Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 2): Threats, Cyber Norms and International Law

Ananya Moncourt & Sidharth Deb

“Aspects of Cyber Conflict (pt. 3)” by Linda Graf is licensed under CC BY 4.0

Introduction

Part 1 of this three part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) analysed key organisational developments regarding multistakeholder participation. The post contextualised the OEWG’s institutional mandate, analysed the impact of the Russia-Ukraine conflict on discussions, traced differing State positions, and critiqued the overall inclusiveness of final modalities on stakeholder participation at the OEWG.

This post (and subsequently Part 3) analyses substantial discussions at the session held between March 28 and April 01, 2022. These discussions were organised according to the OEWG’s mandate outlined in UN General Assembly (GA) Resolution 75/240. Accordingly, Part 2’s analysis covers:

• existing and potential threats to “information security”.
• rules, norms and principles of responsible State behaviour i.e. cyber norms.
• international law’s applicability to States’ use of ICTs.

Both posts examine differing State interventions, and India’s interventions under each theme. The combined analysis of Parts 2 and 3 provides evidence that UN cybersecurity processes struggle with an inherent tension. This relates to the dichotomy between the OEWG’s mandate, which is based on confidence building, cooperation, collective resilience, common understanding and mutual accountability; as against the geopolitical rivalries which shape multilateralism. Specifically, it demonstrates the role of lawfare within these processes.

Existing and Potential Threats

Discussions reflected the wide heterogeneities of States’ perceptions of threats in cyberspace. The US, UK, EU, Estonia, France, Germany, Canada, Singapore, Netherlands and Japan prioritise securing critical infrastructure and ICT supply chains. Submarine cables, communication networks, rail systems, the public core of the internet, healthcare infrastructure and information assets, humanitarian databases, and oil and gas pipelines were cited as contemporary targets. Ransomware and social engineering were highlighted as prominent malicious cyber techniques.

In contrast, Russia, China and allies like Syria, Cuba and Iran urged the OEWG to address threats which conform to their understanding of “information security”. Premised on information sovereignty and domestic regime stability, prior proposals like the International Code of Conduct for Information Security offers a template in understanding their objectives. These States advocate regulating large-scale disinformation, terrorism, recruitment, hate speech and propaganda occurring over private digital platforms like social media. Cuba described such ICTs as tools for interventionism and destabilisation which interfere in States’ internal affairs. Iran and Venezuela cautioned States against using globally integral ICT systems as conduits for illegitimate geopolitical goals, which compromise other States’ cyber sovereignty—a recurring theme of these States’ engagement at the session.

Netherlands and Germany described threats against democratic and/or electoral processes as threats to critical infrastructure. Similarly, France described disinformation as a risk to security and stability in cyberspace. This is important to track since partial intersections with the Sino-Russian understanding of information security could increase future prospects of information flows regulation at the OEWG.

Developing States like Brazil, Venezuela and Pakistan characterised the digital/ICT divide between States as a major threat to cyberspace stability. Thus, capacity building, multistakeholder involvement and international cooperation — at CERT, policymaking and law enforcement levels — were introduced early as key elements of international cybersecurity. UK and Russia supported this agenda. France, China and Ecuador identified the development of cyber offensive capabilities as an international threat since they legitimise cyberspace as a theatre of military operations.

India’s participation in this area treads a middle ground. ICT supply chain security across infrastructure, products and services; and the protection of “critical information infrastructures” (CIIs) integral to economies and “social harmony” were stated priorities. Notably, the definition of CIIs under the Information Technology Act does not cite social harmony. India cited ransomware, misinformation, data security breaches and “… mismatches in cyber capabilities between Member States” as contemporary threats. To mitigate these threats, India advocated for improved information sharing and cooperation at technical, policy and government levels across Member States.

Cyber Norms

States disagreed on whether prior GGE and OEWG consensus reports serve as a minimum baseline for future cyber norms discussions. The Sino-Russian camp which includes Iraq, Nicaragua, Pakistan, Belarus, Cuba and others argued that cyber norms are an insufficient fix, and instead proposed a new legally binding instrument on international cybersecurity. China proposed a Global Initiative on Data Security as a blueprint for such a framework. Calls for treaties/conventions could trigger reintroduction of prior proposals on information security by these States.

The US, UK, Australia, Japan, France, Germany, Netherlands and allied States, and developing countries like Brazil, Argentina, Costa Rica, South Africa and Kenya argued that, instead of revisiting first principles, the current OEWG’s focus should be the implementation of earlier agreed cyber norms. Self-assessment of States’ implementation of the cyber norms framework was considered an international first step. The United Nations Institute for Disarmament Research (UNIDIR) in partnership with Australia, Canada, Mexico and others, launched a new national survey tool to gauge countries’ trajectories in implementation. Since cyber norms are voluntary, the survey serves as a soft mechanism of accountability, a platform which democratises best practices, and a directory of national points-of-contact (PoCs) wherein States can connect and collaborate.

States also raised substantive areas for discussions on new norms or clarifications on existing ones. Netherlands, US, UK and Estonia called for protections safeguarding the public core of the internet, since it comprises the technical backbone infrastructure in cyberspace which facilitates freedom of expression, peaceful assembly and access to online information. “Due diligence”— which requires States to not allow their territory to be used for internationally wrongful acts—was another substantive area of interest.

ICT supply chain integrity and attribution generated substantial interest. Given the close scrutiny on domestic companies, under this theme China recommended new rules and standards on international supply chain security. If analysed through lawfare this proposal perhaps aims to minimise targeted State measures against Chinese ICT suppliers in both telecom and digital markets.

The US pressed for deliberations on “attribution” and specifically public attribution of State-sponsored malicious cyber activities. China cautioned against hasty public attributions since it may cause escalation and inter-State confrontation. China argued that attributions on cyber incidents require complete and sufficient technical evidence. The sole emphasis on technical evidence (which ignores surrounding evidence and factors) could be strategic since it creates a challenging threshold for attribution. As a result it could counter-intuitively end up obfuscating the source of malicious activities in cyberspace.

Discussions on “critical infrastructure” protection also raised important interventions. Singapore stated that critical infrastructure security should protect electoral and democratic integrity. China argued for an international definition of “critical infrastructure” consistent with sovereignty. Over time such representations could further legitimise greater information controls and embed the Sino-Russian conception of information security within global processes.

India focused on supply chain integrity, critical infrastructure protection and greater institutional and policy cooperation. They advocated close cooperation in matters involving criminal and terrorist use of ICTs. There were also brief references to democratisation of cyber capabilities across Member States and the role of cloud computing infrastructure in future inter-State conflicts. This served as a prelude to India’s interventions under international law.

International Law

Familiar geopolitical fragmentations shaped discussions. Russia, China, Cuba, Belarus, Iran, and Syria called for a binding international instrument which regulates State behaviour in cyberspace. Belarus argued that extant international legal norms and the UN Charter lack meaningful applicability to modern cyber threat landscapes. Russia and Syria called for clarity on what areas and issues fall within the sphere of international cybersecurity. Viewed through the lens of lawfare, it appears that such proposals aim to integrate their conceptions of information security within OEWG discussions.

EU, Estonia, Australia and France argued this would undermine prior international processes and the cyber norms framework. The US, UK, Australia, Canada, Brazil, France, Japan, Germany and Korea instead focused on developing a common understanding on international law’s applicability to cyberspace, including the UN Charter. They pushed for dialogue on international humanitarian law, international human rights law, prohibition on the use of force, and the right to self-defence against armed attacks. Similar to previous failed negotiations at the 5^th GGE, these issues continue to remain contentious areas. For instance, Cuba argued against the applicability of the right to self-defence since no cybersecurity incident can qualify as an “armed attack”.

Sovereignty, sovereign equality and non-interference in States’ internal affairs were prominent issues. Other substantive areas included attribution (technical, legal and political), critical infrastructure protection and the peaceful settlement of disputes. To enable common understanding and potential consensus on international law, the US, Singapore and Switzerland advocated the OEWG follow a similar approach to the 6^th UN GGE. Specifically, they suggested developing a voluntary compendium of national positions on the applicability of international law in cyberspace.

India addressed issues relating to sovereignty, non-intervention in internal affairs, prohibition of the use of force, attribution, and dispute settlement. It discussed the need to assign international responsibility on States for cyber operations emerging from one State and which have extra-territorial effects. They argued for States enjoying the sovereignty to pass domestic laws/policies towards securing their ICT environments. India advocated imposing upon States an obligation to take reasonable steps to stop ICT-based internationally wrongful acts domestically. Finally, it highlighted that international law must adapt to the role of cloud computing hosting data/malicious activities in cross-border settings.

Conclusion | Previewing Part 3

In Part 2 of this series on the second substantive session of the OEWG on ICT Security (2021-25) we have analysed States’ interventions on matters relating to existing and potential threats to information security; the future role of cyber norms for responsible State behaviour in cyberspace; and the applicability of international law within cyberspace. In Part 3 we assess discussions relating to confidence building measures, capacity building and regular institutional dialogue. While this post reveals the geopolitical tensions which influence international cybersecurity discussions, the next post focuses extensively on the international cooperation, trust building, technical and institutional collaboration, and developmental aspects of these processes.

Critiquing the Definition of Cyber Security under India’s Information Technology Act

Archit Lohani

“Security Measures” by Afsal CMK is licensed under CC BY 4.0

Introduction

As boundary-less cyberspace becomes increasingly pervasive, cyber threats continue to pose serious challenges to all nations’ economic security and digital development. For example, sophisticated attacks such as the WannaCry ransomware attack in 2017 rendered more than two million computers useless with estimated damages of up to four billion dollars. As cyber security threats continue to proliferate and evolve at an unprecedented rate, incidents of doxing, distributed denial of service (DDoS), and phishing attacks are on the rise and are being offered as services for hire. The task at hand is intensified due to the sheer number of cyber incidents in India. A closer look suggests that the challenge is exacerbated due to an outdated framework and lack of basic safeguards.

This post will examine one such framework, namely the definition of cybersecurity under the Information Technology Act, 2000 (IT Act).

Under Section 2(1)(nb) of the IT Act:

“cyber security” means protecting information, equipment, devices computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction;

This post contends that the Indian definitional approach adopts a predominantly technical view of cyber security and restricts effective measures to ensure cyber-resilience between governmental authorities, industry, non-governmental organisations, and academia. This piece also juxtaposes the definition against key elements from global standards under foreign legislations and industry practices.

What is Cyber security under the IT Act?

The current definition of cyber security was adopted under the Information Technology (Amendment) Act, 2009. This amendment act was hurriedly adopted in the aftermath of the Mumbai 26/11 terrorist attacks of 2008.  The definition was codified to facilitate protective functions under Sections 69B and 70B of the IT Act. Section 69B enables monitoring and collection of traffic data to enhance cyber security, prevent intrusion and spread of contaminants. Section 70B institutionalised Computer Emergency Response Team (CERT-In), to identify, forecast, issue alerts and guidelines, coordinate cyber incident response, etc. and further the state’s cyber security imperatives. Subsequently, the evolution of various institutions that perform key functions to detect, deter, protect and adapt cybersecurity measures has accelerated. However, this post argues that the current definition fails to incorporate elements necessary to contemporise and ensure effective implementation of cyber security policy.

Critique of the IT Act definition

It is clear that deterrence has failed as the volume of incidents does not appear to abate, making cyber-resilience a realistic objective that nations should strive for. The definition under the IT Act is an old articulation of protecting the referent objects of security- “information, equipment, devices computer, computer resource, communication device and information” against specific events that aim to cause harm these objects through “unauthorised access, use, disclosure, disruption, modification or destruction”.

There are a few issues with this dated articulation of cybersecurity. First, it suffers from the problem of restrictive listing as to what is being protected (aforementioned referent objects). Second, by limiting the referent objects and events within the definition it becomes prescriptive. Third, the definition does not capture the multiple, interwoven dimensions and inherent complexity of cybersecurity which includes interactions between humans and systems. Fourth, due to limited enlisting of events, similar protection is not afforded from accidental events and natural hazards to cyberspace-enabled systems (including cyber-physical systems and industrial control systems). Fifth, the definition is missing key elements – (1) It does not include technological solutions aspect of cyber security such as in the International Telecommunication Union (2009) definition that acknowledges “technologies that can be used to protect the cyber environment” and; (2) fails to incorporate the strategies, processes, and methods that will be undertaken. With key elements missing from the definition, it falls behind contemporary standards, which are addressed in the following section.

To put things in perspective, global conceptualisations of cybersecurity are undergoing a major overhaul to accommodate the increased complexity, pace, scale and interdependencies across the cyberspace and information and communication technologies (ICT) environments. In comparison, the definition under the IT Act has remained unchanged.

Although wider conceptualisations have been reflected through international and national engagements such as the National Cyber Security Policy (NCSP). For example, within the mission statement the policy document recognises technological solution elements; and interactions between humans and ICTs in cyberspace as one key rationale behind the cyber security policy.

However, differing conceptualisations across policy and legislative instruments can lead to confusion and introduce implementational challenges within cybersecurity regulation. For example, the 2013 CERT-In Rules rely on the IT Act’s definition of cyber security and define cyber security incidents and cyber security breaches. Further emphasising the narrow and technically dominant discourse which relate to the confidentiality, integrity, and availability triad.

The following section examines a few other definitions to illustrate the shortcomings highlighted above.

Key elements of Cyber security

Despite a plethora of definitions, there is no universal agreement on the conceptualisation of cybersecurity globally. This has manifested into the long-drawn deliberations at various international fora.

Cybersecurity aims to counter and tackle a constantly evolving threat landscape. Although it is difficult to build consensus on a singular definition, a few key features can be agreed upon. For example, the definition must address interdisciplinarity inherent to cyber security, its dynamic nature and the multi-level complex ecosystem cyber security exists in. A multidisciplinary definition can aid authorities and organizations in having visibility and insight as to how new technologies can affect their risk exposure. It will further ensure that such risks are suitably mitigated. To effectuate cyber-resilience, stakeholders have to navigate governance, policy, operational, technical and legal challenges.

An inclusive definition can ensure a better collective response and bring multiple stakeholders to the table. To institutionalise greater emphasis on resilience an inclusive definition can foster cooperation between various stakeholders rather than a punitive approach that focuses on liability and criminality. An inclusive definition can enable a bottom-up approach in countering cyber security threats and systemic incidents across sectors. It can also further CERT-In’s information-sharing objectives through collaboration between stakeholders under section 70B of the IT Act.

When it comes to the regulation of technologies that embody socio-political values, contrary to popular belief that technical deliberations are objective and value-neutral, such discourse (in this case, the definition) suffers from the dominance of technical perspectives. For example, the definition of cybersecurity under the National Institute of Standards and Technology (NIST) framework is, “the ability to protect or defend the use of cyberspace from cyber-attacks” directs the reader to the definitions of cyberspace and cyberattack to extensively cover its various elements. However, the said definitions also has a predominantly technical lens.

Alternatively, definitions of cyber security would benefit from inclusive conceptions that factor in human engagements with systems, acknowledge interrelated dimensions and inherent complexities of cybersecurity, which involves dynamic interactions between all inter-connected stakeholders. An effective cybersecurity strategy entails a judicious mix of people, policies and technology, as well as a robust public-private partnership.

Cybersecurity is a broad term and often has highly variable subjective definitions. This hinders the formulation of appropriately responsive policy and legislative actions. As a benchmark, we borrow the Dan Purse et al. definition of cybersecurity– “the organisation and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.” The benefit of this articulation is that it necessitates a deeper understanding of the harms and consequences of cyber security threats and their impact. However, this definition cannot be adopted within the Indian legal framework as (a) property rights are not recognised as fundamental rights and (b) this narrows its application to a harms and consequences standard.

Most importantly, the authors identify five common elements to form a holistic and effective approach towards defining cybersecurity. The following elements are from a literature review of 9 cybersecurity definitions are:

• technological solutions
• events
• strategies, processes, and methods
• human engagement; and
• referent objects.

These elements highlight the complexity of the process and involve interaction between humans and systems for protecting the digital assets and themselves from various known and unknown risks. Simply put, any unauthorized access, use, disclosure, disruption, modification or destruction results in at least, a loss of functional control over the affected computer device or resource to the detriment of the person and/or legal entity in whom lawful ownership of the computer device or resource is vested. The definition codified under the IT Act only partly captures the complexity of ‘cyber security’ and its implications.

Conclusion

Economic interest is a core objective that necessitates cyber-resilience. Recognising the economic consequences of such attacks rather than protecting limited resources such as computer systems acknowledges the complex approaches to cybersecurity. Currently, the definition of cybersecurity is dominated by technical perspectives, and disregards other disciplines that should be ideally acting in concert to address complex challenges. Cyber-resilience can be operationalised through a renewed definition; divergent approaches within India to tackle cybersecurity challenges will act as a strategic barrier to economic growth, data flow, investments, and most importantly effective security. It will also divert resources away from more effective strategies and capacity investments. Finally, the Indian approach should evolve and stem from the threat perception, the socio-technical character of the term, and aim to bring cybersecurity stakeholders together.

Technology & National Security Reflection Series Paper 10: International Responsibility for Hacker-for-Hire Operations: The BellTrox Problem

Anmol Dhawan^*

About the Author: The author is a 2021 graduate of National Law University, Delhi.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author’s contribution serves as an adapted reflection to the following proposition:

“From the standpoint of international law, does the Government of India bear any international legal responsibility for the actions of BellTrox InfoTech Services (or any other similar ‘hackers-for-hire’ operations run from Indian territory)? If yes, what are the legal prerequisites that need to be satisfied to affix such responsibility on the Government? If not, explain with reasons.” 

1. INTRODUCTION 

In 2020, The Citizen Lab released a report naming an obscure Delhi-based company, Belltrox Infotech Services, as a major player in commercial espionage operations against high-profile organizations as a hacker-for-hire entity. The targets included nonprofits and advocacy groups working on issues like climate change and net neutrality in the US, such as the Rockefeller Family Fund, Free Press, and Greenpeace.

Such cyber-espionage activities, inter alia, highlight the uncertainty in the application of international law in cyberspace. An analysis of BellTrox’s alleged operations raises questions as to whether there is an internationally wrongful act for which responsibility needs to be affixed, who bears such responsibility, and to what extent. 

As per Article 2 of the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (‘ARSIWA’), a State is responsible for an internationally wrongful act when it commits an act or omission fulfilling two basic criteria. First, the act or omission is attributable to that State; and second, it constitutes a breach of that State’s international obligation. 

Accordingly, this piece analyses the nature of attribution in the cyber context, the problems therein, and whether current frameworks take account of the unique nature of cyber-attacks vis-à-vis hacker-for-hire situations. Further, the article evaluates whether low-level cyber-attacks such as BellTrox’s constitute a breach of an international obligation, with particular reference to the principles of sovereignty and non-intervention. Finally, the piece attempts to distill shortcomings under the international law regime governing cyberspace and considers avenues to bridge the gaps. 

“Hackers (pt. 1)” by Ifrah Yousuf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

2. ATTRIBUTION 

Attribution is a normative operation used to demonstrate a nexus between the perpetrators of an act and a State. Although conduct under ARSIWA is limited to acts of State organs, Article 8 states that the wrongful conduct of a non-State entity directed or controlled by that State may be attributable to the State.

Traditionally, such attributability was restricted to activities carried out under a State’s ‘effective control’. As applied by the International Court of Justice (‘ICJ’) in Nicaragua, the effective control test requires a State to have, directed, commanded, or otherwise directly controlled the actor in question. The Tallinn Manual also follows this threshold for attribution in cyberspace. However, BellTrox’s conduct cannot be attributed to India under this test as the company is neither a State organ nor is there any evidence reflecting that it acted under the control of the Indian state. Further, BellTrox’s conduct cannot be attributed to India under the much lower threshold of the ‘overall control’ test of the International Criminal Tribunal for the Former Yugoslavia’s in Tadic (which the ICJ later rejected in the Bosnian Genocide Case) either. Under the overall control test, even supporting, equipping, or financing a non-state actor could suffice for attribution.

In evaluating responsibility for non-state actors’ conduct, we must consider other standards seen in international law. The US response to the 9/11 attacks marked a shift from the traditional responsibility thresholds towards an ‘indirect responsibility’ criterion. This threshold can be inferred from the communication of the US to the UN Security Council, in establishing a right of self-defense. The US focused on an ‘unwillingness’ standard, highlighting the Taliban regime’s refusal to change its policy towards Al Qaeda despite having control over large areas where it operated. However, in invoking this standard, the US emphasized that the Taliban gave some degree of support to Al Qaeda over and above mere sanctuary.

Although this theory of indirect or vicarious responsibility does not have enough support to constitute customary international law, it does find some backing in the Corfu Channel judgment. The ICJ held that States ought not to allow their territory to be used in a way that endangers other States. This idea has developed in relation to terrorist activities, whereby the Friendly Relations Declaration as well as UN Security Council  Resolution 1373 demand that States deny safe haven to terrorist activities.

Jason Healey expands on such a standard of passive responsibility, focussing on a State’s accountability for fostering an environment where attacks could occur instead of “shrinking the sanctuaries from where criminals act with impunity.” ICJ’s Tehran judgment also supports the proposition that a State’s failure to take appropriate steps to prevent violations could render it responsible for the wrongful conduct.

If we were to apply this broad threshold, it is conceivable that BellTrox’s conduct could be attributed to India. However, a State cannot be held responsible for all acts perpetrated within its territory. Thus, a more ideal starting point of assigning State responsibility for non-State actors’ conduct in cyberspace should involve combining the aforementioned standard with the ‘due diligence’ principle. Accordingly, attribution would entail a two-step determination. First, ascertaining a State’s unwillingness to prevent a non-state actor’s illegal conduct despite being in a position to do so. Second, whether the State exercised reasonable due diligence in attempting to prevent the conduct. A failure in either could render the State internationally responsible. 

Scholars have suggested specific guidelines for due diligence, including enacting criminal law against the commission of cyber-attacks, instituting good-faith investigations and prosecution, and cooperation with victim States. The 2015 Report of the Group of Government Experts (GGE) calls upon States to respond to requests for mitigating malicious ICT activity arising out of their territory. The GGE report highlights that knowledge plays a role in determining attributability and States have a due diligence obligation towards post-facto mitigation of identified unlawful cyber activity emanating from their territory. 

As Healey emphasizes– unfortunately, in cyberspace, States do not expect other States to exercise the same degree of control over their subjects; and the international community considers States helpless in mitigating cyber attacks originating from their territory.  However, moving away from a narrow attribution requirement, victim States could push origin States towards taking well-established steps for mitigating attacks and ensuring prosecution to avoid responsibility for wrongful conduct.

3. SOVEREIGNTY AND NON-INTERVENTION 

The second prong of State responsibility is the requirement of the breach of a State’s international obligation. As per the UN GGE’s 2013 and 2015 reports, States are, in principle, at a consensus as to the application of the principles of sovereignty and non-intervention in cyberspace. In essence, the principle of State sovereignty relates to a State’s authority over its territorial integrity, sovereign functions, and political independence to the exclusion of others. The prohibition on unlawful intervention derives from the principle of sovereignty, and as outlined by the ICJ in Nicaragua, points to the coercion of one State by another in matters within the former’s sovereignty.

The first element of intervention, i.e., ‘coercion’, refers to an attempt to influence an outcome in the target state, depriving the target state of control over the ‘functions inherent in sovereignty’. An  example of coercive behavior could be the use of cyberspace to compel another state to adopt a particular legislation. This understanding under the Tallinn Manual is broadened to include all kinds of coercive acts designed to force a state to act, or not act, in a particular manner. 

It is unlikely that international law, as it stands, would find cyber-operations like BellTrox’s to be coercive. Although targeting of eminent private groups and advocacy organizations may point towards an attempt to influence US policy, it cannot be concluded that the operations or the information gathered could have pressurized the US government to legislate in a particular manner. 

The second element of intervention is that the coercive behaviour must be directed towards the ‘matters in which a State is permitted to decide freely’. The Friendly Relations Declaration defines an intervention as interference in the State’s personality or against its political, economic, and cultural elements. The Tallinn Manual 2.0 bases violation of sovereignty on the usurpation of an inherently governmental function through interference in matters within the domaine reserve of the State.

However, to engage the non-intervention principle, the operations must be directed at the State’s practical ability to exercise its sovereign function. Thus, the NotPetya attacks attributed to Russia, which targeted Ukraine’s financial system, transport and energy facilities have been considered violations of international law by the UK and its allies. However, a spear-phishing campaign attacking private Universities and NGOs or the WannaCry ransomware attack attempting to extort hard currency from users were not considered as such. The US called the alleged Russian hacking of the Democratic National Congress an ‘attempt to interfere with its election process’, with Department of State’s Legal Adviser Brian Egan categorizing it “a clear violation of the rule of non-intervention.”

In contrast, Belltrox’s alleged hacker-for-hire scheme appears to target private persons, institutions, and advocacy firms without directly interfering in sovereign functions. Even if BellTrox’s actions are considered as attempts to influence US policy, public interest advocacy and policy research are not exclusively governmental functions. Moreover, espionage against private organizations does not preclude a State from deciding freely on sovereign matters. Resultantly, it is unlikely that BellTrox’s operations would ipso facto constitute an internationally wrongful act of intervention.  

4. CONCLUSION 

The BellTrox problem highlights the need to move away from the traditional attribution fixation to hold States accountable for mitigating cyber-attacks. The conventional understanding of internationally wrongful acts only takes into account the nature of kinetic warfare and interventions in other States, thus failing to account for the ability of non-State actors to cause similar damage when shielded and given a safe haven by States. Therefore, instead of the ‘effective control’ and ‘overall control’ tests, a shift towards the theory of ‘indirect responsibility’, in combination with a due diligence standard for states, would be more effective in the cyber world. 

Applying such a test, if India did provide a safe haven to BellTrox, in that it ignored the threat or was unwilling to mitigate it despite knowledge of malicious cyber-activities, these activities could be attributed to India. Further, on account of the due diligence requirement, a State’s failure to take appropriate action on intimation by a victim State would strengthen the latter’s claim for affixing responsibility. 

In regard to intervention in sovereign matters, the expanded understanding in Nicaragua and the Tallinn Manual reflects that a direct attempt to cause a change in another State’s law or policy would constitute an unlawful intervention. However, the problem in the current scenario lies in showing that BellTrox could use the information gathered to coerce the US to act towards a particular objective. Indirectly influencing the actions of private individuals and advocacy organizations might not restrict the State in its sovereign functions and hence, is unlikely to constitute intervention. 

The BellTrox case outlines multiple gaps in international law with respect to cyberspace. Although existing law might not hold States internationally responsible for non-state actors’ private cyber operations originating from within their territory, victim States must invoke the accountability of origin States for mitigating cyber threats and ensuring prosecution. Further, pressure by the international community on States to conform to their due diligence obligations would be a substantive move in the right direction.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 9: Legality of Foreign Influence Operations (“FIOS”) Under International Law

Neeraj Nainani^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. He currently works as an Associate at AZB & Partners, Mumbai. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

1. INTRODUCTION

States have always tried to influence opinions and politics of other sovereign states. Sun Tzu advocated spreading false information to take tactical advantage while Genghis Khan and his men planted rumors about their cruelty and their horsemen to spread fear and to weaken the enemy’s resilience.¹ However, changes in technology have drastically altered the way in which influence operations are conducted. The continuous evolution of information technology (“IT”) has resulted in progressive transformation in the information environment both in terms of constituent elements and inherent dynamics. 

Due to this transformation, the dissemination of information on a large scale is no longer controlled by a few stakeholders within democracies. This transformation is accelerated by the advent of online and social media platforms. Such platforms have upended the financial configuration of the media landscape in a manner in which prioritizes commercial revenues over the reliability and integrity of information which is consumed. 

These incentive structures have become fertile ground for influence operations which are increasingly shifting to cyberspace. In fact these online influence operations are being used to interfere in matters of other countries, especially elections. Cyber influence operations are defined as

“… activities that are run in cyberspace, leverage this space’s distributed vulnerabilities, and rely on cyber-related tools and techniques to affect an audience’s choices, ideas, opinions, emotions or motivations, and interfere with its decision making processes”.

The author will look at the status of cyber influence operations under international law and examine whether they violate principles of sovereignty and non-intervention and other obligations of states under international law. 

“Aspects of Cyber Conflict (pt. 4)” by Linda Graf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

2. FIOs AND THE PRINCIPLE OF SOVEREIGNTY

A state’s sovereignty is one of the most important concepts in international law. The ICJ has recognized the centrality of sovereignty by holding that “the whole international law rests” upon the concept of sovereignty. However, scholars highlight two issues as challenges to the argument that cyber influence operations may violate a State’s sovereignty. 

First, the conceptual understanding of sovereignty is currently challenged as an international legal obligation, especially in cyberspace. The authors of the Tallinn Manual on the international law applicable to cyber operations have recognized sovereignty as a primary and central principle of international law. The United Kingdom has observed that even though sovereignty is an important concept in international systems, “we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention”. The chief lawyer to the U.S. Cyber Command has also argued that sovereignty is “a principle of international law that guides state interactions, but is not itself a binding rule that dictates results under international law”.

The second argument pertains to the application of sovereignty principle over influence operations. Tallinn Manual 2.0 recognizes that a cyber operation constitutes a violation of sovereignty when they result in cause “physical damage or injury”, or the remote causation of “loss of functionality” of infrastructure in the target state or when they interfere with or usurp inherently governmental functions. However, there was division among the experts on the threshold which would amount to violation. The test is irrelevant for cyber influence operations as they generally do not cause physical damage or loss of functionality. Further, the authors of Tallinn manual were also not able to reach consensus on whether the cyber influence operations violate notions of territorial sovereignty of nations states.

The other touchstone to test cyber influence operations is on the notion of interfering with or usurping inherently governmental functions. Some authors have argued that it is unclear “whether a cyber influence operation on an election falls within the bounds of the terms ‘interference’ or ‘usurpation’.” Authors of Tallinn Manual have argued that the transmission of propaganda alone is generally not a violation of sovereignty. Michael Schmitt argues that the doxing operations disclosing crucial confidential information at crucial moments before the national elections as well disinformation campaigns involving overt acts from fake accounts are serious and classification of these serious influence operations as violations of sovereignty is “somewhat supportable”. Schmitt concludes that influence operations currently fall within “the legal grey zone of the law of sovereignty”.

One of the arguments to consider is that influence operations are generally backed with some additional overt or covert act such as doxing supported by hacks, or information warfare supported by the violation of privacy. UNGA has observed in the context of elections that “any activities that attempt, directly or indirectly, to interfere in the free development of national electoral processes, in particular in the developing countries, or that are intended to sway the results of such processes, violate the spirit and letter of the principles established in the Charter”. 

Influence operations do more than merely transmit propaganda. They perform subversive acts aiming at destabilizing State institutions by influencing nationals of another State; and enable militant democracy which allows the attacking state to indulge in political and legal warfare in the medium and long term. Further, influence operations interfere with the duty of the state to conduct free and fair elections.

3. FIOs AND THE PRINCIPLE OF NON-INTERVENTION

The other possible argument questioning the legality of influence operations under international law is the settled principle of non-interference. As per the ICJ’s decision in Nicaragua, an intervention by a State is unlawful when first, it has a bearing on matters which by principle the state can decide freely, second, the state uses methods of coercion. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations provides that “a State may not intervene, including by cyber means, in the internal or external affairs of another State” 

Duncan Hollis identifies two key issues with bringing cyber-enabled foreign influence operations within the principle of non-intervention. Firstly, that the content of the categories i.e. internal and external affairs of the state is not well defined. He argues that in earlier times there were subjects clearly cabined off from international attention that a state could address. However, with technological advancements and globalization, such subjects are limited and every subject attracts international attention. Therefore, any idea defining internal affairs of the state is likely to be limited, contested, and dynamic. However, the influence operations do not merely mean ‘international interest’ from a particular state. Influence operations more often than not, are clandestine operations by States – designed to meddle with the internal affairs of the country which shows a hint of militant democracy. 

Second, Hollis argues that influence operations do not meet with the criteria of coercion as narrowly defined in International Law. Tallinn Manual defines Coercion as “designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way”. This must be “distinguished from persuasion, criticism, public diplomacy, propaganda, retribution, mere maliciousness…” because “such activities merely involve either influencing (as distinct from factually compelling) the voluntary actions of the target State, or seek no action on the part of the target State at all”. It has been argued that the very nature of influence operation is to have target adopt or change certain behaviors willingly, which implies an absence of coercion. Another argument is that a legal finding that the State acted due to/under the influence of coercion would depend on recognizing and attributing some individual or group as the target of the coercion and identifying threatened consequences.

However, a broader conceptual understanding of coercion can be identified in efforts to bolster the argument that non-intervention includes the conduct of a State which weakens, undermines or compromises the authority of another State. The argument emphasizes on the examination of context and consequences while determining whether a State was compelled to act in a manner it otherwise wouldn’t have.

This broad approach is supported by observations made by the experts in Tallinn Manual 1.0 where they observed that the prohibited forms of interventions include “the manipulation by cyber means of elections or of public opinion on the eve of elections, as when online news services are altered in favor of a particular party, false news is spread, or the online services of one party are shut off”.

4. CONCLUSION

Various authors have highlighted that it is very difficult to argue that cyber influence operations questioning the democratic legitimacy of a target State falls within the ‘prohibited forms of intervention’. Similar arguments have been made for questions pertaining to the principle of sovereignty as well. Michael Schmitt has also observed cyber influence operations fall within a significant legal grey zone. However, an important question which is asked is whether these primary principles of international law which have developed on the basis of kinetic conflicts could be applied to cyberspace by analogy. Other scholars have also argued that cyber influence operations can better examined through lens of “self-determination”, “duty of due diligence” and also arguing  “information ethics” should inform our legal interpretation of damage and violence in cyberspace. Due to challenges posed by traditional understanding of sovereignty and principle of non-intervention, it is important to reexamine these concepts in context of cyber influence operations and to apply concepts accordingly to address concerns raised by them. 

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. Sunil Narula, “Psychological Operations: A Conceptual Overview,” Strategic Analysis 28, no. 1 (2004): 180.

Introducing the Reflection Series on CCG’s Technology and National Security Law and Policy Seminar Course

In February 2022, CCG-NLUD will commence the latest edition of its Seminar Course on Technology and National Security Law and Policy (“the Seminar Course”). The Seminar Course is offered to interested 4th and 5th year students who are enrolled in the B.A. LL.B. (Hons.) programme at the National Law University, Delhi. The course is set against the backdrop of the rapidly evolving landscape of international security issues, and concomitant challenges and opportunities presented by emerging technologies.

National security law, viewed as a discrete discipline of study, emerges and evolves at the intersection of constitutional law; domestic criminal law and its implementation in surveillance; counter-terrorism and counter-insurgency operations; international law including the Law of Armed Conflict (LOAC) and international human rights law; and foreign policy within the ever-evolving contours of international politics.

Innovations and technological advancements in cyberspace and next generation technologies serve as a jumping off point for the course since they have opened up novel national security issues at the digital frontier. New technologies have posed new legal questions, introduced uncertainty within settled legal doctrines, and raised several legal and policy concerns. Understanding that law schools in India have limited engagement with cyber and national security issues, this Seminar Course attempts to fill this knowledge gap.

The Course was first designed and launched by CCGNLUD in 2018. In 2019, the Seminar Course was re-designed with the help of expert consultations to add new dimensions and debates surrounding national security and emerging technologies. The redesign was meant to ground the course in interdisciplinary paradigms in a manner which allows students to study the domain through practical considerations like military and geo-political strategy. The revised Seminar Course engages more  deeply with third world approaches which helps situate several issues within the rubric of international relations and geopolitics. This allows students to holistically critique conventional precepts of the international world order.  

The revamped Seminar Course was relaunched in the spring semester of 2020. Owing to the sudden countrywide lockdown in the wake of COVID-19, most sessions shifted online. However, we managed to navigate these exigencies with the support of our allies and the resolve of our students.

In adopting an interdisciplinary approach, the Seminar Course delves into debates at the intersection of national security law and policy, and emerging technologies, with an emphasis on cybersecurity and cyberwarfare. Further, the Course aims to:

1. Recognize and develop National Security Law as a discrete discipline of legal studies, and
2. Impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The Technology and National Security Seminar Reflection Paper Series (“The Reflection Series”) is meant to serve as a mirror of key takeaways and student learnings from the course. It will be presented as a showcase of exceptional student essays which were developed and informed by classroom discussions during the 2020 and 2021 editions of the Seminar Course. The Reflection Series also offers a flavour of the thematic and theoretical approaches the Course adopts in order to stimulate structured discussion and thought among the students. A positive learning from these two editions is that students demonstrated considerable intellectual curiosity and had the freedom to develop their own unique understanding and solutions to contemporary issues—especially in the context of cyberspace and the wider ICT environments. Students were prescribed atypical readings and this allowed them to consider typical issues in domains like international law through the lens of developing countries. Students were allowed to revisit the legitimacy of traditional sources of authority or preconceived notions and assumptions which underpin much of the orthodox thinking in geostrategic realms like national security.

CCG-NLUD presents the Reflection Series with a view to acknowledge and showcase some of the best student pieces we received and evaluated for academic credit. We thank our students for their unwavering support and fruitful engagement that makes this course better and more impactful.

Starting January 5, 2022, select reflection papers will be published three times a week. This curated series is meant to showcase different modules and themes of engagement which came up during previous iterations of the course. It will demonstrate that CCG-NLUD designs the course in a way which covers the broad spectrum of issues which cover topics at the intersection of national security and emerging technology. Specifically, this includes a showcase of (i) conceptual theory and strategic thinking, (ii) national security through an international and geostrategic lens, and (iii) national security through a domestic lens.

Here is a brief glimpse of what is to come in the coming weeks:

1. Reimagining Philosophical and Theoretical Underpinnings of National Security and Military Strategy (January 5-12, 2022)

Our first reflection paper is written by Kushagra Kumar Sahai (Class of ’20) in which he evaluates whether Hugo Grotius, commonly known as the father of international law owing to his seminal work on the law of war and peace, is better described as an international lawyer or a military strategist for Dutch colonial expansion.

Our second reflection paper is a piece written by Manaswini Singh (Class of ’20). Manaswini provides her take on Edward Luttwak’s critique of Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of strategy. In a separate paper (third entry), Manaswini also undertakes the task of explaining the relationship between technological developments and the conduct of war through the lens of the paradoxical logic of strategy.

Our fourth reflection paper is by Animesh Choudhary (Class of ’21) on Redefining National Security. Animesh, in his submission, points out several fallacies in the current understanding of national security and pushes for “Human Security” as an alternative and more appropriate lens for understanding security issues in the 21^st century.

2. International Law, Emerging Technologies and Cyberspace (January 14-24, 2022)

In our fifth reflection paper, Siddharth Gautam (Class of ’20) explores whether cyber weapons could be subjected to any regulation under contemporary rules of international law.

Our sixth reflection paper is written by Drishti Kaushik (Class of ’21) on The Legality of Lethal Autonomous Weapons Systems (“LAWS”). In this piece, she first presents an analysis of what constitutes LAWS. She then attempts to situate modern systems of warfare like LAWS and its compliance with traditional legal norms as prescribed under international humanitarian laws.

Our seventh reflection paper is written by Karan Vijay (Class of ’20) on ‘Use of Force in modern times: Sisyphus’ first world ‘boulder’. Karan examines whether under international law, a mere threat of use of force by a state against another state would give rise to a right of self-defence. In another piece (eighth entry), Karan writes on the authoritative value of interpretations of international law expressed in texts like the Tallinn Manual with reference to Article 38 of the Statute of the International Court of Justice i.e. traditional sources of international law.

Our ninth reflection paper is written by Neeraj Nainani (Class of ’20), who offers his insights on the Legality of Foreign Influence Operations (FIOs) under International law. Neeraj’s paper, queries the legality of the FIOs conducted by adversary states to influence elections in other states through the use of covert information campaigns (such as conspiracy theories, deep fake videos, “fake news”, etc.) under the established principles of international law.

Our tenth reflection paper is written by Anmol Dhawan (Class of ’21). His contribution addresses the International Responsibility for Hackers-for-Hire Operations. He introduces us to the current legal issues in assigning legal responsibility to states for hacker-for-hire operations under the due diligence obligation in international law.

3. Domestic Cyber Law and Policy (January 28- February 4, 2022)

Our eleventh and twelfth reflection papers are two independent pieces written by Bharti (Class of ’20)and Kumar Ritwik (Class of ’20). These pieces evaluate whether the Government of India’s ongoing response to the COVID-19 pandemic could have benefited if the Government had invoked emergency provisions under the Constitution. Since the two pieces take directly opposing views, they collectively product a fascinating debate on the tradeoffs of different approaches.

Our thirteenth and fourteenth reflection papers have been written by Tejaswita Kharel (Class of ’20) and Shreyasi (Class of ’20). Both Tejaswita and Shreyasi interrogate whether the internet (and therefore internet access) is an enabler of fundamental rights, or whether access to the internet is a fundamental right unto itself. Their analysis rely considerably on the Indian Supreme Court’s judgement in Anuradha Bhasin v. Union of India which related to prolonged government mandated internet restrictions in Kashmir.

We will close our symposium with a reflection paper by Romit Kohli (Class of ’21), on Data Localisation and National Security: Flipping the Narrative. He argues that the mainstream narrative around data localisation in India espouses a myopic view of national security. His contribution argues the need to go beyond this mainstream narrative and constructs a novel understanding of the link between national security and data localisation by taking into consideration the unintended and oft-ignored consequences of the latter on economic development.

Cyber Security at the UN: Where Does India Stand? (Part 2)

This is the second post of a two-part series which examines India’s participation in UN-affiliated processes and debates on ICTs and international security.

The first part offered an overview of how ideological divisions are shaping UN debates around the international framework for responsible state behaviour in the cyberspace. In this post, the author evaluates India’s stated positions on ICTs and international security at forums affiliated with the UN.

Author: Sidharth Deb

Introduction

As our digital transformation story has accelerated, Indian authorities have proactively worked on domestic laws, regulations and policies to govern digital and ICT domains. Prominent examples include its net neutrality regime; the 2021 intermediary guidelines and digital media ethics regulations; a soon to be enacted data protection law; and the National Cyber Security Policy, 2013, which is undergoing an overhaul. When it comes to institutional responses, India has, inter alia, operationalised a nodal Computer Emergency Response Team (“CERT-In”), sector specific CERTs, the National Critical Information Infrastructure Protection Centre (“NCIIPC”) to secure critical information infrastructures (“CIIs”), and the National Cyber Security Coordinator within the country’s National Security Council Secretariat.

Conversely, India’s participation at international cybersecurity processes like the United Nations’ Group of Governmental Experts (“GGEs”) and the Open-ended Working Groups (“OEWG”) remains less developed. It does not reflect its status as a digital deciding swing State in cyber norms processes. Some describe it as lacking cohesion, without substantive or long term commitment to advance an international agenda. They have further characterised India’s position as one of silence, ambiguity and prioritising immediate national interest. India has even shied away from supporting multistakeholder led norms packages on international cybersecurity such as the Paris Call for Trust and Security in Cyberspace. And this perceived positional ambiguity is further reinforced by the fact that it supported both Russia’s proposal for the first OEWG and the US’ proposal for the sixth GGE. India has also endorsed Russia’s proposal for an ad-hoc committee for a cybercrime convention under the United Nations General Assembly’s Third Committee on Social, Humanitarian and Cultural Issues.

Indian Statements on International Security and ICTs

Given that India has an opportunity to assume an internationally significant role in international cybersecurity and norms related debates under processes like the 2nd OEWG, this post attempts to extract and infer meaning from India’s seemingly inconsistent and ambiguous positions. This involves an analysis of publicly available evidence of India’s participation in working groups and other forums within the UN. Subsequent takeaways reflect a composite examination of:

1. India’s 2015 Comments to UNGA Resolution 70/237, which endorsed the GGE-developed international framework for responsible state behaviour in the cyberspace;
2. India’s statement at the June 2019 Organisational Session of the first OEWG;
3. India’s 2020 comments on the initial pre-draft of the OEWG’s report. These comments have been taken down from the OEWG website.
4. February 2021 comments/remarks and proposed edits (January 2021) by the Government of India on the zero draft of the OEWG’s final substantive report.
5. India’s statement at the UNSC Open Debate on international cybersecurity (June 2021).

While the Indian delegation participated in the first substantive session of the 2nd OEWG in December 2021, its interventions are, as of writing, unavailable on the OEWG’s website. Based on an overview of the aforementioned statements five key trends emerge.

First, the Indian Government appears to prefer state-led solutions over multistakeholderism to cybersecurity. While broadly highlighting the importance of multistakeholderism within internet governance, India’s 2015 submission at the UNGA has argued that governments play a primary role in cybersecurity since it falls within the umbrella of ‘national security’. India has also made explicit recommendations at the OEWG negotiations to remove references to “human-centric” approaches to replace them with terms like “peace and stability”. Such statements convey a top-down outlook to ICT and cybersecurity policy. India prefers stakeholders play a secondary role in cybersecurity policy as stated in its intervention at the UNSC. The Indian Foreign Secretary, at the UNSC, opined that stakeholders can play an important role in supporting international cooperation on cybersecurity.

Such positions are consistent with the Indian Government’s disposition that technology environments should adhere to the rule of law and policies framed by appropriate government authorities. Even so, domestically, the Indian government has demonstrated a willingness to participate in multistakeholder dialogue (at forums like India IGF) and seek stakeholder inputs on related policy matters.

Second, India aims to bring content, behaviour and speech over social media and the wider internet within the scope of international cyber security. When discussing the scope of cyber/information security, India has repeatedly referred to cyber terrorism, terrorist content, virulent propaganda, inciting speech, disinformation, terror financing and recruitment activities, and general misuse of social media. This is of course consistent with its domestic policy stance on stricter regulations for social media intermediaries under the 2021 intermediary guidelines and digital media ethics code. India has even called for international dialogue and cooperation to counter terror propaganda, remove content and real time support with investigations. It has called upon the international community to recognise cyber terrorism as a special class of cyber incident which requires stronger international cooperation. As discussed in Part 1 of this series, the OEWG may be receptive to broadening the scope of information security to include issues relating to online speech and social media. This is also evidenced by the fact that several States have raised similar issues during the first substantive session of the 2nd OEWG in December 2021.

Third, India appears to prefer an internationally binding rules-based framework on ICTs and cyberspace. This is evident from both India’s 2021 submission to the OEWG, and its 2021 intervention at the UNSC’s open debate on cybersecurity. These submissions confirm that India appears open to a treaty/convention-based pathway to international cybersecurity. At the same time, during the 2021 OEWG negotiations India categorically requested deleting a paragraph which refers to a 2015 proposal for international code of conduct for information security. The 2015 proposal was tabled by UN Member States who are also members of the Shanghai Cooperation Organisation (“SCO”). Notably, India joined the SCO a few months after the bloc tabled its 2015 proposal. The SCO’s proposal was largely steered under Russian and Chinese guidance.

Fourth, Indian interventions have laid heavy emphasis on supply chain security of ICT products and services. India’s interventions focus on two key aspects. First is an emphasis on cybersecurity resilience and hygiene among SMEs and children. The reference to SMEs can be considered an expression of its economic aspirations via digital transformation. Second, India has called for greater international cooperation on matters surrounding trusted ICT products and services, and trusted suppliers of such products and services. This includes mitigating the introduction of harmful hidden functions like backdoors within ICT products and services which can compromise essential networks. To this end, India has even called for the introduction of a new cyber norm relating to a standard for essential security in cyberspace. This position appears to align itself with recent mandatory testing and certification regulations for telecommunications equipment, and a more recent national security directive passed by Indian telecom authorities in response to growing concerns of Chinese presence in Indian telecom and ICT systems. Under this Directive, Indian telecom authorities have launched the ‘Trusted Telecom Portal’ which aims to ensure that Indian telecom networks only comprise equipment which are deemed to be ‘trusted products’ from ‘trusted sources’. Recent reports also reveal that the Indian Government is in the process of establishing a unified national cyber security task force which will set up a specialised sub department to focus on cyber threats in the telecom sector.

Lastly, on the applicability of international law to States’ use of ICTs—despite its participation in five out of six UN GGEs and the first OEWG—India has yet to substantively articulate an extensive position on this topic. Instead, it has made broader calls for non-binding, voluntary guidance from the international community on the application of key concepts within international humanitarian law like distinction, necessity, proportionality and humanity within the context of ICTs. India’s most animated interventions have pertained to jurisdiction and sovereignty. To be clear, it has not engaged on whether sovereignty is a principle or a rule of international law. Instead, it has called on the international community to reimagine sovereignty and jurisdiction—where a new technical basis (beyond territoriality) can allow States to effectively govern and secure cyberspace.

One such basis for sovereignty that India put forth before the OEWG relates to data ownership and sovereignty. It purports that such a philosophical underpinning would endorse people’s right to informational privacy online.  Yet, these positions reflect and seek to legitimise wider trends in digital and ICT policymaking in India. This includes proposals to restrict cross-border data flows for different purposes and its challenges with carrying out law enforcement investigations owing to lethargic international cooperation via the MLAT frameworks.

Conclusion

India’s current engagement with international cybersecurity issues serves as a mirror for India’s domestic political economy and immediate national interests. Given that it occupies a pivotal position as a digital swing state with the second largest internet user base in the world, India could have the geopolitical heft to steer the conversation away from ideological fault lines—and towards more substantive avenues.

However, in order to do this, it must adopt a more internationalised agenda while negotiating in these cyber norms processes. Since it is still early days when it comes to substantive discussions at the 2nd OEWG, and negotiations at other forthcoming processes are yet to commence, the time may be ripe for India to start formulating a more cohesive strategy in how it engages with international cyber norms processes.

To this end, Indian leadership could approach the forthcoming National Cyber Security Strategy as a jumping off point from via which it can refine the Government’s normative outlook to matters relating to international cybersecurity, international law and responsible state behaviour in the cyberspace. The forthcoming strategy could also help the Government of India define how it collaborates with other States and non-governmental stakeholders. Finally, it could help identify domestic laws, policies and institutions that require reform to keep pace with international developments.

Cyber Security at the UN: Where Does India Stand? (Part 1)

Editorial Note: This is a two-part series, which examines India’s participation in UN-affiliated processes and debates on ICTs and international security. 

Part 1 provides an overview of the ideological divisions that are shaping UN debates around the international framework for responsible state behaviour in the cyberspace. In Part 2, the author will critique India’s stated positions on ICTs and international security at forums affiliated with the UN. 

Author: Sidharth Deb

Introduction: The International Character of Cyber Threats 

Earlier this month, the United Nations General Assembly’s (“UNGA”) First Committee on Disarmament and International Security (“First Committee”) convened Member-States for the first substantive session of its second Open-Ended Work Group (“OEWG”) on security of, and in the use of, information and communication technologies (“ICTs”). The 2nd OEWG serves as the latest working group under the aegis of the UNGA First Committee on themes relating to ICTs and international cybersecurity. It is notable that in that same week another major cyber vulnerability, in a widely used logging library—the Apache Log4j flaw—threatening global computer systems, came to light. This vulnerability has been described as a major software supply chain flaw which can be used to remotely compromise hundreds of millions of vulnerable devices globally.  

Experts are calling it a cyber pandemic and exploits are already targeting corporate networks globally. More concerning is the fact that nation State-backed hackers have reportedly begun experimenting and launching malicious operations to exploit the flaw. Along with recent incidents like WannaCry, NotPetya, SolarWinds, Colonial Pipeline and the Microsoft Exchange Server, such trends typify a rapidly evolving and increasingly scalable cyber threat landscape which emerge from heterogenous sources. These include States which use ICT capabilities to advance military or political objectives, States-sponsored hacking groups, mercenary technology vendors (developing tools like spyware), and other criminal and/or terrorist non-State actors. To combat these trends the international community must prioritise cyber diplomacy, international cooperation, assistance and baseline harmonisation of jurisdictional efforts as essential prerequisites.  

However, this is challenging since States often have diverging political, economic, developmental and military objectives. Therefore, in order to fulfil the core objective of a peaceful and stable cyberspace, international dialogue on ICT security must successfully navigate both peacetime and conflict paradigms. This includes working around innate complexities conferred via inter-State cyber conflicts. One such challenge relates to the operationalisation of the law of armed conflict within the cyberspace. Keeping these challenges in mind, this post presents an overview of ongoing cyber diplomacy efforts at the UN towards building an international legal and normative framework for responsible state behaviour in the cyberspace. It then evaluates how ideological divisions between countries pose challenges to international consensus and multilateralism. 

The UN, Cybersecurity and the Framework for Responsible State Behaviour 

Against the aforementioned backdrop, the second OEWG commences the next generation of deliberations on the States’ use of ICTs in the context of international peace and security. This Working Group was constituted in accordance with a UNGA resolution (75/240) dated December 31, 2020 and is set to run till 2025. It is open to participation from all 193 UN Member States, and the OEWG’s Chair is in the midst of determining the extent and mechanisms of multistakeholder participation. Both this and the first iteration of the OEWG involve more inclusive participation of the international community as compared to previous Groups of Governmental Experts (“GGEs”) on ICT security, which had only 15 to 25 participating States.  

Given the exponential innovation trajectories of ICT environments and the extended operational timelines, it will be tall order for the 2nd OEWG to fulfil its mandate to identify existing and potential threats to information security. Yet, it is not starting from scratch. Concerted prior work at the GGEs and OEWG, along with subsequent consensus at the UNGA has yielded an international framework for responsible state behaviour towards international cybersecurity. The framework comprises four distinct yet complementary pillars. These pillars include: 

1. International law, including the UN Charter along with existing principles of international law, as it applies to States’ use of ICTs. This was most recently elaborated in the May 2021 consensus report of the 6th GGE.; 

2. Politically determined cyber norms which entail voluntary and non-binding norms, rules and principles of responsible State behaviour during peacetime. The norms, inter alia, include interstate cooperation like exchange of information and threat intelligence; attribution of ICT incidents, respecting human rights; protecting critical infrastructures; securing ICT supply chains; enabling ICT vulnerability disclosures; preventing the misuse of ICTs for cybercrime and international wrongful acts; etc. Cyber norms are meant to promote cooperation and increase predictability, reduce risks of misperception and escalation in the cyberspace, and serve as a first step to the eventual formation of customary international law in the cyberspace. 

3. The other two pillars are confidence building measures and capacity building. These aim to enhance interstate transparency, international and institutional (technical and policy) cooperation, systematise international assistance to implement the voluntary cyber norms framework, and create a baseline of competence and response capabilities across Member States.  

Prima facie these pillars reflect a comprehensive approach in tackling the wide-ranging threats in cyberspace. Yet it does not reflect geopolitical divisions which are emerging within different country blocs. Since cybersecurity’s prominence within the broader scheme of international peace and security continues to increase, it is important to track this aspect of international cyberspace cooperation.  

Ideological Divisions in International Cybersecurity Processes 

Ideological divisions within international cybersecurity processes often reflect similar geographic groupings. One side comprises the US, UK, Estonia and other NATO allies. On the other end of the spectrum, we observe a Sino-Russian grouping which also includes countries like Cuba and Iran. This section highlights four main ways in which ideological divisions are shaping the international cyber diplomacy processes. 

1. Goal of Dialogue: Legally Binding Agreement or Voluntary Politically-determined Norms-based Framework? 

Differences begin at the most fundamental levels of implementation. Consider the means of operationalising the international framework for state responsibility in the use of ICTs. Since the late 90s, the Russian bloc has made multiple proposals for international work towards a binding treaty/convention on international cybersecurity and cybercrime. Such proposals advance Sino-Russian objectives of embedding core principles of internet sovereignty and state-primacy within a rule-based framework of international ICT policy. Interests around sovereignty may have also motivated the Russian proposal to set up the first UN OEWG on ICT Security, which opened up conversations in cybersecurity to all UN Member States. While the OEWG furthers openness, transparency and inclusivity towards norm formulation, the push for expansion in participation is perhaps motivated by an ability to bring more countries with similar ideological positions into the discussions.  

Among other things, their inclusion can create greater momentum to revisit, expand, or create new norms for State activities in cyberspace. The US and NATO bloc has strongly opposed the need for an international treaty based framework citing that such an approach could risk allowing States to negotiate and dilute core principles like openness, interoperability, multistakeholderism and respect for human rights. At a secondary level, it could also lead to greater fetters and regulation of international transnational ICT/internet corporations—which tend to be concentrated in certain jurisdictions.  

2. Disputes on Applicability of International Law 

A prominent example here is the failed negotiations at the 5th UN GGE in 2017. An important point of contention related to whether and how international law—especially international humanitarian law—applies to the cyberspace. In broad terms, NATO allies advocated that the principles of use of force, self-defence, and in situations of conflict, principles of international humanitarian law, should apply to the cyberspace. However, Cuba, serving as a front for the other bloc, opposed this. They argued that this would serve as a tacit endorsement of certain cyber operations and would incentivise escalation/militarisation in the cyberspace. This was the straw that broke the camel’s back, and it cost the international community consensus at the 5th GGE.  

3. Procedural Mechanisms and Modalities of Dialogue  

Since 2017, both the 1st OEWG and 6th GGE successfully adopted consensus reports in March and May 2021 respectively. While they build on prior GGE consensus reports especially the 2013 and 2015 reports, the aforementioned disputes demonstrate the fragility of consensus on international cybersecurity at the UN.  

Even in the run-up to the 2nd OEWG’s first substantive session (December 2021), States have had disagreements on the modalities of engagement. These include whether the OEWG should have broad conversations on all issues simultaneously between Member States, or if the Chair should set up issue-specific thematic subgroups for different aspects of international cybersecurity, etc.  

4. Definitional Scope of Key Concepts including “Information” Security 

Fundamental differences on key concepts like minimum identifiable standards of inter-State conduct, verification, evidence gathering, attribution and accountability among both State and non-State actors, threaten the international framework for peace and stability in cyberspace. A major point of contention which could emerge within the 2nd OEWG relates to its mandate on identifying existing and potential threats to information security. In contrast to the GGEs, the OEWG is increasing its focus on disinformation, defamation, incitement, propaganda, terrorist content, and other online speech/media. This can be discerned from the 1st OEWG’s final substantive report, the Chair’s Summary, and UNGA Res/75/240. The OEWG’s eventual scope of “information security” will also reveal to what extent international policymakers aim to securitise different infrastructure and online public spaces within ICT environments. Given the implications that this could have on principles like openness, interoperability, and people’s fundamental freedoms and human rights, dialogue on this front will be important to track.

Conclusion: The Importance of Digital Swing States 

Substantive fissures threaten multilateral international cooperation in cybersecurity. This risk manifested once with the operation of parallel processes at the 6th GGE and the 1st OEWG. Similar risks of fragmentation could emerge during the 2nd OEWG’s tenure—since there is already an adhoc committee on a cybercrime convention which will commence substantive discussions under the UNGA’s Third Committee in January 2022. States including France, Egypt and others have also made a proposal for an action oriented Programme of Action to advance responsible state behaviour in the cyberspace.  

Given these risks, commentators observe that the role of swing states is integral for international cyber diplomacy to steer the conversations towards more substantive pathways. One such swing State is India. The next post of this two part series will explore India’s engagement with UN-affiliated processes and debates on cybersecurity over time. Through this, we gain greater clarity on India’s definitional approach to cybersecurity, views on multistakeholderism vis-a-vis cybersecurity, supply chain security, and sovereignty in ICT environments.  

France’s Cyber Influence Warfare Doctrine (L2I)

By Ananya Moncourt

On 20^th October 2021, the French Minister of Defense released the French Armed Force’s Cyber Influence Warfare Doctrine (“Lutte Informatique d’influence” in French, abbreviated as L2I). The doctrine lays out a framework for “military operations conducted in the information layer of cyberspace to detect, characterize and counter attacks” and undertake “intelligence gathering or deception operations”. In this blogpost, I highlight and analyze key features of this new doctrine for the conduct of information warfare by the French military.  

Cyberspace in this context is comprised of three inseparable layers– a physical layer (equipment, computer systems, other materials), a logical layer (digital data, software, data exchange flows) and an information or semantic layer (information and social interactions). The applied misuse of the semantic layer can be seen at works in information influence operations that are used to sway public opinion ahead of key elections or on matters of national importance. France has experienced firsthand the perils of such operations in the Macaron Leaks in 2017. 

With the release of L2I ahead France’s presidential elections in April 2022, the legitimisation of  offensive influence operation conduct is consequential. Who is conducting these information influence operations, under what legal constraints, and the justification for doing so in terms of identified threat groups are questions that guide this assessment.

Over the last five years, there has been a gradual shift in France’s diplomatic standing from a defensive approach i.e., the use of force when necessary, to a more offensive and unhesitant preparedness to use force. The relocation of military strategy from a “peace-war-crisis continuum” to a “triptych of competition-contestation-confrontation” in L2I reflects this change clearly. With a guiding maxim to “win the war before the war”, L2I is one part of a three-pronged Strategic Vision, released in November 2021. More broadly, it is the final element of a conceptual framework put forth by the military for acting in the information field – the first was the LID, a defensive IT Policy (2018) and the second LIO, an offensive computer warfare doctrine (2019).  

Identifying Threats 

The root cause for identifying threats in the semantic layer stems from the possibility of information manipulation in cyberspace – a key component of hybrid warfare strategies today. In her speech presenting L2I to the world, Florence Parly (Minister of the Armed Forces) highlighted that “false, manipulated or subverted information is a weapon”. Threats that arise from such weaponisation of information form the subtext of the doctrine that references the authenticity with which modern technologies make it possible to create fake news (deep fakes of false remarks by soldiers in operations and false speeches by politicians for example). These developments are seen as direct threats to the legitimacy and capacities of the French military. 

Two points about the locus of action for influence operations in L2I are significant. One, that L2I operations takes place within a framework strictly limited to military operations outside France’s national territory. Two, that its “theatre of operations” is the information layer of cyberspace. The doctrine also explicitly identifies two threats to the French military – “organised armed groups” and “State actors”. The former includes terrorists’ groups and quasi-states (eg: ISIS/Daesh) who leverage the information layer of cyberspace to fund, recruit and co-ordinate violence. The latter refers to proto-states or State actors using intermediaries whose aim is to destabilize state structures and public opinion by promoting false narratives and undertaking informational attacks.  

The Theatre of the ‘War before the War”: Cyberspace as a Battleground 

L2I deems cyberspace a “fertile breeding ground” for information warfare, due to the ease with which legitimacy can be gained by any individual or group within their established networks online. What merits attention, and further research, is the doctrine’s perceptive articulation of a ‘cognitive dimension’ of the information layer of cyberspace. An outcome of human-computer interactions, it is the emotional, irrational, and legitimate stimulation of people who interact in an online information environment that characterises this ‘cognitive layer’. Under the grammar of the doctrine, susceptibility to disinformation thus becomes an obvious threat in cyberspace. Achieving technological superiority and developing offensive cyber capabilities of the armed forces is presented as a straightforward goal. The doctrine further lucidly presents six characteristics of the information or cognitive layer of cyberspace:  

1] A contraction of time and space: The immediacy of information today combined with its large-scale dissemination promotes interaction and connectivity. The geographic boundaries of information and its protracted transmission have faded away.  

2] Possibility of concealing sources of information: Mastery of related technologies makes it possible to conceal or falsify the origins of information. This anonymity makes the use of cyberspace conducive for purposes of influence by States or groups of individuals. 

3] Information persistence:  Information is difficult to erase in cyberspace because it can be duplicated easily or stored elsewhere. Information can therefore be reused outside of any verifiable context. 

4] Freedom of individuals: Anyone can produce and broadcast information, true or false, without any editorial control in cyberspace. This promotes an unbridled production of information.

5] Technological innovation: Continuous innovation in creation, storage and dissemination of information is a significant feature of cyberspace. 

6] A space modelled by Big Tech: Cyberspace is emerging with major digital operators who, de facto; impose their own regulations and terms. 

The characterization of cyberspace as a “deterritorialised” realm in the doctrine raises the question of whether information warfare can be governed through existing international law frameworks that are based on territorial sovereignty. Nevertheless, respect for international law in L2I is carved out in two distinct spheres. In peacetime, L2I is subject to the United Nations Charter and principles of non-interference, and during times of armed conflict International Humanitarian Law principles of necessity, proportionality, distinction and precaution are highlighted. Further, every operation carried out under L2I is subjected to political and legal constraints outlined by ROE (Rules of Operational Engagement), conceived of to define the circumstances and conditions of implementation.  

It is clear that an inherent contradiction lies in L2I’s recognition of a borderless cyberspace (that is diffusing the boundaries between peace and war times) and the subject of its operations to international laws that are distinct for peace and war times. While it is acknowledged that the functioning of cyberspace is premised on an “entanglement of boundaries” and application of legal provisions is complex, a lack of clarity on the line between a free reign of development of capabilities and the checks and balances necessary for use of these capabilities is evident. This begs the question of what can be considered peace and/ or war time in the information layer of cyberspace, and whether such a distinction is relevant at all. Moreover, determining how territorial sovereignty is defined with regard to state action in this particular layer of cyberspace is an important first step towards developing regulatory guidelines for information influence operations. 

New age combatants for new age threats? 

L2I further outlines a dedicated chain of command under the apex authority of the President followed by the Chief of Staff of the Armed Forces. The post of a General Commanding Officer has been created in recognition of cyber influence operations occurring at the confluence of offensive and defensive strategies. Further, in a multi-disciplinary approach to development of human resources, the doctrine recognises the need for highly specialised skills across disciplines and proposes investment in a cyberwarfare troop comprised of computer graphic designers, psychologists, sociologists, linguists and social media specialists.  

The pervasiveness of information in combination with the interconnectedness of our communication systems and increasingly sophisticated technology capabilities has led to evident potential for exploitation of information in cyberspace. In particular, social media has enabled nation-states to delve into the minds of people, communities and adversaries, to control and push certain narratives while marginalising other kinds of information and perspectives for power. The human mind, intertwined with open societies and networks, can be seen as an emerging battle-space of the future. 

Naturally, what groups are identified as threats and what national agencies are mandated to tackle them in cyberspace are critical. The degree of transparency with which these systemised influence operations, often covert, are sanctioned in a country’s legal framework also has significant geopolitical and human rights implications. This is especially important in democratic political systems where people’s trust in institutions depends on the degree of accountability and transparency built into institutions that undertake influence operations. 

Parallelly, in a major move in India in December 2020, the Ministry of Defense has created a new post of Director General of Information Warfare in light of hybrid warfare, social media realities and future battlefields. The scope of authority and areas of work the office will undertake have not been detailed. As India prepares to strengthen her bilateral defence and security partnership with France, clarity on information operation strategies will improve the quality of such cooperation. As such, what the ‘theatre of operations’ and identified threats groups will be for the Indian military are important questions that require articulation.  

Cyberspace and International Law: Taking Stock of Ongoing Discussions at the OEWG

This post is authored by Sharngan Aravindakshan

Introduction

The second round of informal meetings in the Open-Ended Working Group on the Use of ICTs in the Context of International Security is scheduled to be held from today (29th September) till 1st October, with the agenda being international law.

At the end of the OEWG’s second substantive session in February 2020, the Chairperson of the OEWG released an “initial pre-draft” (Initial Pre-Draft) of the OEWG’s report, for stakeholder discussions and comments. The Initial Pre-Draft covers a number of issues on cyberspace, and is divided into the following:

1. Section A (Introduction);
2. Section B (Existing and Potential Threats);
3. Section C (International Law);
4. Section D (Rules, Norms and Principles for Responsible State Behaviour);
5. Section E (Confidence-building Measures);
6. Section F (Capacity-building);
7. Section G (Regular Institutional Dialogue); and
8. Section H (Conclusions and Recommendations).

In accordance with the agenda for the coming informal meeting in the OEWG, this post is a brief recap of this cyber norm making process with a focus on Section C, i.e., the international law section of the Initial Pre-Draft and States’ comments to it.

What does the OEWG Initial Pre-Draft Say About International Law?

Section C of the Initial Pre-Draft begins with a chapeau stating that existing obligations under international law, in particular the Charter of the United Nations, are applicable to State use of ICTs. The chapeau goes on to state that “furthering shared understandings among States” on how international law applies to the use of ICTs is fundamental for international security and stability. According to the chapeau, exchanging views on the issue among States can foster this shared understanding.

The body of Section C records that States affirmed that international law, including the UN Charter, is applicable to the ICT environment. It particularly notes that the principles of the UN Charter such as sovereign equality, non-intervention in internal affairs of States, the prohibition on the threat or use of force, human rights and fundamental freedoms apply to cyberspace. It also mentions that specific bodies of international law such as international humanitarian law (IHL), international human rights law (IHRL) and international criminal law (ICL) as applicable as well. Section C also records that “States underscored that international humanitarian law neither encourages militarization nor legitimizes conflict in any domain”, without mentioning which States did so.

Significantly, Section C of the Initial Pre-Draft also notes that a view was expressed in the discussions that “existing international law, complemented by the voluntary, non-binding norms that reflect consensus among States” is “currently sufficient for addressing State use of ICTs”. According to this view, it only remains for a “common understanding” to be reached on how the already agreed normative framework could apply and be operationalized. At the same time, the counter-view expressed by some other States is also noted in Section C, that “there may be a need to adapt existing international law or develop a new instrument to address the unique characteristics of ICTs.”

This view arises from the confusion or lack of clarity on how existing international law could apply to cyberspace and includes but is not limited to questions on thresholds for use of force, armed attacks and self-defence, as well as the question of applicability of international humanitarian law to cyberspace. Section C goes on to note that in this context, proposals were made for the development of a legally binding instrument on the use of ICTs by States. Again, the States are not mentioned by name. Additionally, Section C notes a third view which proposed a “politically binding commitment with regular meetings and voluntary State reporting”. This was proposed as a middle ground between the first view that existing international law was sufficient and the second view that new rules of international law were required in the form of a legally binding treaty. Developing a “common approach to attribution at the technical level” was also discussed as a way of ensuring greater accountability and transparency.

With respect to the international law portion, the Initial Pre-Draft proposed recommendations including the creation of a global repository of State practice and national views in the application of international law as well as requesting the International Law Commission to undertake a study of national views and practice on how international law applies in the use of ICTs by States.

What did States have to say about Section C of the Initial Pre-Draft?

In his letter dated 11 March 2020, the Chairperson opened the Initial Pre-Draft for comments from States and other stakeholders. A total of 42 countries have submitted comments, excluding the European Union (EU) and the Non Aligned Movement (NAM), both of which have also submitted comments separately from their member States. The various submissions can be found here. Not all States’ submissions have comments specific to Section C, the international law portion. But it is nevertheless worthwhile examining the submissions of those States that do. India had also submitted comments which can be found here. However, these are no longer available on the OEWG website and appear to have been taken down.

International Law and Cyberspace

Let’s start with what States have said in answer to the basic question of whether existing international law applies to cyberspace and if so, whether its sufficient to regulate State-use of ICTs. A majority of States have answered in the affirmative and this list includes the Western Bloc led by the US including Canada, France, Germany, Austria, Czech Republic, Denmark, Estonia, Ireland, Liechtenstein, Netherlands, Norway, Sweden, Switzerland, Italy, and the United Kingdom, as well as Australia, New Zealand, Japan, South Korea, Colombia, South Africa, Mexico and Uruguay. While Singapore has affirmed that international law, in particular, the UN Charter, applies to cyberspace, it is silent on whether its current form is sufficient to regulate State action in cyberspace.

Several States, however, are of the clear view that international law as it exists is insufficient to regulate cyberspace or cannot be directly applied to cyberspace. These States have identified a “legal vacuum” in international law vis-à-vis cyberspace and call for new rules in the form of a binding treaty. This list includes China, Cuba, Iran, Nicaragua, Russia and Zimbabwe. Indonesia, in its turn, has stated that “automatic application” of existing law without examining the context and unique nature of activities in cyberspace should be avoided since “practical adjustment and possible new interpretations are needed”, and the “gap of the ungoverned issues in cyberspace” also needs to be addressed.

NAM has stated that the UN Charter applies, but has also noted the need to “identify possible gaps” that can be addressed through “furthering the development of international rules”. India’s earlier uploaded statement had expressed the view that although the applicability of international law had been agreed to, there are “differences in the structure and functioning of cyberspace, including complicated jurisdictional issues” and that “gaps in the existing international laws in their applicability to cyberspace” need examining. This statement also spoke of “workable modifications to existing laws and exploring the needs of, if any, new laws”.

Venezuela has stated that “the use of ICTs must be fully consistent with the purposes and principles of the UN Charter and international law”, but has also stated that “it is necessary to clarify that International Public Law cannot be directly applicable to cyberspace”, leaving its exact views on the subject unclear.

International Humanitarian Law and Cyberspace

The Initial Pre-Draft’s view on the applicability of IHL to cyberspace has also become a point of contention for States. States supporting its applicability include Brazil, Czech Republic, Denmark, Estonia, France, Germany, Ireland, Netherlands, Switzerland, the United Kingdom and Uruguay. India is among the supporters. Some among these like Estonia, Germany and Switzerland have called for the specific principles of humanity, proportionality, necessity and distinction to be included in the report.

States including China, Cuba, Nicaragua, Russia, Venezuela and Zimbabwe are against applying IHL, with their primary reason being that it will promote “militarization” of cyberspace and “legitimize” conflict. According to China, we should be “extremely cautious against any attempt to introduce use of force in any form into cyberspace,… and refrain from sending wrong messages to the world.” Russia has acerbically stated that to say that IHL can apply “to the ICT environment in peacetime” is “illogical and contradictory” since “IHL is only applied in the context of a military conflict while currently the ICTs do not fit the definition of a weapon”.

Second level of detail on these questions, especially concerning specific principles including sovereignty, non-intervention, threat or use of force, armed attack and inherent right of self-defence, is scarce in States’ comments, beyond whether they apply to cyberspace. Zimbabwe has mentioned in its submission that these principles do apply, as has NAM. Cuba, as it did in the 2017 GGE, has taken the stand that the inherent right to self-defence under Article 51 of the UN Charter cannot be automatically applied to cyberspace. Cuba also stated that it cannot be invoked to justify a State responding with conventional attacks. The US has also taken the view it expressed in the 2017 GGE, that if States’ obligations such as refraining from the threat or use of force are to be mentioned in the report, it should also contain States’ rights, namely, the inherent right to self-defence in Article 51.

Austria has categorically stated that the violation of sovereignty is an internationally wrongful act if attributable to a State. But other States’ comments are broader and do not address the issue of sovereignty at this level. Consider Indonesia’s comments, for instance, where it has simply stated that it “underlines the importance of the principle of sovereignty” and that the report should as well. For India’s part, its earlier uploaded statement approached the issue of sovereignty from a different angle. It stated that the “territorial jurisdiction and sovereignty are losing its relevance in contemporary cyberspace discourse” and went on to recommend a “new form of sovereignty which would be based on ownership of data, i.e., the ownership of the data would be that of the person who has created it and the territorial jurisdiction of a country would be on the data which is owned by its citizens irrespective of the place where the data physically is located”. On the face of it, this comment appears to relate more to the conflict of laws with respect to the transborder nature of data rather than any principle of international law.

The Initial Pre-Draft mentioning the need for a “common approach” for attribution also drew sharp criticism. France, Germany, Italy, Nicaragua, Russia, Switzerland and the United Kingdom have all expressed the view that attribution is a “national” or “sovereign” prerogative and should be left to each State. Iran has stated that addressing a common approach for attribution is premature in the absence of a treaty. Meanwhile, Brazil, China and Norway have supported working towards a common approach for attribution. This issue has notably seen something of a re-alignment of divided State groups.

International Human Rights Law and Cyberspace

States’ comments to Section C also pertain to its language on IHRL with respect to ICT use. Austria, France, the Netherlands, Sweden and Switzerland have called for greater emphasis on human rights and its applicability in cyberspace, especially in the context of privacy and freedoms of expression, association, and information. France has also included the “issues of protection of personal data” in this context. Switzerland has interestingly linked cybersecurity and human rights as “complementary, mutually reinforcing and interdependent”. Ireland and Uruguay’s comments also specify that IHRL apply.

On the other hand, Russia’s comments make it clear that it believes there is an “overemphasis” on human rights law, and it is not “directly related” to international peace and security. Surprisingly, the UK has stated that issues concerning data protection and internet governance are beyond the OEWG’s mandate, while the US comments are silent on the issue. While not directly referring to international human rights law, India’s comments had also mentioned that its concept of data ownership based sovereignty would reaffirm the “universality of the right to privacy”.

Role of the International Law Commission

The Initial Pre-Draft also recommended requesting the International Law Commission (through the General Assembly) to “undertake a study of national views and practice on how international law applies in the use of ICTs by States”. A majority of States including Canada, Denmark, Japan, the Netherlands, Russia, Switzerland, the United Kingdom and the United States have expressed clearly that they are against sending the issue to the ILC as it is too premature at this stage, and would also be contrary to the General Assembly resolutions referring the issue to the OEWG and the GGE.

With respect to the Initial Pre-Draft’s recommendation for a repository of State practices on the application of international law to State-use of ICTs, support is found in comments submitted by Ireland, Italy, Japan, South Korea, Singapore, South Africa, Sweden and Thailand. While Japan, South Africa and India (comments taken down) have qualified their views by stating these contributions should be voluntary, the EU has sought clarification on the modalities of contributing to the repository so as to avoid duplication of efforts.

Other Notable Comments

Aside from the above, States have raised certain other points of interest that may be relevant to the ongoing discussion on international law. The Czech Republic and France have both drawn attention to the due diligence norm in cyberspace and pointed out that it needs greater focus and elaboration in the report.

In its comments, Colombia has rightly pointed out that discussions should centre around “national views” as opposed to “State practice”, since it is difficult for State practice to develop when “some States are still developing national positions”. This accurately highlights a significant problem in cyberspace, namely the scarcity of State practice on account of unclarity in national positions. It holds true for most developing nations, including but not limited to India.

On a separate issue, the UK has made an interesting, but implausible proposal. The UK in its comments has proposed that “States acknowledge military capabilities at an organizational level as well as provide general information on the legal and oversight regimes under which they operate”. Although it has its benefits, such as reducing information asymmetries in cyberspace, it is highly unlikely that States will accept an obligation to disclose or acknowledge military capabilities, let alone any information on the “legal and oversight regimes under which they operate”. This information speaks to a State’s military strength in cyberspace, and while a State may comment on the legality of offensive cyber capabilities in abstract, realpolitik deems it unlikely that it will divulge information on its own capabilities. It is worth noting here that the UK has acknowledged having offensive cyber capabilities in its National Cyber Security Strategy 2016 to 2021.

What does the Revised Pre-Draft Say About International Law?

The OEWG Chair, by a letter dated 27 May 2010, notified member States of the revised version of the Initial Pre-Draft (Revised Pre-Draft). He clarified that the “Recommendations” portion had been left changed. On perusal, it appears Section C of the Revised Pre-Draft is almost entirely unchanged as well, barring the correction of a few typographical errors. This is perhaps not surprising, given the OEWG Chair made it clear in his letter that he still expected “guidance from Member States for further revisions to the draft”.

CCG will track States’ comments to the Revised Pre-Draft as well, as and when they are submitted by member States.

International Law and Cyberspace: Three Different Conversations

With the establishment of the OEWG, the UN GGE was no longer the only multilateral conversation on cyberspace and international law among States in the UN. Of course, both the OEWG and the GGE are about more than just the questions of whether and how international law applies in cyberspace – they also deal with equally important, related issues of capacity-building, confidence building measures and so on in cyberspace. But their work on international law is still extremely significant since they offer platforms for States to express their views on international law and reach consensus on contentious issues in cyberspace. Together, these two forums form two important streams of conversation between States on international law in cyberspace.

At the same time, States are also separately articulating and releasing their own positions on international law and how it applies to cyberspace. Australia, France, Germany, Iran, the Netherlands, the United Kingdom and the United States have all indicated their own views on how international law applies to cyberspace, independent of both the GGE and the OEWG, with Iran being the latest State to do so. To the extent they engage with each other by converging and diverging on some issues such as sovereignty in cyberspace, they form the third conversation among States on international law. Notably, India has not yet joined this conversation.

It is increasingly becoming clear that this third conversation is taking place at a particularly level of granularity, not seen so far in the OEWG or the GGE. For instance, the raging debate on whether sovereignty in international law in cyberspace is a rule entailing consequences for violation or is merely a principle that only gives rise to binding rules such as the prohibitions on use of force or intervention, has so far been restricted to this third conversation. In contrast, States’ comments to the OEWG’s Initial Pre-Draft have indicated that discussions in the OEWG appear to still centre around the broad question of whether and how international law applies to cyberspace. Only Austria mentioned in its comments to the Initial Pre-Draft that it believed sovereignty was a rule the violation of which would be an internationally wrongful act. The same applies for the GGE, since although it was able to deliver consensus reports on international law applying to cyberspace, it also cannot claim to have dealt with these issues at level of specificity beyond this.

This variance in the three conversations shows that some States are racing way ahead of others in their understanding of how international law applies to cyberspace, and these States are so far predominantly Western and developed, with the exception of Iran. Colombia’s comment to the OEWG’s Initial Pre-Draft is a timely reminder in this regard, that most States are still in the process of developing their national positions. The interplay between these three conversations around international law and cyberspace will be interesting to observe.

The Centre for Communication Governance’s comments to the Initial Pre-Draft can be accessed here.

The Architecture of Cybersecurity Institutions in India

This is an edited excerpt of Part IV and Annexure ‘B’ of CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020 (NCSS 2020). The full text of the Comments can be accessed here.

This consolidated organogram is a depiction of cyber security institutions in India as an inter-ministerial and inter-departmental ecosystem. Different ministries and departments are in charge of different aspects of national security in general and cyber security in particular.

The National Security Advisor (NSA) holds a rank equivalent to a Cabinet Minister in charge of the National Security Council Secretariat (NSCS) and is the apex officer relating to national security. The NSA is also in charge of the National Technical Research Organization (NTRO) which is a technical intelligence agency under the Prime Minister’s Office (PMO). The National Critical Information Infrastructure Protection Centre (NCIIPC) was established under Section 70A of the Information Technology Act, 2000 and functions as a unit of the NTRO. 

The National Cyber Security Coordinator (NCSC) is the nodal officer for issues related to cybersecurity, functioning under the PMO along side the NSCS to coordinate with different agencies like CERT-In at the national level.

Our research reveals that the Ministry of Communications, Ministry of Electronics and Information Technology (MeitY), Ministry of Home Affairs (MHA), Ministry of Defence (MoD) and the Ministry of External Affairs (MEA) are most relevant to the establishment, operation and maintenance of technical and administrative ecosystem that enables cybersecurity. The departmental structure of each of these Ministries is outlined below.

Ministry of Communications

The Ministry of Communications consists of two Departments – (i) Department of Telecommunications (DoT) and the (ii) Department of Posts.

The DoT deals with  (a) issues of policy, licensing and coordination matters relating to telegraphs, telephones, wireless, data, facsimile and telematic services and other like forms of communications, (b) standardization, research and development in telecommunications, (c) procurement of stores and equipment required by the Department of Telecommunications and (d) administration of laws including the Indian Telegraph Act, 1885 (13 of 1885), the Indian Wireless Telegraphy Act, 1933 (17 of 1933), the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), among others. Within its ambit is also the Digital Communications Commission, which is responsible for implementing the Government’s telecom policy in all matters relating to telecommunication.

Ministry of Electronics and Information Technology

The Ministry for Electronics and Information Technology (MeitY) deals with all policy matters relating to information technology, electronics and the internet (barring issues relating to licensing of Internet Service Providers, which fall within the mandate of the DoT). Its major functions include (a) the administration of matters relating to cyber laws including the Information and Technology Act, 2000, (b) Promotion of standardization, testing and quality in IT and standardization of procedure for IT application and Tasks and (c) digital initiatives including Digital India, among others.

Significantly, the Indian Computer Emergency Response Team (CERT-In) as well as the Unique Identification Authority of India (UIDAI) are both within its ambit. The Cyber Swacchta Kendra (Botnet Cleaning and Malware Analysis Center) functions under CERT-In.

Ministry of Home Affairs

The Ministry of Home Affairs (MHA) discharges multifarious responsibilities, the important among them being – internal security, border management, Centre-State relations, administration of Union Territories, management of Central Armed Police Forces, disaster management, etc. The MHA continuously monitors the internal security situation, issues appropriate advisories, shares intelligence inputs, extends manpower and financial support, guidance and expertise to the State Governments for maintenance of security, peace and harmony.

Among others, the MHA’s Cyber and Information Security Division (consisting of the Cyber Crime Wing, Cyber Security Wing and Monitoring Unit) as well as some wings of the Department of Internal Security including the Modernization Division of the Police and the Counter Terrorism and Counter Radicalization Division have particular relevance to cyber security.

The Indian Cyber Crime Coordination Centre (I4C) was established as a scheme in 2018 to combat cyber crime in a coordinated and effective manner.

Ministry of Defence

The MoD is comprised of four Departments – Department of Defence (DOD), Department of Defence Production (DDP), Defence Research & Development Organisation (DRDO) and Department of Ex-Servicemen Welfare and also Finance Division.

A new Department of Military Affairs has been created recently, and is headed by the Chief of Defence Staff, General Bipin Rawat. Departments that have particular relevance to cybersecurity, including the newly established Defence Cyber Agency are highlighted.

Ministry of External Affairs

The Ministry of External Affairs (MEA) is responsible for all matters relating to India’s external affairs including consular functions. Departments / activities that have relevance to cybersecurity are highlighted in purple, including international security, counter terrorism and others. The New Emerging and Strategic Technologies (NEST) Division was recently set up as the nodal point for all matters connected to new and emerging technologies including exchange of views with foreign governments and coordination with domestic ministries and departments.  News reports indicate that a major restructuring of the MEA is in the offing.