Writing the Rulebook for Cyberspace

We are witnessing the normalization of global cyber insecurity.

In the last few months, cybercriminals have used ransomware to disrupt the largest U.S. oil pipeline for six days, strike a global meat supplier and disrupt Ireland’s national health system.  Cyber operations targeting software by companies such as Microsoft, SolarWinds and Kaseya have resulted in significant losses for US government agencies, Fortune 500 companies, schools, and mom-and-pop shops alike.  Meanwhile, foreign influence operations regularly pummel  elections and vaccine campaigns with disinformation.  Such threats cry out for responsible countries to act to regain control over the online ecosystem. 

Fortunately, there is a ready-made tool for them to do so — international law — if they are willing to use it. 

Contrary to the idea that cyberspace is a new Wild West where anything goes, the rules of international law provide guideposts on unacceptable cyber behavior.  Over the past year, a new Oxford Process has charted a path forward that countries may use to regain some semblance of global cybersecurity and the rule of law.

For more than decade, countries and other stakeholders have negotiated in the United Nations and other fora over the rules of the road for cyberspace.  In March, a UN Open-Ended Working Group, representing all its member states, affirmed that international law applies to cyberspace.  Far from a seminal moment, however, the UN report masks deep divisions among states about which rules of international law apply to cyberspace and how to interpret those that clearly do. (A later UN Group of Governmental Experts’ report did nothing to alleviate the situation.) Meanwhile, some countries such as the United States and the United Kingdom have become adept at publicly “naming and shaming” other nations, such as Russia, China and Iran for cyber operations.  Yet, so far, they have largely declined to employ legal rhetoric in their attributions. That silence might suggest these operations are “awful but lawful,” or, worse, part of the newly accepted reality of international relations — a reality in which individual companies and users increasingly pay most of the costs for cyber operations by countries against one another.

Despite this reticence, there are good reasons for clarifying the ground rules regarding behavior in cyberspace. First, establishing and articulating the rules will make it easier to determine whether cyber operations have crossed the line of acceptable behavior. There was much debate within and outside Western governments as to whether the SolarWinds cyber operation was a grave wrong inflicted on the United States — with some calling it an act of war — or simply the normal stuff of espionage that international law does little to regulate.  The lack of consensus on the rules meant that it was unclear whether tripwires had, in fact, been triggered. Second, it is much harder to build a coalition to act in response to a cyberattack when allies are not persuaded that adversaries have committed a wrongful act.

States must use the law they have, whether to publicly endorse positive steps or to identify violations when they occur.

In May 2020, with support from the Japanese government and Microsoft, a group of international lawyers gathered (virtually) at Oxford University to address how international law protects us all from harmful state-sponsored cyber operations.  Motivated by the rising tide of cyber operations against the health care sector, more than 100 lawyers issued a statement on the type of cyber operations states are currently barred by international law from pursuing and outlining the positive duties that countries have to police their networks and protect their citizens’ fundamental human rights to life and health.  In the ensuing months, three more statements on international law protections followed on vaccine research, foreign election interference, and information operations.  Most recently, the Oxford Process met to discuss a new statement to address ransomware, including the responsibilities of countries from whose territory such operations originate. 

These statements demonstrate that existing international law rules and principles on the use of force, intervention, sovereignty and human rights delineate which cyber operations countries may conduct against foreign (and domestic) populations. At the same time, international law offers more positive potential, requiring countries to take steps to respect human rights and ensure their territory is not used to harm the rights of others. This last “due diligence” rule may form a key bulwark for holding countries accountable when ransomware groups operate unhindered from their territory.

The Oxford Process cannot supplant state views and agreements on how international law applies in cyberspace.  Rather, it offers a “proof of concept,” demonstrating that agreement can be reached among like-minded actors in a relatively short period of time.  Despite the old adage that asking 10 lawyers the same question guarantees 20 different answers, the Oxford Process identified much common ground among more than 100 international lawyers from diverse systems and backgrounds. Countries can — and must — do the same.  Governments have, moreover, begun to listen, observing Oxford Process sessions in the way industry and civil society traditionally observe UN processes. 

Of course, neither international law nor the Oxford Process is a silver bullet for a problem set as complex as cybersecurity.  And, like states’ own processes, the Oxford Process has revealed areas in need of more dialogue, such as technology supply chain security.  In any case, for international law to regulate cyberspace effectively, it must expand beyond negotiated texts.  States must use the law they have, whether to publicly endorse positive steps or to identify violations when they occur.  Simply put, it is time for countries and other stakeholders to use the international law rules they already have to secure the information and communication technological ecosystem and its now ubiquitous role in our daily lives.