CYBERSECURITY & INTERNATIONAL LAW: Navigating the Geopolitical Landscape

By Suleman Yousaf (Pakistan)

The digital domain sees no borders, making it a readily available tool for stat and non-state actors. With the escalation of cyber threats, especially in recent decades, there is a need for a solid international legal framework that can tackle such cyber disputes.

This article will shed some light on international law and its application in cyberspace, the involved players, any significant issues in the application, and the future pathways for cyberspace governance.

International Court of Justice & Its Relation with Cybersecurity:

The current international law doesn’t have any tailored rules to regulate cyberspace. Of course, there are a few exceptions, such as the Budapest Convention and the African Union Convention (not enforced yet).

Though ICJ has yet to address cyberspace due diligence requirements directly, its cases may guide understanding cyber-based applications.

Understanding cyberspace due diligence:

It refers to reviewing the governance, controls, and procedures to make information assets secure. It means that state and non-state actors must assist in identifying and instilling the best cybersecurity practices to boost cyber peace by enhancing the security of networks, computers, and other ICT infrastructure.

These due diligence obligations might exist between states and non-state actors in any capacity. Some legal requirements should originate from a treaty. technical standards, national policies, and private sector norms.

Now, let’s further our discussion with the two cases,

1. Corfu Channel (Duty to warn):

Among the earliest ICJ cases on cybersecurity due diligence was the resolution of the dispute of Corfu Channel in 1947. Two British warships were sunk after hitting mines in the Corfu Channel. This area is an international strait that is located in the waters of Albanian territory.

The British brought the case in front of ICJ with the right of innocent passage and that the Albanian government should have warned the British government about the mines.

The court ruled in favor of the British government and stated that the Albanian government should have informed the British government about these mines.

The same case and ruling can be carried to the cybersecurity realm, where the host state should warn other states operating in their domestic networks that there are vulnerabilities.

The law doesn’t require the host state to identify the vulnerabilities but warn about them. These vulnerabilities should be associated with cyber mines such as logic bombs.

2. Trail Smelter (No Harm principle):

Another dispute that the ICJ addressed was the Trail Smelter dispute involving the emission of hazardous materials across the US-Canadian border. And it was all about what obligations states owe their neighboring states.

This case was about the system of territorial sovereignty and the new jurisdiction conception of the activities that had substantial domestic effects.

The decision, in this case, was that no state has the right to use or allow the use of its territory to cause injuries by fumes to other territories of others, and this is in particular in the case of any severe consequence or injury with clear evidence.

This ruling indicates the no-harm principle (though directed towards environmental harm) and goes parallel with cybersecurity. It means states must prevent domestic activities that might result in serious international consequences. Otherwise, the offending state must mitigate the threat.

  • The Primary Issues:

The primary issues surrounding the application of international law to/in cyberspace can be classified into five categories. These are,

  • Silence:

For several years, determining state practices in cyberspace was complicated as state silence, let alone what the international law had to say about these practices.

But that has changed in the last decade as states have started speaking out. In 2012, the US began highlighting its views in different statements and speeches.

The UK’s Attorney General also gave his statement presenting the country’s views. And in the following years, other European and global states also came up with their views on this issue. These include Australia, the Netherlands, Germany, France, Finland, and Estonia.

There are ongoing efforts at a global level governed by the UN and at the regional level, such as the OAS, to include more states with views on cyberspace international law in their lists. Yet, a vast majority of states remain silent.

  • Existential disagreements:

There are various existential disagreements for states that have taken a stance on applying cyberspace international law. These include any competing claims involving a specific global rule that are entirely excluded or included from cyberspace.

For example, in the context of the UN, a few states have challenged the right to take any countermeasures associated with online activity, the duty of due diligence, the right of self-defense, and the availability of international humanitarian law.

The existence of these legal frameworks in cyberspace has implications for the application of international law. Therefore, it will directly impact how the states may conduct their cyber activities in the case of armed conflicts.

  • Interpretative questions:

International legal rules, such as sovereignty, human rights, and nonintervention, encounter substantial ambiguities in their applications in cyber issues. For example, the duty of nonintervention keeps the external of international affairs safe from coercive intervention from other states.

There’s no decision on what affairs the duty of nonintervention protects and no consensus on what differentiates coercive and non-coercive cyber practices. It is surprising and indicates how slow the overall development has been when addressing the primary issue.

  • Attribution:

For the application of cyberspace international law, determining the identity of any activity under question performed by the responsible entity is mandatory.

Is it a state actor or an actor sponsored by the state, or is it an individual who has portrayed this activity outside the scope of international law?

These identifications are tricky in cyberspace due to various challenges in technical attribution. Hence, pinpointing the origins of any malicious cyber practices is time-consuming.

Apart from that, when states use proxies, attributions become more challenging to show evidence of state control over the proxy actor.

International law has yet to resolve this matter and govern how much control is needed or what evidence should be provided to prove or demonstrate it.

  • Accountability:

Now, attributions of cyber operations directly governed by states or state-sponsored are rising. States who speak out by accusing other states of malicious cyber activities seldom invoke international law.

The absence of international legal order may show that the behavior might be legal even if it is not wanted. On the other hand, naming and shaming haven’t done much to alter the behavior of the accused state, either. Nevertheless, it does assist in clarifying the existence of cyberspace international law and interpreting its meaning.

Some states cooperate to form coalitions to improve accountability with collective accusations and even sanctions. However, such efforts have yet to emphasize invoking the benchmarks and tools (countermeasures) set by international law to measure any malicious cyber activity to address the violation.

Takeaway:

Even as the states move up from their initial stance for addressing the application of international law to govern the behaviors of different actors in cyberspace, they will have to deal with new issues in different forms and at various forums.

Therefore, all stakeholders and states should track down different players and issues while keeping an eye on the bigger picture, and that is to determine whether international law can do more than just address the cyber issues.

Suleman Yousaf (SY), a seasoned writer with a decade of expertise, illuminates diverse niches through the pages of “The Advocate Post.” With a potent pen, SY channels over a decade of writing and editing experience into shedding light on issues deserving of attention. A dedicated storyteller, SY’s work resonates with a passion for meaningful narratives that inspire and inform.

Leave a Reply