “States underscored that international humanitarian law neither encourages militarization nor legitimizes conflict in any domain”, without mentioning which States did so.

Significantly, Section C of the Initial Pre-Draft also notes that a view was expressed in the discussions that “existing international law, complemented by the voluntary, non-binding norms that reflect consensus among States” is “currently sufficient for addressing State use of ICTs”. According to this view, it only remains for a “common understanding” to be reached on how the already agreed normative framework could apply and be operationalized. At the same time, the counter-view expressed by some other States is also noted in Section C, that “there may be a need to adapt existing international law or develop a new instrument to address the unique characteristics of ICTs.”

This view arises from the confusion or lack of clarity on how existing international law could apply to cyberspace and includes but is not limited to questions on thresholds for use of force, armed attacks and self-defence, as well as the question of applicability of international humanitarian law to cyberspace. Section C goes on to note that in this context, proposals were made for the development of a legally binding instrument on the use of ICTs by States. Again, the States are not mentioned by name. Additionally, Section C notes a third view which proposed a “politically binding commitment with regular meetings and voluntary State reporting”. This was proposed as a middle ground between the first view that existing international law was sufficient and the second view that new rules of international law were required in the form of a legally binding treaty. Developing a “common approach to attribution at the technical level” was also discussed as a way of ensuring greater accountability and transparency.

With respect to the international law portion, the Initial Pre-Draft proposed recommendations including the creation of a global repository of State practice and national views in the application of international law as well as requesting the International Law Commission to undertake a study of national views and practice on how international law applies in the use of ICTs by States.

What did States have to say about Section C of the Initial Pre-Draft?

In his letter dated 11 March 2020, the Chairperson opened the Initial Pre-Draft for comments from States and other stakeholders. A total of 42 countries have submitted comments, excluding the European Union (EU) and the Non Aligned Movement (NAM), both of which have also submitted comments separately from their member States. The various submissions can be found here. Not all States’ submissions have comments specific to Section C, the international law portion. But it is nevertheless worthwhile examining the submissions of those States that do. India had also submitted comments which can be found here. However, these are no longer available on the OEWG website and appear to have been taken down.

International Law and Cyberspace

Let’s start with what States have said in answer to the basic question of whether existing international law applies to cyberspace and if so, whether its sufficient to regulate State-use of ICTs. A majority of States have answered in the affirmative and this list includes the Western Bloc led by the US including Canada, France, Germany, Austria, Czech Republic, Denmark, Estonia, Ireland, Liechtenstein, Netherlands, Norway, Sweden, Switzerland, Italy, and the United Kingdom, as well as Australia, New Zealand, Japan, South Korea, Colombia, South Africa, Mexico and Uruguay. While Singapore has affirmed that international law, in particular, the UN Charter, applies to cyberspace, it is silent on whether its current form is sufficient to regulate State action in cyberspace.

Several States, however, are of the clear view that international law as it exists is insufficient to regulate cyberspace or cannot be directly applied to cyberspace. These States have identified a “legal vacuum” in international law vis-à-vis cyberspace and call for new rules in the form of a binding treaty. This list includes China, Cuba, Iran, Nicaragua, Russia and Zimbabwe. Indonesia, in its turn, has stated that “automatic application” of existing law without examining the context and unique nature of activities in cyberspace should be avoided since “practical adjustment and possible new interpretations are needed”, and the “gap of the ungoverned issues in cyberspace” also needs to be addressed.

NAM has stated that the UN Charter applies, but has also noted the need to “identify possible gaps” that can be addressed through “furthering the development of international rules”. India’s earlier uploaded statement had expressed the view that although the applicability of international law had been agreed to, there are “differences in the structure and functioning of cyberspace, including complicated jurisdictional issues” and that “gaps in the existing international laws in their applicability to cyberspace” need examining. This statement also spoke of “workable modifications to existing laws and exploring the needs of, if any, new laws”.

Venezuela has stated that “the use of ICTs must be fully consistent with the purposes and principles of the UN Charter and international law”, but has also stated that “it is necessary to clarify that International Public Law cannot be directly applicable to cyberspace”, leaving its exact views on the subject unclear.

International Humanitarian Law and Cyberspace

The Initial Pre-Draft’s view on the applicability of IHL to cyberspace has also become a point of contention for States. States supporting its applicability include Brazil, Czech Republic, Denmark, Estonia, France, Germany, Ireland, Netherlands, Switzerland, the United Kingdom and Uruguay. India is among the supporters. Some among these like Estonia, Germany and Switzerland have called for the specific principles of humanity, proportionality, necessity and distinction to be included in the report.

States including China, Cuba, Nicaragua, Russia, Venezuela and Zimbabwe are against applying IHL, with their primary reason being that it will promote “militarization” of cyberspace and “legitimize” conflict. According to China, we should be “extremely cautious against any attempt to introduce use of force in any form into cyberspace,… and refrain from sending wrong messages to the world.” Russia has acerbically stated that to say that IHL can apply “to the ICT environment in peacetime” is “illogical and contradictory” since “IHL is only applied in the context of a military conflict while currently the ICTs do not fit the definition of a weapon”.

Second level of detail on these questions, especially concerning specific principles including sovereignty, non-intervention, threat or use of force, armed attack and inherent right of self-defence, is scarce in States’ comments, beyond whether they apply to cyberspace. Zimbabwe has mentioned in its submission that these principles do apply, as has NAM. Cuba, as it did in the 2017 GGE, has taken the stand that the inherent right to self-defence under Article 51 of the UN Charter cannot be automatically applied to cyberspace. Cuba also stated that it cannot be invoked to justify a State responding with conventional attacks. The US has also taken the view it expressed in the 2017 GGE, that if States’ obligations such as refraining from the threat or use of force are to be mentioned in the report, it should also contain States’ rights, namely, the inherent right to self-defence in Article 51.

Austria has categorically stated that the violation of sovereignty is an internationally wrongful act if attributable to a State. But other States’ comments are broader and do not address the issue of sovereignty at this level. Consider Indonesia’s comments, for instance, where it has simply stated that it “underlines the importance of the principle of sovereignty” and that the report should as well. For India’s part, its earlier uploaded statement approached the issue of sovereignty from a different angle. It stated that the “territorial jurisdiction and sovereignty are losing its relevance in contemporary cyberspace discourse” and went on to recommend a “new form of sovereignty which would be based on ownership of data, i.e., the ownership of the data would be that of the person who has created it and the territorial jurisdiction of a country would be on the data which is owned by its citizens irrespective of the place where the data physically is located”. On the face of it, this comment appears to relate more to the conflict of laws with respect to the transborder nature of data rather than any principle of international law.

The Initial Pre-Draft mentioning the need for a “common approach” for attribution also drew sharp criticism. France, Germany, Italy, Nicaragua, Russia, Switzerland and the United Kingdom have all expressed the view that attribution is a “national” or “sovereign” prerogative and should be left to each State. Iran has stated that addressing a common approach for attribution is premature in the absence of a treaty. Meanwhile, Brazil, China and Norway have supported working towards a common approach for attribution. This issue has notably seen something of a re-alignment of divided State groups.

International Human Rights Law and Cyberspace

States’ comments to Section C also pertain to its language on IHRL with respect to ICT use. Austria, France, the Netherlands, Sweden and Switzerland have called for greater emphasis on human rights and its applicability in cyberspace, especially in the context of privacy and freedoms of expression, association, and information. France has also included the “issues of protection of personal data” in this context. Switzerland has interestingly linked cybersecurity and human rights as “complementary, mutually reinforcing and interdependent”. Ireland and Uruguay’s comments also specify that IHRL apply.

On the other hand, Russia’s comments make it clear that it believes there is an “overemphasis” on human rights law, and it is not “directly related” to international peace and security. Surprisingly, the UK has stated that issues concerning data protection and internet governance are beyond the OEWG’s mandate, while the US comments are silent on the issue. While not directly referring to international human rights law, India’s comments had also mentioned that its concept of data ownership based sovereignty would reaffirm the “universality of the right to privacy”.

Role of the International Law Commission

The Initial Pre-Draft also recommended requesting the International Law Commission (through the General Assembly) to “undertake a study of national views and practice on how international law applies in the use of ICTs by States”. A majority of States including Canada, Denmark, Japan, the Netherlands, Russia, Switzerland, the United Kingdom and the United States have expressed clearly that they are against sending the issue to the ILC as it is too premature at this stage, and would also be contrary to the General Assembly resolutions referring the issue to the OEWG and the GGE.

With respect to the Initial Pre-Draft’s recommendation for a repository of State practices on the application of international law to State-use of ICTs, support is found in comments submitted by Ireland, Italy, Japan, South Korea, Singapore, South Africa, Sweden and Thailand. While Japan, South Africa and India (comments taken down) have qualified their views by stating these contributions should be voluntary, the EU has sought clarification on the modalities of contributing to the repository so as to avoid duplication of efforts.

Other Notable Comments

Aside from the above, States have raised certain other points of interest that may be relevant to the ongoing discussion on international law. The Czech Republic and France have both drawn attention to the due diligence norm in cyberspace and pointed out that it needs greater focus and elaboration in the report.

In its comments, Colombia has rightly pointed out that discussions should centre around “national views” as opposed to “State practice”, since it is difficult for State practice to develop when “some States are still developing national positions”. This accurately highlights a significant problem in cyberspace, namely the scarcity of State practice on account of unclarity in national positions. It holds true for most developing nations, including but not limited to India.

On a separate issue, the UK has made an interesting, but implausible proposal. The UK in its comments has proposed that “States acknowledge military capabilities at an organizational level as well as provide general information on the legal and oversight regimes under which they operate”. Although it has its benefits, such as reducing information asymmetries in cyberspace, it is highly unlikely that States will accept an obligation to disclose or acknowledge military capabilities, let alone any information on the “legal and oversight regimes under which they operate”. This information speaks to a State’s military strength in cyberspace, and while a State may comment on the legality of offensive cyber capabilities in abstract, realpolitik deems it unlikely that it will divulge information on its own capabilities. It is worth noting here that the UK has acknowledged having offensive cyber capabilities in its National Cyber Security Strategy 2016 to 2021.

What does the Revised Pre-Draft Say About International Law?

The OEWG Chair, by a letter dated 27 May 2010, notified member States of the revised version of the Initial Pre-Draft (Revised Pre-Draft). He clarified that the “Recommendations” portion had been left changed. On perusal, it appears Section C of the Revised Pre-Draft is almost entirely unchanged as well, barring the correction of a few typographical errors. This is perhaps not surprising, given the OEWG Chair made it clear in his letter that he still expected “guidance from Member States for further revisions to the draft”.

CCG will track States’ comments to the Revised Pre-Draft as well, as and when they are submitted by member States.

International Law and Cyberspace: Three Different Conversations

With the establishment of the OEWG, the UN GGE was no longer the only multilateral conversation on cyberspace and international law among States in the UN. Of course, both the OEWG and the GGE are about more than just the questions of whether and how international law applies in cyberspace – they also deal with equally important, related issues of capacity-building, confidence building measures and so on in cyberspace. But their work on international law is still extremely significant since they offer platforms for States to express their views on international law and reach consensus on contentious issues in cyberspace. Together, these two forums form two important streams of conversation between States on international law in cyberspace.

At the same time, States are also separately articulating and releasing their own positions on international law and how it applies to cyberspace. Australia, France, Germany, Iran, the Netherlands, the United Kingdom and the United States have all indicated their own views on how international law applies to cyberspace, independent of both the GGE and the OEWG, with Iran being the latest State to do so. To the extent they engage with each other by converging and diverging on some issues such as sovereignty in cyberspace, they form the third conversation among States on international law. Notably, India has not yet joined this conversation.

It is increasingly becoming clear that this third conversation is taking place at a particularly level of granularity, not seen so far in the OEWG or the GGE. For instance, the raging debate on whether sovereignty in international law in cyberspace is a rule entailing consequences for violation or is merely a principle that only gives rise to binding rules such as the prohibitions on use of force or intervention, has so far been restricted to this third conversation. In contrast, States’ comments to the OEWG’s Initial Pre-Draft have indicated that discussions in the OEWG appear to still centre around the broad question of whether and how international law applies to cyberspace. Only Austria mentioned in its comments to the Initial Pre-Draft that it believed sovereignty was a rule the violation of which would be an internationally wrongful act. The same applies for the GGE, since although it was able to deliver consensus reports on international law applying to cyberspace, it also cannot claim to have dealt with these issues at level of specificity beyond this.

This variance in the three conversations shows that some States are racing way ahead of others in their understanding of how international law applies to cyberspace, and these States are so far predominantly Western and developed, with the exception of Iran. Colombia’s comment to the OEWG’s Initial Pre-Draft is a timely reminder in this regard, that most States are still in the process of developing their national positions. The interplay between these three conversations around international law and cyberspace will be interesting to observe.

The Centre for Communication Governance’s comments to the Initial Pre-Draft can be accessed here.

The Architecture of Cybersecurity Institutions in India

This is an edited excerpt of Part IV and Annexure ‘B’ of CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020 (NCSS 2020). The full text of the Comments can be accessed here.

This consolidated organogram is a depiction of cyber security institutions in India as an inter-ministerial and inter-departmental ecosystem. Different ministries and departments are in charge of different aspects of national security in general and cyber security in particular.

The National Security Advisor (NSA) holds a rank equivalent to a Cabinet Minister in charge of the National Security Council Secretariat (NSCS) and is the apex officer relating to national security. The NSA is also in charge of the National Technical Research Organization (NTRO) which is a technical intelligence agency under the Prime Minister’s Office (PMO). The National Critical Information Infrastructure Protection Centre (NCIIPC) was established under Section 70A of the Information Technology Act, 2000 and functions as a unit of the NTRO. 

The National Cyber Security Coordinator (NCSC) is the nodal officer for issues related to cybersecurity, functioning under the PMO along side the NSCS to coordinate with different agencies like CERT-In at the national level.

Our research reveals that the Ministry of Communications, Ministry of Electronics and Information Technology (MeitY), Ministry of Home Affairs (MHA), Ministry of Defence (MoD) and the Ministry of External Affairs (MEA) are most relevant to the establishment, operation and maintenance of technical and administrative ecosystem that enables cybersecurity. The departmental structure of each of these Ministries is outlined below.


Ministry of Communications

The Ministry of Communications consists of two Departments – (i) Department of Telecommunications (DoT) and the (ii) Department of Posts.

The DoT deals with  (a) issues of policy, licensing and coordination matters relating to telegraphs, telephones, wireless, data, facsimile and telematic services and other like forms of communications, (b) standardization, research and development in telecommunications, (c) procurement of stores and equipment required by the Department of Telecommunications and (d) administration of laws including the Indian Telegraph Act, 1885 (13 of 1885), the Indian Wireless Telegraphy Act, 1933 (17 of 1933), the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), among others. Within its ambit is also the Digital Communications Commission, which is responsible for implementing the Government’s telecom policy in all matters relating to telecommunication.

Ministry of Electronics and Information Technology

The Ministry for Electronics and Information Technology (MeitY) deals with all policy matters relating to information technology, electronics and the internet (barring issues relating to licensing of Internet Service Providers, which fall within the mandate of the DoT). Its major functions include (a) the administration of matters relating to cyber laws including the Information and Technology Act, 2000, (b) Promotion of standardization, testing and quality in IT and standardization of procedure for IT application and Tasks and (c) digital initiatives including Digital India, among others.

Significantly, the Indian Computer Emergency Response Team (CERT-In) as well as the Unique Identification Authority of India (UIDAI) are both within its ambit. The Cyber Swacchta Kendra (Botnet Cleaning and Malware Analysis Center) functions under CERT-In.

Ministry of Home Affairs

The Ministry of Home Affairs (MHA) discharges multifarious responsibilities, the important among them being – internal security, border management, Centre-State relations, administration of Union Territories, management of Central Armed Police Forces, disaster management, etc. The MHA continuously monitors the internal security situation, issues appropriate advisories, shares intelligence inputs, extends manpower and financial support, guidance and expertise to the State Governments for maintenance of security, peace and harmony.

Among others, the MHA’s Cyber and Information Security Division (consisting of the Cyber Crime Wing, Cyber Security Wing and Monitoring Unit) as well as some wings of the Department of Internal Security including the Modernization Division of the Police and the Counter Terrorism and Counter Radicalization Division have particular relevance to cyber security.

The Indian Cyber Crime Coordination Centre (I4C) was established as a scheme in 2018 to combat cyber crime in a coordinated and effective manner.

Ministry of Defence

The MoD is comprised of four Departments – Department of Defence (DOD), Department of Defence Production (DDP), Defence Research & Development Organisation (DRDO) and Department of Ex-Servicemen Welfare and also Finance Division.

A new Department of Military Affairs has been created recently, and is headed by the Chief of Defence Staff, General Bipin Rawat. Departments that have particular relevance to cybersecurity, including the newly established Defence Cyber Agency are highlighted.

Ministry of External Affairs

The Ministry of External Affairs (MEA) is responsible for all matters relating to India’s external affairs including consular functions. Departments / activities that have relevance to cybersecurity are highlighted in purple, including international security, counter terrorism and others. The New Emerging and Strategic Technologies (NEST) Division was recently set up as the nodal point for all matters connected to new and emerging technologies including exchange of views with foreign governments and coordination with domestic ministries and departments.  News reports indicate that a major restructuring of the MEA is in the offing.