The Internet has enhanced freedom of communication, ignored national borders, and removed time and space barriers. But the Internet sphere was never a law-free zone. Already ICANN’s “Articles of Incorporation” (1998) constituted that the management of critical Internet resources has to take place within the frameworks of “applicable national and international law”. And in 2015, all the 193 UN member states confirmed the general applicability of international law in cyberspace. Nevertheless, the issue is part of an ongoing international controversy.

The basic agreement is overshadowed by fundamental disagreements on the “How”. The UN Charter, UN conventions on international humanitarian law and human rights, and many other universal legal instruments have been negotiated in the pre-digital age. Now, different parties have different interpretations in the digital age, including how the existing legal instruments should be applied in today’s interconnected world. Is hacking into foreign networks a “use of force”, forbidden by Article 2.4 of the UN-Charter? And if yes, would such an attack trigger article 51, which defines the right of self-defense, and allow a “hack back”? Can “Cyber sovereignty” be extended beyond national borders? Who decides on the “attribution” of a cyberattack? What about a “drone war” where people are killed using joysticks, networks, and facial recognition software? Should there be a moratorium or even a ban for Lethal Autonomous Weapon Systems (LAWS)? Are there mechanisms for the peaceful settlement of cyber disputes? How does “digital mass surveillance” violate the human right to privacy? What is the role and the legal status of non-state actors, acting as curators for content control or proxy-hackers? Online theft of intellectual property is illegal, but what about state-sponsored online-espionage?

For years, those disputes and other controversial law-related cybersecurity issues have been on the agenda of the 1st Committee of the UN-General Assembly and its two sub-groups, the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG). To bring more light into the legal grey zones of cyberspace, the OEWG convened in December 2020 a series of multistakeholder expert seminars, starting on December 4, 2020, with a special session on “International Law”. The Japanese Cyber Ambassador Takeshi Akahori and Prof. Dapo Akande from Oxford University co-chaired the meeting. Liis Vilhul, Marietje Schaake, Harriet Moynihan, Sheetal Kumar, Jan Neutze, Duncan Hollis, Tilman Rodenhäuser and others testified. It was an excellent high-level discussion among policymakers and legal experts. It confirmed the existing agreements, but it also reconfirmed the existing disagreements.

Capacity Building: What about some Cybersecurity books under the Christmas Tree?

There is no shortage of expert knowledge about the threats in the digital world. The risks of the militarization of cyberspace are well known. As some speakers outlined, more than 60 countries have now developed offensive cyber-capabilities. However, governments are far from a consensus, creating a legal framework, and minimizing the risks for a digital disaster. Even shocks like COVID-19 seem to produce more intergovernmental controversies, not less. Experts have no problems agreeing that attacking data centers of hospitals, medical research institutes or supply chains for vaccines is unacceptable and should be treated as an illegal action. However, such attacks are taking place without any consequences.

Do diplomats and policymakers really understand the threats of escalating cyberattacks and their cascading side effects? Could enhanced capacity building, as discussed in the OEWG, help limit risky behavior in cyberspace?

The short answer to the second question is probably “yes”. Capacity building is a good idea. Nobody can refuse it. It can help to build trust among adversaries. But it also needs a political will.

Enhanced legal knowledge is available. We have the “Global Forum on Cyber Expertise” (GFCE), databanks, archives and many academic books. And we do have the Tallinn Manual 2.0, something like the “Cybersecurity Bible”. Reading books—in particular between Christmas and New Years’ Eve—makes a lot of sense. Wouldn’t it be a good idea to put some new books under the 2020 Christmas Trees? Here are four recommendations from the 2020 edition:

Francois Delerue: Cyber Operations and International Law

The book “Cyber Operations and International Law”, published by the Cambridge University Press, was written by Francois Delerue, a researcher from the Institute for Strategic Research of the Paris-based Ecole Militaire (ISREM). It offers a comprehensive analysis and a systematic examination of attribution, lawfulness, and remedies regarding the cyber activities of state and non-state actors. He makes it clear that in the 2020s, the militarization of the Internet is a fact, and “cyberspace is considered to be another domain for military activities”.

According to Delerue, state-sponsored cyber operations take “a mosaic of forms and serve an array of purposes”. But he also argues that cyberwarfare is often in the center of the public discussion and is not only ill-defined but also just the “tip of an iceberg”. The majority of state-sponsored cyber activities occur below the threshold of cyberwarfare. They do not produce “death and destruction” in enemy states, but they can create chaos and confusion in societies.

Delerue recommends looking beyond the “prohibition of the use of force” principle and analyzes deeper consequences of the violation of other jus cogens principles of the UN-Charter as territorial sovereignty or the principle of non-intervention. Delerue argues that “international law does not leave States helpless against cyber operations, even when the right to self-defense cannot be invoked. He makes it clear that “the perpetrating State has to provide full reparation for the damage caused by its cyber operations.” He analyzes states’ responsibility if their territory is used for the transit or launch of cyber operations by third parties.

In this context, he offers a very useful concept for the controversial issue of “attribution”. He distinguishes between “attribution to a machine, to a human and to a State” and proposes a variety of specific procedures and how to identify and react to unfriendly actions. Delerue also makes clear that there is a distinction between state-sponsored cyber operations and cybercrime. “State cybersecurity and private cybersecurity are covered by two different legal frameworks”.

Matthias Kettemann: The Normative Order of the Internet

Kettemann is with the Leibnitz Institut in Hamburg. His book is published by the Oxford University Press. He tries to “decomplexify and demystify” Internet regulation and offers a “sophisticated multilayered model of a comprehensive and nuanced regulatory order” between “utopian ideals” and “technocratic pessimism”. He says that there is no “Grundnorm” within the Internet Governance Ecosystem. The legal framework for the Internet is “hybrid in nature” and consists of several interconnected layers. It is a complex of norms, values and practices that relate to the use and development of the Internet.

He discusses Lawrence Lessig’s the “Code-is-Law-Slogan” and concludes that “code does not just appear, it is written in processes (that can be regulated) by coders who can be subjected to norms, employed by companies with values and targets to be debated in public forums, with aims and functions that can be measured against the finalities of the normative order of the Internet.” And he concludes that “protocols therefore have politics” and “norms need to be consistently applied to their development and implementation”. This finding, he adds, also applies “to algorithms and algorithmic decision-making, including selection and recommendations logics that have clear implications for rights and freedoms”. He supports the multistakeholder model but recognizes that this model - as it stands now in 2020 - “suffers from substantial conceptual deficits.”

In his summary, he states: “The rule on (and of) the Internet must protect rights and values online (the Internet’s nomos), legitimize the exercise of private and public authority (through stabilizing the nomos normatively and through narratives) and ensure a fair distribution of basic goods and rights as they relate to the Internet, including Internet access and access to Internet content.”

Niels ten Oever: Wired Norms

Niels ten Oever has worked for many years with the human rights organization “Article 19”. His “Wired Norms: Inscription, resistance and subversion in the governance of the Internet infrastructure” is based on his dissertation, which he defended in summer 2020 at the University of Amsterdam. He analyzes the interrelationship between technical arrangements and legal norms, particularly in human rights. He looks into policies and practices of three technical organizations—ICANN, IETF and the Regional Internet Registries (RIRs)—and identifies frictions between the multilateral Internet Governance regime, which regulate public policy issues (as privacy or information content) and self-regulatory multistakeholder and private Internet governance regimes, which are dealing with technical issues (as Internet protocols, standards, domain names and IP addresses).

He concludes that one should not see this friction as a “structural misalignment” but as “mutually beneficial”. While states may not want to focus on the interconnection and innovation of technologies, transnational corporations do not need or want to develop their own policies and standards vis-a-vis social and legal norms. He argues for a “wiring of norms” and hopes that cross-pollination between the two regulatory worlds could produce “alternative routes to govern the Internet.”

Dennis Broeders & Bibi van den Berg: Governing Cyberspace

“Governing Cyberspace: Behaviour, Power and Diplomacy”, published by Rowman & Littlefield in 2020, is based on papers presented at a conference on responsible behavior in cyberspace in November 2018 in The Hague. It includes papers like “Electoral Cyber Interference, Self-Determination and the Principle of Non-Intervention in Cyberspace” (Nicholas Tsagourias), “Violation of Territorial Sovereignty in Cyberspace” (Przemyslaw Roguski), the Multistakeholder Model on Internet Governance (Jacqueline Eggenschwiler & Joanna Kulesza) and on cyber activities of China (Rogier Cremers), Russia (Xymena Korwoska) and NATO (Steven Hill & Nadia Marsan).

Alexander Klimburg and Louk Faesen, in their paper “A Balance of Power in Cyberspace,” argue in favor of a “holistic approach”. The Internet has linked cybersecurity issues, digital economy, human rights and technology development (as AI or IoT) in a new way, which has consequences for all kinds of global diplomatic negotiations. They see in the United Nations and the first three committees of the UN General Assembly an already existing political mechanism for such a “holistic approach” to develop regulatory frameworks for cyberspace and digital cooperation.

Klimburg & Faesen use the “balance of power theory” to explain that a realistic approach to stability and international order needs compromises that will give all parties the same “relative security and relative insecurity”. Stability in cyberspace “hinges upon the acceptance of the framework of the international order by all major powers, at least to the extent that no state is so dissatisfied that it expresses it in a revolutionary foreign policy.” They describe this as a challenge to find solutions based on the “recognition of the limits” by the states with regard to the “technical reality of the domain inhibiting one party from deciding universally and unilaterally, arguably defined as the multistakeholder reality in the context of cyberspace.” Balancing states’ interests in cyberspace are crucial. The holistic approach could be the start of a new beginning in creating stable and peaceful cyberspace.

Looking forward towards 2025

To have academic expertise is very good. But time is ripe now for governmental positioning. A number of states—Finland, New Zealand, France and Estonia—have recently published their legal opinion about the applicability of international law in cyberspace.

The issue of the use of force and countermeasures in cyberspace is one of the key problems. New Zealand published its paper on the eve of the OEWG seminar series on December 1, 2020. It expressed its willingness to explore collective countermeasures in the “collective interest in the observance of international law,” citing the “potential asymmetry between malicious and victim states.” It says that “state cyber activity will amount to a use of force if it results in effects of a scale and nature equivalent to those caused by kinetic activity which constitutes a use of force at international law. Such effects may include death, serious injury to persons, or significant damage to the victim state’s objects and/or state functioning”. Cyberattacks against hospitals could be such a case. Estonia maintains a similar position, France recently rejected collective countermeasures, while Finland has avoided the matter altogether. In the OEWG seminar, the question was discussed, whether the publication of “national papers” is useful or could have counter-productive effects, allowing “silent governments” to move away from globally accepted norms.

There were a lot of references to the so-called “like-minded countries.” If they agree, this will set the first standard for global arrangements. It is undoubtedly true that it is much easier to agree among governments that share the same values. However, we live in a divided world where different value systems co-exist. In this divided world, we have one Internet. There is no alternative to the complicated and burdensome process to sit together and figure out how arrangements can be made among partners that are also competitors and adversaries in an interconnected world. Probably a legal opinion of the International Law Commission would be helpful to agree on something like a globally accepted “framework of interpretation.”

But in any case, it will take some time to make progress. Nevertheless, there are some encouraging signs. The fact that the UN becomes more and more a place where not only governments but also non-state actors discuss highly politicized issues as cybersecurity is an interesting step forward towards a new culture of global policy development. The extension of the OEWG mandate by the 75th UN-General Assembly until 2025 is another interesting signal.

The new UN resolution on an extended OEWG calls for enhanced multistakeholder discussions. It recommends that the new OEWG should not only facilitate “the exchange of views among States on specific issues related to its mandate.” Still, it may also decide “to interact, as appropriate, with other interested parties, including businesses, non-governmental organizations and academia.” But again, it is the “How” which is the problem. How will non-state actors become involved? What is “appropriate”? And how will governments take ideas from non-state actors on board? With the Paris Call, the Tech Accord, and the Final Report of the Global Commission on the Stability of Cyberspace, there are already good examples of multistakeholder cooperation in developing cyber norms on the table. The next opportunity is to move forward and propose some innovative procedures for future interactions among state and non-state actors in cybersecurity in the forthcoming OEWG meeting in March 2021.