In two speeches in February, UN Secretary-General António Guterres asserted that a lack of rules regulating cyberwar constitutes a global threat the international community must address. In Munich, the secretary-general argued that cyberwars between states are underway and that "we have not been able to discuss whether . . . the Geneva Conventions apply to cyberwar or whether . . . international humanitarian law applies to cyberwar." In Lisbon, he claimed that "episodes of cyber warfare between states already exist" and "there is no regulatory scheme for that type of warfare" because "it is not clear how the Geneva Convention[s] or international humanitarian law applies." Guterres proposed using the First Committee of the UN General Assembly "to have a serious discussion about the international legal framework in which cyberwars take place."
These remarks raise questions that undermine the secretary-general's call for the regulation of cyberwar. First, what the secretary-general considers a cyberwar is not clear. He used the term “cyberwar” repeatedly, but, at Munich, he acknowledged cybersecurity problems that “go beyond cyberwar.” The line between war and peace is critical to the UN’s mission and to the international law that authorizes and informs UN activities. Given how war threatens the UN’s purposes, claims by the secretary-general that "war" of any kind is underway should be backed with evidence interpreted according to the UN Charter and international humanitarian law.
Second, why the secretary-general believes "we have not been able to discuss" the application of international humanitarian law, including the Geneva Conventions, to cyberwar is perplexing. Despite the lack to date of any cyber operations triggering armed conflict, intergovernmental, governmental, and nongovernmental discussion about whether and how international law on the use of force and international humanitarian law applies to cyber warfare has been extensive.
Indeed, the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security agreed that the UN Charter, including its prohibition on the use of force, applies in cyberspace. The GGE failed to reach consensus on whether international humanitarian law applies in cyberspace, but the group discussed the question seriously for years.
The GGE’s lack of consensus has not prevented states from integrating analysis of cyber operations in manuals on the law of armed conflict and their use of cyber capabilities in armed conflict. Nongovernmental efforts, including the Tallinn Manual process and work by the International Committee of the Red Cross, have applied jus ad bellum and jus in bello to cyber operations. The secretary-general's prediction that "the next war will begin with a massive cyberattack to destroy military capacity . . . and paralyze basic infrastructure such as electric networks" reflects scenarios that government officials and nongovernmental experts have analyzed under international law on the use of force and international humanitarian law.
Third, If Guterres meant that cyberwar involves activities not amounting to armed conflict, such as cyber interference in elections, he was wrong to assert that it is unclear how international humanitarian law applies. It does not apply. However, UN bodies, including the Counter-Terrorism Committee, apply other rules critical to the UN’s mission, such as the principles of sovereignty and nonintervention and human rights law, to cyber activities outside armed conflict. How these rules apply in cyberspace has been extensively discussed across the UN and elsewhere for many years, often with controversy overshadowing consensus.
Fourth, the secretary-general undermined his call for global cyberwar regulations when he identified systematic violations of existing international law in armed conflicts around the world. The secretary-general acknowledged in Munich that “dramatic violations of international humanitarian law, human rights law and refugee law were taking place, with people suffering enormously, and that it was practically impossible to guarantee accountability in relation to these terrible violations.” The rules being violated with impunity are rules that clearly apply in armed conflict. Clarity in application has proved no deterrent to massive non-compliance with international law during armed conflicts.
Given this reality, why the secretary-general believes that rules specifically developed for cyber warfare would fare any better than other rules of international law designed to apply in times of war is not clear. Making matters worse, the secretary-general admits that, in contexts not involving cyber warfare, the world is experiencing “the permanent violation of cybersecurity” by states, terrorists, and criminals against which existing international law, national laws, and non-binding cyber norms have apparently been ineffective.
The secretary-general is not the first, nor will he be the last, person to desire a stronger role for international law concerning the cyber activities of state and nonstate actors. However, that objective comes no closer by blurring the line between war and peace and pretending that the international community has, so far, not seriously discussed the challenges cyberspace presents to the application of international law in all contexts.