Has International Law done enough to govern cyberspace?

Obed Ooei


18 Nov 2022
Topics
  • Compliance and Regulation

Introduction

Cyberspace has become a front-of-mind topic for many countries. In Australia alone, investment in cyber protection amounts to over $1.9b to be spent over the next decade, and this is expected to increase as the political context grows in complexity. Ongoing tension between states and attribution issues concerning cyber actors are two of the key drivers. We often hear about cyber warfare, cyber conflict, cybercrime, and hostile nation-states, but apart from the occasional sanction and name-and-shame tactics employed by more vocal states, cybercrime is seldom taken to International Courts. This article summarises some of the key events in the last half-century which have shaped cyberspace operations, describes three barriers that make it difficult for International Law to govern cyberspace, and considers what the future of international cyberspace governance may look like.

Definitions

Cyberspace: the notional environment in which communication over computer networks occurs.

Cyber warfare: the hostile actions by a nation-State or international organisation to attack and attempt to damage another nation’s computers or information systems.

(Cyber) attribution: the ability to accurately allocate responsibility (and thus identity) of a cyber attack to an attacker or group of attackers.

Key events in the last half-century

Diplomatic approaches to cyberspace were not established overnight. Just as technology is constantly shaping and being shaped by the events of the world, International Relations surrounding cyberspace were and are still being shaped by global events. There are some notable events to highlight:

1970s: The use of computers became common - creating the concept of a 'network of networks' now known as the Internet. The domain of operations concerning this Internet is called cyberspace.

1982: Arguably the first ever ‘cyber-attack’ which resulted in kinetic destruction. Malware implanted by US Intelligence to ‘upgrade’ pipeline control software resulted in a trans-Siberian pipeline explosion in the Soviet Union. This intel was released and known in popular culture through ‘The Farewell Affair’.

1984: The Cult of the Dead Cow (cDc) was born. The cDc was the first non-state organisation that used cyberspace to influence the world – public and private – towards better cyber governance. Under the cDc umbrella, the organisation brought the term ‘hacktivist’ to life. Hacktivism sought to apply human rights to the Internet by arguing for the free access of information. The group would then release programs which exploited the weaknesses of computer systems, and thus the companies which created them.

1997: ‘Eligible Receiver’ was an internal exercise initiated by the US’ Department of Defence (DoD). The exercise simulated infiltration into Pentagon systems using only publicly available computers and software. Hackers were able to take control of multiple command centre computers, power grids and emergency systems in nine major US cities. More troubling was that no one believed they were under attack for the first three days of the exercise.

2001 & 2004 (effective): The Budapest Convention on Cybercrime was the first international treaty that mandated cooperation between participating states for the harmonising of national laws and the sharing of information for law enforcement against cyber crime. This meant that participating countries were able to ‘request’ pieces of evidence from each other, so long as it related to the prosecution of cyber crime. The Convention has been criticised by states and authors for its effect on state sovereignty and the possibility of illegitimate information access, but it is still seen as an important step in compelling a multilateral regulation of cyber crime (Clough, 2014). Australia officially signed the treaty in 2016, and the Convention is undergoing revision to reflect a more modern understanding of the internet and the global context.

2003: A decentralised and highly controversial hacker community named ‘Anonymous’ was born. With the core intent of protecting the ordinary citizen’s privacy, the community often used brute force cyber attacks against organisations they perceived to be corrupt. Anonymous has been criticised by the likes of cDc because its methods were contradictory to the ‘hacktivism’ movement: brute force tactics to shut down or deny systems went against the principle of free access to information.

2009-2010: Operation Aurora attacked major organisations such as Google, Adobe, Morgan Stanley and Dow Chemical. It was suspected that the espionage attack originated from China, and it reportedly resulted in loss of intellectual property. Although denied, this is considered a historic incident by a Nation-as-hacker (Council on Foreign Relations, 2010; handwiki.org, 2021).

TODAY: Most states and international organisations have affirmed that existing international law should apply to the use of information and communication technologies by states, but there is no clear direction as to how law should apply in cyberspace.

The course of diplomatic discourse

Current thought and discourse on how international law should apply to cyberspace vary. Three of the more dominant schools of thought are liberal institutionalism, cyber-libertarianism and statism, defined below. Whatever the school of thought, it should be appreciated that they all echo a need for cyber-governance in the international realm. Although the motivation exists, discussion is still rich and in progress as to how this governance should look. The diplomatic journey has been long and contested, and the following three reasons may explain why.

Definitions

Liberal Institutionalism: the belief that domestic and international institutions play central roles in facilitating cooperation and peace between nation-states.

Cyber-libertarianism: the belief that cyberspace and the digital realm constitute spaces of individual liberty and of self-governance – without tyranny or oppressive rule from any actor or bodies of actors.

Statism: the belief that nation-states play the core role in shaping diplomacy and establishing national and international law.

Ambiguity and relevance issues in existing International Law

In traditional law, acts of war and the use of force are associated with kinetic forces – missiles, guns, entrance of troops into foreign territory. How do you apply this to a cyber-attack? Much of the media and general rhetoric around cyber warfare holds that two or more actors (state or non-state) are engaging in constant back and forth conflict, deploying all sorts of cyber weaponry to steal, deny or incapacitate information systems. If aggressive cyber-attacks did result in these or were found to coincide with territorial invasion, the actor may be subject to condemnation under the traditional law against force and armed attack. However, very rarely do these attacks result in kinetic destruction or denial of a critical infrastructure. The typical ‘why’ behind cyber-attacks is driven by espionage tactics – something that had always existed before cyberspace and something that even international relations today cannot clearly condemn. The current system allows a state to apply sanctions or other diplomatic means to deal with espionage, but resorting to deportation of spies and sanctions becomes difficult when cyber espionage can take place anywhere in the world – how effective is it to ban a 20-year-old state actor from entering foreign soil that they never had the intention of entering? Espionage seems to be a permitted practice within International Relations, and as long as a cyberattack falls below the definition of forceful and does not interfere with another state’s sovereignty, states can do very little to prohibit cyber operations.

State silence and inaction during and after a cyber-attack

Closely tied with the above, because there is no clear guidance in international law on what constitutes an unlawful cyber-attack, states rarely bring instances of cybercrime to attention. Where espionage is just another norm, states will simply accept that cyber-attacks for the sake of espionage are the same culprit utilising a different medium. Another reason, however, could be that using terminology such as cyber warfare can inflate the situation to be more hostile than it is. This hostility, if escalated, can result in further damage to an already troubled diplomatic landscape between states trying to get along with one another. Naming and shaming can often result in further breakdown of relations, and have devastating effects on trade agreements, foreign aid, and other socio-cultural sentiment.

Attribution and accountability issues concerning ‘anonymous’ actors

Unlike a missile or another kinetic medium, it is increasingly difficult to attribute actors behind a cyber-attack, and thus there is ambiguity in who should be held accountable. There are two reasons why attribution is difficult in cyberspace. International law is limited in that it attempts to govern the relations between state actors. There is limited scope in defining what it would mean when non-state actors engage in malicious attacks. We know that cybercriminals are not always tied to or supported by a state, but even if they are under “state control”, would the state confess their involvement and risk escalation? The other attribution problem is that technology continues to grow in sophistication, and methods to mask activities are diverse. From a technical standpoint, trying to trace actors using IP addresses may be difficult when Virtual Private Networks (VPNs) or other masking tools are deployed to cover digital footprints.

Conclusion and Outlook

Traditional means of warfare which are more kinetic and tangible may be better dealt with through international law and its mechanisms, due to their more attributable nature. Compare this with the tenebrous character of cyber espionage and warfare, where obscurity of actors and motivations makes it difficult to predict and punish. Navigating cyberspace is made even more difficult as cybercrime can and will affect just about anyone who has access to a connected device. Threat vectors are inherently high, as cybercrime spans borders and exploits the unpredictability of human behaviour and inconsistency in human awareness of cyber safety. All of these speak to a considerably higher threat in the context of impact and likelihood behind a cyber-attack, when compared with traditional physical methods. For these reasons, there is a considerable need to establish appropriate governance mechanisms over cyber space which can be accepted by international communities spanning states, private industries, and everyday citizens.

We have observed throughout history the evolution of global policies in governing conflict, and this has somewhat extended to cyber space. However, as cyber governance continues to evolve, the following three considerations must be explored.

This article has described the current cyberspace landscape through the lens of International Relations, and presented some reasons why governing cyberspace has been difficult. Some historical events which help highlight this complexity have also been referenced. As the global community develops its understanding of cyber security, it must do so in conjunction with establishing the right mechanisms for effective governance. The world will expect change, and governments must realise the benefit of political discourse that is multilateral, to build a stronger stance on a space that affects and is affected by all.


References

  1. Brangetto, P. and Kert-Saint Aubyn, M., 2015. Tallinn 2015 Economic aspects of national cyber security strategies Project Report. [ONLINE] Available at: https://ccdcoe.org/uploads/2018/10/Economics-of-cybersecurity.pdf. [Accessed 01 November 2021]
  2. Clough, J., 2014. ‘A world of difference: the Budapest Convention on Cybercrime and the challenges of harmonisation’, Monash University Law Review, vol. 40, no. 3, pp. 698-736.
  3. Council on Foreign Relations. 2010. Operation Aurora | CFR Interactives. [ONLINE] Available at: https://www.cfr.org/cyber-operations/operation-aurora. [Accessed 01 November 2021]
  4. Operation Aurora – HandWiki. 2021. Operation Aurora – HandWiki. [ONLINE] Available at: https://handwiki.org/wiki/Operation_Aurora. [Accessed 01 November 2021].