Understanding the Anatomy of Cyber Enabled Crimes and their Governance

Sukanya Thapliyal

  1. Introduction: 

Digital systems and Information Communication Technology (ICT) play an increasingly central role in our lives. Technological advancement has created new opportunities for cybercriminals to exploit vulnerabilities in digital systems and networks. The resulting cybercrimes can affect everyone, from governments and multinational corporations to individuals. As technology continues to make deeper inroads into our lives, cybercriminals are finding unique ways to attack. The continuous evolution in technology has resulted in newer forms of cybercrimes such as Man-in-the-Middle attacks, Bluetooth Man-in-the-Middle attacks, and false data injection attacks, to name a few. This has resulted in a lack of agreement in defining and classifying threats and the crimes associated with them.

Although we lack a uniform and neat understanding of, and approach towards addressing, cybercrime, a few useful classification tools have been developed in this regard. One such classification tool was developed by Dr Mike McGuire and Samantha Dowling in 2013, wherein cybercrimes were divided into the broad categories of “cyber-dependent” and “cyber-enabled” crimes. Cyber-dependent crimes are described as offences that can only be committed with the help of a computer, computer network or an ICT device. These include hacking, DDoS attacks, malware etc. The other category is cyber-enabled crimes: traditional crimes whose scope, scale and severity are greatly impacted by the use of computers, computer networks and other devices. Examples include cyber fraud, cyberterrorism, and online child sexual abuse or exploitation material, among others.

The broad classification of cybercrime into cyber-dependent and cyber-enabled crimes is the central theme in the discussions carried out under the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of ICTs for criminal purposes (“the Ad Hoc Committee”). The discussions around cyber-enabled and cyber-dependent crimes are crucial in setting the scope of the convention. Over four different sessions, the Ad-Hoc committee witnessed wide-ranging proposals on the inclusion of cyber-dependent and cyber-enabled crimes under the proposed convention. Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (online child sexual abuse, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length.

This blog piece attempts to investigate the inclusion of cyber-enabled crimes as a specific choke point and why their regulation attracts diverse views from the Member States and key stakeholders. The piece ends with specific recommendations and suggestions that may act as possible solutions for countering and combating cyber-enabled crimes.

  2. How Cyber-enabled Crimes have been included under other International Instruments:

Besides the UN Ad-Hoc Committee’s work, several regional legal conventions, recommendations, and directives have already been developed in this regard. These have also been a reference point for the proposed convention. These include: the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), the Council of Europe Convention on Cybercrime (Budapest Convention), the League of Arab States Convention on Combating Information Technology Offences, and the Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime. Besides, there is also the CARICOM Model Legislative Texts of Cybercrimes/E-crimes and Electronic Evidences, which targets the prevention and investigation of computer and network related crime. In addition, the UNODC Report on the meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime (2021) lays down Recommendations on best practices to address issues of cybercrime through the implementation of legislation and frameworks on effective criminalization, law enforcement and investigation, international cooperation, and prevention.

The international legal instruments identified above address an extensive range of cybercrime and criminalise both cyber-dependent and cyber-enabled crimes. The most common cyber-enabled crimes covered under these conventions include attacks on computer systems, computerised data breaches, computer-related forgery, and computer-related fraud. The second set of cyber-enabled crimes covered includes offences related to child pornography and crimes of a racist or xenophobic nature committed through computer systems. The third set of cyber-enabled crimes includes offences against privacy, offences related to terrorism committed by means of information technology, and increased punishment for traditional crimes when they are committed by means of information technology; these are covered by a minuscule number of conventions (such as the League of Arab States Convention on Combating Information Technology Offences).

  3. Languishing Fate of Cyber-enabled crimes in Ad-Hoc Committee Process and Key Challenges in their Governance.

Although the cyber-enabled crimes are widely recognised at the international level, these have acquired only partial success in terms of their incorporation into the work of the Ad-Hoc Committee Process. 

Tracking the Ad-Hoc committee for four consecutive sessions has enabled us to identify the key challenges in incorporating and addressing a wide range of cyber-enabled crimes under the proposed convention. Cyber-enabled crimes such as terrorism-related offences, violation of personal information, extremism-related offences, or content-related crimes lack a common and clear understanding of what they constitute due to the diverging political, cultural, and legal systems in the Member Countries. Further, these sets of crimes are largely traditional crimes that are often covered under existing international and domestic legislation and incidentally involve the usage of computer systems and ICTs. In the event that these crimes are also incorporated separately in the cybercrime convention, these can conflict with the legal instruments that are already in place. Moreover, content-related offences are broadly worded, lack a uniform approach, and need more adequate safeguards to protect human rights and other fundamental freedoms. Therefore, a binding international criminal instrument such as the one being developed by the Ad-Hoc Committee is not an appropriate forum to address the issues emerging out of cyber-enabled crimes. Instead, these should be addressed via civil and non-legal instruments while ensuring balance with fundamental rights and freedoms. Some cyber-enabled crimes discussed under the Ad-Hoc committee, including extremism-related crimes and terrorist use of ICT technologies, are more umbrella terms that are extremely vague and subjective and pose a threat to widely recognised international human rights. Finally, the provisions related to privacy-related offences are troublesome as they criminalise a broad range of conduct without establishing a legitimate aim and providing sufficient exceptions in favour of students, journalists, cybersecurity researchers, and other public-spirited individuals.

  4. Way Forward and Suggested Solutions

The vague and highly subjective nature of cyber-enabled crimes, their tense relationship with widely recognised international human rights and the lack of sufficient exceptions are the primary obstructions that inhibit their inclusion in the Ad-Hoc Committee process. Nevertheless, these issues are of crucial importance for a large number of countries participating in the process. Member Countries, including India, Egypt, South Africa, Russia, and China, have repeatedly argued in favour of a broad cybercrime treaty and have also pushed for provisions enabling international cooperation, technical assistance, and capacity building. Lack of adequate procedural and technical competence amongst the state enforcement agencies is hampering them in their societal role of keeping citizens secure and upholding the rule of law. In such a scenario, where it is hard to build consensus on fractious issues such as this and Member States face an urgent need to act against the threat, the pathway through binding international criminal instruments is less than ideal. The Member Countries, therefore, need to devise alternative pathways to address cyber-enabled crimes through civil or non-legal instruments while maintaining the balance with international human rights and fundamental freedoms.

Another possible route to address cyber-enabled crimes is through Public-Private Leadership. The four sessions of the Ad-Hoc committee allowed us to uncover the growing mistrust and misalignment between the public and the private sector. These key stakeholders exhibit discord and opposing views of each other and are less than beneficial in addressing the critical challenges we face today due to rising cybercrime. Technology companies have latched on to their strong opinion that enforcement agencies cannot be trusted sufficiently with citizen data and digital communication. On the other hand, Member States also need to highlight the day-to-day challenges faced by legal enforcement agencies and promise adequate transparency in their actions. Some Member States have instead advocated in favour of strong obligations on the private sector to cooperate with national authorities. While public-private cooperation is imperative to address these crimes, both entities need to rethink their position, establish a cordial relationship and take up leadership roles that can then be translated into a better and more effective approach to addressing cyber-enabled crimes. 

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from First Substantive Session

Sukanya Thapliyal

Image by United Nations Photo. Licensed via CC BY-NC-ND 2.0

Earlier this month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

In this blog, we present a brief overview and our observations from the discussions during the first substantive session of the Ad-hoc Committee. Furthermore, we also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

  1. Background 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions and was established by UN General Assembly Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282).

Presently, the Budapest Convention, also known as the Convention on Cybercrime, is the most comprehensive and widely accepted legal instrument on cybercrime; it was adopted by the Council of Europe (COE) and came into force in July 2004. However, the work of the Ad-hoc Committee is significant and can pave the way for the first universal and legally binding instrument on cybercrime issues. The Committee enjoys widespread representation from State and Non-State stakeholders (participation from non-governmental organizations, civil society, academia and private organizations) and other UN bodies, including the United Nations Office on Drugs and Crime (UNODC), which serves as the secretariat for the process.

The Ad-hoc Committee, over the next two years, is set to have six sessions towards developing this cybercrime convention. The convention is expected to foster coordination and cooperation among state actors to combat cybercrime while giving due regard to the peculiar socio-economic conditions prevailing in the developing and least-developed countries. 

The first substantive session of the Ad-hoc Committee was scheduled for 28 February-11 March 2022 to chart out a clear road map to guide subsequent sessions. In addition, the session also provided opportunity to the Member States to explore the possibility of reaching a consensus on the objective and scope of the Convention, which could provide a general framework for future negotiation without constituting a pre-condition for future stages. 

2. Discussions at the First Ad-hoc committee

The first session of the Ad-hoc Committee witnessed extensive discussions in sessions on general debate, the objective and scope of the convention, and an exchange of preliminary views on key elements of the convention. In addition, a fruitful engagement took place in the sessions dedicated to arriving at a consensus on the structure of the convention (A/AC.291/L.4/Add.4). Member states also reached consensus on discussion and decision-making on the mode of work of the Ad Hoc Committee during subsequent sessions and intersessional periods (A/AC.291/L.4/Add.6). As the negotiations commenced days after the Russia-Ukraine conflict began, they proceeded in a tense environment where several Member States expressed their concerns and inability to negotiate in “good faith” in the light of the current state of play and condemned Russia for the military and cyber operations directed at Ukraine.

A. Scope of the convention: From “Cyber-Enabled” to “Cyber-Dependent” Crimes 

There was complete agreement on the growing importance of ICT technologies, the threat created by cybercriminals, and the need for a collective response within a sound international framework. However, countries highlighted different challenges that range from ‘pure cybercrimes’ or cyber dependent crimes to a broader set of crimes (cyber-enabled crimes) that includes misuse of ICT technologies and digital platforms by terrorist groups, deepfakes, disinformation, misinformation, false narrative, among others. 

While there was a broad consensus on including cyber dependent crimes, there was significant disagreement on whether cyber-enabled crimes should be addressed under the said convention. This divergence was evident throughout the first session with the EU, the US, the UK, New Zealand, Australia, Liechtenstein, Japan, Singapore and Brazil advocating to limit the operation of such a convention only to cyber dependent crimes (such as ransomware attacks, denial of service attacks, illegal system interference, among others). These member states maintained that the said convention should exclude vague and broadly defined crimes that may dilute legal certainty and disproportionately affect the freedom of speech and expression. Furthermore, they maintained that the convention should include only those cyber enabled crimes whose scale, scope and speed increase substantially with the use of ICT technologies (cyber-fraud, cyber-theft, child sexual abuse, gender-based crime).

On the other hand, the Russian Federation, China, India, Egypt, South Africa, Venezuela and Turkey expressed that the convention should include both cyber dependent and cyber enabled crimes. Emphasizing the upward trend in the occurrence of cyber enabled crimes, these member states stated that cybercrimes including cyber fraud, copyright infringement, misuse of ICTs by terrorists, and hate speech must be included under the said convention.

There was overall agreement that cybersecurity and internet governance issues are subject to other UN multilateral fora such as the UN Group of Governmental Experts (UNGGE) and the UN Open Ended Working Group (OEWG) and must not be addressed under the proposed convention.

B. Human-Rights

The process witnessed significant discussion on the protection and promotion of human rights and fundamental freedoms as an integral part of the proposed convention. While there was a broad agreement on the inclusion of human rights obligations, Member States varied in their approaches to incorporating human rights obligations. Countries such as the EU, USA, Australia, New Zealand, UK, Canada, Singapore, Mexico and others advocated for the centrality of human rights obligations within the proposed convention (with particular reference to the right to speech and expression, privacy, freedom of association and data protection). These countries also emphasized the need for adequate safeguards to protect human rights (legality, proportionality and necessity) in the provisions dealing with the criminalization of offenses, procedural rules and preventative measures under the proposed convention. 

India and Malaysia were principally in agreement with the inclusion of human rights obligations but pointed out that human rights considerations must be balanced by provisions required for maintaining law and order. Furthermore, countries such as Iran, China and Russia emphasized that the proposed convention should be conceptualized strictly as a technical treaty and not a human rights convention.

C. Issues pertaining to the conflict in jurisdiction and legal enforcement

The Ad-hoc Committee’s first session saw interesting proposals on improving the long-standing issues emanating from conflict of jurisdictions that often create challenges for law enforcement agencies in effectively investigating and prosecuting cybercrimes. In its numerous submissions, India highlighted the gaps and limitations in the existing international instruments and the need for better legal frameworks for cooperation, beyond Mutual Legal Assistance Treaties (MLATs). Such arrangements aim to assist law enforcement agencies in receiving metadata/subscriber information to establish attribution and to overcome severe delays in accessing non-personal data. Member states, including Egypt and China, supported India’s position in this regard.

Mexico, Egypt, Jamaica (on behalf of CARICOM), Brazil, Indonesia, Iran and Malaysia also highlighted the need for the exchange of information, and greater international cooperation in the investigation, evidence sharing and prosecution of cybercrimes. These countries also highlighted the need for mutual legal assistance, 24/7 contact points, data preservation, data sharing and statistics on cybercrime and the modus operandi of cybercriminals, e-evidence, electronic forensics and joint investigations.

Member states including the EU, Luxembourg and the UK supported international cooperation in investigations and judicial proceedings, and in obtaining electronic evidence. These countries also highlighted that issues relating to jurisdiction should be modeled on the existing international and regional conventions such as the UN Convention against Corruption (UNCAC), UN Convention against Transnational Organized Crimes (UNCTOC), and the Budapest Convention.

D. Technical Assistance and Capacity Building

There was unanimity among the member states to incorporate provisions on capacity building and technical assistance to cater to the peculiar socio-economic conditions of the developing and least-developed countries. However, notable inputs/suggestions came from Venezuela, Egypt, Jamaica on behalf of CARICOM, India and Iran. Venezuela highlighted the need for technology transfer, lack of financing and lack of sufficient safeguards for developing and least-developed countries. The countries outlined technology transfer, financial assistance, sharing of best practices, training of personnel, and raising awareness as different channels for capacity building and technical assistance for developing and least-developed countries.

E. Obligations for the Private Sector 

The proposal for instituting obligations on non-state actors, including the private sector (with particular reference to digital platforms and service providers), witnessed strong opposing views from member countries. Countries including India, China, Egypt and Russia backed the proposal to include a strong obligation on the private sector, as it plays an essential role in the ICT sector. In one of its submissions, India explained the increasing involvement of multinational companies in providing vital services in different countries. Therefore, in its view, such private actors must be held accountable and should promptly cooperate with law enforcement and judicial authorities in these countries to fight cybercrime. Iran, China and Russia further emphasized the need for criminal liability of legal persons, including service providers and other private organizations. In contrast, member states, including the EU, Japan and USA, were strictly against incorporating any obligations on the private sector.

F. Other Issues

There was a broad consensus, including among the EU, UK, Japan, Mexico, USA, Switzerland and others, on not reinventing the wheel but building on the work done under the UNCAC, UNCTOC, and the Budapest Convention. However, countries including Egypt and the Russian Federation were skeptical over the explicit mention of regional conventions, such as the Budapest Convention, and its impact on the Member States who are not a party to such a convention.

The proposals for inclusion of a provision on asset recovery and return of the proceeds of crime elicited a lukewarm response from Egypt, Iran, Brazil, Russia, China, Canada, Switzerland, USA, and Jamaica on behalf of CARICOM countries, but appear likely to gain traction in forthcoming sessions.

3. Way Forward

Member countries are expected to submit their written contributions on criminalisation, general provisions, procedural measures, and law enforcement in the forthcoming month. These written submissions are likely to bring in more clarity about the expectations and key demands of the different member states. 

The upcoming sessions will also indicate how the demands put forth by developing and least-developed countries during the recently concluded first session are taken up in the negotiation process. Furthermore, it is yet to be seen whether these countries will chart out a path for themselves or get subsumed in the west and east binaries as seen in other multilateral fora dedicated to clarifying the rules governing cyberspace.


*The full recordings of the first session of the Ad-hoc Committee to elaborate an international convention on countering the use of information and communications technologies (ICTs) for criminal purposes are available online and can be accessed on UN Web TV.


Cyber Warfare: Relevant International Instruments and their Applicability

By Vasudev Devadasan

Yesterday, at the launch of the ambitious Digital India Project, the Indian Prime Minister stressed the need to come up with mechanisms to deal with issues of cyber warfare and cyber security. The relevant part of his speech can be found below.

This post discusses the applicability of certain relevant international instruments to cyber warfare.

Alongside the existing theatres of warfare that include land, air, sea and now space, States are placing increasing emphasis on information, or cyber operations. According to a recent study by the U.N. Institute for Disarmament Research, over 40 States have developed some military cyber capabilities, 12 of which are used for offensive cyber warfare.[i] Unlike the development of space law, which saw four major multilateral treaties signed a mere twenty years after the launch of the first satellite in 1957,[ii] the development of international instruments, and indeed the very determination of the law applicable to cyberspace, has been slow. Starting with Michael Schmitt’s ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework’,[iii] there has been much scholarly work[iv] on the applicability of international law to cyber warfare, focussing largely on the use of force, self-defence, necessity and proportionality, as well as State attribution and responsibility for cyber attacks. Yet actual instruments or declarations that lay down principles of State behaviour in cyberspace have been few and far between.

International Telecommunications Convention (1994)

The International Telecommunications Convention,[v] as the basic treaty and legal basis for the International Telecommunications Union, deals with several technical aspects of communications that could, tangentially at least, affect cyber law. Article 35 of the Convention requires all States to abstain from harmful interference in other nations’ communications networks.[vi] Article 19 of the Convention allows States to cut off private communications that are dangerous to the security of the State,[vii] while Article 20 allows for the suspension of international telecommunications services.[viii] Article 38 also creates several special exceptions for military transmissions.[ix] It is questionable whether such provisions would be applicable to cyber warfare, as they were framed largely for radio communications and States have indicated that such provisions apply only in peacetime.[x]

In May 2011, the International Telecommunications Union and the U.N. Office on Drugs and Crime signed a Memorandum of Understanding (MoU) to facilitate the establishment of a legislative framework at the national level of member States to counter the problems of jurisdiction and attribution in relation to cyber attacks.[xi]

U.N. General Assembly Resolution 53/70 (1998)

The recognition of the importance and dangers of cyber technologies in the United Nations (U.N.) began in 1998 with a Russian proposal, adopted in General Assembly (G.A.) Resolution 53/70. The Resolution recognises the military potential of information and communication weapons that could be used for purposes running counter to the maintenance of international stability and security.[xii] It called for the definition of basic notions of misuse of information systems and information resources, while, for the first time postulating the development of international principles to help counter information terrorism and criminality.[xiii] The Russian proposal did not receive a significant amount of attention and the United States consistently voted against the proposal arguing that such issues were premature.[xiv]

United States DoD and CRS Reports (1999-2001)

In 1999 the United States (U.S.) Department of Defence (DoD) commissioned a report[xv] to analyse the various international legal instruments that might create legal obligations on States during a cyber conflict. After analysing several instruments, including the U.N. Charter, the International Telecommunications Convention and the Vienna Convention on Diplomatic Relations,[xvi] the report concluded that there was a large degree of ambiguity regarding the application of international law to cyber operations, and thus suggested a case by case analysis of every operation with a consequence based approach to determine whether or not a cyber attack constituted the use of force.[xvii] The report also concluded that it was unlikely that a treaty to regulate cyber warfare would come into existence in the foreseeable future.[xviii]

In 2001 the Congressional Research Service (CRS) submitted a report[xix] to the U.S. Congress analysing the legal framework for State policy on issues of cyber warfare. The report highlighted the emerging threat of cyber warfare and argued that it was an area of national interest. It suggested that the executive branch’s use of cyber warfare may be of legislative interest and recommended that an agency be set up that would have primacy over issues regarding cyber warfare.[xx]

European Convention on Cybercrime (2008)

Although the European Convention on Cybercrime[xxi] largely deals with individual criminal liability for unlawful acts in cyberspace, given the trend towards the use of force against non-state actors in cyberspace, coupled with the lack of a clear threshold as to when States are responsible for cyber operations launched from their territory, Section 2 of the Convention is still worth discussing. The Convention seeks to harmonize national laws relating to cybercrime in the 24 member states, which include non-European States such as the United States and Australia. Section 2 specifically criminalises illegal access to computer networks, illegal interception of data, data and systems interference, as well as the misuse of certain devices.[xxii] The Convention also stipulates that member States shall cooperate with each other to the maximum extent through the relevant legal instruments for international co-operation.[xxiii] This brings into question whether or not cooperation may be limited to the bilateral and multilateral agreements nations have with each other, and the extent to which such cooperation could be delayed on the basis of national law and other arrangements.[xxiv]

U.N. General Assembly Resolution 65/41 (2010)

In 2010 the United States changed its stance and co-sponsored a draft resolution (adopted)[xxv] with close to three dozen countries that dealt with information and telecommunications technology in the context of international security.[xxvi] It follows in the same vein as the Russian proposal of 1998 but notably requested the Secretary General to set up a committee to report to the Assembly’s next session.[xxvii]

U.N. Group of Governmental Experts on Development in the Field of Information and Telecommunications in the Context of International Security (2013)

The report in furtherance of G.A. Resolution 65/41 by the U.N. Group of Experts[xxviii] categorically stated that international law, especially the U.N. Charter,[xxix] is applicable and indeed essential to cyberspace.[xxx] It further clarified that the principle of State sovereignty, and the norms that flow from it, including jurisdiction and State responsibility, are applicable to a State’s activities in cyberspace within its territory.[xxxi] It stated that States must uphold their legal obligations for wrongful acts committed in cyberspace and must ensure that their territories are not used by non-State actors to launch unlawful cyber operations.[xxxii] It clarified that States must address cyber security within the norms provided for under international humanitarian law and the Universal Declaration of Human Rights.[xxxiii] It once again called for further study into norms, rules and principles of responsible behaviour by States in cyberspace.[xxxiv]

Tallinn Manual on the International Law Applicable to Cyber Warfare (2013)

The Tallinn Manual by the International Group of Experts is a project initiated by the North Atlantic Treaty Organisation (NATO) to reflect the international law applicable to cyber warfare. The manual lays down 95 ‘rules’ agreed upon by the Group of Experts to reflect customary international law in the field, along with commentaries summarising the debates, both concluded and undecided, regarding each rule.[xxxv] As per the Manual’s own introduction, the ‘rules’ reflect lex lata, the law as it exists, and not lex ferenda, or future law.[xxxvi]

Rule 30 of the Manual defines a cyber-attack as “[a] cyber operation whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”[xxxvii] The Group of Experts unanimously agreed that international law does in fact apply to cyber warfare, citing several International Court of Justice (ICJ) opinions, most notably the Nuclear Weapons Advisory Opinion[xxxviii] where the court opined that the Articles of the U.N. Charter reflecting jus ad bellum (the right to wage war) applied to any use of force, irrespective of the weapon in question.[xxxix] The discussions in the commentaries however highlight the difficulties in applying international law norms dealing with conventional warfare, to cyber warfare.

The Manual nonetheless affirms several jus ad bellum norms as being applicable to cyberspace, such as the inherent right to self-defence,[xl] necessity and proportionality,[xli] as well as State attribution.[xlii] While the Manual is inconclusive as to when a State can be held responsible for not preventing a cyber attack launched from or routed through its territory,[xliii] it does permit the use of force against non-state actors in defence of an armed attack.[xliv] The Manual is also inconclusive as to what constitutes the use of force in cyber warfare. The Group of Experts instead lay out a series of non-binding, non-exclusive criteria (to be applied on a case-by-case basis) to determine the probability that other States will characterise the particular operation as a use of force.[xlv] The criteria are: 1) Severity, 2) Immediacy, 3) Directness, 4) Invasiveness, 5) Measurability, 6) Presumptive Legitimacy, 7) Military Character of the Operation, and 8) State Involvement.[xlvi]

As the Manual is a NATO initiative, several Western European countries and the United States have released statements agreeing with aspects of its interpretation of international law in the context of cyber warfare.[xlvii] To the extent that these statements corroborate the ‘rules’ established in the Manual, the Manual is in fact corroborated by State practice. However, given that the experts were chosen by NATO, and were largely from Western Europe, it is questionable whether the Manual represents a source of international law under Article 38 (1) (d) of the ICJ Statute (teachings of the most highly qualified publicists) as it does not represent the views of publicists from various nations as the provision requires.[xlviii]

Letter to the Secretary General requesting International Code of Conduct for Information Security (2015)

Since 2011 several governments have proposed an International Code of Conduct for Information Security. As of 9 January 2015 this proposal was signed by representatives from China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan.[xlix] The Code has 13 points, amongst which are: respecting the sovereignty, territorial integrity and political independence of all States; refraining from using information and communication networks for purposes running counter to international stability and security; refraining from using information and communication networks to interfere with the internal affairs of another State; endeavouring to establish supply chains that prevent other States from exploiting their dominant position in information technologies; and settling cyber disputes in a peaceful manner without the threat or use of force.[l]


The U.N. Charter excludes economic and political coercion from its definition of the use of force.[li] Yet a cyber attack that affected a nation’s stock exchange, for example, could cost billions of dollars and could lead to more damage than any actual kinetic attack, while still not qualifying as a use of force under international law. As Schmitt argues, cyber warfare creates effects that were simply not conceivable when the existing law was drafted.[lii] Change in the normative architecture governing international security and the laws of war is inevitable.[liii] While there is a broad consensus as to the applicability of international law to cyber warfare,[liv] there are still several open debates as to how exactly this law applies. The Tallinn Manual in itself is a huge step forward in codifying the next frontier of international law, but ultimately international law reflects national interests and there is still a way to go before such interests are sufficiently aligned to propose a comprehensive framework for State behaviour in cyberspace.

[i]United Nations Institute for Disarmament Research, The Cyber Index, International Trends and Realities, UNIDIR/2013/3 available at http://www.unidir.org/files/publications/pdfs/cyber-index-2013-en-463.pdf.

[ii] Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies (Outer Space Treaty), Jan 27, 1967, 610 U.N.T.S. 205; 1968 Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space, Dec 19, 1968, 672 U.N.T.S. 119; Convention on International Liability for Damage Caused by Space Objects, Mar 29, 1972, 961 UNTS 187; Convention on Registration of Objects Launched into Outer Space, Aug 27, 1975, 1023 UNTS 15.

[iii] Schmitt, Michael N., Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, Columbia J. Trans Law, vol. 37, 1999, 885-937 available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1603800.

[iv] Barkham, Jason, Information Warfare and International Law on the Use of Force, 34 N.Y.U.J. Int’l & Pol. 57, 2001.

[v] Constitution of the International Telecommunications Union, 1994, A.T.S. 28.

[vi] Id. Art 35.

[vii] Id. Art 19.

[viii] Id. Art 20.

[ix] Id. Art 38.

[x] DoD-OGC supra note 8.

[xi] ITU/UNODC (MoU), http://www.itu.int/en/ITU-D/Cybersecurity/Pages/UNODC.aspx (last updated June 1, 2013).

[xii] G.A. Res. 53/70, Developments in the field of information and telecommunications in the context of international security, Dec 4, 1998, A/RES/53/70 available at http://www.un.org/ga/search/view_doc.asp?symbol=A/RES/53/70.

[xiii] Id.

[xiv] Maurer, Tim, “Cyber Norm Emergence at the United Nations – An Analysis of the UN’s Activities Regarding Cyber-security?”, Discussion Paper 2011-11, Cambridge, Mass.: Belfer Center for Science and International Affairs, Harvard Kennedy School, September (2011) available at http://belfercenter.ksg.harvard.edu/files/maurer-cyber-norm-dp-2011-11-final.pdf.

[xv] Department of Defence Office of General Counsel, An Assessment of International Legal Issues in Information Operations (May 1999) available at http://cyber.law.harvard.edu/cybersecurity/An_Assessment_of_International_Legal_Issues_in_Information_Operations.

[xvi] U.N. Charter; Constitution of the International Telecommunications Union, 1994, A.T.S. 28; Vienna Convention on Diplomatic Relations, 1961, 500 UNTS 95.

[xvii] DoD-OGC supra note 8.

[xviii] Id.

[xix] Hildreth, Steven. A, Cyberwarfare, CRS Report for Congress, (June 19, 2001) available at http://fas.org/irp/crs/RL30735.pdf.

[xx] Id.

[xxi] Convention on Cybercrime, Nov 23, 2001, E.T.S. 185.

[xxii] Id. Art 2-6.

[xxiii] Id. Art 23.

[xxiv] Vatis, Michael, The Council of Europe Convention on Cybercrime, in Proceedings of a Workshop on Deterring Cyberattacks 207 (National Academies Press ed. 2010) available at http://cs.brown.edu/courses/csci1950-p/sources/lec16/Vatis.pdf.

[xxv] G.A. Res. 65/41, Developments in the field of Information and Telecommunications in the Context of International Security, Jan 11, 2011, A/RES/65/41 available at https://gafc-vote.un.org/UNODA/vote.nsf/91a5e1195dc97a630525656f005b8adf/e542c8d6e28887a8852577d500585814/$FILE/A%20RES%2065%2041.pdf.

[xxvi] Maurer, supra note 7.

[xxvii] G.A. Res. 65/41 supra note 18.

[xxviii] U.N. General Assembly, Group of Governmental Experts on Development in the Field of Information and Telecommunications in the Context of International Security, Jun 24, 2013, A/68/2013.

[xxix] U.N. Charter.

[xxx] U.N. General Assembly supra note 21.

[xxxi] Id.

[xxxii] Id.

[xxxiii] Id.

[xxxiv] Id.

[xxxv] Schmitt, Michael N., International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, Harvard Intl Law J. Vol. 54, Dec 2012 available at http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf.

[xxxvi] Kilovaty, Ido. “Cyber Warfare and the Jus Ad Bellum Challenges: Evaluation in the Light of the Tallinn Manual on the International Law Applicable to Cyber Warfare.” National Security Law Brief 5, no. 1 (2014): 91-124 available at http://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?article=1066&context=nslb.

[xxxvii] International Group of Experts, Tallinn Manual on the International Law Applicable to Cyber Warfare, Rule 30, Schmitt, Michael N (Gen. ed.) (2013) Cambridge University Press available at http://www.peacepalacelibrary.nl/ebooks/files/356296245.pdf.

[xxxviii] Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), (1996) I.C.J. 1.

[xxxix] Schmitt, supra note 30.

[xl] Tallinn Manual, supra note 32, at Rule 13.

[xli] Tallinn Manual, supra note 32, at Rule 14.

[xlii] Tallinn Manual, supra note 32, at Rule 6-8.

[xliii] Kilovaty, supra note 31.

[xliv] Tallinn Manual, supra note 32, at Rule 11.

[xlv] Schmitt, supra note 30.

[xlvi] Schmitt, supra note 30.

[xlvii] Schmitt, supra note 30.

[xlviii] Kilovaty, supra note 31.

[xlix] U.N. General Assembly, Letter Dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary General, Jan 13, 2015, A/69/723 available at https://ccdcoe.org/sites/default/files/documents/UN-150113-CodeOfConduct.pdf.

[l] Id.

[li] Schmitt, Michael N., The Law of Cyber Warfare: Quo Vadis?, 25 Stan. L. & Pol’y Rev. 269 (2014) available at https://journals.law.stanford.edu/stanford-law-policy-review/print/volume-25/issue-2/law-cyber-warfare-quo-vadis.

[lii] Id.

[liii] Id.

[liv] Tallinn Manual, supra note 32; U.N. General Assembly, supra note 21.

(Vasudev Devadasan is an intern at CCG and a student at the Jindal Global Law School)

Full Text of India’s statement at the 1st Preparatory Meeting for UNGA’s overall review of the implementation of the WSIS Outcomes

Thank you distinguished co-facilitators for giving me the floor and the opportunity to speak on behalf of my country. We would like to place on record our sincerest appreciation to both the co-facilitators for their able stewardship of this process and for the well-crafted roadmap that has been placed before us.

At the outset my delegation would like to align itself with the statement delivered by the distinguished representative of South Africa on behalf of the Group of 77 (G77) and China. In identifying areas of cooperation in the WSIS+10 Review Process we should keep the modalities resolutioned as contingent of the Tunis Agenda to utilize ICTs for development and for the benefit of the developing countries. We need to take stock of the implementation of the WSIS action lines in the Tunis Agenda, review the existing mechanisms and update them and provide the necessary course correction to make them relevant for the challenges in the 21st century.

Second, we need to explicitly recognize the lack of follow up on the funding mechanism for the ICTs to implement the Tunis Agenda. There is a need to address capacity building and transfer of technology in keeping with the yet unfulfilled mandate outlined in para 9 of the Tunis Agenda.

Third, the stark gap in the digital divide between the developed and developing world needs to receive our attention. Despite significant advances, 50% of the world’s population, mostly from developing and the least developed countries continues to be denied access to ICTs. The growing gender digital divide, which has become even more sharp and acute in recent years is a related area of concern and needs to be specially factored into the review agenda. There is also a need to go beyond access issues and focus on affordability and multilingualism for inclusive growth and development. The formal launch of the Digital India programme earlier today by the Prime Minister of India seeks to address these and other issues related to digital empowerment of India’s citizens.

Fourth, on the issue of Internet governance it is imperative to acknowledge the platform of the Internet as a global public good where all stakeholders have an equal stake in its functioning and efficiency. India would like to affirm and renew its commitment to the multistakeholder processes. My delegation welcomes the participation of all the relevant WSIS stakeholders in the review process and looks forward to incorporating their inputs to make the IGF more broad based and globalized. At the same time we also think that enlisting and encouraging participation from the developing world in these processes needs particular attention.

Fifth, the mandate of para 69 of the Tunis agenda which had called for the process of enhanced cooperation remains as yet unfulfilled and needs our special consideration. In this context India specially recognizes the need for identifying issues, which have a direct impact on national security and call for enhanced role for governments in dealing with such issues.

Sixth, we need to recognize the need to build a common understanding on the applicability of international rights and norms particularly the freedom of expressioned activities in cyberspace. To ensure better protection of all citizens in the online environment and strike an ideal balance between national security and internationally recognized human rights and to create frameworks so that internet surveillance practices motivated by security concerns are conducted with a truly transparent and accountable framework. Further my government would also like to express a strong affirmation of the principles of net neutrality.

And finally we must keep in mind that our work is taking place in the 70th anniversary year of the United Nations. In this historical year we are also seeking to conclude the post 2015 development agenda and to hold the financing for development conference and the COP 21 meeting on climate change. We need to acknowledge the synergy and inter linkages between the WSIS+10 Review and these three major meetings of the UN system in 2015 and reflect them appropriately in our outcome document.

Co-facilitator madam and sir, our engagement at the WSIS+10 process stems from our deep and substantive understanding of the need to make ICTs truly relevant for the benefit of the entire planet and not just a privileged few. Please rest assured of our fullest cooperation and steadfast support in helping you drive this process to its successful conclusion.

Thank you.