Existing international law is the starting point
Illustration by NICOLÁS ORTEGA
We are witnessing the normalization of global cyber insecurity.
In the last few months, cybercriminals have used ransomware to disrupt the largest U.S. oil pipeline for six days, strike a global meat supplier and disrupt Ireland’s national health system. Cyber operations targeting software by companies such as Microsoft, SolarWinds and Kaseya have resulted in significant losses for US government agencies, Fortune 500 companies, schools, and mom-and-pop shops alike. Meanwhile, foreign influence operations regularly pummel elections and vaccine campaigns with disinformation. Such threats cry out for responsible countries to act to regain control over the online ecosystem.
Fortunately, there is a ready-made tool for them to do so — international law — if they are willing to use it.
Contrary to the idea that cyberspace is a new Wild West where anything goes, the rules of international law provide guideposts on unacceptable cyber behavior. Over the past year, a new Oxford Process has charted a path forward that countries may use to regain some semblance of global cybersecurity and the rule of law.
For more than a decade, countries and other stakeholders have negotiated in the United Nations and other fora over the rules of the road for cyberspace. In March, a UN Open-Ended Working Group, representing all its member states, affirmed that international law applies to cyberspace. Far from a seminal moment, however, the UN report masks deep divisions among states about which rules of international law apply to cyberspace and how to interpret those that clearly do. (A later UN Group of Governmental Experts’ report did nothing to alleviate the situation.) Meanwhile, some countries such as the United States and the United Kingdom have become adept at publicly “naming and shaming” other nations, such as Russia, China and Iran, for cyber operations. Yet, so far, they have largely declined to employ legal rhetoric in their attributions. That silence might suggest these operations are “awful but lawful,” or, worse, part of the newly accepted reality of international relations — a reality in which individual companies and users increasingly pay most of the costs for cyber operations by countries against one another.
Despite this reticence, there are good reasons for clarifying the ground rules regarding behavior in cyberspace. First, establishing and articulating the rules will make it easier to determine whether cyber operations have crossed the line of acceptable behavior. There was much debate within and outside Western governments as to whether the SolarWinds cyber operation was a grave wrong inflicted on the United States — with some calling it an act of war — or simply the normal stuff of espionage that international law does little to regulate. The lack of consensus on the rules meant that it was unclear whether tripwires had, in fact, been triggered. Second, it is much harder to build a coalition to act in response to a cyberattack when allies are not persuaded that adversaries have committed a wrongful act.
In May 2020, with support from the Japanese government and Microsoft, a group of international lawyers gathered (virtually) at Oxford University to address how international law protects us all from harmful state-sponsored cyber operations. Motivated by the rising tide of cyber operations against the health care sector, more than 100 lawyers issued a statement identifying the type of cyber operations states are currently barred by international law from pursuing and outlining the positive duties that countries have to police their networks and protect their citizens’ fundamental human rights to life and health. In the ensuing months, three more statements on international law protections followed on vaccine research, foreign election interference, and information operations. Most recently, the Oxford Process met to discuss a new statement to address ransomware, including the responsibilities of countries from whose territory such operations originate.
These statements demonstrate that existing international law rules and principles on the use of force, intervention, sovereignty and human rights delineate which cyber operations countries may conduct against foreign (and domestic) populations. At the same time, international law offers more positive potential, requiring countries to take steps to respect human rights and ensure their territory is not used to harm the rights of others. This last “due diligence” rule may form a key bulwark for holding countries accountable when ransomware groups operate unhindered from their territory.
The Oxford Process cannot supplant state views and agreements on how international law applies in cyberspace. Rather, it offers a “proof of concept,” demonstrating that agreement can be reached among like-minded actors in a relatively short period of time. Despite the old adage that asking 10 lawyers the same question guarantees 20 different answers, the Oxford Process identified much common ground among more than 100 international lawyers from diverse systems and backgrounds. Countries can — and must — do the same. Governments have, moreover, begun to listen, observing Oxford Process sessions in the way industry and civil society traditionally observe UN processes.
Of course, neither international law nor the Oxford Process is a silver bullet for a problem set as complex as cybersecurity. And, like states’ own processes, the Oxford Process has revealed areas in need of more dialogue, such as technology supply chain security. In any case, for international law to regulate cyberspace effectively, it must expand beyond negotiated texts. States must use the law they have, whether to publicly endorse positive steps or to identify violations when they occur. Simply put, it is time for countries and other stakeholders to use the international law rules they already have to secure the information and communication technological ecosystem and its now ubiquitous role in our daily lives.
Dapo Akande is professor of public international law and co-director of the Oxford Institute for Ethics, Law and Armed Conflict at the University of Oxford, and a fellow of Exeter College. He has held visiting professorships in the US and Europe, including at Yale Law School. He is a co-convenor of the Oxford Process on International Law Protections in Cyberspace and was on the International Group of Experts for the “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.” He is co-author of “Oppenheim’s International Law: The United Nations” (2017), which was awarded a certificate of merit by the American Society of International Law, and an editor of the “Oxford Guide to International Humanitarian Law” (2020).
Akande has been an adviser on international law issues to United Nations bodies, the African Union Commission, the Commonwealth Secretariat, the Association of South East Asian Nations, as well as to states and nongovernmental organizations. He has acted as advocate, counsel or adviser/expert in cases before international and national tribunals, including the International Court of Justice, the International Tribunal for the Law of the Sea, the European Court of Human Rights, international arbitral tribunals, World Trade Organization and North American Free Trade Area Dispute Settlement panels, and the UK Supreme Court. He served as legal adviser to the UK Parliament’s All-Party Parliamentary Group on Drones.
Duncan B. Hollis is Laura H. Carnell professor of law at Temple University’s James E. Beasley School of Law and a nonresident scholar at the Carnegie Endowment for International Peace. His scholarship engages with issues of international law and cybersecurity, with a particular emphasis on treaties, norms and other forms of international regulation.
He is a co-convenor of the Oxford Process on International Law Protections in Cyberspace. From 2017-2020 he served on the Organization of American States’ Juridical Committee, including as rapporteur on “Improving Transparency on How States View International Law’s Application to Cyber Operations.”
Hollis’s books include “Defending Democracies: Combating Foreign Election Interference in a Digital Age” (with Jens Ohlin), two editions of the award-winning “Oxford Guide to Treaties,” as well as the seventh edition of the textbook “International Law” (with Allen Weiner). He is an elected member of the American Law Institute and served as an adviser on the fourth restatement on the Foreign Relations Law of the United States. Hollis frequently engages with state and nonstate actors on cyber issues and is a regular consultant for the Microsoft Corp. and its Digital Diplomacy program.