The international community agrees that international law applies in cyberspace. But how does it apply? Interpreting established concepts of international law such as sovereignty, countermeasures, combatancy or perfidy in the novel context of cyberspace can be particularly challenging.   In this post, the editors of the Cyber Law Toolkit, an interactive online resource on international law and cyber operations, introduce some of the pressing legal questions raised by the hostile uses of information and communications technologies. The 2020 annual update of the Toolkit – released this week – offers some solutions while highlighting the need for further research. 

 

By the time you finish reading this article – depending on how quickly you read and which statistic you choose to believe – between 10 and 360 new hostile cyber operations will have been launched around the world. Of the thousands such incidents that occur daily, some inevitably cause transborder economic harm, stir up political tensions or impact on States’ national security. In short, they bring about the type of effects we would expect international law to have something to say about. 

Since 2013, the international community has agreed that international law applies to the use of information and communications technologies (ICTs) by States. However, that agreement – once touted as a ‘landmark consensus’ – opened the door for many more questions. One could say we have since entered the current ‘how’ phase of development of international cyber law: we might know that international law applies in cyberspace, but we are still trying to find out how it applies. 

Consider this example: It is well established that international humanitarian law (IHL) prohibits the misuse of the distinctive emblem such as the red cross and the red crescent. Thus, a soldier who fires at an enemy during an armed conflict from a vehicle marked with a red cross violates this body of law and may be liable for a war crime. But how does that prohibition apply in cyberspace? What if a party to an armed conflict gains unauthorized access to an ICRC mobile app and then uses it to impersonate the ICRC to obtain a military advantage? Would that also be forbidden under IHL? 

In search of practical answers 

In October 2019, the ICRC joined the Cyber Law Toolkit project, which aims to provide answers to cutting-edge questions of international cyber law. They are all in the ‘how’ category: How do the protections of civilian objects during armed conflict apply to cyber operations against civilian data? How does international law protect international organizations against ransomware attacks? How does the obligation to review the legality of new weapons, means, and methods of warfare apply to malware designed to cause physical damage? 

To ground these issues in less abstract terms, the Toolkit organizes its analysis around different hypothetical scenarios. These were chosen on the basis of consultations with technical, policy, and legal experts who identified real-world incidents – some publicly known, some not – that had raised uncertainties about the application of international law. This approach allows the Toolkit to be specific in its analysis without getting bogged down in the particularities of actual prior incidents. 

This week marks the announcement of the Toolkit’s first annual update. Five wholly new scenarios have been added to the Toolkit, which now counts 19 in total. The Cyber Law Toolkit website also contains overview tables for 31 leading publicly known cyber incidents (e.g. WannaCry or NotPetya) that have prompted some of the analysis. The user-friendly Toolkit is further organized by dozens of keywords such as attribution, military objectives, or weapons review. All key legal concepts (e.g. due diligence or self-defence) are also defined in succinct boxes that explain their relevance to cyberspace in general terms. 

This season’s highlights  

New additions to the Cyber Law Toolkit cover a broad range of areas of international law, such as State responsibility, the law of the sea, international criminal law, and IHL. The scenarios are all written in an accessible style intended for a broad audience, including legal practitioners tasked with providing advice on international law and cyber operations in both military and non-military contexts, as well as academics and students of international law. Where several legal solutions are reasonably available, the Toolkit outlines their main contours, even if it ultimately sides with one of them.  

One of the new scenarios explores the constraints that international law places on co-ordinated responses to hostile cyber operations. In the scenario, a State-sponsored ransomware campaign severely interferes with the functioning of various public institutions in another State. The scenario suggests that the victim State’s allies could join it in issuing public attribution statements or imposing a travel ban against the identified individual perpetrators. As the scenario’s analysis shows, however, collective countermeasures – understood as otherwise unlawful measures taken by non-injured States to induce the responsible State to cease its wrongful conduct – are beyond what international law currently permits. 

Another new scenario considers the legal status of various cyber operators during armed conflict. It is no secret that many States are developing military cyber capabilities intended for use in armed conflict. However, the types of personnel involved in such operations differ widely. In the Toolkit’s scenario, a dedicated military cyber unit, a government-run computer emergency response team, and a group of civilian patriotic hackers all contribute to the military effort of a State involved in an armed conflict. Analysis shows that most of these persons would qualify as civilians under IHL, but that their cyber conduct may entail the loss of protection from attack. 

Yet another new scenario zooms in on cyber deception during armed conflict. It analyses how rules of IHL, including the prohibition of perfidy and the prohibition on improper use of established indicators, apply to various military deception operations in cyberspace. These include the hacking of an “e-Red Cross” mobile app, as mentioned earlier. The scenario contends that spreading false information in the guise of the ICRC in this way would be contrary to the object and purpose of the rules protecting the distinctive emblem and as such it would violate IHL. 

The cyber road ahead 

Although the ambition of this update is to further reduce the current uncertainty about the application of international law in cyberspace, many more ‘how’ questions remain in need of answers. For instance, in an August 2020 statement to the UN Security Council, the ICRC President Peter Maurer called for greater clarity on how international law applies to cyber operations against critical civilian infrastructure (for a recent analysis, see this article by three ICRC lawyers in the International Review of the Red Cross). And multilateral discussions on how international law applies to the use of ICTs also continue in two UN-mandated processes, which thus help identify points of convergence as well as divergence among States. 

In the meantime, the Cyber Law Toolkit has just issued a call for submissions in view of the next planned general update in September 2021. The editors welcome suggestions for new scenarios from experts in the field as well as feedback on the existing ones from the current and future users of the Toolkit. It is our hope that in addition to offering – as the name suggests – practical tools for legal advisers, the project will also continue to contribute towards the development of shared understandings about international cyber law and thus to making cyberspace a more stable and secure domain. 

The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with wide array of topics related to international law and cyber operations. The project is currently supported by the following partner institutions (listed in alphabetical order): Czech National Cyber and Information Security Agency (NÚKIB); International Committee of the Red Cross (ICRC); NATO Co-operative Cyber Defence Centre of Excellence (CCDCOE); University of Exeter; and Wuhan University. The Toolkit consists of 19 hypothetical scenarios, each of which contains a description of cyber incidents inspired by real-world examples and accompanied by detailed legal analysis. The Toolkit content only reflects the views of its authors and it does not represent the views of any of the partner institutions, or of any of the organizations that the authors are, or have been, affiliated with. 

This post is also available in Mandarin Chinese.

See also