In recent years, states have increased their capabilities in the cyber domain to conduct attacks that harm other states. In his book ‘The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age’, David Sanger of the New York Times mentions that more than 30 states currently have the capability to conduct cyberattacks. He also wrote that about 200 known state-on-state cyberattacks have happened in the last decade or so.
In this context, in February 2017, Microsoft President Brad Smith proposed a ‘Digital Geneva Convention’ (DGC) to counter the growing number of state-on-state cyberattacks. While proposing the DGC (see figure 1), Mr. Smith also advocated the establishment of an IAEA-like international, independent organization to monitor cyberspace activities between and among states, and to identify attackers. The proposal also calls for an industry agreement to create a shared set of principles and behaviours that would protect citizens and have binding rules for states. Subsequently, there has been ongoing discussion among experts about the merits and demerits of the proposed convention.
Although the US and the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) have opposed the proposed DGC, a number of tech leaders, the World Economic Forum and UNHCR have welcomed the initiative. During the Munich Security Conference in February this year, Siemens launched the ‘Charter of Trust’. Setting a course similar to the DGC, the key goal of the charter is to set minimum general standards for cybersecurity that are in line with the requirements of state-of-the-art technology. Similarly, in April, 34 companies, mostly American, signed the ‘Cybersecurity Tech Accord’, pledging not to assist any government in launching cyber operations and to help victim states in dealing with cyber operations. The accord, which now has 61 signatories, was viewed as a first major sign of movement towards the realization of the DGC. However, the accord has a number of issues, such as the innocence issue, the mechanism for implementing the commitments and the undefined criteria for public reporting against goals.
While proposing the DGC, Mr. Smith implied the existence of a normative legal void with respect to state-sponsored cyberattacks. However, extensive existing international law is applicable to the cyber domain. The perception of a normative legal void exists due to the inherent weakness of the international law enforcement framework and the attribution problem.
Despite an ongoing debate about the feasibility of applying existing international law to cyberspace, a number of efforts have been undertaken to extend the applicability of international law to the cyber domain. The most significant effort in the cyber governance discussion came in the form of the NATO-sponsored Tallinn Manuals (the first manual in 2013 and the second in 2017). The Manuals were the outcome of international law experts and practitioners studying which treaty provisions can be applied to cyberspace and whether current state practice has solidified to the point that it may be considered customary international law. However, the Tallinn Manual’s practicality in restraining cyber conflict is modest for the following reasons:
- Failure to gain wider support
- Offering interpretation of only existing international law
- The Manual is only an expression of experts’ opinion regarding existing law
- Slim chances that an international agreement regarding global cyber governance can suffice.
Similarly, the UN-mandated Group of Governmental Experts (GGE), which deliberates about new technologies and consists of experts from interested states, issued two reports (the first in 2013 and the second in 2015) outlining consensus-based principles. But the working group has stalled since mid-2017 due to a breakdown of consensus.
Turning to the applicability of international law to cyberspace, the assessment that the Law of Armed Conflict applies to cyberspace is acknowledged by NATO, the UN GGE reports and several states. In its Nuclear Weapons Advisory Opinion, the International Court of Justice (ICJ) confirmed that Article 2(4) [prohibiting the use of force] and Article 51 [right to engage in self-defence] of the UN Charter apply regardless of the weapon used. In the same opinion, the ICJ indicated that the law of armed conflict applies “to all forms of warfare, and to all kinds of weapons, those of the past, those of the present, and those of the future.” Regarding sovereignty, Rule 66 of the Tallinn Manual, which is based on the sovereignty principle and Articles 2(1), (3) and (4) of the UN Charter, states that ‘[a] State may not intervene, including by cyber means, in the external or internal affairs of another state’.
Despite the applicability of certain parts of existing international law to the cyber domain, the attribution problem persists. International law does not apply to an individual who conducts a cyber operation on his/her own. In such a scenario, the host country can either prosecute that individual under its own laws or extradite the individual to the victim state. However, the extradition process may also prove difficult, as a state might refuse to extradite. A case in point is the failure of American authorities to extradite alleged Russian hackers from several European countries.
Similarly, there is also an ongoing debate as to whether states should reveal their covert cyber capabilities in order to build a case against a state for conducting a cyber operation. Apart from the attribution problem, the major problem in implementing the DGC will be the willingness of cyber-active states, especially the ‘seven sisters of cyber conflict’, to abide by such a convention. Enforcement mechanisms need to be strengthened by imposing economic sanctions on, or condemning the actions of, states involved in conducting cyber operations against other states.
Under the DGC, every stakeholder will be allocated a designated action area. States would be signatories of the DGC, the private sector will have its own industry agreement like the ‘Cybersecurity Tech Accord’ and an INGO would be responsible for investigating cyber-attacks. This multilateral approach is opposed by the US and the NATO CCDCOE because they believe that the proposed convention will transform the traditional multi-stakeholder governance model of cyberspace, which favours Western countries, into a multilateral approach, which is preferred by China and Russia.
In his book, Mr. Sanger pointed to the fact that no Russian, Chinese or Iranian companies have so far become signatories to the Global Cybersecurity Accord. Similarly, tech giants like Google and Amazon continue to struggle between their desire to do vast business with the American military and their desire not to alienate their customers. The absence of any provision supporting human rights has also been pointed out as a major shortcoming of the accord. The proposed convention is also considered by some experts to be flawed from an international law perspective because it ignores the provisions of existing international law for the cyber domain. For example, Microsoft proposed applying the Geneva Conventions, which were meant to regulate war, in peacetime conditions.
The debate about the necessity of the DGC will continue in the near future. If lessons from history are learnt, then the DGC should introduce technical standards that should stop any form of cyber intrusion. History bears witness to the fact that the successful models that regulated communication technologies in the past were those in which states agreed to technical standards rather than abstract principles that are difficult to enforce. Even after its weaknesses are addressed, materialization of the DGC might take several years, but the proposed convention can be seen as a continuation of steps towards an international cybersecurity arrangement.