The second substantive sessions of the first United Nations Open-Ended Working Group (OEWG) and the Group of Governmental Experts (GGE), established under the First Committee, have come and gone. During the second meeting of the all-inclusive OEWG, which is open to all 193 UN member states, and the GGE, a wide range of relevant issues were covered. These included voluntary and non-binding norms, rules and principles of responsible state behaviour, how international law applies in cyberspace, how to implement confidence-building measures to build trust between states, and how to increase global capacity when it comes to ensuring cyber security. Both processes build upon previous GGEs, which have already established an international cyber stability framework that is rooted in the consensus reports from 2010, 2013 and 2015 and based on previously mentioned elements.
Process of international law discussions
This article focuses on the exchange of views by states on international law. International law itself is not separate from the other pillars of the framework for increasing and maintaining cyber stability that have been discussed under the auspices of the OEWG and GGE. This was clear given that the voluntary norms of responsible state behaviour were often linked with international law obligations. Many states have acknowledged the existing and growing need to include international law more actively in capacity-building projects. Therefore, it was proposed to develop a central repository which would include state practice and views on how international law applies.
The inclusiveness of the OEWG can be seen as a legal capacity building effort, as every state may voice either its legal opinion or its need to increase its understanding of how international law applies. This was emphasised by several representatives, who pointed out that when it comes to international law, many states are as yet undecided; to be able to contribute to these discussions and draw conclusions, they must first understand the nuances of international law.
Most noteworthy was that there seems to be an increasing readiness amongst states to come forward with their positions on international law, even though this is a rather sensitive topic about cyber. It was allegedly the final nail in the coffin of the previous GGE, which did not produce a consensus report.
We already know that the UK, Australia, France, The Netherlands and Estonia have presented their views on the matter. They have now been joined by, among others, Finland, Austria and the Czech Republic, who each expressed their positions on international law matters such as sovereignty, the principle of non-intervention, due diligence, the prohibition of the threat or use of force, countermeasures and self-defence.
Finland stated that international humanitarian law (IHL) applies to cyber operations when they are conducted as part of an ongoing armed conflict or amount to one themselves. In such circumstances, there would be no reason to deny the protection that IHL provides. IHL being a form of lex specialis, it does not override other rules of international law during an ongoing conflict such as the obligations deriving from international human rights law (IHRL).
Interestingly, Finland came out in strong support of states’ due diligence obligations regarding the cyber environment, claiming that it is a particularly pertinent issue. The representative asserted that states clearly have an obligation not to knowingly allow their territory to be used for activities that cause serious harm to other states, whether using ICTs or otherwise. The state from which the harmful cyber operation originates must also take ‘appropriate action to terminate it, as well as to investigate the incident and to bring those responsible to justice’. This is sometimes regarded as an impossible task and there should not be an expectation for states to be able to stop every malicious cyber operation. Like France, The Netherlands and Estonia, Finland believes it is necessary to take all measures that are feasible under the circumstances. The Finnish representative concluded by stating that such public statements are relevant, and that Finland is working on formulating its own national positions.
Austria used the OEWG as a forum to declare its detailed positions on sovereignty in cyberspace and the application of IHL and IHRL. Austria, as with most others in the room, reaffirmed the applicability of international law but at the same time emphasised the need for a specific consensus regarding the application of customary international law, general principles of law and treaty obligations to cyber operations. Referring to a recent malicious cyber operation that targeted the Austrian Foreign Ministry, the representative drew attention to a principle of state sovereignty. Under the law of state responsibility, conduct that violates the rule constitutes an internationally wrongful act and is attributable to a state, and the targeted state has the right to seek reparations. Among other response options, the injured state may also have the right to react by taking appropriate countermeasures.
However, as several other states mentioned during the week of discussions, references to state sovereignty must not be an excuse to justify human rights violations. The Austrian representative stated that a state’s sovereignty must not serve as a pretence to tighten control over its own citizens by undermining basic human rights, such as the rights to privacy and freedom of expression. In relation to IHL, the Austrian position was that states must acknowledge that cyber operations can be and are conducted by other than conventional means of warfare during an armed conflict. Therefore, all states are obligated to ensure that the lives of innocent civilians are spared. This is the IHL duty which all states must follow, including in respect of ICT incidents.
The Czech Republic’s position
The Czech Republic presented a similar statement on the issues addressed by Austria. It was reiterated that existing international law applies in its entirety and provides sufficient tools to prevent conflict in the cyber domain, a recurring theme throughout the week and across the subject matter. The main issue, as the Czech Republic sees it, is not whether there are gaps in the existing law, but rather that a gap exists in the compliance with existing law and how to apply it in the ICT environment. The representative of the Czech Republic referred to an opinion of the International Court of Justice from 1971 which stated that an ‘international instrument has to be interpreted and applied within the framework of the entire legal system prevailing at the time of interpretation’ and should also be considered from the standpoint of existing international law in relation to state conduct in cyberspace. The representative emphasised that a similar concept is implied by the general rule of interpretation in Article 31(3)b of the Vienna Convention on the Law of Treaties, which states that ‘there shall be taken into account, together with the context, any subsequent practice in the application of the treaty which establishes the agreement of the parties regarding its interpretation’.
From the interpretation perspective, the Czech Republic addressed the issues of sovereignty, human rights and international humanitarian law. Firstly, its representative reiterated the previous GGE reports that principles of sovereignty and sovereign equality are ‘cornerstones for the UN Charter’. Therefore, the principle of sovereignty is an independent right and respect of sovereignty is an independent obligation. This statement was followed by an emphasis on the interconnectedness of the principles of sovereignty and non-intervention. The representative pointed in his oral statement to every state’s right to enjoy the principle of sovereignty without interference from another state, be it ‘an internal one with the exclusive jurisdiction over the ICT located on its territory, or the external one including the determination of its foreign policy, subject only to obligations under international law’.
Like Austria, the Czech Republic confirmed that while exercising its jurisdiction over ICT infrastructure located in its territory, a state must not forget its obligations under international humanitarian law. Human rights apply online and must be also protected online, in particular freedom of expression. Several states, including the Czech Republic and Finland, referred to the recent report by the Freedom Online Coalition on Human Rights Impact of Cybersecurity Laws, Practices and Policies which elaborates on how a human rights-based approach should be the basis for strengthening security and stability in cyberspace.
Finally, the representative of the Czech Republic highlighted the importance of applying IHL by implying that it would in no way encourage the militarisation of cyberspace nor legitimise warfare in general. IHL must apply in instances where it is vital to reduce military use by creating constraints to offer protection.
Most states confirmed the applicability of international law, the UN Charter in its entirety, international humanitarian law and international human rights law. It was encouraging that many representatives mentioned the opportunity to address issues of state responsibility in relation to below-the-threshold cyber operations. However, these views on interpretations and statements on how international law applies were opposed by Russia. The representative of Russia did not explicitly oppose the applicability of international law, but rather believed that this had been one part of the compromise discussed during 2014-2015 GGE and that negotiations on an international legally binding instrument must follow. The necessity for a new instrument was echoed by a few other countries including Syria, Egypt, Iran and Cuba. Given that China has also been well-known for its concern over the applicability of IHL and the militarisation of cyberspace, it was notable that it did not speak out on matters of international law during the week. However, some states argued that the applicability of IHL would escalate the military use of cyberspace.
On the matter of below-the-threshold cyber operations and internationally wrongful acts, some states brought up the legal status of the International Law Commission (ILC) Articles and how views on their customary status differ. For example, Brazil stated that international courts and states have accepted that the articles mirror some part of customary international law – the rules of attribution for example – but that this is not the case with countermeasures. Others, including Japan, believed that states maintain the right to take proportional countermeasures if the rules to do this are filled.
There is an increase in the number of states which have begun to form their own positions, which were mirrored in the increasing need for capacity building and understanding how international law applies. The US pointed out that this should be the focus of the group, stating that there is no need to propose a wide range of new norms or regulations without having a common understanding of how it applies. Therefore, it is premature to discuss whether or not there are gaps in the existing international law. It is important to hear more views from states, perhaps discussing what types of malicious cyber operations could violate international law. In addition, how to avoid or deter these activities and to work together towards a common understanding are important, as are the legal options for states and the constraints placed on them.
The work of the OEWG takes place in parallel with the sixth GGE, which includes 25 experts and discusses similar topics to the OEWG. As the previous GGE did not succeed in its international law discussions, this time it has emphasised in its mandate the opportunity for governments to present their national views on how international law applies as a separate annex to its report. This might be one option to bypass the controversial issue and present divergent views separately. However, there seems to be an agreement that the result of both discussions must maintain what was reflected in the 2010, 2013 and 2015 GGE reports and neither discussion should begin from scratch.
Position papers from states for the OEWG and GGE can be found on their websites and from the UN meetings papersmart site. This overview is based on the public statements made by the state representatives. In addition, all substantive sessions of the OEWG are uploaded to the UN website.
Author: Maria Tolppa, NATO CCDCOE Law Branch
This publication is a part of the INCYDER database, a research tool on International Cyber Developments (INCYDER), established by NATO CCDCOE to facilitate the work of researchers, lawyers, policy-makers and other cyber security-related practitioners. INCYDER offers up-to-date overviews and easy access to the most relevant legal and policy documents adopted by international organisations active in the cyber security domain along with practical summaries and analysis of recent trends within these organisations written by CCDCOE researchers.
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
 Open-ended Working Group on developments in the field of information and telecommunications in the context of international security.
 Group of Governmental Experts on advancing responsible state behaviour in cyberspace in the context of international security.
 Backround of the UN processes are further analysed here: https://ccdcoe.org/incyder-articles/a-surprising-turn-of-events-un-creates-two-working-groups-on-cyberspace/..
 France’s position: ‘The fact that a state does not take all reasonable measures to stop wrongful acts against other states perpetrated from its territory by non-state actors, or is incapable of preventing them, cannot constitute an exception to the prohibition of the use of force’.
 The Netherlands’ position: ‘To this end a state must take measures which, in the given circumstances, may be expected of a state acting in a reasonable manner.’
 Estonia’s position: ‘Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states.’