Technology & National Security Reflection Series Paper 10: International Responsibility for Hacker-for-Hire Operations: The BellTrox Problem

Anmol Dhawan*

About the Author: The author is a 2021 graduate of National Law University, Delhi.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author’s contribution serves as an adapted reflection to the following proposition:

“From the standpoint of international law, does the Government of India bear any international legal responsibility for the actions of BellTrox InfoTech Services (or any other similar ‘hackers-for-hire’ operations run from Indian territory)? If yes, what are the legal prerequisites that need to be satisfied to affix such responsibility on the Government? If not, explain with reasons.”

  1. INTRODUCTION 

In 2020, The Citizen Lab released a report naming an obscure Delhi-based company, BellTrox InfoTech Services, as a hacker-for-hire entity and a major player in commercial espionage operations against high-profile organizations. The targets included nonprofits and advocacy groups working on issues like climate change and net neutrality in the US, such as the Rockefeller Family Fund, Free Press, and Greenpeace.

Such cyber-espionage activities, inter alia, highlight the uncertainty in the application of international law in cyberspace. An analysis of BellTrox’s alleged operations raises questions as to whether there is an internationally wrongful act for which responsibility needs to be affixed, who bears such responsibility, and to what extent. 

As per Article 2 of the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (‘ARSIWA’), a State is responsible for an internationally wrongful act when it commits an act or omission fulfilling two basic criteria. First, the act or omission is attributable to that State; and second, it constitutes a breach of that State’s international obligation. 

Accordingly, this piece analyses the nature of attribution in the cyber context, the problems therein, and whether current frameworks take account of the unique nature of cyber-attacks vis-à-vis hacker-for-hire situations. Further, the article evaluates whether low-level cyber-attacks such as BellTrox’s constitute a breach of an international obligation, with particular reference to the principles of sovereignty and non-intervention. Finally, the piece attempts to distill shortcomings under the international law regime governing cyberspace and considers avenues to bridge the gaps. 

“Hackers (pt. 1)” by Ifrah Yousuf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

  2. ATTRIBUTION

Attribution is a normative operation used to demonstrate a nexus between the perpetrators of an act and a State. Although conduct under ARSIWA is limited to acts of State organs, Article 8 states that the wrongful conduct of a non-State entity directed or controlled by that State may be attributable to the State.

Traditionally, such attributability was restricted to activities carried out under a State’s ‘effective control’. As applied by the International Court of Justice (‘ICJ’) in Nicaragua, the effective control test requires a State to have directed, commanded, or otherwise directly controlled the actor in question. The Tallinn Manual also follows this threshold for attribution in cyberspace. However, BellTrox’s conduct cannot be attributed to India under this test, as the company is not a State organ and there is no evidence that it acted under the control of the Indian state. Nor can BellTrox’s conduct be attributed to India under the much lower threshold of the ‘overall control’ test applied by the International Criminal Tribunal for the Former Yugoslavia in Tadic (which the ICJ later rejected in the Bosnian Genocide Case). Under the overall control test, even supporting, equipping, or financing a non-state actor could suffice for attribution.

In evaluating responsibility for non-state actors’ conduct, we must consider other standards seen in international law. The US response to the 9/11 attacks marked a shift from the traditional responsibility thresholds towards an ‘indirect responsibility’ criterion. This threshold can be inferred from the communication of the US to the UN Security Council, in establishing a right of self-defense. The US focused on an ‘unwillingness’ standard, highlighting the Taliban regime’s refusal to change its policy towards Al Qaeda despite having control over large areas where it operated. However, in invoking this standard, the US emphasized that the Taliban gave some degree of support to Al Qaeda over and above mere sanctuary.

Although this theory of indirect or vicarious responsibility does not have enough support to constitute customary international law, it does find some backing in the Corfu Channel judgment. The ICJ held that States ought not to allow their territory to be used in a way that endangers other States. This idea has developed in relation to terrorist activities, whereby the Friendly Relations Declaration as well as UN Security Council Resolution 1373 demand that States deny safe haven to terrorist activities.

Jason Healey expands on such a standard of passive responsibility, focussing on a State’s accountability for fostering an environment where attacks could occur instead of “shrinking the sanctuaries from where criminals act with impunity.” The ICJ’s Tehran judgment also supports the proposition that a State’s failure to take appropriate steps to prevent violations could render it responsible for the wrongful conduct.

If we were to apply this broad threshold, it is conceivable that BellTrox’s conduct could be attributed to India. However, a State cannot be held responsible for all acts perpetrated within its territory. Thus, a more ideal starting point for assigning State responsibility for non-State actors’ conduct in cyberspace should involve combining the aforementioned standard with the ‘due diligence’ principle. Accordingly, attribution would entail a two-step determination. First, ascertaining a State’s unwillingness to prevent a non-state actor’s illegal conduct despite being in a position to do so. Second, determining whether the State exercised reasonable due diligence in attempting to prevent the conduct. A failure in either could render the State internationally responsible.

Scholars have suggested specific guidelines for due diligence, including enacting criminal law against the commission of cyber-attacks, instituting good-faith investigations and prosecution, and cooperation with victim States. The 2015 Report of the Group of Governmental Experts (GGE) calls upon States to respond to requests for mitigating malicious ICT activity arising out of their territory. The GGE report highlights that knowledge plays a role in determining attributability and that States have a due diligence obligation towards post-facto mitigation of identified unlawful cyber activity emanating from their territory.

As Healey emphasizes, in cyberspace, States unfortunately do not expect other States to exercise the same degree of control over their subjects, and the international community considers States helpless in mitigating cyber attacks originating from their territory. However, moving away from a narrow attribution requirement, victim States could push origin States towards taking well-established steps for mitigating attacks and ensuring prosecution to avoid responsibility for wrongful conduct.

  3. SOVEREIGNTY AND NON-INTERVENTION

The second prong of State responsibility is the requirement of the breach of a State’s international obligation. As per the UN GGE’s 2013 and 2015 reports, States are, in principle, at a consensus as to the application of the principles of sovereignty and non-intervention in cyberspace. In essence, the principle of State sovereignty relates to a State’s authority over its territorial integrity, sovereign functions, and political independence to the exclusion of others. The prohibition on unlawful intervention derives from the principle of sovereignty, and as outlined by the ICJ in Nicaragua, points to the coercion of one State by another in matters within the former’s sovereignty.

The first element of intervention, i.e., ‘coercion’, refers to an attempt to influence an outcome in the target state, depriving the target state of control over the ‘functions inherent in sovereignty’. An example of coercive behavior could be the use of cyberspace to compel another state to adopt a particular legislation. This understanding under the Tallinn Manual is broadened to include all kinds of coercive acts designed to force a state to act, or not act, in a particular manner.

It is unlikely that international law, as it stands, would find cyber-operations like BellTrox’s to be coercive. Although targeting of eminent private groups and advocacy organizations may point towards an attempt to influence US policy, it cannot be concluded that the operations or the information gathered could have pressurized the US government to legislate in a particular manner. 

The second element of intervention is that the coercive behaviour must be directed towards the ‘matters in which a State is permitted to decide freely’. The Friendly Relations Declaration defines an intervention as interference in the State’s personality or against its political, economic, and cultural elements. The Tallinn Manual 2.0 bases violation of sovereignty on the usurpation of an inherently governmental function through interference in matters within the domaine reserve of the State.

However, to engage the non-intervention principle, the operations must be directed at the State’s practical ability to exercise its sovereign function. Thus, the NotPetya attacks attributed to Russia, which targeted Ukraine’s financial system, transport and energy facilities, have been considered violations of international law by the UK and its allies. However, a spear-phishing campaign attacking private Universities and NGOs or the WannaCry ransomware attack attempting to extort hard currency from users were not considered as such. The US called the alleged Russian hacking of the Democratic National Congress an ‘attempt to interfere with its election process’, with Department of State’s Legal Adviser Brian Egan categorizing it as a clear violation of the rule of non-intervention.

In contrast, BellTrox’s alleged hacker-for-hire scheme appears to target private persons, institutions, and advocacy firms without directly interfering in sovereign functions. Even if BellTrox’s actions are considered as attempts to influence US policy, public interest advocacy and policy research are not exclusively governmental functions. Moreover, espionage against private organizations does not preclude a State from deciding freely on sovereign matters. Resultantly, it is unlikely that BellTrox’s operations would ipso facto constitute an internationally wrongful act of intervention.

  4. CONCLUSION

The BellTrox problem highlights the need to move away from the traditional attribution fixation to hold States accountable for mitigating cyber-attacks. The conventional understanding of internationally wrongful acts only takes into account the nature of kinetic warfare and interventions in other States, thus failing to account for the ability of non-State actors to cause similar damage when shielded and given a safe haven by States. Therefore, instead of the ‘effective control’ and ‘overall control’ tests, a shift towards the theory of ‘indirect responsibility’, in combination with a due diligence standard for states, would be more effective in the cyber world. 

Applying such a test, if India did provide a safe haven to BellTrox, in that it ignored the threat or was unwilling to mitigate it despite knowledge of malicious cyber-activities, these activities could be attributed to India. Further, on account of the due diligence requirement, a State’s failure to take appropriate action on intimation by a victim State would strengthen the latter’s claim for affixing responsibility. 

In regard to intervention in sovereign matters, the expanded understanding in Nicaragua and the Tallinn Manual reflects that a direct attempt to cause a change in another State’s law or policy would constitute an unlawful intervention. However, the problem in the current scenario lies in showing that BellTrox could use the information gathered to coerce the US to act towards a particular objective. Indirectly influencing the actions of private individuals and advocacy organizations might not restrict the State in its sovereign functions and hence, is unlikely to constitute intervention. 

The BellTrox case outlines multiple gaps in international law with respect to cyberspace. Although existing law might not hold States internationally responsible for non-state actors’ private cyber operations originating from within their territory, victim States must invoke the accountability of origin States for mitigating cyber threats and ensuring prosecution. Further, pressure by the international community on States to conform to their due diligence obligations would be a substantive move in the right direction.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 9: Legality of Foreign Influence Operations (“FIOS”) Under International Law

Neeraj Nainani*

About the Author: The author is a 2020 graduate of National Law University, Delhi. He currently works as an Associate at AZB & Partners, Mumbai. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

  1. INTRODUCTION

States have always tried to influence opinions and politics of other sovereign states. Sun Tzu advocated spreading false information to take tactical advantage while Genghis Khan and his men planted rumors about their cruelty and their horsemen to spread fear and to weaken the enemy’s resilience.[1] However, changes in technology have drastically altered the way in which influence operations are conducted. The continuous evolution of information technology (“IT”) has resulted in progressive transformation in the information environment both in terms of constituent elements and inherent dynamics.

Due to this transformation, the dissemination of information on a large scale is no longer controlled by a few stakeholders within democracies. This transformation is accelerated by the advent of online and social media platforms. Such platforms have upended the financial configuration of the media landscape in a manner which prioritizes commercial revenues over the reliability and integrity of the information which is consumed.

These incentive structures have become fertile ground for influence operations, which are increasingly shifting to cyberspace. In fact, these online influence operations are being used to interfere in matters of other countries, especially elections. Cyber influence operations are defined as

“… activities that are run in cyberspace, leverage this space’s distributed vulnerabilities, and rely on cyber-related tools and techniques to affect an audience’s choices, ideas, opinions, emotions or motivations, and interfere with its decision making processes”.

The author will look at the status of cyber influence operations under international law and examine whether they violate principles of sovereignty and non-intervention and other obligations of states under international law. 

“Aspects of Cyber Conflict (pt. 4)” by Linda Graf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

  2. FIOs AND THE PRINCIPLE OF SOVEREIGNTY

A state’s sovereignty is one of the most important concepts in international law. The ICJ has recognized the centrality of sovereignty by holding that “the whole international law rests” upon the concept of sovereignty. However, scholars highlight two issues as challenges to the argument that cyber influence operations may violate a State’s sovereignty. 

First, the conceptual understanding of sovereignty is currently challenged as an international legal obligation, especially in cyberspace. The authors of the Tallinn Manual on the international law applicable to cyber operations have recognized sovereignty as a primary and central principle of international law. The United Kingdom has observed that even though sovereignty is an important concept in international systems, it is not persuaded that “we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention”. The chief lawyer to the U.S. Cyber Command has also argued that sovereignty is “a principle of international law that guides state interactions, but is not itself a binding rule that dictates results under international law”.

The second argument pertains to the application of the sovereignty principle to influence operations. Tallinn Manual 2.0 recognizes that a cyber operation constitutes a violation of sovereignty when it causes “physical damage or injury” or the remote causation of “loss of functionality” of infrastructure in the target state, or when it interferes with or usurps inherently governmental functions. However, there was division among the experts on the threshold which would amount to a violation. The test is irrelevant for cyber influence operations as they generally do not cause physical damage or loss of functionality. Further, the authors of the Tallinn Manual were also not able to reach consensus on whether cyber influence operations violate notions of territorial sovereignty of nation states.

The other touchstone to test cyber influence operations is the notion of interfering with or usurping inherently governmental functions. Some authors have argued that it is unclear “whether a cyber influence operation on an election falls within the bounds of the terms ‘interference’ or ‘usurpation’.” The authors of the Tallinn Manual have argued that the transmission of propaganda alone is generally not a violation of sovereignty. Michael Schmitt argues that doxing operations disclosing crucial confidential information at crucial moments before national elections, as well as disinformation campaigns involving overt acts from fake accounts, are serious, and that classification of these serious influence operations as violations of sovereignty is “somewhat supportable”. Schmitt concludes that influence operations currently fall within “the legal grey zone of the law of sovereignty”.

One of the arguments to consider is that influence operations are generally backed with some additional overt or covert act such as doxing supported by hacks, or information warfare supported by the violation of privacy. UNGA has observed in the context of elections that “any activities that attempt, directly or indirectly, to interfere in the free development of national electoral processes, in particular in the developing countries, or that are intended to sway the results of such processes, violate the spirit and letter of the principles established in the Charter”. 

Influence operations do more than merely transmit propaganda. They perform subversive acts aiming at destabilizing State institutions by influencing nationals of another State; and enable militant democracy which allows the attacking state to indulge in political and legal warfare in the medium and long term. Further, influence operations interfere with the duty of the state to conduct free and fair elections.

  3. FIOs AND THE PRINCIPLE OF NON-INTERVENTION

The other possible argument questioning the legality of influence operations under international law is the settled principle of non-interference. As per the ICJ’s decision in Nicaragua, an intervention by a State is unlawful when, first, it has a bearing on matters which by principle the state can decide freely, and second, the state uses methods of coercion. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations provides that “a State may not intervene, including by cyber means, in the internal or external affairs of another State”.

Duncan Hollis identifies two key issues with bringing cyber-enabled foreign influence operations within the principle of non-intervention. First, the content of the categories, i.e. the internal and external affairs of the state, is not well defined. He argues that in earlier times there were subjects clearly cabined off from international attention that a state could address. However, with technological advancements and globalization, such subjects are limited and every subject attracts international attention. Therefore, any idea defining internal affairs of the state is likely to be limited, contested, and dynamic. However, influence operations do not merely mean ‘international interest’ from a particular state. Influence operations, more often than not, are clandestine operations by States designed to meddle with the internal affairs of the country, which shows a hint of militant democracy.

Second, Hollis argues that influence operations do not meet the criteria of coercion as narrowly defined in international law. The Tallinn Manual defines coercion as “designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way”. This must be “distinguished from persuasion, criticism, public diplomacy, propaganda, retribution, mere maliciousness…” because “such activities merely involve either influencing (as distinct from factually compelling) the voluntary actions of the target State, or seek no action on the part of the target State at all”. It has been argued that the very nature of an influence operation is to have the target adopt or change certain behaviors willingly, which implies an absence of coercion. Another argument is that a legal finding that the State acted due to or under the influence of coercion would depend on recognizing and attributing some individual or group as the target of the coercion and identifying threatened consequences.

However, a broader conceptual understanding of coercion can be identified in efforts to bolster the argument that non-intervention includes the conduct of a State which weakens, undermines or compromises the authority of another State. The argument emphasizes the examination of context and consequences while determining whether a State was compelled to act in a manner it otherwise wouldn’t have.

This broad approach is supported by observations made by the experts in Tallinn Manual 1.0 where they observed that the prohibited forms of interventions include “the manipulation by cyber means of elections or of public opinion on the eve of elections, as when online news services are altered in favor of a particular party, false news is spread, or the online services of one party are shut off”.

  4. CONCLUSION

Various authors have highlighted that it is very difficult to argue that cyber influence operations questioning the democratic legitimacy of a target State fall within the ‘prohibited forms of intervention’. Similar arguments have been made for questions pertaining to the principle of sovereignty as well. Michael Schmitt has also observed that cyber influence operations fall within a significant legal grey zone. However, an important question which is asked is whether these primary principles of international law, which have developed on the basis of kinetic conflicts, could be applied to cyberspace by analogy. Other scholars have also argued that cyber influence operations can be better examined through the lens of “self-determination” and the “duty of due diligence”, and that “information ethics” should inform our legal interpretation of damage and violence in cyberspace. Due to the challenges posed by the traditional understanding of sovereignty and the principle of non-intervention, it is important to reexamine these concepts in the context of cyber influence operations and to apply concepts accordingly to address the concerns raised by them.


*Views expressed in the blog are personal and should not be attributed to the institution.

References:

  1. Sunil Narula, “Psychological Operations: A Conceptual Overview,” Strategic Analysis 28, no. 1 (2004): 180.

Technology & National Security Reflection Series Paper 8: Tallinn Manuals as Law of the States or for the States– a Sola Fide Exploration?

Karan Vijay*

About the Author: The author is a 2021 graduate of the National Law University, Delhi. He is currently an Associate at Talwar Thakore & Associates, Mumbai. His interests lie in evolving landscapes of technology and their impact on international law and economics.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

INTRODUCTION

In this post, we evaluate the authoritative value of interpretations of international law expressed in the Tallinn Manual with reference to Article 38 of the Statute of the International Court of Justice.

NATO’s Cooperative Cyber Defence Centre of Excellence (“CCDCOE”) was established in 2008 for NATO members to coordinate their efforts in the field of cyberwarfare, in light of the 2007 cyberattacks on Estonia’s critical cyber infrastructure. Given the international nature of cyberspace and consequently cyberwarfare, the CCDCOE convened a group of international experts to analyse how international law can be applied to cyberwarfare. Thus, the Tallinn Manual, named after Estonia’s capital, came into existence in 2013. The group of experts released Tallinn 2.0 in 2017 as a follow-up which deals with a much broader field of ‘cyber operations’ instead of cyberwarfare. The original manual involved conflict while 2.0 deals with cyber operations both inside and outside conflict.

As far as the authoritative value of the Manual is in question, it is pertinent to point out that the Manual notes that every rule or assertion may not be a representation of principles of international law. Moreover, neither the rules nor the commentaries of the Tallinn manuals reflect NATO doctrine or have been adopted as the official position of any State. Thus, prima facie, the Tallinn manuals (including Tallinn 2.0) were the end result of an academic study to determine and restate the lex lata, i.e. the law as it exists, and probably deduce the direction of the lex ferenda, i.e. as future law should be (although the manuals expressly stated that they avoided any statements of lex ferenda or the preferred policy for States). However, this still leaves unanswered the question of the value it holds today amongst other sources of international law.

Photo by Ministerie van Buitenlandse Zaken. Licensed under CC BY 2.0

THE LEGAL CONUNDRUM ENCIRCLING ARTICLE 38 (1) AND TALLINN MANUAL

Article 38(1) of the Statute of the International Court of Justice is considered as the most widely recognized iteration of sources of international law. It is no debate that the Manuals would fall under 38(1)(d) as the teachings of most qualified publicists as the international group of experts who were involved in their drafting are legal luminaries who are recognized for their contributions in cyber law and international law. 

We must note here that Article 38(1)(d) is different from the rest of the iterations or sources as it is subsidiary to the others, i.e., these teachings per se are not law in and of themselves but are rather references that can be looked into for finding the law applicable. Thus, the manuals positing the arguments of the experts are not the law itself. However, they are a helpful source for determining the other authoritative sources of international law because the premise on which the publicists argue an assertion is usually based on a combination of the other three sources enshrined in Article 38(1).

The question now becomes whether these manuals have been elevated to the level of customary international law (CIL). In addition to treaties, rights and obligations of States can also be recognized under CIL which is basically ‘evidence of a general practice accepted as law.’ In brief, a norm of CIL can form with State practice, that is the behavior of States with regards to the custom in question, and opinio juris, which is the belief that the State practice is in fact an obligation arising out of the law that is claimed as CIL.[1] This implies that towards formation of a custom, the State practice is the objective element or the manifestation of the subjective element, opinio juris. Interestingly, a minority of scholars also argue that it is not a watertight framework of having both of these elements, and a strong existence of the opinio juris may lead to the creation of a norm of CIL.

With respect to cyber-operations, jurists hold that it is still too recent a field and there is no consistent State practice. However, most States have expressed the need for cyber-regulation and security via domestic law or through their representatives. The States are also publicly equipped to create or respond to military cyber operations. This amounts to a valid State practice, and even if it has not taken place for a long time but has been uniformly exercised, and there is proof of existence of the opinio juris, it can still validly contribute towards forming CIL.

ON THE QUESTION OF REPRESENTATION 

The question that we now face is whether the Tallinn manuals are a reflection of this global opinio juris. We can analyse the available evidence and conclude that it may not be the case. To be clear, the international group of experts whose opinions led to the creation of the Manuals participated in their individual capacity and were not representing their countries. This is important to note because when a scholar represents a country, they voice or manifest the State’s ‘opinion’ on points of disagreement, as we see at the International Law Commission. What Tallinn scholars represent in their individuality or have represented are ideologies such as the Chicago School of Economic Thought or the English School of International Relations but never their State, making the manuals a scholarly exercise rather than a reflection of any opinio juris.

When we talk about representation, another issue which comes up with the manual is that it does not have fair representations from all parts of the world. A few of the biggest players of cyberspace are China and Russia. These States have successfully hacked/controlled their way to becoming important State actors within the cyber realm. Their opinions or voices; and even that of Israel (Israeli experts were on board for Tallinn 2.0), which is a dominant player in cyber-security today or that of Iran, were not taken into consideration. This further takes away from any claims whatsoever that the manuals represent opinio juris of States. The Manuals only take this issue of representation further in circumstances wherein only the military manuals of first world countries are referenced without providing any objective criteria for such selection.

At the same time there are some rules, which arguably do reflect opinio juris of States. For example, “Rule 4 – A State must not conduct cyber operations that violate the sovereignty of another State.” However, it is not the Tallinn manuals that made these laws customary in nature. Instead the manuals merely restate a preexisting custom adding the reference to cyberspace. 

From a content point of view, Pukhraj Singh points out that the manual which was touted to bring clarity to complex questions of cyberspace and law has turned a complete volte-face. Singh highlights that experts disagreed with each other at places providing counter-narratives, and that the manuals jump the gun by over-analogizing with conventional operations. The legal imputation of physical laws, such as the law of armed conflict, to cyber-attacks may not always make complete technical sense. At the end of the day, cyberspace is an intangible concept of connected computers, and not as physically controllable as the manuals consider it to be.

Most cyber-attacks will be done in a clandestine fashion with no clear indication as to which State did it or is responsible for it. The manuals (especially Tallinn 1.0) are not of much help as they simply restate the law on attribution and do not completely fulfil their role of creating practical and acceptable attribution standards (even if it meant holding the US responsible for Stuxnet!).

Moreover, it must be examined whether, and to what extent, the Manuals’ rules have been adopted and followed by various States. This shows whether the States consider themselves bound by the rules of the manual (that is, whether the rules are regarded as opinio juris). Now, apart from the disagreements that States have on some rules of the manual, a study of 11 hostile cyber-operations that happened between 2013 and 2017 revealed that the manual or its rules were not followed.

CONCLUSION

Thus, with this understanding, we can conclude that while some of the rules restate CIL, the manuals as a whole do not seem to represent the global lex lata or the opinio juris of the States. It may seem that they instead represent the lex ferenda or what the law should be. However, that is also not exactly the case with their many loopholes and misplaced allegiances as they themselves state. 

It can instead be said that the manuals represent a hope or even a viable precedent that an exercise such as this can be undertaken by various other clusters of nations, like the EU, SCO, SAARC, OAS or ASEAN. As more and more clusters come up with their own varying opinions on cyber-space and cyber-operations, the chance of them culminating in a mutual understanding between all States regarding international law applicable to cyberspace becomes more plausible. For this long-drawn vision, the Tallinn manuals seem to be a worthy starting point.


*Views expressed in the blog are personal and should not be attributed to the institution.

References:

  1. North Sea Continental Shelf (Libya v Malta) (Merits) [1985] ICJ Rep 13 [27]; Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) 1996 ICJ Rep 226 [64]; ILC, ‘Draft conclusions on identification of customary international law, with commentaries’ (2018) UN Doc A/73/10 Conclusion 2; Antonio Cassese, International Law (2nd edn. OUP 2005), 156.

Technology & National Security Reflection Series Paper 7: Use of Force in Modern Times: Sisyphus’ First World Boulder

Karan Vijay*

About the Author: The author is a 2021 graduate of the National Law University, Delhi. He is currently an Associate at Talwar Thakore & Associates, Mumbai. His interests lie in evolving landscapes of technology and their impact on international law and economics.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

INTRODUCTION 

In this post, we discuss a rather contentious point: whether, in international law, a mere threat or use of force by a State against another State would give rise to a right of self-defense.

For context, Article 2(4) of the UN Charter provides for all member States to refrain from the threat of or the actual use of force which may threaten the territorial integrity or political independence of any other state. This provision is regarded to have a jus cogens character, i.e., binding on all States as a non-derogable one. Each Member State also has the positive duty to refrain from the use of force against other States under international law.

Pursuant to Article 51 of the UN Charter, States which face a use of force at the level of an ‘armed attack’ have the right to exercise self-defense. An armed attack is when this force is used on a relatively large scale, is of sufficient gravity, and has a substantial effect. Dinstein states that armed attack presupposes a use of force producing serious consequences, epitomized by territorial intrusions, or human casualties or considerable destruction of critical infrastructure.

Photo by Kyle Glenn on Unsplash. Copyrighted under Unsplash license.

MEMBER STATE’S RIGHT TO SELF DEFENSE

We need to be aware that this right of self-defense does not manifest at every instance of use of force against another State. In certain instances victim States can instead exercise ‘countermeasures’ against the belligerent State. However, when this right of self-defense does manifest, it must abide by the doctrines of necessity and proportionality.

These doctrines were initially laid down in the aftermath of the Caroline incident of 1837, which has inadvertently governed the rules of use of force for nearly two centuries. Herein, the doctrine of necessity posits that an armed attack can only be responded to when there is no other alternative means to seeking viable redressal. Necessity requires that military action should be used only as a last resort. Then, the doctrine of proportionality provides that the size and scope of an armed attack shall determine the overall objective of the defensive responses. This leads to the conclusion that such action will only be towards self-defense and not retaliatory in nature or have a punitive outlook against the aggressor. The counter attack cannot be unreasonable or excessive and can only be carried out to repel or prevent an attack.

Thus, if we were to literally interpret the law, the answer would be that a mere threat or even a use of force that is not of a level of an armed attack does not give rise to the right of self-defense. However, a look at how State practice has shaped this understanding might lead to a different conclusion.

EMERGING FAULTLINES AND EXPANSION OF LEGAL INTERPRETATION OF RIGHT OF SELF-DEFENSE

The United States, with its invasion of Afghanistan for harboring terrorists in 2001 and the subsequent invasion of Iraq in 2003 for allegedly procuring weapons of mass destruction, has posited a changed landscape for the right of self-defense. American actions of ‘self-defense’ completely subvert the legal interpretation of the right being unavailable against threats and conventional use of force. Furthermore, it has led to the emergence of an anticipatory right to self-defense.

At the outset, it is observed that the opinion on the legality of such acts that anticipate armed attacks from threats or other information is divided. Some scholars (usually the ones who have a favorable outlook towards American and/or Israeli Government actions) argue that the right to anticipatory self-defense is not only in consonance with customary international law but also with Article 51 of the U.N. Charter.

However, an anticipatory right of self-defense would actually be contrary to the wording of Article 51, since an armed attack must ‘occur’. In any case, Article 51 must be interpreted narrowly as containing a prohibition of anticipatory self-defense, as one of the purposes of the Charter was to reduce to a minimum the unilateral use of force. At the very least, States claiming the right will have to prove that they face an imminent attack. It is ideal to have ‘clear and convincing’ evidence of the same to avoid situations like that of the invasion of Iraq, which was initiated based on extremely faulty intelligence.

There are checks and balances enshrined within Article 51 itself to ensure that this does not become a practice. Key mechanisms include the requirement or duty to report immediately to the Security Council when such an act is undertaken, which can act as a limitation on the exercise of self-defense. However, even this duty does not have the power to stop the states exercising such ‘rights’ as reporting to the Security Council is a mere procedural matter, and nonfeasance cannot technically deprive a state of the substantive right of self-defense or invalidate it.

Therefore, it can be said that the scope of the right to self-defense despite fair legal objections may have already expanded to practically include threats or even conventional uses of force not amounting to an ‘armed attack’. What becomes important now is to see how this right of a sovereign state will shape in the future. Towards this, there are two important questions that need to be answered. Firstly, whether this right can be exercised against non-state actors and secondly, can this right be exercised against a cyber-operation?

When the right of self-defense towards non-state actors is considered, the legal position seems pretty clear. The International Court of Justice itself has expressed that the inherent right of self-defense in the case of armed attack by one state is available only against another state.

The general understanding is that Article 51 of the Charter is an exception to the prohibition on the use of force as enshrined in Article 2(4). Given that Article 2(4) refers only to a ‘state’, its exception must also deal with the same. However, some do argue that while Article 2(4) of the Charter, in proscribing the use of force, refers solely to state actors on both sides, Article 51 mentions a member only as the potential target of an armed attack. This means that the perpetrator of that armed attack is not necessarily identified as a state, especially during these times where it is not just States but non-State entities like terrorists that pose significant threats to the national security concerns of States.

Moreover, regardless of what the law states or what the law should be, the tacit acknowledgement of the Security Council, NATO and EU towards the American invasion of Afghanistan to attack Al Qaeda has given credence to the understanding that self-defense is available against non-State actors. Thus, contemporary state practice (of the first world countries) shows that non-State actors can be behind ‘armed attacks’ which can give rise to self-defense. The ‘pro-democracy’ opinion now states that self-defense against a non-State actor can be justified when the territorial State has manifestly and persistently been unwilling or unable to prevent such attacks in other States, as with the invasion of Afghanistan on the pretext that if they are harbouring terrorists, they are as liable as the terrorists themselves.

Coming to the second question of whether cyber-operations against a state can give a right to self-defense to that State, it is imperative to determine whether a cyber-operation is an armed attack (as per the prevailing legal view as there is no contrary contemporary state practice yet).

An ‘armed attack’ may not strictly require the use of kinetic weapons, but may, in principle, also be conducted by computers used by hackers. In order to reach this very threshold, the consequences and effects of the cyber-operation in question must be compared to those of a conventional use of force. These operations cannot be isolated or random acts of cyber-attack, and one-off incidents are excluded from the scope of the right to self-defense. Thus, a bar exists for classifying a cyber-operation as an armed attack, against which a right to self-defense will also exist. However, this bar must be considerably high and will not trigger when, hypothetically, Indian college students hack a Pakistani bank’s website as a one-off incident.

CONCLUSION

The high standard set is important to ensure that self-defense is not ‘exercised’ in a ubiquitous manner. However, the first world tells us that if the standard is too high and is creating an obstacle towards their political interests, the standard will be disregarded or modified accordingly making an effective set of laws a Sisyphean task. This is what happened to non-State actors, to threats and simple uses of force and will most likely happen to cyber-operations as well. 

Self-defense will be heavily exercised if doing so aligns with the political ideology of the State regardless of what the law states. The law understandably does not allow a State to exercise the right to self-defense against mere threats or even conventional uses of force. However, as we understand from a third-world vantage point of international law, the law is what the first world will allow it to be.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 5: Legality of Cyber Weapons Under International Law

Siddharth Gautam*

About the Author: The author is a 2020 graduate of National Law University, Delhi. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question: 

What are cyber weapons? Are cyber weapons subject to any regulation under contemporary rules of international law? Explain with examples.

Introducing Cyber Weapons

In simple terms weapons are tools that harm humans or aim to harm the human body. In ancient times nomads used pointing tools to hunt and prey. Today’s world is naturally more advanced than that. In conventional methods of warfare, modern tools of weapons include rifles, grenades, artillery, missiles, etc. But in recent years the definition of warfare has changed immeasurably after the advancement of the internet and wider information and communication technologies (“ICT”). In this realm methods and ways of warfare are undergoing change. As internet technology develops we observe the advent/use of cyber weapons to carry out cyber warfare.

Cyber weapons, built using technological know-how, are low-cost tools of cyber warfare. Prominent usage of these tools is buttressed by wide availability of computer resources. Growth in the information technology (“IT”) industry and relatively cheap human resource markets have a substantial effect on the cost of cyber weapons, which are capable of infiltrating other territories with relative ease. The aim of cyber weapons is to cause physical or psychological harm either by threat or material damage using computer codes or malware.

2007 Estonia Cyber Attack

For example, the Estonia–Russia conflict arose after the Soldier memorial was being shifted to the outskirts of Estonia. There was an uproar in the Russian-speaking population over this issue. On 26th and 27th April, 2007, the capital saw rioting, defacing of property and numerous arrests.

On the same Friday, cyber attacks were carried out using low-tech methods like ping floods and simple Denial-of-Service (DoS) attacks. Soon thereafter, on 30th April, 2007, the scale and scope of the cyber attack increased sharply. Actors used botnets and were able to deploy large-scale distributed denial-of-service (DDoS) attacks to compromise 85 thousand computer systems, and severely compromised the entire Estonian cyber and computer landscape. The incident caused widespread concerns/panic across the country.

Other Types of Cyber Weapons

Another prominent type of cyber weapon is HARM, i.e. the High-speed Anti-Radiation Missile. It is a tactical air-to-surface anti-radiation missile which can target electronic transmissions emitted from surface-to-air radar systems. These weapons are able to recognise the pulse repetition of enemy frequencies and accordingly search for the suitable target radar. Once the target is visible and identified as hostile, the missile will reach its radar antenna or transmitter target and cause significant damage to those highly important targets. A prominent example of its usage is in the Syrian–Israel context. Israel launched cyber attacks against the Syrian air defence system by blinding it. It attacked their radar station so that it would not display any information about the airplanes to its operators.

A third cyber weapon worth analysing can be contextualised via the Stuxnet worm that sabotaged Iran’s nuclear programme by slowing the speed of its uranium reactors via fake input signals. It is alleged that the US and Israel jointly conducted this act of cyber warfare to damage Iran’s Nuclear programme.

In all three of the aforementioned cases, potential cyber weapons were used to infiltrate and used their own technology to conduct cyber warfare. Other types of cyber risks emerge from semantic attacks which are otherwise known as social engineering attacks. In such attacks perpetrators amend the information stored in a computer system and produce errors without the user being aware of the same. It specifically pertains to human interaction with information generated by a computer system, and the way that information may be interpreted or perceived by the user. These tactics can be used to extract valuable or classified information like passwords, financial details, etc. 

HACKERS (PT. 2) by Ifrah Yousuf. Licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

Applicable Landscape Under International Law

Now the question that attracts attention is whether there are any laws to regulate, minimise or stop the aforementioned attacks by the use of cyber weapons in International law? To answer this question we can look at a specific branch of Public international law; namely International Humanitarian law (“IHL”). IHL deals with armed conflict situations and not cyber attacks (specifically). IHL “seeks to moderate the conduct of armed conflict and to mitigate the suffering which it causes”. This statement itself comprises two major principles used in the laws of war.

Jus ad bellum – the principle which determines whether countries have a right to resort to war through an armed conflict.

Jus in bello – the principle which governs the conduct of the countries’ soldiers/States themselves which are engaging in war or an armed conflict.

Both principles are subjected to the Hague and Geneva Conventions, with Additional Protocol-1 providing means and ways as to how the warfare shall be conducted. Nine other treaties help safeguard and protect victims of war in armed conflict. The protections envisaged in the Hague and Geneva conventions are for situations concerning injuries, death, or in some cases damage and/or destruction of property. If we analyse logically, cyber warfare may result in armed conflict through certain weapons, tools and techniques like Stuxnet, Trojan horses, bugs, DDoS, malware, HARM, etc. The use of such weapons may ultimately yield certain results. Although computers are not a traditional weapon, their use can still fulfil conditions which attract the applicability of provisions under the IHL.

Another principle of importance is the Martens Clause. This clause says that even if some cases are not covered within conventional principles like humanity; principles relating to public conscience will apply to the combatants and civilians as derived from the established customs of International law. This means that attacks shall not see the effects but by how they were employed.

The Clause found in the Preamble to the Hague Convention IV of 1907 asserts that “even in cases not explicitly covered by specific agreements, civilians and combatants remain under the protection and authority of principles of international law derived from established custom, principles of humanity, and from the dictates of public conscience.” In other words, attacks should essentially be judged on the basis of their effects, rather than the means employed in the attack being the primary factor.

Article 35 says that “In any armed conflict, the right of the Parties to the conflict to choose methods or means of warfare is not unlimited. It is prohibited to employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury and unnecessary suffering”.

The above clause means that the action of armed forces should be proportionate to the actual military advantage sought to be achieved. In simple words “indiscriminate attacks” shall not be undertaken to cause loss of civilian life and damage to civilians’ property in relation to the advantage.

Conclusion

Even though the terms of engagement vis-a-vis kinetic warfare are changing, the prospect of the potential of harm from cyber weapons could match the same. Instead of guns there are computers and instead of bullets there are malware, bugs, DDoS, etc. Some of the replacement of one type of weapon with another is caused by the fact that there are no explicit provisions in law that outlaw cyber warfare, independently or in war.

The principles detailed in the previous section must necessarily apply to cyber warfare because they limit the attacker’s ability to cause excessive collateral damage. On the same note cyber weapons are sui generis like the nuclear weapons that upshot in the significance to that of traditional weapons.

Another parallel is that in cyber attacks often there are unnecessary sufferings and discrimination in proportionality and the same goes for traditional armed conflict. Therefore, both should be governed by the principles of IHL.

In short, if the cyber attacks produce results in the same way as kinetic attacks do, they will be subject to IHL.


*The views expressed in the blog are personal and should not be attributed to the institution.

Technology & National Security Reflection Series Paper 1: Revisiting Hugo Grotius: A Lawyer or a Strategist for the Dutch Colonial Expansion?

Kushagra Kumar Sahai*

About the author: The author is a 2021 graduate of National Law University, Delhi. He wrote this reflection paper in his 4th year as a part of the seminar course on Technology and National Security Law.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question: 

Do you think Hugo Grotius is better described as a lawyer or a strategist for Dutch colonial expansion? Explain with reasons, based on the assigned chapter ‘Hugo the Great’ for reading from Oona Hathaway and Scott Shapiro’s book, The Internationalists.

Introduction

To be able to answer the question, one must evaluate the context of the powers that were, and the involvement of Hugo Grotius in the folds of this particular page in history. Grotius’ contributions coincide with the start of European powers attempting to set foot in different continents, with aims of colonisation. In hindsight it serves as an important point in legal history, as it lay on this particular prodigy to legally justify the benefits derived from colonialism, and in this pursuit, he ended up charting out the course to discover and set up a new branch of law: International Law.

One particular event was instrumental in setting the ball rolling.1 On 24th February, 1603, a Portuguese ship, Santa Catarina, docked off the Strait of Singapore, and was subsequently attacked by three Dutch ships, captained by an individual named Jacob van Heemskerck. Subsequently the Dutch East India Company filed a suit before the Amsterdam Admiralty Board so that they could assert ownership over the ship and its cargo. They stated that the Portuguese were attacking the Dutch in the East Indies in an effort to drive them out of the land and out of the market. It was in retaliation against this that Captain Heemskerck attacked and seized Santa Catarina. The Board sent out notices to the affected parties, and after no response from the Portuguese, the case was decided in favour of the Dutch. This cargo was auctioned off at a great profit. Complaints arose from company investors regarding the nature of the activity Captain Heemskerck had indulged in. To defend the same, Hugo Grotius, a young prodigy, was brought in. He composed a lengthy treatise on the nature of law, in order to address the protests of the investors.

Grotius’ Incentives

I argue that Grotius built his entire case for the benefit of his client, the Dutch East India Company. An interesting point to note is that the maiden name of his paternal grandmother was Elselinge Van Heemskerck. He wasn’t just defending the company, he was also defending his cousin!2

The company was engaging in an act of colonisation, which in the context of this paper, can be succinctly defined as a foreign power exploiting the resources of another country for profit. After having gone over the texts, what seems rather apparent is that Hugo Grotius took the reverse route of logic to build a legal argument; the conclusion was already presented to him. The point he was expected to prove was that the actions of Captain Heemskerck, and the premise around them, were legally sound. He had been tasked with creating the logic which would justify an act which had already occurred – a fait accompli. To achieve his objective he attempted to delve into the act of war, and the logic around which it should revolve.

Grotius’ Arguments

Grotius built upon Western thought on the morality of waging war, and his own line of thinking came to be known as the ‘Just War Theory’. He built upon the line of thinking espoused by the likes of Cicero and Thomas Aquinas, drawing upon their argument to construct his theory. On this basis he argued that it is morally justified to wage war if rights have been violated. Extending that line of argument, he stated that war is also justified when rights have been violated, and for the remedy of those rights violations, the use of violence is the only option left.

This unsurprisingly was used along with the narrative of Portuguese-inflicted terror against the Dutch in present day Java, who were also unsurprisingly involved in the act of seeking out newer lands to exploit and colonise. And because the acts of the Portuguese involved the destruction of Dutch boats and the killing of Dutch men, it was the right of Captain Heemskerck to indulge in an act of rectifying the violation of the rights of the Dutch East India Company. This entailed attacking Santa Catarina. It was, in Grotius’ words, a “private act of war”, as the Captain was employed by a company and wasn’t a state actor, but he justified it as an act of private war; the primordial act of an individual to protect himself from the unjust acts being perpetrated against him.

The Broader Implications

While the treatise was a complete defence of the singular event of the attack and seizure of the Portuguese ship, it highlighted the problematic nature of the acts that the Dutch East India Company was indulging in regularly. The goods procured by them had uncertain ownership attached to them, due to the nature by which these goods were procured, which was exploitation in most cases. While Grotius’ treatise established the clear rules of a just war, it also led to an uncertainty of who was just (emphasis added) in a certain case. There was also a power vacuum in who could preside over such cases, and because of this there was a risk of opening a can of worms regarding the legitimacy and legality of the procurement of goods by the trading companies which were set up by European powers. As mentioned earlier, the period of Grotius’ exploits coincided with the formative years of European forays into new geographical territories. This meant there was no consolidated legal system to oversee such excursions and resolve ensuing disputes.

In this context, Grotius’ vested interests lay in two parts. The first related to the legitimacy of the sacking of Santa Catarina. And the second, and the more overarching one, the activities and the interests of the Dutch East India company.

This is an explainable reason as to why Hugo Grotius didn’t publish the treatise that he had spent a considerable amount of time composing. He had spent 2 years composing this defence, and in the meanwhile the Dutch had moved on from this conflict onto establishing supremacy over their Spanish counterparts through naval warfare. During this period, he had realised that while it was a sound defence for the sacking of Santa Catarina, there lay an inherent problem with the activities of these trading companies. If unaddressed this problem could have led to an increased legal scrutiny towards the nature of these trading companies, whose mode of operation particularly pertained to trading of goods acquired through what would be regarded as questionable means; exploitation which clearly had traces of colonisation. 

Conclusion

While his treatise is revelatory in nature, serving as a foundational stepping stone to International law, his loyalties lay with the trading company and the protection of his cousin. I argue it exceeded his interests in expounding and upholding the tenets of the law. With this I conclude that while his work is undoubtedly influential, his activity (or some may even call it inactivity) with regard to colonial forays and colonisation confirms that his motives were aligned with expanding the powers and trading footprint of European trading companies. In this context I conclude that Grotius may be best described as a strategist for the Dutch East India Company first, and a lawyer second.


*Views expressed in the blog are personal and should not be attributed to the institution.

References

  1. Oona A. Hathaway & Scott J. Shapiro, “Chapter 1: Hugo the Great”, The Internationalists: How a Radical Plan to Outlaw a War Remade the World (New York: Simon & Schuster, 2017).
  2. Ibid.

Introducing the Reflection Series on CCG’s Technology and National Security Law and Policy Seminar Course

In February 2022, CCG-NLUD will commence the latest edition of its Seminar Course on Technology and National Security Law and Policy (“the Seminar Course”). The Seminar Course is offered to interested 4th and 5th year students who are enrolled in the B.A. LL.B. (Hons.) programme at the National Law University, Delhi. The course is set against the backdrop of the rapidly evolving landscape of international security issues, and concomitant challenges and opportunities presented by emerging technologies.

National security law, viewed as a discrete discipline of study, emerges and evolves at the intersection of constitutional law; domestic criminal law and its implementation in surveillance; counter-terrorism and counter-insurgency operations; international law including the Law of Armed Conflict (LOAC) and international human rights law; and foreign policy within the ever-evolving contours of international politics.

Innovations and technological advancements in cyberspace and next generation technologies serve as a jumping off point for the course since they have opened up novel national security issues at the digital frontier. New technologies have posed new legal questions, introduced uncertainty within settled legal doctrines, and raised several legal and policy concerns. Understanding that law schools in India have limited engagement with cyber and national security issues, this Seminar Course attempts to fill this knowledge gap.

The Course was first designed and launched by CCG-NLUD in 2018. In 2019, the Seminar Course was re-designed with the help of expert consultations to add new dimensions and debates surrounding national security and emerging technologies. The redesign was meant to ground the course in interdisciplinary paradigms in a manner which allows students to study the domain through practical considerations like military and geo-political strategy. The revised Seminar Course engages more deeply with third world approaches which helps situate several issues within the rubric of international relations and geopolitics. This allows students to holistically critique conventional precepts of the international world order.

The revamped Seminar Course was relaunched in the spring semester of 2020. Owing to the sudden countrywide lockdown in the wake of COVID-19, most sessions shifted online. However, we managed to navigate these exigencies with the support of our allies and the resolve of our students.

In adopting an interdisciplinary approach, the Seminar Course delves into debates at the intersection of national security law and policy, and emerging technologies, with an emphasis on cybersecurity and cyberwarfare. Further, the Course aims to:

  1. Recognize and develop National Security Law as a discrete discipline of legal studies, and
  2. Impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The Technology and National Security Seminar Reflection Paper Series (“The Reflection Series”) is meant to serve as a mirror of key takeaways and student learnings from the course. It will be presented as a showcase of exceptional student essays which were developed and informed by classroom discussions during the 2020 and 2021 editions of the Seminar Course. The Reflection Series also offers a flavour of the thematic and theoretical approaches the Course adopts in order to stimulate structured discussion and thought among the students. A positive learning from these two editions is that students demonstrated considerable intellectual curiosity and had the freedom to develop their own unique understanding and solutions to contemporary issues—especially in the context of cyberspace and the wider ICT environments. Students were prescribed atypical readings and this allowed them to consider typical issues in domains like international law through the lens of developing countries. Students were allowed to revisit the legitimacy of traditional sources of authority or preconceived notions and assumptions which underpin much of the orthodox thinking in geostrategic realms like national security.

CCG-NLUD presents the Reflection Series with a view to acknowledge and showcase some of the best student pieces we received and evaluated for academic credit. We thank our students for their unwavering support and fruitful engagement that makes this course better and more impactful.

Starting January 5, 2022, select reflection papers will be published three times a week. This curated series is meant to showcase different modules and themes of engagement which came up during previous iterations of the course. It will demonstrate that CCG-NLUD designs the course in a way which covers the broad spectrum of issues at the intersection of national security and emerging technology. Specifically, this includes a showcase of (i) conceptual theory and strategic thinking, (ii) national security through an international and geostrategic lens, and (iii) national security through a domestic lens.

Here is a brief glimpse of what is to come in the coming weeks:

  1. Reimagining Philosophical and Theoretical Underpinnings of National Security and Military Strategy (January 5-12, 2022)

Our first reflection paper is written by Kushagra Kumar Sahai (Class of ’20) in which he evaluates whether Hugo Grotius, commonly known as the father of international law owing to his seminal work on the law of war and peace, is better described as an international lawyer or a military strategist for Dutch colonial expansion.

Our second reflection paper is a piece written by Manaswini Singh (Class of ’20). Manaswini provides her take on Edward Luttwak’s critique of Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of strategy. In a separate paper (third entry), Manaswini also undertakes the task of explaining the relationship between technological developments and the conduct of war through the lens of the paradoxical logic of strategy.

Our fourth reflection paper is by Animesh Choudhary (Class of ’21) on Redefining National Security. Animesh, in his submission, points out several fallacies in the current understanding of national security and pushes for “Human Security” as an alternative and more appropriate lens for understanding security issues in the 21st century.

  2. International Law, Emerging Technologies and Cyberspace (January 14-24, 2022)

In our fifth reflection paper, Siddharth Gautam (Class of ’20) explores whether cyber weapons could be subjected to any regulation under contemporary rules of international law.

Our sixth reflection paper is written by Drishti Kaushik (Class of ’21) on The Legality of Lethal Autonomous Weapons Systems (“LAWS”). In this piece, she first presents an analysis of what constitutes LAWS. She then attempts to situate modern systems of warfare like LAWS, and their compliance with traditional legal norms, within international humanitarian law.

Our seventh reflection paper is written by Karan Vijay (Class of ’20) on ‘Use of Force in modern times: Sisyphus’ first world ‘boulder’. Karan examines whether under international law, a mere threat of use of force by a state against another state would give rise to a right of self-defence. In another piece (eighth entry), Karan writes on the authoritative value of interpretations of international law expressed in texts like the Tallinn Manual with reference to Article 38 of the Statute of the International Court of Justice i.e. traditional sources of international law.

Our ninth reflection paper is written by Neeraj Nainani (Class of ’20), who offers his insights on the Legality of Foreign Influence Operations (FIOs) under International law. Neeraj’s paper queries the legality, under the established principles of international law, of FIOs conducted by adversary states to influence elections in other states through the use of covert information campaigns (such as conspiracy theories, deep fake videos, “fake news”, etc.).

Our tenth reflection paper is written by Anmol Dhawan (Class of ’21). His contribution addresses the International Responsibility for Hackers-for-Hire Operations. He introduces us to the current legal issues in assigning legal responsibility to states for hacker-for-hire operations under the due diligence obligation in international law.

  3. Domestic Cyber Law and Policy (January 28-February 4, 2022)

Our eleventh and twelfth reflection papers are two independent pieces written by Bharti (Class of ’20) and Kumar Ritwik (Class of ’20). These pieces evaluate whether the Government of India’s ongoing response to the COVID-19 pandemic could have benefited if the Government had invoked emergency provisions under the Constitution. Since the two pieces take directly opposing views, they collectively produce a fascinating debate on the tradeoffs of different approaches.

Our thirteenth and fourteenth reflection papers have been written by Tejaswita Kharel (Class of ’20) and Shreyasi (Class of ’20). Both Tejaswita and Shreyasi interrogate whether the internet (and therefore internet access) is an enabler of fundamental rights, or whether access to the internet is a fundamental right unto itself. Their analyses rely considerably on the Indian Supreme Court’s judgement in Anuradha Bhasin v. Union of India, which related to prolonged government-mandated internet restrictions in Kashmir.

We will close our symposium with a reflection paper by Romit Kohli (Class of ’21), on Data Localisation and National Security: Flipping the Narrative. He argues that the mainstream narrative around data localisation in India espouses a myopic view of national security. His contribution argues the need to go beyond this mainstream narrative and constructs a novel understanding of the link between national security and data localisation by taking into consideration the unintended and oft-ignored consequences of the latter on economic development.

Cyberspace and International Law: Taking Stock of Ongoing Discussions at the OEWG

This post is authored by Sharngan Aravindakshan

Introduction

The second round of informal meetings in the Open-Ended Working Group on the Use of ICTs in the Context of International Security is scheduled to be held from today (29th September) till 1st October, with the agenda being international law.

At the end of the OEWG’s second substantive session in February 2020, the Chairperson of the OEWG released an “initial pre-draft” (Initial Pre-Draft) of the OEWG’s report, for stakeholder discussions and comments. The Initial Pre-Draft covers a number of issues on cyberspace, and is divided into the following:

  1. Section A (Introduction);
  2. Section B (Existing and Potential Threats);
  3. Section C (International Law);
  4. Section D (Rules, Norms and Principles for Responsible State Behaviour);
  5. Section E (Confidence-building Measures);
  6. Section F (Capacity-building);
  7. Section G (Regular Institutional Dialogue); and
  8. Section H (Conclusions and Recommendations).

In accordance with the agenda for the coming informal meeting in the OEWG, this post is a brief recap of this cyber norm making process with a focus on Section C, i.e., the international law section of the Initial Pre-Draft and States’ comments to it.

What does the OEWG Initial Pre-Draft Say About International Law?

Section C of the Initial Pre-Draft begins with a chapeau stating that existing obligations under international law, in particular the Charter of the United Nations, are applicable to State use of ICTs. The chapeau goes on to state that “furthering shared understandings among States” on how international law applies to the use of ICTs is fundamental for international security and stability. According to the chapeau, exchanging views on the issue among States can foster this shared understanding.

The body of Section C records that States affirmed that international law, including the UN Charter, is applicable to the ICT environment. It particularly notes that the principles of the UN Charter such as sovereign equality, non-intervention in internal affairs of States, the prohibition on the threat or use of force, human rights and fundamental freedoms apply to cyberspace. It also mentions that specific bodies of international law such as international humanitarian law (IHL), international human rights law (IHRL) and international criminal law (ICL) are applicable as well. Section C also records that “States underscored that international humanitarian law neither encourages militarization nor legitimizes conflict in any domain”, without mentioning which States did so.

Significantly, Section C of the Initial Pre-Draft also notes that a view was expressed in the discussions that “existing international law, complemented by the voluntary, non-binding norms that reflect consensus among States” is “currently sufficient for addressing State use of ICTs”. According to this view, it only remains for a “common understanding” to be reached on how the already agreed normative framework could apply and be operationalized. At the same time, the counter-view expressed by some other States is also noted in Section C, that “there may be a need to adapt existing international law or develop a new instrument to address the unique characteristics of ICTs.”

This view arises from the confusion or lack of clarity on how existing international law could apply to cyberspace and includes but is not limited to questions on thresholds for use of force, armed attacks and self-defence, as well as the question of applicability of international humanitarian law to cyberspace. Section C goes on to note that in this context, proposals were made for the development of a legally binding instrument on the use of ICTs by States. Again, the States are not mentioned by name. Additionally, Section C notes a third view which proposed a “politically binding commitment with regular meetings and voluntary State reporting”. This was proposed as a middle ground between the first view that existing international law was sufficient and the second view that new rules of international law were required in the form of a legally binding treaty. Developing a “common approach to attribution at the technical level” was also discussed as a way of ensuring greater accountability and transparency.

With respect to the international law portion, the Initial Pre-Draft proposed recommendations including the creation of a global repository of State practice and national views in the application of international law as well as requesting the International Law Commission to undertake a study of national views and practice on how international law applies in the use of ICTs by States.

What did States have to say about Section C of the Initial Pre-Draft?

In his letter dated 11 March 2020, the Chairperson opened the Initial Pre-Draft for comments from States and other stakeholders. A total of 42 countries have submitted comments, excluding the European Union (EU) and the Non Aligned Movement (NAM), both of which have also submitted comments separately from their member States. The various submissions can be found here. Not all States’ submissions have comments specific to Section C, the international law portion. But it is nevertheless worthwhile examining the submissions of those States that do. India had also submitted comments which can be found here. However, these are no longer available on the OEWG website and appear to have been taken down.

International Law and Cyberspace

Let’s start with what States have said in answer to the basic question of whether existing international law applies to cyberspace and, if so, whether it is sufficient to regulate State use of ICTs. A majority of States have answered in the affirmative and this list includes the Western Bloc led by the US including Canada, France, Germany, Austria, Czech Republic, Denmark, Estonia, Ireland, Liechtenstein, Netherlands, Norway, Sweden, Switzerland, Italy, and the United Kingdom, as well as Australia, New Zealand, Japan, South Korea, Colombia, South Africa, Mexico and Uruguay. While Singapore has affirmed that international law, in particular, the UN Charter, applies to cyberspace, it is silent on whether its current form is sufficient to regulate State action in cyberspace.

Several States, however, are of the clear view that international law as it exists is insufficient to regulate cyberspace or cannot be directly applied to cyberspace. These States have identified a “legal vacuum” in international law vis-à-vis cyberspace and call for new rules in the form of a binding treaty. This list includes China, Cuba, Iran, Nicaragua, Russia and Zimbabwe. Indonesia, in its turn, has stated that “automatic application” of existing law without examining the context and unique nature of activities in cyberspace should be avoided since “practical adjustment and possible new interpretations are needed”, and the “gap of the ungoverned issues in cyberspace” also needs to be addressed.

NAM has stated that the UN Charter applies, but has also noted the need to “identify possible gaps” that can be addressed through “furthering the development of international rules”. India’s earlier uploaded statement had expressed the view that although the applicability of international law had been agreed to, there are “differences in the structure and functioning of cyberspace, including complicated jurisdictional issues” and that “gaps in the existing international laws in their applicability to cyberspace” need examining. This statement also spoke of “workable modifications to existing laws and exploring the needs of, if any, new laws”.

Venezuela has stated that “the use of ICTs must be fully consistent with the purposes and principles of the UN Charter and international law”, but has also stated that “it is necessary to clarify that International Public Law cannot be directly applicable to cyberspace”, leaving its exact views on the subject unclear.

International Humanitarian Law and Cyberspace

The Initial Pre-Draft’s view on the applicability of IHL to cyberspace has also become a point of contention for States. States supporting its applicability include Brazil, Czech Republic, Denmark, Estonia, France, Germany, Ireland, Netherlands, Switzerland, the United Kingdom and Uruguay. India is among the supporters. Some among these like Estonia, Germany and Switzerland have called for the specific principles of humanity, proportionality, necessity and distinction to be included in the report.

States including China, Cuba, Nicaragua, Russia, Venezuela and Zimbabwe are against applying IHL, with their primary reason being that it will promote “militarization” of cyberspace and “legitimize” conflict. According to China, we should be “extremely cautious against any attempt to introduce use of force in any form into cyberspace,… and refrain from sending wrong messages to the world.” Russia has acerbically stated that to say that IHL can apply “to the ICT environment in peacetime” is “illogical and contradictory” since “IHL is only applied in the context of a military conflict while currently the ICTs do not fit the definition of a weapon”.

A second level of detail on these questions, especially concerning specific principles including sovereignty, non-intervention, threat or use of force, armed attack and inherent right of self-defence, is scarce in States’ comments, beyond whether they apply to cyberspace. Zimbabwe has mentioned in its submission that these principles do apply, as has NAM. Cuba, as it did in the 2017 GGE, has taken the stand that the inherent right to self-defence under Article 51 of the UN Charter cannot be automatically applied to cyberspace. Cuba also stated that it cannot be invoked to justify a State responding with conventional attacks. The US has also taken the view it expressed in the 2017 GGE, that if States’ obligations such as refraining from the threat or use of force are to be mentioned in the report, it should also contain States’ rights, namely, the inherent right to self-defence in Article 51.

Austria has categorically stated that the violation of sovereignty is an internationally wrongful act if attributable to a State. But other States’ comments are broader and do not address the issue of sovereignty at this level. Consider Indonesia’s comments, for instance, where it has simply stated that it “underlines the importance of the principle of sovereignty” and that the report should as well. For India’s part, its earlier uploaded statement approached the issue of sovereignty from a different angle. It stated that the “territorial jurisdiction and sovereignty are losing its relevance in contemporary cyberspace discourse” and went on to recommend a “new form of sovereignty which would be based on ownership of data, i.e., the ownership of the data would be that of the person who has created it and the territorial jurisdiction of a country would be on the data which is owned by its citizens irrespective of the place where the data physically is located”. On the face of it, this comment appears to relate more to the conflict of laws with respect to the transborder nature of data rather than any principle of international law.

The Initial Pre-Draft mentioning the need for a “common approach” for attribution also drew sharp criticism. France, Germany, Italy, Nicaragua, Russia, Switzerland and the United Kingdom have all expressed the view that attribution is a “national” or “sovereign” prerogative and should be left to each State. Iran has stated that addressing a common approach for attribution is premature in the absence of a treaty. Meanwhile, Brazil, China and Norway have supported working towards a common approach for attribution. This issue has notably seen something of a re-alignment of divided State groups.

International Human Rights Law and Cyberspace

States’ comments to Section C also pertain to its language on IHRL with respect to ICT use. Austria, France, the Netherlands, Sweden and Switzerland have called for greater emphasis on human rights and its applicability in cyberspace, especially in the context of privacy and freedoms of expression, association, and information. France has also included the “issues of protection of personal data” in this context. Switzerland has interestingly linked cybersecurity and human rights as “complementary, mutually reinforcing and interdependent”. Ireland and Uruguay’s comments also specify that IHRL applies.

On the other hand, Russia’s comments make it clear that it believes there is an “overemphasis” on human rights law, and it is not “directly related” to international peace and security. Surprisingly, the UK has stated that issues concerning data protection and internet governance are beyond the OEWG’s mandate, while the US comments are silent on the issue. While not directly referring to international human rights law, India’s comments had also mentioned that its concept of data ownership based sovereignty would reaffirm the “universality of the right to privacy”.

Role of the International Law Commission

The Initial Pre-Draft also recommended requesting the International Law Commission (through the General Assembly) to “undertake a study of national views and practice on how international law applies in the use of ICTs by States”. A majority of States including Canada, Denmark, Japan, the Netherlands, Russia, Switzerland, the United Kingdom and the United States have expressed clearly that they are against sending the issue to the ILC as it is too premature at this stage, and would also be contrary to the General Assembly resolutions referring the issue to the OEWG and the GGE.

With respect to the Initial Pre-Draft’s recommendation for a repository of State practices on the application of international law to State-use of ICTs, support is found in comments submitted by Ireland, Italy, Japan, South Korea, Singapore, South Africa, Sweden and Thailand. While Japan, South Africa and India (comments taken down) have qualified their views by stating these contributions should be voluntary, the EU has sought clarification on the modalities of contributing to the repository so as to avoid duplication of efforts.

Other Notable Comments

Aside from the above, States have raised certain other points of interest that may be relevant to the ongoing discussion on international law. The Czech Republic and France have both drawn attention to the due diligence norm in cyberspace and pointed out that it needs greater focus and elaboration in the report.

In its comments, Colombia has rightly pointed out that discussions should centre around “national views” as opposed to “State practice”, since it is difficult for State practice to develop when “some States are still developing national positions”. This accurately highlights a significant problem in cyberspace, namely the scarcity of State practice on account of unclarity in national positions. It holds true for most developing nations, including but not limited to India.

On a separate issue, the UK has made an interesting, but implausible proposal. The UK in its comments has proposed that “States acknowledge military capabilities at an organizational level as well as provide general information on the legal and oversight regimes under which they operate”. Although it has its benefits, such as reducing information asymmetries in cyberspace, it is highly unlikely that States will accept an obligation to disclose or acknowledge military capabilities, let alone any information on the “legal and oversight regimes under which they operate”. This information speaks to a State’s military strength in cyberspace, and while a State may comment on the legality of offensive cyber capabilities in abstract, realpolitik deems it unlikely that it will divulge information on its own capabilities. It is worth noting here that the UK has acknowledged having offensive cyber capabilities in its National Cyber Security Strategy 2016 to 2021.

What does the Revised Pre-Draft Say About International Law?

The OEWG Chair, by a letter dated 27 May 2010, notified member States of the revised version of the Initial Pre-Draft (Revised Pre-Draft). He clarified that the “Recommendations” portion had been left unchanged. On perusal, it appears Section C of the Revised Pre-Draft is almost entirely unchanged as well, barring the correction of a few typographical errors. This is perhaps not surprising, given the OEWG Chair made it clear in his letter that he still expected “guidance from Member States for further revisions to the draft”.

CCG will track States’ comments to the Revised Pre-Draft as well, as and when they are submitted by member States.

International Law and Cyberspace: Three Different Conversations

With the establishment of the OEWG, the UN GGE was no longer the only multilateral conversation on cyberspace and international law among States in the UN. Of course, both the OEWG and the GGE are about more than just the questions of whether and how international law applies in cyberspace – they also deal with equally important, related issues of capacity-building, confidence building measures and so on in cyberspace. But their work on international law is still extremely significant since they offer platforms for States to express their views on international law and reach consensus on contentious issues in cyberspace. Together, these two forums form two important streams of conversation between States on international law in cyberspace.

At the same time, States are also separately articulating and releasing their own positions on international law and how it applies to cyberspace. Australia, France, Germany, Iran, the Netherlands, the United Kingdom and the United States have all indicated their own views on how international law applies to cyberspace, independent of both the GGE and the OEWG, with Iran being the latest State to do so. To the extent they engage with each other by converging and diverging on some issues such as sovereignty in cyberspace, they form the third conversation among States on international law. Notably, India has not yet joined this conversation.

It is increasingly becoming clear that this third conversation is taking place at a particular level of granularity, not seen so far in the OEWG or the GGE. For instance, the raging debate on whether sovereignty in international law in cyberspace is a rule entailing consequences for violation or is merely a principle that only gives rise to binding rules such as the prohibitions on use of force or intervention, has so far been restricted to this third conversation. In contrast, States’ comments to the OEWG’s Initial Pre-Draft have indicated that discussions in the OEWG appear to still centre around the broad question of whether and how international law applies to cyberspace. Only Austria mentioned in its comments to the Initial Pre-Draft that it believed sovereignty was a rule the violation of which would be an internationally wrongful act. The same applies for the GGE, since although it was able to deliver consensus reports on international law applying to cyberspace, it also cannot claim to have dealt with these issues at a level of specificity beyond this.

This variance in the three conversations shows that some States are racing way ahead of others in their understanding of how international law applies to cyberspace, and these States are so far predominantly Western and developed, with the exception of Iran. Colombia’s comment to the OEWG’s Initial Pre-Draft is a timely reminder in this regard, that most States are still in the process of developing their national positions. The interplay between these three conversations around international law and cyberspace will be interesting to observe.

The Centre for Communication Governance’s comments to the Initial Pre-Draft can be accessed here.

Technology and National Security Law and Policy: Seminar Course Curriculum [February-June 2020]

Given the rapidly evolving landscape of international security issues and the challenges and opportunities presented by new and emerging technologies, Indian lawyers and policymakers need to acquire the capacity to engage effectively with national security law and policy. However, curricula in Indian law schools do not engage adequately with issues of national security. National security threats, balance of power, issues of secrecy and political accountability, terrorism and surveillance laws tend to be discussed in a piece-meal manner within various courses or electives.

To fill this knowledge gap within the legal community, the Centre for Communication Governance at National Law University Delhi (CCG-NLU) offered this seminar course to fourth and fifth-year students of the B.A. LL.B. (Hons.) Programme during February-June 2020.

The course explores interdisciplinary approaches in the study of national security law and policy, with a particular focus on issues in cybersecurity and cyberwarfare. Through this course curriculum, we aim to (1) recognize and develop National Security Law as a discrete discipline of legal studies, and (2) impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The curriculum is split into six modules taught over a period of 12 weeks:

  • Module I: Unpacking ‘National Security’
  • Module II: Introduction to Strategic Thinking – Linking Law and Policy
  • Module III: National Security in the Domestic Sphere
  • Module IV: War and National Security in International Law
  • Module V: Cybersecurity, Cyberwarfare and International Law
  • Module VI: Cybersecurity in India

The course outline and reading list can be accessed here:

The Pegasus Hack: A Hark Back to the Wassenaar Arrangement

By Sharngan Aravindakshan

The world’s most popular messaging application, Whatsapp, recently revealed that a significant number of Indians were among the targets of Pegasus, a sophisticated spyware that operates by exploiting a vulnerability in Whatsapp’s video-calling feature. It has also come to light that Whatsapp, working with the University of Toronto’s Citizen Lab, an academic research organization with a focus on digital threats to civil society, has traced the source of the spyware to NSO Group, an Israeli company well known both for developing and selling hacking and surveillance technology to governments with a questionable record in human rights. Whatsapp’s lawsuit against NSO Group in a federal court in California also specifically alludes to NSO Group’s clients “which include but are not limited to government agencies in the Kingdom of Bahrain, the United Arab Emirates, and Mexico as well as private entities.” The complaint filed by Whatsapp against NSO Group can be accessed here.

In this context, we examine the shortcomings of international efforts in limiting or regulating the transfers or sale of advanced and sophisticated technology to governments that often use it to violate human rights, as well as highlight the often complex and blurred lines between the military and civil use of these technologies by the government.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (WA) exists for this precise reason. Established in 1996 and voluntary / non-binding in nature[i], its stated mission is “to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.”[ii] Military advancements across the globe, significant among which were the Indian and Pakistani nuclear tests, rocket tests by India and South Korea and the use of chemical warfare during the Iran-Iraq war, were all catalysts in the formulation of this multilateral attempt to regulate the transfer of advanced technologies capable of being weaponized.[iii] With more and more incidents coming to light of authoritarian regimes utilizing advanced western technology to violate human rights, the WA was amended to bring within its ambit “intrusion software” and “IP network surveillance systems” as well.

Wassenaar: A General Outline

With a current membership of 42 countries (India being the latest to join in late 2017), the WA is the successor to the cold war-era Coordinating Committee for Multilateral Export Controls (COCOM) which had been established by the Western Bloc in order to prevent weapons and technology exports to the Eastern Bloc or what was then known as the Soviet Union.[iv] However, unlike its predecessor, the WA does not target any nation-state, and its members cannot exercise any veto power over other members’ export decisions.[v] Notably, while Russia is a member, Israel and China are not.

The WA lists out the different technologies in the form of “Control Lists” primarily consisting of the “List of Dual-Use Goods and Technologies” or the Basic List, and the “Munitions List”.[vi] The term “dual-use technology” typically refers to technology that can be used for both civilian and military purposes.[vii] The Basic List consists of ten categories:[viii]

  • Special Materials and Related Equipment (Category 1); 
  • Materials Processing (Category 2); 
  • Electronics (Category 3); 
  • Computers (Category 4); 
  • Telecommunications (Category 5, Part 1); 
  • Information Security (Category 5, Part 2); 
  • Sensors and Lasers (Category 6); 
  • Navigation and Avionics (Category 7); 
  • Marine (Category 8); 
  • Aerospace and Propulsion (Category 9). 

Additionally, the Basic List also has the Sensitive and Very Sensitive Lists which include technologies covering radiation, submarine technology, advanced radar, etc. 

An outline of the WA’s principles is provided in its Guidelines & Procedures, including the Initial Elements. Typically, participating countries enforce controls on transfer of the listed items by enacting domestic legislation requiring licenses for export of these items and are also expected to ensure that the exports “do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities.”[ix]

While the Guidelines & Procedures document does not expressly proscribe the export of the specified items to non-WA countries, members are expected to notify other participants twice a year if a license under the Dual List is denied for export to any non-WA country.[x]

Amid concerns of violation of civil liberties

Unlike conventional weapons, cyberspace and information technology are among those sectors where the government does not yet have a monopoly on expertise. In what can only be termed a “cyber-arms race”, it would be fair to say that most governments are even now busily acquiring technology from private companies to enhance their cyber-capacity, which includes surveillance technology for intelligence-gathering efforts. This, by itself, is plain realpolitik.

However, amid this weaponization of cyberspace, there were growing concerns that this technology was being purchased by authoritarian or repressive governments for use against their citizens. For instance, Eagle, monitoring technology owned by Amesys (a unit of the French firm Bull SA), Boeing Co.’s internet-filtering Narus, and China’s ZTE Corp. all contributed to the surveillance efforts by Col. Gaddafi’s regime in Libya. Surveillance technology equipment sold by Siemens AG and maintained by Nokia Siemens Networks was used against human rights activists in Bahrain. These instances, as part of a wider pattern that came to the spotlight, galvanized the WA countries in 2013 to include “intrusion software” and “IP network surveillance systems” in the Control List to attempt to limit the transfer of these technologies to known repressive regimes.

Unexpected Consequences

The 2013 Amendment to the Control Lists was the subject of severe criticism by tech companies and civil society groups across the board. While the intention behind it was recognized as laudable, the terms “intrusion software” and “IP network surveillance system” were widely viewed as over-broad and having the unintended consequence of looping in both legitimate as well as illegitimate use of technology. The problems pointed out by cybersecurity experts are manifold and are a result of a misunderstanding of how cybersecurity works.

The inclusion of these terms, which was meant to regulate surveillance based on computer codes / programmes, also has the consequence of bringing within its ambit legitimate and often beneficial uses of these technologies, including even antivirus technology according to one view. Cybersecurity research and development often involves making use of “zero-day exploits” or vulnerabilities in the developed software, which, when discovered and reported by a “bounty hunter”, are typically bought by the company owning the software. This helps the company immediately develop a “patch” for the reported vulnerability. These transactions are often necessarily cross-border. Experts complained that, if directly transposed to domestic law, the changes would have a chilling effect on the vital exchange of information and research in this area, which would be a major hurdle for advances in cybersecurity, making cyberspace globally less safe. A prime example is Hewlett-Packard’s (HP) withdrawal from Pwn2Own, a computer hacking contest held annually at the PacSecWest security conference where contestants are challenged to hack into / exploit vulnerabilities in widely used software. HP, which sponsored the event, was forced to withdraw in 2015 citing the “complexity in obtaining real-time import /export licenses in countries that participate in the Wassenaar Arrangement”, among others. The member nation in this case was Japan.

After facing fierce opposition on its home soil, the United States decided not to implement the WA amendment and instead to argue for a reversal at the next Plenary session of the WA, which failed. Other nations, including the EU and Japan, have implemented the WA amendment export controls with varying degrees of success.

The Pegasus Hack, India and the Wassenaar

Considering many of the Indians identified as victims of the Pegasus hack were either journalists or human rights activists, with many of them being associated with the highly-contentious Bhima-Koregaon case, speculation is rife that the Indian government is among those purchasing and utilizing this kind of advanced surveillance technology to spy on its own citizens. Adding this to the NSO Group’s public statement that its “sole purpose” is to “provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime”, it appears there are credible allegations that the Indian government was involved in the hack. The government’s evasiveness in responding and insistence on so-called “standard operating procedures” having been followed are less than reassuring.

While India’s entry to the WA as its 42nd member in 2018 has certainly elevated its status in the international arms control regime by granting it access to three of the world’s four main arms-control regimes (the others being the Nuclear Suppliers’ Group / NSG, the Missile Technology Control Group / MTCR and the Australia Group), the Pegasus Hack incident and the apparent connection to the Indian government show us that its commitment to the principles underlying the WA is doubtful. The purpose of the inclusion of “intrusion software” and “IP network surveillance system” in the WA’s Control Lists by way of the 2013 Amendment, no matter their unintended consequences for legitimate uses of such technology, was to prevent governmental purchases exactly like this one. Hence, even though the WA does not prohibit the purchase of any surveillance technology from a non-member, the Pegasus incident is arguably still a serious detraction from India’s commitment to the WA, even if not an explicit violation.

Military Cyber-Capability Vs Law Enforcement Cyber-Capability

Given what we know so far, it appears that highly sophisticated surveillance technology has also come into the hands of local law enforcement agencies. Had it been disclosed that the Pegasus software was being utilized by a military wing against external enemies, by, say, even the newly created Defence Cyber Agency, it would have probably caused fewer ripples. In fact, it might even have come off as reassuring evidence of the country’s advanced cyber-capabilities. However, the idea of such advanced, sophisticated technologies at the easy disposal of local law enforcement agencies is cause for worry. This is because while traditionally the domain of the military is external, the domain of law enforcement agencies is internal, i.e., the citizenry. There is tremendous scope for misuse by such authorities, including increased targeting of minorities. The recent incident of police officials in Hyderabad randomly collecting people’s biometric data, including their fingerprints, and taking their pictures only reinforces this point. Even abroad, there already exist ongoing efforts to limit the use of surveillance technologies by local law enforcement such as the police.

The conflation of technology use by both military and civil agencies is a problem that is created, at least in part, by the complex and often dual-use nature of technology. While dual-use technology is recognized by the WA, this problem is not one that it is able to solve. As explained above, dual-use technology is technology that can be used for both civil and military purposes. The demands of realpolitik, the increase in cyber-terrorism and the manifold ways in which a nation’s security can be compromised in cyberspace require any government in today’s world to increase and improve its cyber-military capacity by acquiring such technology. After all, a government that acquires surveillance technology undoubtedly increases the effectiveness of its intelligence gathering and, ergo, its security efforts. But at the same time, the government also acquires the power to spy on its own citizens, which can easily cascade into more targeted violations.

Governments must resist the impulse to turn such technology on their own citizens. In the Indian scenario, citizens have been granted a ring of protection by way of the Puttaswamy judgement, which explicitly recognizes their right to privacy as a fundamental right. Interception and surveillance by the government, while currently limited by laid-down protocols, are not regulated by any dedicated law. While there are calls for urgent legislation on the subject, few deal with the technology procurement processes involved. It has also now emerged that Chhattisgarh’s State Government has set up a panel to look into allegations that NSO officials had a meeting with the state police a few years ago. This raises questions of oversight in the relevant authorities’ public procurement processes, apart from their legal authority to actually carry out domestic surveillance by exploiting zero-day vulnerabilities. It is now becoming evident that any law dealing with surveillance will need to ensure transparency and accountability in the procurement and use of the different kinds of invasive technology adopted by Central or State authorities to carry out such surveillance.


[i]A Guide to the Wassenaar Arrangement, Daryl Kimball, Arms Control Association, December 9, 2013, https://www.armscontrol.org/factsheets/wassenaar, last accessed on November 27, 2019.

[ii]Ibid.

[iii]Data, Interrupted: Regulating Digital Surveillance Exports, Tim Maurer and Jonathan Diamond, November 24, 2015, World Politics Review.

[iv]Wassenaar Arrangement: The Case of India’s Membership, Rajeswari P. Rajagopalan and Arka Biswas, ORF Occasional Paper #92 p.3, OBSERVER RESEARCH FOUNDATION, May 5, 2016, http://www.orfonline.org/wp-content/uploads/2016/05/ORF-Occasional-Paper_92.pdf, last accessed on November 27, 2019.

[v]Ibid, p. 3

[vi]“List of Dual-Use Goods and Technologies And Munitions List,” The Wassenaar Arrangement, available at https://www.wassenaar.org/public-documents/, last accessed on November 27, 2019. 

[vii]Article 2(1), Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL setting up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items (recast), European Commission, September 28th, 2016, http://trade.ec.europa.eu/doclib/docs/2016/september/tradoc_154976.pdf, last accessed on November 27, 2019. 

[viii]supra note vi.

[ix]Guidelines & Procedures, including the Initial Elements, The Wassenaar Arrangement, December, 2016, http://www.wassenaar.org/wp-content/uploads/2016/12/Guidelines-and-procedures-including-the-Initial-Elements-2016.pdf, last accessed on November 27, 2019.

[x]Articles V(1) & (2), Guidelines & Procedures, including the Initial Elements, The Wassenaar Arrangement, December, 2016, https://www.wassenaar.org/public-documents/, last accessed on November 27, 2019.