Understanding the Anatomy of Cyber Enabled Crimes and their Governance

Sukanya Thapliyal

1. Introduction: 

Digital systems and Information Communication Technology (ICT) play an increasingly central role in our lives. Technological advancement has created new opportunities for cybercriminals to exploit vulnerabilities in digital systems and networks. The resulting cybercrimes can affect everyone, from government and multinational corporations to individuals. As technology continues to make deeper inroads into our lives, cybercriminals are finding unique ways to attack. The continuous evolution in technology has resulted in newer forms of cybercrimes such as Man-in-the-Middle-attack, Bluetooth Man-in-the-Middle attacks, and false data injection attacks, to name a few. This has resulted in a lack of agreement in defining and classifying threats and crimes associated with them. 

Although we lack a uniform and a neat understanding and approach towards addressing cybercrime, a few useful classification tools have been developed in this regard. One such classification tool was developed by Dr Mike McGuire and Samantha Dowling in 2013, wherein cybercrimes were divided into broad categories of “cyber-dependent” and “cyber-enabled” crimes. The cyber-dependent crimes are described as offences that can only be committed with the help of a computer, computer network or an ICT device. These include hacking, DDoS attacks, malware etc. The other category is of cyber-enabled crimes that are traditional crimes whose scope, scale and severity is greatly impacted by the use of computers, computer networks and other devices. Examples include: cyber fraud, cyberterrorism, online child sexual abuse or exploitation material, among others. 

The broad classification of cybercrime into cyber-dependent and cyber-enabled crimes is the central theme in the discussions carried out under the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of ICTs for criminal purposes (“the Ad Hoc Committee”). The discussion around cyber-enabled and cyber-dependent crimes are crucial in setting the scope of the convention. Over four different sessions, the Ad-Hoc committee witnessed wide ranging proposals on inclusion of cyber-dependent and cyber-enabled crimes under the proposed convention. Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (online child sexual abuse, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. 

This blog piece attempts to investigate the inclusion of cyber-enabled crimes as a specific choke point and why its regulations attract diverse views from the Member States and key stakeholders. The piece ends with specific recommendations and suggestions that may act as possible solutions for countering and combating cyber-enabled crimes. 

2. How Cyber-enabled Crimes have been included under other International Instruments:

Besides the UN Ad-Hoc Committee’s, several regional legal conventions, recommendations, and directives have already been developed in this regard. These have also been a reference point for the proposed convention. These include: African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), The Council of Europe Convention on Cybercrime (Budapest Convention), League of Arab States Convention on Combating Information Technology Offences, and the Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime. Besides, there is also the CARICOM Model Legislative Texts of Cybercrimes/ E-crimes and Electronic Evidences that targets the prevention and investigation of computer and network related crime. In addition, the UNODC Report on the meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime (2021) lays down Recommendations on best practices to address issues of cybercrime through the implementation of legislation and frameworks on effective criminalization, law enforcement and investigation, international cooperation, and prevention. 

International legal instruments (identified above) address an extensive range of cybercrime and criminalised both cyber-dependent and cyber-enabled crimes. The most common cyber-enabled crimes covered under these conventions include attack on computer systems, computerised data breaches, computer-related forgery, and computer-related fraud. The second set of cyber-enabled crimes covered include, offences related to child pornography, crimes that are racist or xenophobic in nature committed through computer systems. The third set of cyber-enabled crimes include offences against privacy, offences related to terrorism committed by means of information technology, and increasing punishment for traditional crimes when they are committed by means of information technology which are covered by a miniscule number of convention (such as League of Arab States Convention on Combating Information Technology Offences). 

3. Languishing Fate of Cyber-enabled crimes in Ad-Hoc Committee Process and Key Challenges in their Governance.

Although the cyber-enabled crimes are widely recognised at the international level, these have acquired only partial success in terms of their incorporation into the work of the Ad-Hoc Committee Process. 

Tracking the Ad-Hoc committee for four consecutive sessions has enabled us to identify the key challenges in incorporating and addressing a wide range of cyber-enabled crimes under the proposed convention. The cyber-enabled crimes such as terrorism-related offences, violation of personal information, extremism-related offences, or content-related crimes lack a common and clear understanding of what it constitutes due to the diverging political, cultural, and legal systems in the Member Countries. Further, these sets of crimes are largely traditional crimes that are often covered under existing international and domestic legislation and incidentally involve the usage of computer systems and ICTs. In the event that these crimes are also incorporated separately in the cybercrime convention, these can conflict with the legal instruments that are already in place. Moreover, content-related offences are broadly- worded, lack a uniform approach, and need more adequate safeguards to protect human rights and other fundamental freedoms. Therefore, binding international criminal instruments such as the Ad-Hoc Committee’s work is not an appropriate forum to address the issues emerging out of cyber-enabled crimes. Instead, these should be addressed via civil and non-legal instruments while ensuring balance with fundamental rights and freedoms. Some cyber-enabled crimes discussed under the Ad-Hoc committee, including extremism-related crimes and terrorist use of ICT technologies, are more umbrella terms that are extremely vague and subjective and pose a threat to widely recognised international human rights. Finally, the provisions related to privacy-related offences are troublesome as they criminalise a broad range of conduct without establishing a legitimate aim and providing sufficient exceptions in favour of students, journalists, cybersecurity researchers, and other public-spirited individuals. 

4. Way Forward and Suggested Solutions 

The vague and highly subjective nature of cyber-enabled crimes, their tense relationship with widely recognised international human rights and lack of sufficient exceptions can be attributed as primary obstructions that inhibit their inclusion in the Ad-Hoc Committee process. Nevertheless, these issues are of crucial importance for a large number of countries participating in the process. Member Countries, including India, Egypt, South Africa, Russia, and China, have repeatedly argued in favour of a broad cybercrime treaty and have also pushed for provisions enabling international cooperation, technical assistance, and capacity building. Lack of adequate procedural and technical competence amongst the state enforcement agencies is hampering them in their societal role, keeping citizens secure, and upholding the rule of law. In such a scenario where it is hard to build consensus in fractious issues as this, and urgency of action in respect of the threat faced by Member States, the pathway through binding international criminal instruments is less than ideal. The Member Countries, therefore, need to devise alternative pathways to address the cyber-enabled crimes though civil or non-legal instruments while keeping up the balance with international human rights and fundamental freedom. 

Another possible route to address cyber-enabled crimes is through Public-Private Leadership. The four sessions of the Ad-Hoc committee allowed us to uncover the growing mistrust and misalignment between the public and the private sector. These key stakeholders exhibit discord and opposing views of each other and are less than beneficial in addressing the critical challenges we face today due to rising cybercrime. Technology companies have latched on to their strong opinion that enforcement agencies cannot be trusted sufficiently with citizen data and digital communication. On the other hand, Member States also need to highlight the day-to-day challenges faced by legal enforcement agencies and promise adequate transparency in their actions. Some Member States have instead advocated in favour of strong obligations on the private sector to cooperate with national authorities. While public-private cooperation is imperative to address these crimes, both entities need to rethink their position, establish a cordial relationship and take up leadership roles that can then be translated into a better and more effective approach to addressing cyber-enabled crimes. 

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session (Part II)

Sukanya Thapliyal

Introduction 

In Part I of this two-part blog series, we provided our readers a brief overview and observations from the discussions pertaining to the second reading of the provisions on criminalisation of offences under the proposed convention during the Fourth Session of the Ad-hoc Committee. In Part II of the series, we will be laying down our reflections and learnings from the discussions that were held in regard to: (i) General Provisions; and (ii) Provisions on Procedural Measures and Legal Enforcement. We also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process.

1. General Provisions 

Chapter 1 of the Consolidated Negotiating Document (CND) includes five articles: statement and purposes (article 1), use of terms (article 2), scope and application (article 3), the protection of sovereignty (article 4), and protection of human rights (article 5). In the first round of discussions on General Provisions, the Member Countries, the European Union, in its capacity as observer, and the observers for non-member States provided their preliminary views on different provisions so as to allow the Secretariat to identify provisions that enjoy broad support and others where participants held divergent views. 

Round 1 Discussions

1. Points of Agreement  (Advanced to Second Round of Discussions)

A majority of the participants held positive views on the provisions enlisted under the General Provisions. They sought to strengthen several of these provisions. For example: developing countries including Iran, Jamaica (on behalf of the Caribbean Community), South Africa, and Egypt were in favour of a more elaborate and strongly worded provision on technical assistance. Similarly, several countries including, European Union, Japan, USA, Switzerland, New Zealand, Canada, and others sought (i) strong safeguards for protection of human rights and other fundamental freedoms and (ii) mainstreaming of gender perspective and (iii) consideration of persons and groups vulnerable to cybercrime. 

2. Points of Disagreement  (Subject to Co-facilitated Informal Negotiations)

The discussion witnessed divergences in relation to Article 2 (Use of Terms) of the CND. Countries including India and Russia were in favour of usage of the term “ICT” over “cybercrime” as the former is wider in nature and has been used in UN General Assembly-Resolution 74/247 that established the mandate for the Ad-Hoc Committee. On the other hand, countries including the USA, Japan, Israel, and others were in favour of “cybercrime” for being more widely understood and recognised under the domestic legal framework of various countries and already employed under several international legal instruments. The chair, therefore, took up the decision to pursue the deliberation on the said provision in the co- facilitated informal consultations under the able leadership of Mr H.E. Mr. Rapulane Sydney Molekane, Ambassador and Permanent Representative of South Africa to the United Nations, Vienna, and Mr. Eric Do Val Lacerda Sogocio, Counsellor, Permanent Mission of Brazil to the United Nations, Vienna, and Vice-Chair of the Ad Hoc Committee.

3. Co-Facilitated Informal Consultations 

The co-facilitated informal consultations witnessed detailed deliberations on the use of terminologies to be defined under the draft Convention. The deliberations represented initial exchange of views without prejudice to the future informal discussion. They shall continue ahead of, during and beyond the 5th session to allow for a common understanding on key terms in order to facilitate consensus on several provisions throughout the text of the future convention.

Round 2 Discussions

Further, in the second round of discussion on provisions that enjoy wider support, the participants brainstormed on the final language of the provisions. Several Member Countries proposed terms/ phrases and even provisions that they considered more reflective of their needs and preferences. For instance: Member Countries including Russia, Tajikistan and India proposed the usage of “detect, prevent, suppress and investigate cybercrime/ use of ICTs for criminal use” in place of “prevent and combat cybercrime/ use of ICTs for criminal use.” In addition, India also proposed the usage of “the collection and sharing of electronic and digital information/evidence” in place of “collection of electronic evidence”. Further, countries including Malaysia, Honduras and Singapore proposed for “proper balance between the interests of law enforcement and the respect for fundamental human rights” to the provision detailing the Statement of Purpose for the Convention. Similar proposals were made on provisions relating to protection of sovereignty, respect for human rights and scope of the application respectively.

The discussions relating to General Provision at the Ad-Hoc Committee process do not suffer from irreconcilable differences.  Member Countries have showcased a growing sense of convergence on provisions relating to protection of human rights and other fundamental freedoms. There is also a broad support for mainstreaming the gender perspective within the convention. The Member Countries, however, have outstanding work in relation to definitions and use of terms under the proposed convention. 

II. Provisions on Procedural Measures and Legal Enforcement 

Chapter 3 of the CND laid out provisions for – a] investigation and prosecution of offences, b] collection and sharing of information and electronic evidence, c] conditions and safeguards highlighting the need for and importance of the protection of human rights and liberties, insertion of principles of proportionality, necessity and legality and d] the protection of privacy and personal data for the purposes of the convention. The chapter included 16 articles divided into the following six clusters:

1. Cluster 1: provisions on jurisdiction, scope of procedural measures and conditions and safeguards
2. Cluster 2: procedural measures for expedited preservation of stored data; expedited preservation and disclosure of traffic data, production order, search and seizure, real-time collection of traffic data, interception of content, among others.
3. Cluster 3: procedural measures relating to freezing, seizure and confiscation of assets, establishment of criminal records, protection of witnesses and victims, and compensation for damage suffered.

Round 1 Discussions 

1. Points of Agreement (Advanced to Second Round of Discussions)

In the first round of discussions, the Member Parties unanimously recognised the importance of the provisions on procedural measures and legal enforcement and their role in laying the solid foundation for the practical international cooperation and implementation of this convention. The first round of discussions witnessed a broad agreement on the majority of the provisions under Cluster 1, 2 and 3 of CND. 

Furthermore, several Member Parties, Observer States including the European Union, India, Japan, UK, Norway, Canada, Australia, Kenya, and Israel affirmed their support on the inclusion and further strengthening of Article 42 that lays out Conditions and Safeguards that ensure adequate protection of human rights and liberties, including rights and fundamental freedoms arising from obligations under applicable international human rights law. 

Several Participant Countries also highlighted the close correlation between Article 42 and Article 41 (Scope of Procedural Measures) as being inextricably linked to one another and stated that strong procedural measures must be accompanied by robust human rights safeguards. The participant Member Countries and Observer States were broadly in agreement on inclusion of Article 43 (Expedited Preservation of Stored Computer Data), Article 44 (Expedited Preservation and Partial Disclosure of Traffic Data), Article 45 (Production Order), Article 46 (Search and Seizure) and Cluster 3 provisions (Article 50-55) of the CND. 

2. Points of Disagreement (Subject to Co-facilitated Informal Negotiations)

There was disagreement on the inclusion of Article 40 (jurisdiction), Article 47 (Real Time Collection of Traffic Data), Article 48 (Interception of Content Data) and Article 49 (Admission of electronic/digital evidence) respectively. Member Countries and Observer States and other participants including Switzerland, Japan, USA, European Union, Australia, Norway, UK, Canada raised concerns on Article 40 that allowed for extraterritorial jurisdiction of State and jurisdiction over computer data/ digital or electronic information irrespective of place of storage, screening or processing. As per the participant countries and observer states, such a provision is not in consonance with the traditional understanding of jurisdiction and may not be in alignment with Article 4 (Protection of Sovereignty) enlisted in the CND. 

Further, Member States and Observer States including EU, UK, Japan, Australia, and Norway also raised concerns on inclusion of Article 47 and 48 as these significantly interfere with human rights and are considered to be extremely sensitive in nature.  Singapore, in particular, opposed the inclusion of these provisions and stated that its inclusion has a limited utility and is likely to deter states from signing the final convention. India along with USA, Malaysia, Jamaica on the behalf of Caribbean Community (CARICOM) were in favour of inclusion of these provisions. India, in particular, also requested for the definitional clarity on terms such as “traffic data”. Besides, the participant member countries and observer states were disputed on inclusion of Article 49 and stated that the convention on cybercrime is not appropriate to include issues pertaining to admissibility of electronic evidence and is to be dealt under State’s domestic law and judicial rulings. 

3. Co-Facilitated Informal Sessions 

The chair accordingly delegated the discussion on Article 40, 47, 48 and 49 for the co-facilitated informal negotiation process to be undertaken under the leadership of Mrs. Andrea Martin-Swaby (Jamaica) and Mr. Syed Noureddin Bin Syed Hassim (Singapore).

The co-facilitated informal negotiation process underwent detailed discussions amongst participant Member States, Observer States and multi-stakeholders. The co-facilitators informed the Chair of the various developments that took place during the informal negotiation and that the co-facilitators would conduct intersessional bilateral meetings with delegations and convene additional informal negotiations of the Committee at the 5th Session scheduled in April 2023.

Round 2 Discussions 

Subsequently, in the second round of discussions, several newer contributions were made in the context of provisions laying out Conditions and Safeguards. There was also a proposal for additional provision relating to Retention of Traffic Data and Metadata, and Retention of Electronic Information in CND. Further, additional provisions on Cooperation between national authorities and service providers were also proposed and introduced in the CND for further deliberation. 

The CND and deliberations at the Fourth Session of the Ad-Hoc Committee process crystallised a number of interesting submissions and proposals made by the Member Countries over past sessions. The CND enlisted provisions aimed to redress current challenges faced by the legal enforcement agencies by providing appropriate authority allowing for expedited preservation of Stored Computer Data, expedited preservation and partial disclosure of traffic data, search and seizure, real time collection of traffic data, interception of content data, among others. 

The process, however, also witnessed disagreement on provisions relating to the understanding of jurisdiction, cooperation between national investigating and prosecuting authorities and service providers – as evident from the developments that took place in previous sessions. It is likely that the Secretariat and Member Countries will be continuing these deliberations to build consensus over conflicting issues. 

The Way Forward The proceedings at the Ad-Hoc Committee process have arrived at a critical juncture wherein Member Countries have begun text-based negotiations spearheaded by the Chair and Secretariat. The Ad-Hoc Committee will organise the Fifth Session from 11 to 21 April 2023 in Vienna as an immediate next step. The session will conduct text-based negotiations based on CND on the preamble, the provisions on international cooperation, preventive measures, technical assistance, and the mechanism of implementation, and the final provisions of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes. The upcoming sessions would be crucial in determining whether and how Member Countries would draw consensus and build toward an effective cybercrime convention that caters to the needs and expectations of the wide variety of countries participating in the UN process.

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session

Sukanya Thapliyal

1. Background/ Overview 

Last month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the Fourth Session of the United Nations Ad-hoc Committee, tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions.  It was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282). 

The three previous sessions of the Ad Hoc Committee witnessed the exchange of general views of the Member States on the scope, and objectives of the comprehensive convention, and agreement on the structure of the convention. This was followed by themed discussions and a first reading of the provisions on criminalisation, procedural measures and legal enforcement, international cooperation, technical assistance, preventive measures, among others. (We had previously covered the proceedings from the First Session of the Ad-Hoc Committee here.)

The fourth session of the Ad Hoc Committee was marked by a significant development – the preparation of a Consolidated Negotiating Document (CND) to facilitate the remainder of the negotiation process. The CND was prepared by the Chair of the Ad Hoc Committee keeping in mind the various views, proposals, and submissions made by the Member States at previous sessions of the Committee. It is also based on existing international instruments and efforts at the national, regional, and international levels to combat the use of information and communications technologies (ICTs) for criminal purposes. 

As per the road map and mode of work for the Ad Hoc Committee approved at its first session (A/AC.291/7, annex II), the fourth session of the Ad Hoc Committee conducted the second reading of the provisions of the convention on criminalisation, the general provisions and the provisions on procedural measures and law enforcement. Therefore, the proceedings during the Fourth Session involved comprehensive and elaborate discussions around these provisions amongst the Chair, Member States, Observer States, and other multi-stakeholder groups. 

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the fourth substantive session of the Ad-hoc Committee. Part I of the blog (i) discusses the methodology employed by the Ad-Hoc Committee discussions and (ii) captures the consultations and developments from the second reading of the provisions on criminalisation of offences under the proposed convention. Furthermore, we also attempt to familiarise  readers with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

In part II of the blog series, we will be laying out the discussions and exchanges on (i) the general provisions and (ii) provisions on procedural measures and legal enforcement. 

2. Methodology used for Conducting the Fourth session of the Ad-Hoc Committee. 

The text-based negotiations at the Fourth Session proceeded in two rounds. 

Round 1: The first round of discussions allowed the participants to share concise, substantive comments and views. Provisions on which there was broad agreement proceeded to Round 2. Other provisions were subject to a co-facilitated informal negotiation process. Co-facilitators that spearheaded the informal negotiations reported orally to the Chair and the Secretariat. 

Round 2: Member Countries progressed through detailed deliberations on the wording of each of the provisions that enjoyed broad agreement. 

3. Provisions on Criminalization (Agenda Item 4)

The Chapter on “provisions on criminalization” included a wide range of criminal offences that are under consideration for inclusion under the Cybercrime Convention. Chapter 2 under the CND features 33 Articles grouped into 11 clusters as:

1. Cluster 1: offences against illegal access, illegal interference, interference with computer systems/ ICT systems, misuse of devices, that jeopardises the confidentiality, integrity and availability of system, data or information;
2. Cluster 2: offences that include computer or ICT-related forgery, fraud, theft and illicit use of electronic payment systems;
3. Cluster 3: offences related to violation of personal information
4. Cluster 4: infringement of copyright.
5. Cluster 5: offences related to online child sexual abuse or exploitation material
6. Cluster 6: offences related to Involvement of minors in the commission of illegal acts, and encouragement of or coercion to suicide
7. Cluster 7: offences related to sexual extortion and non-consensual dissemination of intimate images.
8. Cluster 8: offences related to incitement to subversive or armed activities and extremism-related offences
9. Cluster 9: terrorism related offences and offences related to the distribution of narcotic drugs and psychotropic substances, arms trafficking, distribution of counterfeit medicines.
10. Cluster 10: offences related to money laundering, obstruction of justice and other matters (based on the language of United Nation Convention against Corruption (UNCAC) and United Nation Convention against Transnational Organised Crime (UNTOC))
11. Cluster 11: provisions relating to liability of legal persons, prosecution, adjudication and sanctions. 

Round 1 Discussions 

1. Points of Agreement (taken to the second round) 

The first round of discussions on provisions related to criminalisation witnessed a broad agreement on inclusion of provisions falling under Cluster 1, 2, 5, 7, 10 and 11. Member States, Observer States and other parties including the EU, Austria, Jamaica (on the behalf of CARICOM), India, USA, Japan, Malaysia, and the UK strongly supported the inclusion of offences enlisted under Cluster 1 as these form part of core cybercrimes recognised and uniformly understood by a majority of countries. 

A large number of the participant member countries were also in favour of a narrow set of cyber-dependent offenses falling under Cluster 5 and 7. They contended that these offenses are of grave concern to the majority of countries and the involvement of computer systems significantly adds to the scale, scope and severity of such offenses. 

Several countries such as India, Jamaica (on behalf of CARICOM), Japan and Singapore broadly agreed on offences listed under clusters 10 and 11. These countries expressed some reservations concerning provisions on the liability of legal persons (Article 35). They contended that such provisions should be a part of the domestic laws of member countries. 

2. Points of Disagreement (subject to Co-facilitated Informal Negotiations)

There was strong disagreement on the inclusion of provisions falling under Cluster 3, 4, 6, 8 and 9. The EU along with Japan, Australia, USA, Jamaica (on the behalf of CARICOM), and others objected to the inclusion of these cyber-dependent crimes under the Convention. They stated that such offenses (i) lack adequate clarity and uniformity across countries(ii) pose a serious threat of misuse by the authorities, and (iii) present an insurmountable barrier to building consensus as Member Countries have exhibited divergent views on the same. Countries also stated that some of these provisions (Cluster 9: terrorism-related offenses) are already covered under other international instruments. Inclusion of these provisions risks mis-alignment with other international laws that are already employed to oversee those areas.

3. Co-Facilitated Informal Round

The Chair delegated the provisions falling under Cluster 3, 4, 6, 8 and 9 into two groups for the co-facilitated informal negotiations. Clusters 3, 4 and 6 were placed into group 1, under the leadership of Ms. Briony Daley Whitworth (Australia) and Ms. Platima Atthakor (Thailand). Clusters 8 and 9 were placed into group 2, under the leadership of Ambassador Mohamed Hamdy Elmolla (Egypt) and Ambassador Engelbert Theuermann (Austria). 

Group 1: During the informal sessions for cluster 3, 4 and 6, the co-facilitator encouraged  Member States to provide suggestions/views/ comments on provisions under consideration. The positions of Member States remained considerably divergent. Consequently, the co-facilitators decided to continue their work after the fourth session during the intersessional period with interested Member States.

Group 2: Similarly for cluster 8 and 9, the co-facilitators, along with interested Member States engaged in constructive discussions. Member States expressed divergent views on the provisions falling under cluster 8 and 9. These ranged from proposals for deletion to proposals for the strengthening and expansion of the provisions. Besides, additional proposals were made in favour of the following areas – provision enabling future Protocols to the Convention, inclusion of the concept of serious crimes and broad scope of cooperation that extends beyond the provisions criminalised under the convention. The co-facilitators emphasised the need for future work to forge a consensus and make progress towards finalisation of the convention. 

Round 2 Discussions: 

Subsequently, the second round of discussions witnessed intensive discussions and deliberation amongst the participating Member Countries and Observer States. The discussions explored the possibility of adding provisions on issues relating to the infringement of website design, unlawful interference with critical information infrastructure, theft with the use of information and communications technologies and dissemination of false information, among others. 

Conclusion:

Since the First Session of the Ad-Hoc Committee, the scope of the convention has remained an open-ended question. Member Countries have put forth a wide range of cyber-dependent and cyber-enabled offences for inclusion in the Convention.  Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (such as online child sexual abuse or exploitation material, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. Countries must agree on the scope of the Convention if they want to make headway in the negotiation process. 

(The Ad-Hoc committee is likely to take up these discussions forward in the sixth session of the Ad-Hoc Committee 21 August – 1 September 2023.) 

Guest Post: A Positive Obligation to Ensure and Promote Media Diversity

This post was authored by: Aishvarya Rajesh

A positive obligation with respect to a human right is one that requires States to put into effect both preventive measures against violations (through appropriate legislative, judicial or administrative measures) and remedial measures (access to judicial reform once violations have occurred). This piece examines whether ensuring media diversity can be considered a positive obligation on States under Article 19 of the International Covenant on Civil and Political Rights (“ICCPR”), and if yes, what the scope and nature of this obligation is.

Positive obligation on States to create a favourable environment for sharing diverse views  

The right to freedom of speech and expression enshrined under Article 19 of the ICCPR forms the cornerstone of democratic societies. It, along with its corollary freedom of opinion, is vital for the full development of a person and for the true participation in public debate. The ECtHR, in its landmark decision of Dink v. Turkey, has interpreted the right to freedom of expression to include a positive obligation on States to ensure the effective protection of free expression from being wrongfully interfered by private/non-state actors, and for the State itself to create “an enabling environment by allowing for everyone to take part in public debate and express their thoughts and opinions” (¶137). The Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression has also acknowledged that there has been an increasing recognition that States have positive regulatory obligations to promote free speech and expression in online spaces too. The Joint Declaration on Diversity of 2007, a document prepared by several eminent jurists appointed as Representatives or Rapporteurs by the UN, OSCE, OAS, and ACHPR has similarly identified States’ positive obligation to regulate private actors so as to promote diversity in the media and prevent the undue concentration of media ownership.

The requirement for media diversity as a positive obligation on States may also be seen as emanating from interpretations of different international instruments read together, an outcome that has also been reflected in the decisions of different human rights bodies. For instance, a conjunctive reading of Art.19 and Art.2 of the ICCPR (as with the parallel provisions in the UDHR and regional human rights instruments) can be interpreted to show the positive obligation on States to promote media diversity. This interpretation has been endorsed by the Inter-American Commission on Human Rights in inter alia Baruch Ivcher Bronstein v. Peru, (2001) which opined that “…consequently, it is vital that [media] can gather the most diverse information and opinions” (¶149); and by the European Court in Informationsverein  Lentia  and  Others  v.  Austria (1993) noting, “…Such an undertaking cannot be successfully accomplished unless it is grounded in the principle of pluralism, of which the State is the ultimate guarantor…” (¶38).

The positive obligation includes within its ambit an obligation to prevent undue concentration within media eco-systems

A positive obligation on the State to foster an environment where a diversity of ideas and opinions (media diversity) is available to the public can entail a very wide array of obligations on the State. For instance, this raises questions regarding the extent or the scope of this obligation in the regulation of social media intermediaries who have managed to accumulate significant control within the online media space. This sort of control could be seen as giving them the ability to behave in a near monopolistic manner. The Centre for Law & Democracy, in February, 2022 gave their submissions on the Practical Application of the Guiding Principles on Business and Human Rights to the Activities of Technology Companies where they opined inter alia that States can be obligated to undertake measures to promote diversity in an online space that has seen high market concentration by large social media companies.

Concentration within media eco-systems is antithetical to the idea of media diversity

Given that a positive obligation to promote media diversity exists, a necessary corollary of this would be the need to prevent undue concentration within media eco-systems. According to UNESCO, undue concentration in media refers to when one corporate body (or individual) “exercises overall control over an important part of an overall media market”. This would prevent and hinder the ability of people to receive information from multiple sources, which is crucial for the true exercise of the freedom of speech. This is because media monopoly can cloud the ‘marketplace of ideas’, and according to the Special Rapporteur for Freedom of Expression, “leads to the uniformity of the content that they produce or disseminate”. Furthermore according to UNESCO, a media monopoly poses a threat to not just the freedom of expression but by extension also to democracy as it hinders the ability of media to reflect the variety of opinions and ideas generated in the society as a whole.

Obligation to monitor and restrict M&As in the media space

In 2007, the Joint Declaration on Diversity (by the Special Rapporteurs of the UN, OAS and ACHPR and the OSCE Representative on freedom of the media) in broadcasting emphasized the requirement to put in place anti-monopoly (both horizontal and vertical) rules, including ‘stringent requirements’ of transparency enforced through active monitoring. This also covered the need to prevent powerful combinations as a result of merger activity in the media space. The Committee of Ministers of the Council of Europe has emphasized the need for licensing to be made contingent on media platform owners acting in harmony with the requirement to ensure media diversity. UNESCO’s Media Development Indicators, also acknowledge that States are required to prevent monopolies or oligopolies and must take this into account during the provision/renewal of license. The measures that States were required to take to promote media diversity and prevent monopoly were called ‘special measures’ (in the Joint Declaration on the Protection of Freedom of Expression and Diversity in the Digital Terrestrial Transition), going beyond those already existing in commercial sectors, which indicates a recognition of the need to secure media pluralism inter alia through ensuring competitiveness in the space.

Conclusion

A State’s positive obligations under the right to free speech and expression can be viewed as emanating directly from treaty obligations and has also been widely interpreted by a multitude of judicial decisions and eminent jurists. Acknowledging these as sources of international law under Articles 38(1)(a) and 38(1)(d) of the ICJ Statute we can argue that a State’s positive obligations under Art. 19 of the ICCPR and analogous free speech protections under international law must also include within their ambit obligations to ensure media diversity. This includes the protection of both, the rights of the speaker and the audience, under the right to freedom of speech and expression. Some ways in which this can be ensured is through allocation of funds specifically for public interest content and other at-risk sectors; establish holistic and functional market concentration monitoring systems; and also delegate, through co-regulation or self-regulation, a part of the State’s positive obligation directly to the media platforms itself to ensure diversity in its operations. The measures undertaken must be carefully designed and should fulfill the aims of promoting diversity, avoiding monopolistic behaviour, and not put at risk the independence of the media.

Technology & National Security Reflection Series Paper 10: International Responsibility for Hacker-for-Hire Operations: The BellTrox Problem

Anmol Dhawan^*

About the Author: The author is a 2021 graduate of National Law University, Delhi.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author’s contribution serves as an adapted reflection to the following proposition:

“From the standpoint of international law, does the Government of India bear any international legal responsibility for the actions of BellTrox InfoTech Services (or any other similar ‘hackers-for-hire’ operations run from Indian territory)? If yes, what are the legal prerequisites that need to be satisfied to affix such responsibility on the Government? If not, explain with reasons.” 

1. INTRODUCTION 

In 2020, The Citizen Lab released a report naming an obscure Delhi-based company, Belltrox Infotech Services, as a major player in commercial espionage operations against high-profile organizations as a hacker-for-hire entity. The targets included nonprofits and advocacy groups working on issues like climate change and net neutrality in the US, such as the Rockefeller Family Fund, Free Press, and Greenpeace.

Such cyber-espionage activities, inter alia, highlight the uncertainty in the application of international law in cyberspace. An analysis of BellTrox’s alleged operations raises questions as to whether there is an internationally wrongful act for which responsibility needs to be affixed, who bears such responsibility, and to what extent. 

As per Article 2 of the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (‘ARSIWA’), a State is responsible for an internationally wrongful act when it commits an act or omission fulfilling two basic criteria. First, the act or omission is attributable to that State; and second, it constitutes a breach of that State’s international obligation. 

Accordingly, this piece analyses the nature of attribution in the cyber context, the problems therein, and whether current frameworks take account of the unique nature of cyber-attacks vis-à-vis hacker-for-hire situations. Further, the article evaluates whether low-level cyber-attacks such as BellTrox’s constitute a breach of an international obligation, with particular reference to the principles of sovereignty and non-intervention. Finally, the piece attempts to distill shortcomings under the international law regime governing cyberspace and considers avenues to bridge the gaps. 

“Hackers (pt. 1)” by Ifrah Yousuf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

2. ATTRIBUTION 

Attribution is a normative operation used to demonstrate a nexus between the perpetrators of an act and a State. Although conduct under ARSIWA is limited to acts of State organs, Article 8 states that the wrongful conduct of a non-State entity directed or controlled by that State may be attributable to the State.

Traditionally, such attributability was restricted to activities carried out under a State’s ‘effective control’. As applied by the International Court of Justice (‘ICJ’) in Nicaragua, the effective control test requires a State to have, directed, commanded, or otherwise directly controlled the actor in question. The Tallinn Manual also follows this threshold for attribution in cyberspace. However, BellTrox’s conduct cannot be attributed to India under this test as the company is neither a State organ nor is there any evidence reflecting that it acted under the control of the Indian state. Further, BellTrox’s conduct cannot be attributed to India under the much lower threshold of the ‘overall control’ test of the International Criminal Tribunal for the Former Yugoslavia’s in Tadic (which the ICJ later rejected in the Bosnian Genocide Case) either. Under the overall control test, even supporting, equipping, or financing a non-state actor could suffice for attribution.

In evaluating responsibility for non-state actors’ conduct, we must consider other standards seen in international law. The US response to the 9/11 attacks marked a shift from the traditional responsibility thresholds towards an ‘indirect responsibility’ criterion. This threshold can be inferred from the communication of the US to the UN Security Council, in establishing a right of self-defense. The US focused on an ‘unwillingness’ standard, highlighting the Taliban regime’s refusal to change its policy towards Al Qaeda despite having control over large areas where it operated. However, in invoking this standard, the US emphasized that the Taliban gave some degree of support to Al Qaeda over and above mere sanctuary.

Although this theory of indirect or vicarious responsibility does not have enough support to constitute customary international law, it does find some backing in the Corfu Channel judgment. The ICJ held that States ought not to allow their territory to be used in a way that endangers other States. This idea has developed in relation to terrorist activities, whereby the Friendly Relations Declaration as well as UN Security Council  Resolution 1373 demand that States deny safe haven to terrorist activities.

Jason Healey expands on such a standard of passive responsibility, focussing on a State’s accountability for fostering an environment where attacks could occur instead of “shrinking the sanctuaries from where criminals act with impunity.” ICJ’s Tehran judgment also supports the proposition that a State’s failure to take appropriate steps to prevent violations could render it responsible for the wrongful conduct.

If we were to apply this broad threshold, it is conceivable that BellTrox’s conduct could be attributed to India. However, a State cannot be held responsible for all acts perpetrated within its territory. Thus, a more ideal starting point of assigning State responsibility for non-State actors’ conduct in cyberspace should involve combining the aforementioned standard with the ‘due diligence’ principle. Accordingly, attribution would entail a two-step determination. First, ascertaining a State’s unwillingness to prevent a non-state actor’s illegal conduct despite being in a position to do so. Second, whether the State exercised reasonable due diligence in attempting to prevent the conduct. A failure in either could render the State internationally responsible. 

Scholars have suggested specific guidelines for due diligence, including enacting criminal law against the commission of cyber-attacks, instituting good-faith investigations and prosecution, and cooperation with victim States. The 2015 Report of the Group of Government Experts (GGE) calls upon States to respond to requests for mitigating malicious ICT activity arising out of their territory. The GGE report highlights that knowledge plays a role in determining attributability and States have a due diligence obligation towards post-facto mitigation of identified unlawful cyber activity emanating from their territory. 

As Healey emphasizes– unfortunately, in cyberspace, States do not expect other States to exercise the same degree of control over their subjects; and the international community considers States helpless in mitigating cyber attacks originating from their territory.  However, moving away from a narrow attribution requirement, victim States could push origin States towards taking well-established steps for mitigating attacks and ensuring prosecution to avoid responsibility for wrongful conduct.

3. SOVEREIGNTY AND NON-INTERVENTION 

The second prong of State responsibility is the requirement of the breach of a State’s international obligation. As per the UN GGE’s 2013 and 2015 reports, States are, in principle, at a consensus as to the application of the principles of sovereignty and non-intervention in cyberspace. In essence, the principle of State sovereignty relates to a State’s authority over its territorial integrity, sovereign functions, and political independence to the exclusion of others. The prohibition on unlawful intervention derives from the principle of sovereignty, and as outlined by the ICJ in Nicaragua, points to the coercion of one State by another in matters within the former’s sovereignty.

The first element of intervention, i.e., ‘coercion’, refers to an attempt to influence an outcome in the target state, depriving the target state of control over the ‘functions inherent in sovereignty’. An  example of coercive behavior could be the use of cyberspace to compel another state to adopt a particular legislation. This understanding under the Tallinn Manual is broadened to include all kinds of coercive acts designed to force a state to act, or not act, in a particular manner. 

It is unlikely that international law, as it stands, would find cyber-operations like BellTrox’s to be coercive. Although targeting of eminent private groups and advocacy organizations may point towards an attempt to influence US policy, it cannot be concluded that the operations or the information gathered could have pressurized the US government to legislate in a particular manner. 

The second element of intervention is that the coercive behaviour must be directed towards the ‘matters in which a State is permitted to decide freely’. The Friendly Relations Declaration defines an intervention as interference in the State’s personality or against its political, economic, and cultural elements. The Tallinn Manual 2.0 bases violation of sovereignty on the usurpation of an inherently governmental function through interference in matters within the domaine reserve of the State.

However, to engage the non-intervention principle, the operations must be directed at the State’s practical ability to exercise its sovereign function. Thus, the NotPetya attacks attributed to Russia, which targeted Ukraine’s financial system, transport and energy facilities have been considered violations of international law by the UK and its allies. However, a spear-phishing campaign attacking private Universities and NGOs or the WannaCry ransomware attack attempting to extort hard currency from users were not considered as such. The US called the alleged Russian hacking of the Democratic National Congress an ‘attempt to interfere with its election process’, with Department of State’s Legal Adviser Brian Egan categorizing it “a clear violation of the rule of non-intervention.”

In contrast, Belltrox’s alleged hacker-for-hire scheme appears to target private persons, institutions, and advocacy firms without directly interfering in sovereign functions. Even if BellTrox’s actions are considered as attempts to influence US policy, public interest advocacy and policy research are not exclusively governmental functions. Moreover, espionage against private organizations does not preclude a State from deciding freely on sovereign matters. Resultantly, it is unlikely that BellTrox’s operations would ipso facto constitute an internationally wrongful act of intervention.  

4. CONCLUSION 

The BellTrox problem highlights the need to move away from the traditional attribution fixation to hold States accountable for mitigating cyber-attacks. The conventional understanding of internationally wrongful acts only takes into account the nature of kinetic warfare and interventions in other States, thus failing to account for the ability of non-State actors to cause similar damage when shielded and given a safe haven by States. Therefore, instead of the ‘effective control’ and ‘overall control’ tests, a shift towards the theory of ‘indirect responsibility’, in combination with a due diligence standard for states, would be more effective in the cyber world. 

Applying such a test, if India did provide a safe haven to BellTrox, in that it ignored the threat or was unwilling to mitigate it despite knowledge of malicious cyber-activities, these activities could be attributed to India. Further, on account of the due diligence requirement, a State’s failure to take appropriate action on intimation by a victim State would strengthen the latter’s claim for affixing responsibility. 

In regard to intervention in sovereign matters, the expanded understanding in Nicaragua and the Tallinn Manual reflects that a direct attempt to cause a change in another State’s law or policy would constitute an unlawful intervention. However, the problem in the current scenario lies in showing that BellTrox could use the information gathered to coerce the US to act towards a particular objective. Indirectly influencing the actions of private individuals and advocacy organizations might not restrict the State in its sovereign functions and hence, is unlikely to constitute intervention. 

The BellTrox case outlines multiple gaps in international law with respect to cyberspace. Although existing law might not hold States internationally responsible for non-state actors’ private cyber operations originating from within their territory, victim States must invoke the accountability of origin States for mitigating cyber threats and ensuring prosecution. Further, pressure by the international community on States to conform to their due diligence obligations would be a substantive move in the right direction.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 9: Legality of Foreign Influence Operations (“FIOS”) Under International Law

Neeraj Nainani^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. He currently works as an Associate at AZB & Partners, Mumbai. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

1. INTRODUCTION

States have always tried to influence opinions and politics of other sovereign states. Sun Tzu advocated spreading false information to take tactical advantage while Genghis Khan and his men planted rumors about their cruelty and their horsemen to spread fear and to weaken the enemy’s resilience.¹ However, changes in technology have drastically altered the way in which influence operations are conducted. The continuous evolution of information technology (“IT”) has resulted in progressive transformation in the information environment both in terms of constituent elements and inherent dynamics. 

Due to this transformation, the dissemination of information on a large scale is no longer controlled by a few stakeholders within democracies. This transformation is accelerated by the advent of online and social media platforms. Such platforms have upended the financial configuration of the media landscape in a manner in which prioritizes commercial revenues over the reliability and integrity of information which is consumed. 

These incentive structures have become fertile ground for influence operations which are increasingly shifting to cyberspace. In fact these online influence operations are being used to interfere in matters of other countries, especially elections. Cyber influence operations are defined as

“… activities that are run in cyberspace, leverage this space’s distributed vulnerabilities, and rely on cyber-related tools and techniques to affect an audience’s choices, ideas, opinions, emotions or motivations, and interfere with its decision making processes”.

The author will look at the status of cyber influence operations under international law and examine whether they violate principles of sovereignty and non-intervention and other obligations of states under international law. 

“Aspects of Cyber Conflict (pt. 4)” by Linda Graf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

2. FIOs AND THE PRINCIPLE OF SOVEREIGNTY

A state’s sovereignty is one of the most important concepts in international law. The ICJ has recognized the centrality of sovereignty by holding that “the whole international law rests” upon the concept of sovereignty. However, scholars highlight two issues as challenges to the argument that cyber influence operations may violate a State’s sovereignty. 

First, the conceptual understanding of sovereignty is currently challenged as an international legal obligation, especially in cyberspace. The authors of the Tallinn Manual on the international law applicable to cyber operations have recognized sovereignty as a primary and central principle of international law. The United Kingdom has observed that even though sovereignty is an important concept in international systems, “we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention”. The chief lawyer to the U.S. Cyber Command has also argued that sovereignty is “a principle of international law that guides state interactions, but is not itself a binding rule that dictates results under international law”.

The second argument pertains to the application of sovereignty principle over influence operations. Tallinn Manual 2.0 recognizes that a cyber operation constitutes a violation of sovereignty when they result in cause “physical damage or injury”, or the remote causation of “loss of functionality” of infrastructure in the target state or when they interfere with or usurp inherently governmental functions. However, there was division among the experts on the threshold which would amount to violation. The test is irrelevant for cyber influence operations as they generally do not cause physical damage or loss of functionality. Further, the authors of Tallinn manual were also not able to reach consensus on whether the cyber influence operations violate notions of territorial sovereignty of nations states.

The other touchstone to test cyber influence operations is on the notion of interfering with or usurping inherently governmental functions. Some authors have argued that it is unclear “whether a cyber influence operation on an election falls within the bounds of the terms ‘interference’ or ‘usurpation’.” Authors of Tallinn Manual have argued that the transmission of propaganda alone is generally not a violation of sovereignty. Michael Schmitt argues that the doxing operations disclosing crucial confidential information at crucial moments before the national elections as well disinformation campaigns involving overt acts from fake accounts are serious and classification of these serious influence operations as violations of sovereignty is “somewhat supportable”. Schmitt concludes that influence operations currently fall within “the legal grey zone of the law of sovereignty”.

One of the arguments to consider is that influence operations are generally backed with some additional overt or covert act such as doxing supported by hacks, or information warfare supported by the violation of privacy. UNGA has observed in the context of elections that “any activities that attempt, directly or indirectly, to interfere in the free development of national electoral processes, in particular in the developing countries, or that are intended to sway the results of such processes, violate the spirit and letter of the principles established in the Charter”. 

Influence operations do more than merely transmit propaganda. They perform subversive acts aiming at destabilizing State institutions by influencing nationals of another State; and enable militant democracy which allows the attacking state to indulge in political and legal warfare in the medium and long term. Further, influence operations interfere with the duty of the state to conduct free and fair elections.

3. FIOs AND THE PRINCIPLE OF NON-INTERVENTION

The other possible argument questioning the legality of influence operations under international law is the settled principle of non-interference. As per the ICJ’s decision in Nicaragua, an intervention by a State is unlawful when first, it has a bearing on matters which by principle the state can decide freely, second, the state uses methods of coercion. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations provides that “a State may not intervene, including by cyber means, in the internal or external affairs of another State” 

Duncan Hollis identifies two key issues with bringing cyber-enabled foreign influence operations within the principle of non-intervention. Firstly, that the content of the categories i.e. internal and external affairs of the state is not well defined. He argues that in earlier times there were subjects clearly cabined off from international attention that a state could address. However, with technological advancements and globalization, such subjects are limited and every subject attracts international attention. Therefore, any idea defining internal affairs of the state is likely to be limited, contested, and dynamic. However, the influence operations do not merely mean ‘international interest’ from a particular state. Influence operations more often than not, are clandestine operations by States – designed to meddle with the internal affairs of the country which shows a hint of militant democracy. 

Second, Hollis argues that influence operations do not meet with the criteria of coercion as narrowly defined in International Law. Tallinn Manual defines Coercion as “designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way”. This must be “distinguished from persuasion, criticism, public diplomacy, propaganda, retribution, mere maliciousness…” because “such activities merely involve either influencing (as distinct from factually compelling) the voluntary actions of the target State, or seek no action on the part of the target State at all”. It has been argued that the very nature of influence operation is to have target adopt or change certain behaviors willingly, which implies an absence of coercion. Another argument is that a legal finding that the State acted due to/under the influence of coercion would depend on recognizing and attributing some individual or group as the target of the coercion and identifying threatened consequences.

However, a broader conceptual understanding of coercion can be identified in efforts to bolster the argument that non-intervention includes the conduct of a State which weakens, undermines or compromises the authority of another State. The argument emphasizes on the examination of context and consequences while determining whether a State was compelled to act in a manner it otherwise wouldn’t have.

This broad approach is supported by observations made by the experts in Tallinn Manual 1.0 where they observed that the prohibited forms of interventions include “the manipulation by cyber means of elections or of public opinion on the eve of elections, as when online news services are altered in favor of a particular party, false news is spread, or the online services of one party are shut off”.

4. CONCLUSION

Various authors have highlighted that it is very difficult to argue that cyber influence operations questioning the democratic legitimacy of a target State falls within the ‘prohibited forms of intervention’. Similar arguments have been made for questions pertaining to the principle of sovereignty as well. Michael Schmitt has also observed cyber influence operations fall within a significant legal grey zone. However, an important question which is asked is whether these primary principles of international law which have developed on the basis of kinetic conflicts could be applied to cyberspace by analogy. Other scholars have also argued that cyber influence operations can better examined through lens of “self-determination”, “duty of due diligence” and also arguing  “information ethics” should inform our legal interpretation of damage and violence in cyberspace. Due to challenges posed by traditional understanding of sovereignty and principle of non-intervention, it is important to reexamine these concepts in context of cyber influence operations and to apply concepts accordingly to address concerns raised by them. 

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. Sunil Narula, “Psychological Operations: A Conceptual Overview,” Strategic Analysis 28, no. 1 (2004): 180.

Technology & National Security Reflection Series Paper 8: Tallinn Manuals as Law of the States or for the States– a Sola Fide Exploration?

Karan Vijay*

About the Author: The author is a 2021 graduate of the National Law University, Delhi. He is currently an Associate at Talwar Thakore & Associates, Mumbai. His interests lie in evolving landscapes of technology and their impact on international law and economics.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

INTRODUCTION

In this post, we evaluate the authoritative value of interpretations of international law expressed in the Tallinn manual with reference to Article 38 of the Statute of the International Court of Justice. 

NATO’s Cooperative Cyber Defence Centre of Excellence (“CCDCOE”) was established for NATO members to coordinate their efforts in the field of cyberwarfare in 2008, in light of the 2007 cyberattacks on Estonia’s critical cyber infrastructure. Given the international nature of cyberspace and consequently cyberwarfare, the CCDCOE convened a group of international experts to analyse how international law can be applied to cyberwarfare. Thus, the Tallinn manual came into existence, named after Estonia’s Capital, in 2013. The group of experts released Tallinn 2.0 in 2017 as a follow up which deals with a much broader field of ‘cyber operations’ instead of cyberwarfare. The original manual involved conflict while 2.0 deals with cyber operations both inside and outside conflict.

As far as the authoritative value of the Manual is in question, it is pertinent to point out that the Manual notes that every rule or assertion may not be a representation of principles of international law. Moreover, neither the rules nor the commentaries of the Tallinn manuals reflect the NATO doctrine or has been adopted as the official position of any State. Thus, prima facie, the Tallinn manuals (including Tallinn 2.0) were an end result of an academic study to determine and restate the lex lata i.e. the law as it exists; and probably deduce the direction of the lex ferenda i.e. as future law should be (although the manuals expressly stated that they avoided any statements or lex ferenda or the preferred policy for States). However, this still leaves the question unanswered about the value it holds today amongst other sources of international law.

Photo by Ministerie van Buitenlandse Zaken. Licensed under CC BY 2.0

THE LEGAL CONUNDRUM ENCIRCLING ARTICLE 38 (1) AND TALLINN MANUAL

Article 38(1) of the Statute of the International Court of Justice is considered as the most widely recognized iteration of sources of international law. It is no debate that the Manuals would fall under 38(1)(d) as the teachings of most qualified publicists as the international group of experts who were involved in their drafting are legal luminaries who are recognized for their contributions in cyber law and international law. 

We must note here that Article 38(1)(d) is different from the rest of the iterations or sources as it is subsidiary to others, i.e., these teachings per se are not law in and of themselves but are rather references that can be looked into for finding the law applicable.Thus, the manuals positing the arguments of the experts is not the law itself. However, they are a helpful source of determining the other authoritative sources of international law because the premise on which the publicists argue an assertion is usually based on a combination of the other three sources enshrined in article 38(1).

The question now becomes whether these manuals have been elevated to the level of customary international law (CIL). In addition to treaties, rights and obligations of States can also be recognized under CIL which is basically ‘evidence of a general practice accepted as law.’ In brief, a norm of CIL can form with State practice, that is the behavior of States with regards to the custom in question, and opinio juris, which is the belief that the State practice is in fact an obligation arising out of the law that is claimed as CIL.¹ This implies that towards formation of a custom, the State practice is the objective element or the manifestation of the subjective element, opinio juris. Interestingly, a minority of scholars also argue that it is not a watertight framework of having both of these elements, and a strong existence of the opinio juris may lead to the creation of a norm of CIL.

With respect to Cyber-operations, jurists hold that it is still too recent a field and there is no consistent State practice. However, most States have expressed the need of cyber-regulation and security via domestic law or through their representatives. The States are also publicly equipped to create or respond to military cyber operations. This amounts to a valid State practice, and even if it has not taken place for a long time but has been uniformly exercised, and there is proof of existence of the opinio juris, it can still validly contribute towards forming CIL.

ON THE QUESTION OF REPRESENTATION 

The question that we now face is whether the Tallinn manuals are a reflection of this global opinio juris. We can analyse from the available evidence and conclude that it may not be the case. To be clear, the international group of experts whose opinions led to the creation of the Manuals participated in their individual capacity– were not representing their country. This is important to note because when a scholar represents a country, they voice or manifest the State’s ‘opinion’ on points of disagreement as we see at the International Law Commission. What Tallinn scholars represent in their individuality or have represented are ideologies such as the Chicago School of Economic Thought or the English School of International Relations but never their State, making the manuals a scholarly exercise rather than a reflection of any opinio juris.

When we talk about representation, another issue which comes up with the manual is that it does not have fair representations from all parts of the world. A few of the biggest players of cyberspace are China and Russia. These States have successfully hacked/controlled their way to becoming important State actors within the cyber realm. Their opinions or voices; and even that of Israel (Israeli experts were on board for Tallinn 2.0), which is a dominant player in cyber-security today or that of Iran, were not taken into consideration. This further takes away from any claims whatsoever that the manuals represent opinio juris of States. The Manuals only take this issue of representation further in circumstances wherein only the military manuals of first world countries are referenced without providing any objective criteria for such selection.

At the same time there are some rules, which arguably do reflect opinio juris of States. For example, “Rule 4 – A State must not conduct cyber operations that violate the sovereignty of another State.” However, it is not the Tallinn manuals that made these laws customary in nature. Instead the manuals merely restate a preexisting custom adding the reference to cyberspace. 

From a content point of view, Pukhraj Singh points out that the manual which was touted to bring clarity to complex questions of cyberspace and law has turned a complete volte-face. Singh highlights that experts disagreed with each other at places providing counter-narratives, and that the manuals jump the gun by over- analogizing with conventional operations. The legal imputation of physical laws, such as the law of armed conflict to cyber-attacks may not always make complete technical sense. At the end of day, cyberspace is an intangible concept of connected computers, and not as physically controllable as how the manuals consider it to be. 

Most cyber-attacks will be done in a clandestine fashion with no clear indication as to which State did it or is responsible for it. The manuals (especially Tallinn 1.0) are not of much help as they simply restate the law on attribution and do not completely fulfil their role of creating practical and acceptable attribution standards (even if it meant holding the US responsible for Stuxnet!).

Moreover, it must be looked into whether the Manuals’ rules have been adopted and followed by various States or not and to what extent. This ascertains whether the States consider themselves bound by the rules of the manual (or is regarded as opinio juris). Now, apart from the disagreements that States have on some rules of the manual, a study done on 11 hostile cyber-operations that happened between 2013-2017 revealed that the manual or its rules were not followed.

CONCLUSION

Thus, with this understanding, we can conclude that while some of the rules restate CIL, the manuals as a whole do not seem to represent the global lex lata or the opinio juris of the States. It may seem that they instead represent the lex ferenda or what the law should be. However, that is also not exactly the case with their many loopholes and misplaced allegiances as they themselves state. 

It can instead be said that the manuals represent a hope or even a viable precedent that an exercise such as this can be undertaken by various other clusters of nations, like EU, SCO, SAARC, OAS or ASEAN. As more and more clusters will come up with their own varying opinions on cyber-space and cyber-operations, the chances of them possibly culminating into a mutual understanding between all States regarding international law applicable to cyberspace becomes more plausible. For this long drawn vision, Tallinn manuals seem to be a worthy starting point.  

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. North Sea Continental Shelf (Libya v Malta) (Merits) [1985] ICJ Rep 13[27].; Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) 1996 ICJ Rep 226 [64].; ILC, ‘Draft conclusions on identification of customary international law, with commentaries’ (2018) UN Doc A/73/10 Conclusion 2.  Antonio Cassese, International Law, (2nd edn. OUP 2005), 156.

Technology & National Security Reflection Series Paper 7: Use of Force in Modern Times: Sisyphus’ First World Boulder

Karan Vijay^*

About the Author: The author is a 2021 graduate of the National Law University, Delhi. He is currently an Associate at Talwar Thakore & Associates, Mumbai. His interests lie in evolving landscapes of technology and their impact on international law and economics.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

INTRODUCTION 

In this post, we discuss a rather contentious point that whether in international law, a mere threat or use of force by a State against another State would give rise to a right of self-defense. 

For context Article 2(4) of the UN Charter provides for all member States to refrain from the threat of or the actual use of force which may threaten the territorial integrity or political independence of any other state. This provision is regarded to have a jus cogens character, i.e., binding on all States as a non-derogable one. Each Member State also has the positive duty to refrain from the use of force against other  States under international law.

Pursuant to Article 51 of the UN Charter, States which face a use of force at the level of an ‘armed attack’ have the right to exercise self-defense. An armed attack is when this force is used on a relatively large scale, is of sufficient gravity, and has a substantial effect. Dinstein states that armed attack presupposes a use of force producing serious consequences, epitomized by territorial intrusions, or human casualties or considerable destruction of critical infrastructure.

Photo by Kyle Glenn on Unsplash. Copyrighted under Unsplash license.

MEMBER STATE’S RIGHT TO SELF DEFENSE

We need to be aware that this right of self-defense does not manifest at every instance of use of force against another State. In certain instances victim States can instead exercise ‘countermeasures’ against the belligerent State. However, when this right of self-defense does manifest, it must abide by the doctrines of necessity and proportionality.

These doctrines were initially laid down in the aftermath of the Caroline incident of 1837, which has inadvertently governed the rules of use of force for nearly two centuries. Herein, the doctrine of necessity posits that an armed attack can only be responded to when there is no other alternative means to seeking viable redressal. Necessity requires that military action should be used only as a last resort. Then, the doctrine of proportionality provides that the size and scope of an armed attack shall determine the overall objective of the defensive responses. This leads to the conclusion that such action will only be towards self-defense and not retaliatory in nature or have a punitive outlook against the aggressor. The counter attack cannot be unreasonable or excessive and can only be carried out to repel or prevent an attack.

Thus, if we were to literally interpret the law, the answer would be that a mere threat or even a use of force that is not of a level of an armed attack does not give rise to the right of self-defense. However, a look at how State practice has shaped this understanding might lead to a different conclusion.

EMERGING FAULTLINES AND EXPANSION OF LEGAL INTERPRETATION OF RIGHT OF SELF-DEFENSE

The United States, with their invasion of Afghanistan for harboring terrorists in 2001 and the subsequent invasion of Iraq in 2003 for allegedly procuring weapons of mass destruction have posited a changed landscape to the  right of self-defense. American actions of ‘self-defense’ completely subvert the legal interpretation of the right being unavailable against threats and conventional use of force. Furthermore, it has led to the emergence of an anticipatory right to self-defense.

At the outset, it is observed that the opinion on the legality of such acts that anticipate armed attacks from threats or other information is divided. Some scholars (usually the ones who have a favorable outlook towards American and/or the Israeli Government actions) argue that the right to anticipatory self-defense is not only in consonance with customary international law but also with article 51 of the U.N Charter.

However, an anticipatory right of self-defense would actually be contrary to the wording of Article 51, since an armed attack must ‘occur’. In any case, Article 51 must be interpreted narrowly containing a prohibition of anticipatory self-defense as one of the purposes of the Charter was to reduce to a minimum the unilateral use of force. At the very least, States claiming the right will have to prove that they face an imminent attack^.. It is ideal to have a ‘clear and convincing’ evidence of the same to avoid situations like that of the invasion of Iraq, which was initiated based on extremely faulty intelligence. 

There are checks and balances enshrined within Article 51 itself to ensure that this does not become a practice. Key mechanisms include the requirement or duty to report immediately to the Security Council when such an act is undertaken, which can act as a limitation on the exercise of self-defense. However, even this duty does not have the power to stop the states exercising such ‘rights’ as reporting to the Security Council is a mere procedural matter, and nonfeasance cannot technically deprive a state of the substantive right of self-defense or invalidate it.

Therefore, it can be said that the scope of the right to self-defense despite fair legal objections may have already expanded to practically include threats or even conventional uses of force not amounting to an ‘armed attack’. What becomes important now is to see how this right of a sovereign state will shape in the future. Towards this, there are two important questions that need to be answered. Firstly, whether this right can be exercised against non-state actors and secondly, can this right be exercised against a cyber-operation?

When the right of self-defense towards non-state actors is considered, the legal position seems pretty clear. The International Court of Justice itself has expressed that the inherent right of self-defense in the case of armed attack by one state is available only against another state.

The general understanding is that Article 51 of the Charter is an exception to the prohibition on the use of force as enshrined in Article 2(4). Given that Article 2(4) refers only to a ‘state’, its exception must also deal with the same. However, some do argue that while Article 2(4) of the Charter, in proscribing the use of force, refers solely to state actors on both sides.  On the other hand, Article 51 mentions a member only as the potential target of an armed attack. This means that the perpetrator of that armed attack is not identified necessarily as a state, especially during these times where it is not just State but non-State entities like terrorists that pose the significant threats to national security concerns of States.

Moreover, regardless of what the law states or what the law should be, the tacit acknowledgement of the Security Council, NATO and EU towards the American invasion of Afghanistan to attack Al Qaeda has given credence to the understanding that self-defense is available against non-State actors. Thus, contemporary state practice (of the first world countries) shows that non-State actors can be behind ‘armed attacks’ which can give rise to self-defense. The ‘pro-democracy’ opinion now states that self-defense against a non-State actor can be justified when the territorial State has manifestly and persistently been unwilling or unable to prevent such attacks in other States, like invasion of Afghanistan on the pretext that if they are harbouring terrorists, they are as liable as the terrorists themselves.

Coming to the second question of whether cyber-operations against a state can give a right to self-defense to that State, it is imperative to determine whether a cyber-operation is an armed attack (as per the prevailing legal view as there is no contrary contemporary state practice yet).

An ‘armed attack’ may not strictly require the use of kinetic weapons, but may, in principle, also be conducted by computers used by hackers. In order to reach this very threshold, the consequences and effects of the cyber-operation in question, must be compared to that of conventional use of force. These operations cannot be isolated or random acts of cyber-attacks and exercising the right against these one-off incidents are excluded from the scope of right to self-defense. Thus, the bar to classify a cyber-operation as an armed attack exists against which a right to self-defense will also exist. However, this bar must be considerably high and will not trigger when hypothetically Indian college students hack a Pakistani bank’s website as a one-off incident.

CONCLUSION

The high standard set is important to ensure that self-defense is not ‘exercised’ in a ubiquitous manner. However, the first world tells us that if the standard is too high and is creating an obstacle towards their political interests, the standard will be disregarded or modified accordingly making an effective set of laws a Sisyphean task. This is what happened to non-State actors, to threats and simple uses of force and will most likely happen to cyber-operations as well. 

Self-defense will be heavily exercised if doing so aligns with the political ideology of the State regardless of what the law states. The law understandably does not allow a State to exercise the right to self-defense against mere threats or even conventional uses of force. However, as we understand from a third-world vantage point of international law, the law is what the first world will allow it to be.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 5: Legality of Cyber Weapons Under International Law

Siddharth Gautam^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question: 

What are cyber weapons? Are they cyber weapons subject to any regulation under contemporary rules of international law? Explain with examples.

Introducing Cyber Weapons

In simple terms weapons are tools that harm humans or aim to harm the human body. In ancient times nomads used pointing tools to hunt and prey. Today’s world is naturally more advanced than that. In conventional methods of warfare, modern tools of weapons include rifles, grenades, artillery, missiles, etc. But in recent years the definition of warfare has changed immeasurably after the advancement of the internet and wider information and communication technologies (“ICT”). In this realm methods and ways of warfare are undergoing change. As internet technology develops we observe the advent/use of cyber weapons to carry out cyber warfare.

Cyber warfare through weapons that are built using technological know-how are low cost tools. Prominent usage of these tools is buttressed by wide availability of computer resources. Growth in the information technology (“IT”) industry and relatively cheap human resource markets have a substantial effect on the cost of cyber weapons which are capable of infiltrating other territories with relative ease. The aim of cyber weapons is to cause physical or psychological harm either by threat or material damage using computer codes or malware.

2007 Estonia Cyber Attack

For example during the Estonia –Russia conflict the conflict arose after the Soldier memorial was being shifted to the outskirts of Estonia. There was an uproar in the Russian speaking population over this issue. On 26^th and 27^th April, 2007 the capital saw rioting, defacing of property and numerous arrests.

On the same Friday cyber attacks were carried out using low tech methods like Ping, Floods and simple Denial-of-Service (DoS) attacks. Soon thereafter on 30^th April, 2007 the scale and scope of the cyber attack increased sharply. Actors used botnets and were able to deploy large scale distributed denial of service (D-DoS) attacks to compromise 85 thousand computer systems and severely compromised the entire Estonian cyber and computer landscape. The incident caused widespread concerns/panic across the country.

Other Types of Cyber Weapons

Another prominent type of cyber weapon is HARM i.e. High-speed Anti Radiation missiles. It is a tactical air-to-surface anti radiation missile which can target electronic transmissions emitted from surface-to-air radar systems. These weapons are able to recognise the pulse repetition of enemy frequencies and accordingly search for the suitable target radar. Once it is visible and identified as hostile it will reach its radar antenna or transmitter target, and cause significant damage to those highly important targets. A prominent example of its usage is in the Syrian–Israel context. Israel launched cyber attacks against the Syrian Air defence system by blinding it. It attacked their Radar station in order not to display any information of Airplanes reaching their operators. 

A third cyber weapon worth analysing can be contextualised via the Stuxnet worm that sabotaged Iran’s nuclear programme by slowing the speed of its uranium reactors via fake input signals. It is alleged that the US and Israel jointly conducted this act of cyber warfare to damage Iran’s Nuclear programme.

In all three of the aforementioned cases, potential cyber weapons were used to infiltrate and used their own technology to conduct cyber warfare. Other types of cyber risks emerge from semantic attacks which are otherwise known as social engineering attacks. In such attacks perpetrators amend the information stored in a computer system and produce errors without the user being aware of the same. It specifically pertains to human interaction with information generated by a computer system, and the way that information may be interpreted or perceived by the user. These tactics can be used to extract valuable or classified information like passwords, financial details, etc. 

HACKERS (PT. 2) by Ifrah Yousuf. Licensed under CC BY 4.0.From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

Applicable Landscape Under International Law

Now the question that attracts attention is whether there are any laws to regulate, minimise or stop the aforementioned attacks by the use of cyber weapons in International law? To answer this question we can look at a specific branch of Public international law; namely International Humanitarian law (“IHL”). IHL deals with armed conflict situations and not cyber attacks (specifically). IHL “seeks to moderate the conduct of armed conflict and to mitigate the suffering which it causes”. This statement itself comprises two major principles used in the laws of war.

Jus ad Bellum – the principle which determines whether countries have a right to resort to war through an armed conflict,

Jus in bello– the principle which governs the conduct of the countries’ soldiers/States itself which are engaging in war or an armed conflict. 

Both principles are subjected to the Hague and Geneva Conventions with Additional Protocol-1 providing means and ways as to how the warfare shall be conducted. Nine other treaties help safeguard and protect victims of war in armed conflict. The protections envisaged in the Hague and Geneva conventions are for situations concerning injuries, death, or in some cases  damage and/or destruction of property. If we analyse logically, cyber warfare may result in armed conflict through certain weapons, tools and techniques like Stuxnet, Trojan horse, Bugs, DSOS, malware HARM etc. The use of such weapons may ultimately yield certain results. Although computers are not a traditional weapon its use can still fulfil conditions which attract the applicability of provisions under the IHL.

Another principle of importance is Martens Clause. This clause says that even if some cases are not covered within conventional principles like humanity; principles relating to public conscience will apply to the combatants and civilians as derived from the established customs of International law. Which means that attacks shall not see the effects but by how they were employed

The Clause found in the Preamble to the Hague Convention IV of 1907 asserts that “even in cases not explicitly covered by specific agreements, civilians and combatants remain under the protection and authority of principles of international law derived from established custom, principles of humanity, and from the dictates of public conscience.” In other words, attacks should essentially be judged on the basis of their effects, rather than the means employed in the attack being the primary factor.

Article 35 says that “In any armed conflict, the right of the Parties to the conflict to choose methods or means of warfare is not unlimited. It is prohibited to employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury and unnecessary suffering”

The above clause means that the action of armed forces should be proportionate to the actual military advantage sought to be achieved. In simple words “indiscriminate attacks” shall not be undertaken to cause loss of civilian life and damage to civilians’ property in relation to the advantage.

Conclusion

Even though the terms of engagement vis-a-vis kinetic warfare is changing, the prospect of the potential of harm from cyber weapons could match the same. Instead of guns there are computers and instead of bullets there is malware, bugs, D-DOS etc. Some of the replacement of one type of weapon with another is caused by the fact that there are no explicit provisions in law that outlaw cyber warfare, independently or in war.

The principles detailed in the previous section must necessarily apply to cyber warfare because it limits the attacker’s ability to cause excessive collateral damage. On the same note cyber weapons are sui generis like the nuclear weapons that upshot in the significance to that of traditional weapons

Another parallel is that in cyber attacks often there are unnecessary sufferings and discrimination in proportionality and the same goes for  traditional armed conflict. Therefore, both should be governed by the principles of IHL. 

In short, if the cyber attacks produce results in the same way as kinetic attacks do, they will be subject to IHL.

---

*The views expressed in the blog are personal and should not be attributed to the institution.

Technology & National Security Reflection Series Paper 1: Revisiting Hugo Grotius: A Lawyer or a Strategist for the Dutch Colonial Expansion?

Kushagra Kumar Sahai^*

About the author: The author is a 2021 graduate of National Law University, Delhi. He wrote this reflection paper in his 4th year as a part of the seminar course on Technology and National Security Law.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question: 

Do you think Hugo Grotius is better described as a lawyer or a strategist for Dutch colonial expansion? Explain with reasons, based on the assigned chapter ‘Hugo the Great’ for reading from Oona Hathaway and Scott Shapiro’s book, The Internationalists.

Introduction

To be able to answer the question, one must evaluate the context of the powers that were, and the involvement of Hugo Grotius in the folds of this particular page in history. Grotius’ contributions coincide with the start of European powers attempting to set foot in different continents, with aims of colonisation. In hindsight it serves as an important point in legal history, as it lay on this particular prodigy to legally justify the benefits derived from colonialism, and in this pursuit, he ended up charting out the course to  discover and set up a new branch of law– International Law.

One particular event was instrumental in setting the ball rolling.¹ On 24^th February, 1603, a Portuguese ship Santa Catarina docked off the Strait of Singapore, and was subsequently attacked by three Dutch ships, captained by an individual named Jacob Vans Heemskerck. Subsequently the Dutch East India Company filed a suit before the Amsterdam Admiralty Board  so that they could assert ownership over the ship and its cargo. They stated that the Portuguese were attacking the Dutch in the East Indies in an effort to drive them out of the land and out of the market. It was in retaliation against this that Captain Heemskerck attacked and seized Santa Catarina. The Board sent out notices to the affected parties, and after no response from the Portuguese, the case was decided in favour of the Dutch. This cargo was auctioned off at a great profit. Complaints arose from company investors regarding the nature of the activity Captain Heemskerck had indulged in. To defend the same, Hugo Grotius, a young prodigy was brought in. He composed a lengthy treatise on the nature of law, in the tune to satiate the protests of the investors.

Grotius’ Incentives

I argue that Grotius built his entire case for the benefit of his client; the Dutch East India Company. An interesting point to note is that, the maiden name of his paternal grandmother was  Elselinge Van  Heemskerck. He wasn’t just defending the company, he was also defending his cousin!²

The company was engaging in an act of colonisation, which in the context of this paper, can be succinctly defined as a foreign power exploiting the resources of another country for profit. After having gone over the texts, what seems rather apparent is that Hugo Grotius took the reverse route of logic to build a legal argument;  the conclusion was already presented to him. The point he was expected to prove, which was that the actions of Captain Heemskerck were legally sound and the premise around it. He had been tasked with creating the logic which would justify an act which had already occurred – a fait accompli. To achieve his objective he attempted to delve into the act of war, and the logic around which it should revolve.

Grotius’ Arguments

Grotius built upon the Western thought of the morality of waging war theory, and his own line of thinking came to be known as the ‘Just War Theory‘. He built upon the line of thinking espoused by the likes of Cicero and Thomas Aquinas, drawing upon their argument to construct his theory. On this basis he argued that it is morally justified to wage war if rights have been violated. Extending that line of argument, he stated that war is also justified when rights have been violated, and for the remedy of those rights violations, the use of violence is the only option left. 

This unsurprisingly was used along with the narrative of Portuguese-inflicted terror against the Dutch in present day Java, who were also unsurprisingly involved in the act of seeking out newer lands to exploit and colonise. And because the acts of the Portuguese involved the destruction of Dutch boats and the killing of Dutch men, it was the right of Captain Heemskerck to indulge in an act of rectifying the violation of the rights of the Dutch East India Company. This entailed attacking Santa Catarina. It was, in Grotius’ words,  a “private act of war”, as the Captain was employed by a company and wasn’t a state actor, but he justified it as an act of private war; the primordial act of an individual to protect himself from the unjust acts being perpetrated against him.

The Broader Implications

While the treatise was a complete defence of the singular event of the attack and seizure of the Portuguese ship, it highlighted the problematic nature of the acts that the Dutch East India Company was indulging in regularly. The goods procured by them had uncertain ownership attached to them, due to the nature by which these goods were procured–- which was exploitation in most cases. While Grotius’ treatise established the clear rules of a just war, it also led to an uncertainty of who was just (emphasis added) in a certain case. There was also a power vacuum in who could preside over such cases, and because of this there was a risk of opening  a can of worms, regarding the legitimacy and legality of the procurement of goods by the trading companies which were set up by European powers. As mentioned earlier, the period of Grotius’ exploits coincided with the formative years of European forays into new geographical territories. This meant there was no consolidated legal system to oversee such excursions and resolve ensuing disputes.

In this context, Grotius’ vested interests lay in two parts. The first related to the legitimacy of the sacking of Santa Catarina. And the second, and the more overarching one, the activities and the interests of the Dutch East India company.

This is an explainable reason as to why Hugo Grotius didn’t publish the treatise that he had spent a considerable amount of time composing. He had spent 2 years composing this defence, and in the meanwhile the Dutch had moved on from this conflict onto establishing supremacy over their Spanish counterparts through naval warfare. During this period, he had realised that while it was a sound defence for the sacking of Santa Catarina, there lay an inherent problem with the activities of these trading companies. If unaddressed this problem could have led to an increased legal scrutiny towards the nature of these trading companies, whose mode of operation particularly pertained to trading of goods acquired through what would be regarded as questionable means; exploitation which clearly had traces of colonisation. 

Conclusion

While his treatise is revelatory in nature, serving as a foundational stepping stone to International law, his loyalties lay with the trading company and the protection of his cousin. I argue it exceeded his interests in expounding and upholding the tenets of the law.  With this I conclude that while his work is undoubtedly influential, his activity (or some may even call it inactivity) with regard to colonial forays and colonisation confirm that his motives were aligned with expanding the powers and trading footprint of European trading companies. In this context I conclude that Grotius may be best described as a strategist for the Dutch East India Company first, and a lawyer second.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References

1. Oona A. Hathaway & Scott J. Shapiro, “Chapter 1: Hugo the Great”, The Internationalists: How a Radical Plan to Outlaw a War Remade the World (New York: Simon & Schuster, 2017).
2. Ibid.