REGULATION OF CYBERSPACE

By Marco Piccolo Brescacin

September 24, 2020

Regulation of cyberspace is a current and discussed debate in the international law field, especially due to the exponential growth of technologies and globalisation in the last decades. Internet servers in multiple locations, global networks and transatlantic cables under the sea are a reality and cyberspace has become, in a certain sense, a virtual common that is intrinsically linked to public services, health, information and national security services. 

Efforts have been made at an international level to regulate cyberspace but a consensus is far from being reached. The first step towards this might be recognising that general principles of international law should regulate and guide the development of technology, especially when it affects relationships between states. This article briefly describes the main postures of some countries with regards to the regulation of cyberspace and some of the open questions on this topic.

International efforts to regulate cyberspace: cybersecurity or information security?

The complexity of regulating cyberspace is related to its character of ‘virtuality’ and ‘communality’. Precisely due to these features, international law comes into play as a solution to a collective problem and tries to address issues such as cyberattacks, especially because those attacks surpass territorial boundaries and may be carried out without physically invading another state’s territory. This raises questions related to the attribution of such actions, the physical/kinetic consequences of such, and the possible rights that governments may have (for example, self-defence).

The starting point of this discussion (that is, regulation of cyberspace) is the absence or poor  regulation. The UN Group of Governmental Experts (UNGGE) has strived to reach a consensus on these matters, but has failed to achieve anything transcendental due to strategy, politics and ideological differences between Western countries, on one side, and  Russia and China, on the other side. 

On the other hand, there have been important declarations by the UK Attorney General in 2018 and by the French Minister of Defence in 2019 with regards to the UK’s and France’s position, respectively, on applying international law to cyberspace. These statements were preceded in 2012 by clear affirmations of the former US Legal Adviser of the Department of State, Harold Koh, that, pursuant to US’ legal opinion, international law principles apply to cyberspace. It is not a coincidence that in 2013 the Tallinn Manual on the International Law Applicable to Cyber Warfare was published and then in 2017 was expanded as the Tallinn Manual 2.0. Both texts are the result of academic studies that identifies the application of international law to cyberwarfare and, more generally, cyberconflicts. At least, this is the opinion of Western countries.

One of the reasons states do not agree on the regulation of cyberspace is the ideological differences (as well as naked interests) regarding Internet openness and fundamental freedoms between Western powers, Russia, China and Middle East countries. These divergences of opinion make it difficult to reach an agreement to regulate cyberspace and, in general, Information and Communication Technology (Henriksen, 2019). There is a constant debate about how cyberspace should be dealt with: cybersecurity (West) or information security (China, Russia) (Henriksen, 2019). Russia and China’s proposals to ban or regulate cyberweapons are intrinsically related to their wish to maintain domestic political control over information (in addition, of course, to their fears of cyberattacks) .

Cyberspace and warfare: sovereignty and non-intervention

In summary, yes, Western countries are trying to regulate cyberspace and there is a tension because of ideological differences. However, why are the Western powers the first ones interested in establishing clear principles of application of international law regulating cyberspace? Maybe because of its implications in cyberwarfare: as a matter of fact, many cyberattacks and cybernetic intrusions have been carried out during the last few years, allegedly by states (or private actors located in / paid by other states). For example, the NotPetya cyberattack in 2017 on Ukraine attributed to Russia, or the Russian interference in the 2016 United States elections. On top of that, on April 15, the US accused North Korea of certain cyberattacks whereby the country steals and launders money, extorts companies and uses digital currencies to gain cash for its nuclear program. The US, UK and Australia also attributed to North Korea the 2017 WannaCry ransomware attacks. It appears, at least from a superficial point of view, that countries not wanting to regulate cyberattacks are the ones that commit them.

So, yes, there is an interest to clarify how international law applies to cyberspace, especially cyberattacks. But there’s an additional question: are current principles of international law enough? Some authors think that new treaties are not necessary and that the current principles of international law are up to the task. I do not completely agree with this approach. Koh mentions that it is necessary to develop a common understanding about how these rules apply to cyberspace, but wouldn’t that consensus be reflected in a treaty?

I believe such an agreement must, of course, be based on current principles of international law, but be aware of this new and changing reality cyberspace is. Without a clear treaty regulating this matter, many topics are left open to interpretation, although some countries such as Russia and China appear to be happy with this scenario (that is, the legal gap) that allows them to continue organizing and perpetrate cyberattacks (directly or through private actors). In 2015 the UNGGE prepared a draft to clarify regulation of cyberspace, but China and Russia did not accept such document, apparently, because there were explicit references ‘to the potential applicability of the right to self-defence, the general international law principles of countermeasures and international humanitarian law ’ (Henriksen, 2019).

The application of general principles of international law in cyberspace is not as simple as it seems. Further discussions between states are still needed, but those considerations should be directed to the drafting of certain treaties or conventions with specific provisions. In any case, states should clearly state their position as the UK, France and the US have done.