By Vasudev Devadasan
Yesterday at the launch of the ambitious Digital India Project, the Indian Prime Minister stressed on the need to come up with mechanisms to deal with issues of cyber warfare and cyber security. The relevant part of his speech can be found below.
This post discusses the applicability of certain relevant international instruments to cyber warfare.
Alongside the existing theatres of warfare that include land, air, sea and now space, States are placing increasing emphasis on information, or cyber operations. According to a recent study by the U.N. Institute for Disarmament Research, over 40 States have developed some military cyber capabilities, 12 of which are used for offensive cyber warfare.[i] Unlike the development of space law, which saw four major multilateral treaties signed a mere twenty years after the launch of the first satellite in 1957,[ii] international instruments, and indeed, the very determination of law applicable to cyberspace have been slow. Starting with Michael Schmitt’s, ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework’,[iii] there has been much scholarly work[iv] on the applicability of international law to cyber warfare, focussing largely on the use of force, self-defence, necessity and proportionality, as well as State attribution and responsibility for cyber attacks. Yet the development of actual instruments or declarations that lay down principles of State behaviour in cyberspace have been few and far between.
International Telecommunications Convention (1994)
The International Telecommunications Convention[v] as the basic treaty and legal basis for the International Telecommunications Union deals with several technical aspects of communications that could, tangentially at least, affect cyber law. Article 35 of the Convention requires all States to abstain from the harmful interference in other nation’s communications networks.[vi] Article 19 of the Convention allows States to cut off private communications that are dangerous to the security of the State,[vii] while Article 20 allows for the suspension of international telecommunications services.[viii] Article 38 also creates several special exceptions for military transmissions.[ix] It is questionable as to whether such provisions would be applicable to cyber warfare as they were framed largely for radio communications and States have indicated that such provisions apply only in peacetime.[x]
In May 2011, the International Telecommunications Union and the U.N. Office on Drugs and Crime signed a Memorandum of Understanding (MoU) to facilitate the establishment of a legislative framework at the national level of member States to counter the problems of jurisdiction and attribution in relation to cyber attacks.[xi]
U.N. General Assembly Resolution 53/70 (1998)
The recognition of the importance and dangers of cyber technologies in the United Nations (U.N.) began in 1998 with a Russian proposal, adopted in General Assembly (G.A.) Resolution 53/70. The Resolution recognises the military potential of information and communication weapons that could be used for purposes running counter to the maintenance of international stability and security.[xii] It called for the definition of basic notions of misuse of information systems and information resources, while, for the first time postulating the development of international principles to help counter information terrorism and criminality.[xiii] The Russian proposal did not receive a significant amount of attention and the United States consistently voted against the proposal arguing that such issues were premature.[xiv]
United States DoD and CRS Reports (1999-2001)
In 1999 the United States (U.S) Department of Defence (DoD) commissioned a report[xv] to analyse the various international legal instruments that might create legal obligations on States during a cyber conflict. After analysing several instruments, including the U.N. Charter, the International Telecommunications Convention and the Vienna Convention on Diplomatic Relations,[xvi] the report concluded that there was a large degree of ambiguity regarding the application of international law to cyber operations, and thus suggested a case by case analysis of every operation with a consequence based approach to determine whether or not a cyber attack constituted the use of force.[xvii] The report also concluded that it was unlikely that there would come into existence a treaty to regulate cyber warfare in the foreseeable future.[xviii]
In 2001 the Congressional Research Service (CRS) submitted a report[xix] to the U.S. Congress analysing the legal framework for State policy on issues of cyber warfare. The report highlighted the emerging threat of cyber warfare and argued that it was an area of national interest. It recommended that the executive branch use of cyber warfare may be of legislative interest and recommended an agency be set up that will have primacy over issues regarding cyber warfare.[xx]
European Convention on Cybercrime (2008)
Although the European Convention on Cybercrime[xxi] largely deals with individual criminal liability for unlawful acts in cyberspace, given the trend towards the use of force against non-state actors in cyberspace, coupled with the lack of a clear threshold as to when States are responsible for cyber operations launched from their territory, Section 2 of the Convention is still worth discussing. The Convention seeks to harmonize national laws relating to cybercrime in the 24 member states, which includes non-European States such as the United States and Australia. Section 2 specifically criminalises illegal access to computer networks, illegal interception of data, data and systems interference, as well the misuse of certain devices.[xxii] The Convention also stipulates that member States shall cooperate with each other to the maximum extent through the relevant legal instruments for international co-operation.[xxiii] This brings into question whether or not cooperation may be limited to the bilateral and multilateral agreements nations have with each other, and the extent to which such cooperation could be delayed on the basis of national law and other arrangements.[xxiv]
U.N. General Assembly Resolution 65/41 (2010)
In 2010 the United States changed its stance and co-sponsored a draft resolution (adopted)[xxv] with close to three dozen countries that dealt with information and telecommunications technology in the context of international security.[xxvi] It follows in the same vein as the Russian proposal of 1998 but notably requested the Secretary General to set up a committee to report to the Assembly’s next session.[xxvii]
U.N Group of Governmental Experts on Development in the Field of Information and Telecommunications in the Context of International Security (2013)
The report in furtherance of G.A. Resolution 65/41 by the U.N. Group of Experts[xxviii] categorically stated that international law, especially the U.N. Charter[xxix] is applicable and indeed essential to cyberspace.[xxx] It further clarified that the principle of State sovereignty, and the norms that flow from it, including jurisdiction and State responsibility, are applicable to a State’s activities in cyber space within its territory.[xxxi] It stated that States must uphold their legal obligations for wrongful acts committed in cyberspace and must ensure that their territories are not used by non-State actors to launch unlawful cyber operations.[xxxii] It clarified that State’s must address cyber security within the norms provided for under international humanitarian law and the Universal Declaration of Human Rights.[xxxiii] It once again called for further study into norms, rules and principles of responsible behaviour by States in cyberspace.[xxxiv]
Tallinn Manual on the International Law Applicable to Cyber Warfare (2013)
The Tallinn Manual by the International Group of Experts is a project initiated by the North Atlantic Treaty Organisation (NATO) to reflect the international law applicable to cyber warfare. The manual lays down 95 ‘rules’ agreed upon by the Group of Experts to reflect customary international law in the field, along with a commentaries summarising the debates, both concluded and undecided, regarding each rule.[xxxv] As per the Manual’s own introduction, the ‘rules’ reflect lex lata, the law as it exists, and not lex ferenda, or future law.[xxxvi]
Rule 30 of the Manual defines a cyber-attack as “[a] cyber operation whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”[xxxvii] The Group of Experts unanimously agreed that international law does in fact apply to cyber warfare, citing several International Court of Justice (ICJ) opinions, most notably the Nuclear Weapons Advisory Opinion[xxxviii] where the court opined that the Articles of the U.N. Charter reflecting jus ad bellum (the right to wage war) applied to any use of force, irrespective of the weapon in question.[xxxix] The discussions in the commentaries however highlight the difficulties in applying international law norms dealing with conventional warfare, to cyber warfare.
The Manual nonetheless affirms several jus ad bellum norms as being applicable to cyberspace, such as the inherent right to self-defence,[xl] necessity and proportionality,[xli] as well as State attribution.[xlii] While the Manual is inconclusive as to when a State can be held responsible for not preventing a cyber attack launched from or routed through its territory,[xliii] it does permit the use of force against non-state actors in defence of an armed attack.[xliv] The Manual is also inconclusive as to what constitutes the use of force in cyber warfare. The Group of Experts instead lay out a series of non-binding, nonexclusive criteria (to be applied on a case by case basis) to determine the probability that other States will characterise the particular operation as a use of force.[xlv] The criteria are; 1) Severity, 2) Immediacy, 3) Directness, 4) Invasiveness, 5) Measurability, 6) Presumptive Legitimacy, 7) Military Character of the Operation, and, 8) State Involvement.[xlvi]
As a NATO initiative, several Western European countries and the United States have released statements agreeing with aspects of the Manual’s interpretation of international law in the context of cyber warfare.[xlvii] To the extent that these statements corroborate the ‘rules’ established in the Manual, the Manual is in face corroborated by State practice. However, given that the experts were chosen by NATO, and were largely from Western Europe, it is questionable whether the Manual represents a source of international law under Article 38 (1) (d) of the ICJ Statute (teachings of the most highly qualified publicists) as it does not represent the views of publicists from various nations as the provision requires.[xlviii]
Letter to the Secretary General requesting International Code of Conduct for Information Security (2015)
Since 2011 several governments have proposed an International Code of Conduct for Information Security. As of 9 January 2015 this proposal was signed by representatives from China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan.[xlix] The Code has 13 points, amongst which are; respecting the sovereignty, territorial integrity and political independence of all State, refraining from using information and communication networks for purposes running counter to international stability and security, to refrain from using information and communication networks to interfere with the internal affairs of another state, endeavouring to establish supply chains that prevent other States from exploiting their dominant position in information technologies, and, to settle cyber disputes in a peaceful manner without the threat or use of force.[l]
The U.N. Charter excludes economic and political coercion from its definition of the use of force.[li] Yet a cyber attack that were to affect a nation’s stock exchange for example, could cost billions of dollars and could lead to more damage than any actual kinetic attack, while still not qualifying as a use of force under international law. As Schmitt argues, cyber warfare creates effects that were simply not conceivable when the existing law was drafted.[lii] Change in the normative architecture governing international security and the laws of war is inevitable.[liii] While there is a broad consensus as to the applicability of international law to cyber warfare[liv], there are still several open debates as to how exactly this law applies. The Tallinn Manual in itself is a huge step forward in codifying the next frontier of international law, but ultimately international law reflects national interests and there is still a way to go before such interests are sufficiently aligned to propose a comprehensive framework for State behaviour in cyberspace.
[i]United Nations Institute for Disarmament Research, The Cyber Index, International Trends and Realities, UNIDIR/2013/3 available at http://www.unidir.org/files/publications/pdfs/cyber-index-2013-en-463.pdf.
[ii] Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies Outer Space Treaty, Jan 27, 1967, 610 U.N.T.S. 205; 1968 Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space, Dec 19, 1968, 672 U.N.T.S. 119; Convention on International Liability for Damage Caused by Space Objects, Mar 29, 1972, 961 UNTS 187; Convention on Registration of Objects Launched into Outer Space, Aug, 27, 1975, 1023 UNTS 15.
[iii] Schmitt, Michael N., Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, Columbia J. Trans Law, vol. 37, 1999, 885-937 available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1603800.
[iv] Barkham Jason., Information Warfare and International Law on the Use of Force, 34 N.Y.U.J. Int’l & Pol. 57, 2001.
[v] Constitution of the International Telecommunications Union, 1994, A.T.S. 28.
[vi] Id. Art 35.
[vii] Id. Art 19.
[viii] Id. Art 20.
[ix] Id. Art 38.
[x] DoD-OGC supra note 8.
[xi] ITU/UNODC (MoU), http://www.itu.int/en/ITU-D/Cybersecurity/Pages/UNODC.aspx (last updated June 1, 2013).
[xii] G.A. Res. 53/70, Developments in the field of information and telecommunications
in the context of international security, Dec 4, 1998, A/RES/53/70 available at http://www.un.org/ga/search/view_doc.asp?symbol=A/RES/53/70.
[xiv] Maurer Tim, ―Cyber Norm Emergence at the United Nations – An Analysis of the UN‘s Activities Regarding Cyber-security?, Discussion Paper 2011-11, Cambridge, Mass.: Belfer Center for Science and International Affairs, Harvard Kennedy School, September (2011) available at http://belfercenter.ksg.harvard.edu/files/maurer-cyber-norm-dp-2011-11-final.pdf.
[xv] Department of Defence Office of General Counsel, An Assessment of International Legal Issues in Information Operations (May 1999) available at http://cyber.law.harvard.edu/cybersecurity/An_Assessment_of_International_Legal_Issues_in_Information_Operations.
[xvi] U.N. Charter; Constitution of the International Telecommunications Union, 1994, A.T.S. 28; Vienna Convention on Diplomatic Relations, 1961, 500 UNTS 95.
[xvii] DoD-OGC supra note 8.
[xix] Hildreth, Steven. A, Cyberwarfare, CRS Report for Congress, (June 19, 2001) available at http://fas.org/irp/crs/RL30735.pdf.
[xxi] Convention on Cybercrime, Nov 23, 2001, E.T.S. 185.
[xxii] Id. Art 2-6.
[xxiii] Id. Art 23.
[xxiv] Vatis, Michael, The Council of Europe Convention on Cybercrime, in Proceedings of a Workshop on Deterring Cyberattacks 207 (National Academies Press ed. 2010) available at http://cs.brown.edu/courses/csci1950-p/sources/lec16/Vatis.pdf.
[xxv] G.A. Res. 65/41, Developments in the field of Information and
Telecommunications in the Context of International Security, Jan 11, 2011, A/RES/65/41 available at https://gafc-vote.un.org/UNODA/vote.nsf/91a5e1195dc97a630525656f005b8adf/e542c8d6e28887a8852577d500585814/$FILE/A%20RES%2065%2041.pdf.
[xxvi] Maurer, supra note 7.
[xxvii] G.A. Res. 65/41 supra note 18.
[xxviii] U.N. General Assembly, Group of Governmental Experts on Development in the Field of Information and Telecommunications in the Context of International Security, Jun 24, 2013, A/68/2013.
[xxix] U.N. Charter.
[xxx] U.N. General Assembly supra note 21.
[xxxv] Schmitt, Michael N., International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, Harvard Intl Law J. Vol. 54, Dec 2012 available at http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf.
[xxxvi] Kilovaty, Ido. “Cyber Warfare and the Jus Ad Bellum Challenges: Evaluation in the Light of the Tallinn Manual on the International Law Applicable to Cyber Warfare.” National Security Law Brief 5, no. 1 (2014): 91-124 available at http://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?article=1066&context=nslb.
[xxxvii] International Group of Experts, Tallinn Manual on the International Law Applicable to Cyber Warfare, Rule 30, Schmitt, Michael N (Gen. ed.) (2013) Cambridge University Press available at http://www.peacepalacelibrary.nl/ebooks/files/356296245.pdf.
[xxxviii] Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), (1996) I.C.J. 1.
[xxxix] Schmitt, supra note 30.
[xl] Tallinn Manual, supra note 32, at Rule 13.
[xli] Tallinn Manual, supra note 32, at Rule 14.
[xlii] Tallinn Manual, supra note 32, at Rule 6-8.
[xliii] Kilovaty, supra note 31.
[xliv] Tallinn Manual, supra note 32, at Rule 11.
[xlv] Schmitt, supra note 30.
[xlvi] Schmitt, supra note 30.
[xlvii] Schmitt, supra note 30.
[xlviii] Kilovaty, supra note 31.
[xlix] U.N. General Assembly, Letter Dated 9 January 2015 from the Permanent Representatives of China, Kazakhistan, Kyrgstan, the Russian Federation, Tajikstan and Uzbekistan to the United Nations addressed to the Secretary General, Jan 13, 2015, A/69/723 available at https://ccdcoe.org/sites/default/files/documents/UN-150113-CodeOfConduct.pdf.
[li] Schmitt, Michael N.,The Law of Cyber Warfare: Quo Vadis?, 25 Stan.L.& Pol’y Rev. 269 (2014) available at https://journals.law.stanford.edu/stanford-law-policy-review/print/volume-25/issue-2/law-cyber-warfare-quo-vadis.
[liv] Tallinn Manual, supra note 32; U.N. General Assembly, supra note 21.
(Vasudev Devadasan is an intern at CCG and a student at the Jindal Global Law School)