This week, Net Politics is taking a look at the work of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, which is meeting this week in New York.
From its first incarnation in 2004, the UN’s Governmental Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) tussled over whether international law applied to the use of information and communication technologies (ICTs) by states. This struggle explains why some experts considered it a breakthrough in June 2013 when the GGE stated that “[i]nternational law, and in particular the Charter of the United Nations, is applicable, and is essential in maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.” With that resolved, the GGE has turned to address how international law applies to state use of ICTs.
International Law Applies to State Use of ICTs ... Really?
The significance accorded to the GGE’s celebrated statement exceeds its actual importance. Recall what happened in and after June 2013. The United States was preparing to confront China over economic cyber espionage, but Snowden’s disclosures about the NSA’s cyber espionage derailed that plan. But, international law does not prohibit or regulate espionage. So at the moment the GGE agreed international law applies to state use of ICTs, international law did not (and still doesn’t) apply to one of the most important state uses of ICTs that cause international security problems.
The GGE recommendation did not fare better where international law has rules. Since the release of the 2013 GGE report, the United States has refused to discuss many activities Snowden disclosed, such as offensive cyber operations against foreign nations, let alone explain how they complied with international law. The United States has argued its international legal obligations to protect privacy did not apply to its foreign surveillance activities, which angered allies. China continues to cite the principles of sovereignty and non-intervention in dismissing human rights concerns about its Internet censorship. Russia used cyber operations in its annexation of Crimea and intervention in Ukraine. Iran hacked a Las Vegas casino, and North Korea launched a cyberattack against Sony. Given such behavior, it is fair to ask whether the rules of international law really apply in any meaningful way.
Challenges to GGE Efforts on How International Law Applies
As the GGE considers how international law applies, it has to navigate legal, technological, and political challenges. Legally, many rules relevant to ICT use in international security contexts are general in nature. For example, international law prohibits the use of force by states except in self-defense in response to an armed attack. Assessing how this rule applies requires fact-specific, case-by-case analyses of incidents. Was Stuxnet a use of force or an armed attack? International lawyers have tackled this question, but controversies surrounding how the law applies to Stuxnet demonstrate the difficulties associated with legal analysis.
Technologically, assessing how international law applies requires identifying how technological features of ICTs affect the functioning of legal rules. ICTs allow states to obscure their involvement in cyber operations, which complicates the application of international law on state responsibility. Technology also offers states ways to calibrate effects so that their actions stay under key legal thresholds. So, states can target and disrupt civilian computers during armed conflict as long as the effects do not qualify as an “attack” in the law of armed conflict. These capabilities make cyber attractive to states and create disincentives for adjusting pre-cyber rules to account for what cyber technologies make possible.
The elasticity and utility of cyber technologies explain why the U.S. Director of National Intelligence predicted that, rather than massive cyber attacks, the United States confronts “an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.” Similarly, the Commander of U.S. Cyber Command emphasized the need for more offensive cyber power to deter persistent and growing threats that defenses and international law are not stopping.
Politically, focusing on how international law applies reveals that states have different interests and compete for influence in cyberspace. As the Snowden-triggered controversies show, serious disagreements exist among leading democracies about how international human rights law applies to state use of ICTs. The gap is more profound between democracies and authoritarian states. These problems are deeply political, and the differences among states—especially between democracies and authoritarian governments—inform the larger competition for power and influence intensifying in international relations. This context means that GGE discussions involve political sub-texts, particularly between the United States and China, that involve more than ICTs and that will make reaching anything more than superficial consensus difficult.
Given that it took the GGE nearly a decade to agree that international law applied to state use of ICTs, it is hard to see this process easily overcoming the legal, technological, and political problems inherent in assessing how international law applies. Consensus that cyber activities might, in unspecified situations, violate sovereignty, the principle of non-intervention, the use-of-force prohibition, rules on discrimination and proportionality in the law of armed conflict, or human rights would merely restate that international law applies. This outcome would be no more impressive or important than it was the first time.