Adaptation of International Security Law to Information Space

Adaptation of International Security Law to Information Space

1. The importance of the issue of international security law adaptation with regard to use of ICTs as means of «coercive» solution of tensions in international relations is one of the aspects of the nationstates’ policy in the field of international information security [1].

This is consistent with the general focus of the UN General Assembly resolutions on the Developments in the field of information and telecommunications in the context of international security (2010–2014), and the reports of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2010, 2013).

The need to find solutions to the problem was supported by the participants of international conferences organized by the International Committee of the Red Cross (San Remo — 2014, Moscow — 2014, St. Petersburg — 2015). According to experts, the situation in the field of conflict prevention in cyberspace is characterized by the following.

On the one hand, international security law is applicable to information space (it is taken into account that the sources of international law are: international conventions; international custom, as evidence of a general practice; general principles of the law recognized by civilized nations; judicial decisions and legal doctrines — as auxiliary material).

On the other hand, there is no consensus on the administration of the rules and principles of international law relevant to regulation of corresponding international relations.

2. The complexity of finding the solution to the issue of international security law application to cyberspace is determined by the following factors.

2.1. There is a lack of agreement between the member-states of the United Nations on the subject of legal regulation. The Western states are willing to discuss issues of regulation of relations with regard to the use of ICTs as a «force», but do not agree to discuss their use as a «power» of the media and communications.

2.2. The processes of malicious use of ICTs are not observable. As a consequence, without the use of special technical means it is impossible to objectively ascertain neither the facts or malicious use of ICTs, nor the consequences of the use of ICTs (the extent and type of damage) nor the entities engaged in these acts. Common attributes of malicious use of ICTs to be recorded by technical means are not defined. There is no international system of objectification of events and attribution of subjects in cyberspace.

2.3. ICTs have no attributes of weapons. This makes it significantly more difficult to classify the use of ICTs as an «armed attack» or «hostilities» that respectively bring about legal relationships associated with both the application of the right to self-defense, and compliance with international humanitarian law.

2.4. Enforcement in the field of international security (including the sphere of ICTs) is carried out by nation-states discretionary with the use of national or regional technical means of objectification of events and attribution of subjects.

Within the jurisdiction of one nation-state or a group of friendly nations enforcement is based on presumption of fairness of the individuals (and their actions) engaged in the operative investigative measures over the facts of malicious use of ICTs. Considering interactions between the nations that are not in relations of mutual trust, presumption of fairness is impossible due to the fact that many nation-states have sufficient technological capabilities to falsify data on almost all events and subjects of cyberspace.

2.5. International law doesn’t provide for frameworks to bind the address space where ICTs are applied to national borders. Presently, the functions of IP-addresses distribution are largely performed by non-governmental organizations, who are not the subjects of international public interactions. This creates additional difficulties when defining the boundaries of battle grounds and neutral states, designation of objects and persons protected by international public law in cyberspace.

2.6. Considering the fact that no nation-state has international obligations in the field of cyberspace security, it is difficult to define the boundaries of national sovereignty and jurisdiction of nation-states. This issue is particularly important in the light of the current practice, when nation-states consider cyberspace security as an element of national security.

3. Presently there are two methodological approaches to solving the problem.

3.1. The first approach is based on the development of general principles of law. This approach is being actively pursued by a team of specialists who have been commissioned by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn (Estonia). As assigned by this Centre, an international group of experts (lawyers and experts in the field of computer science) has developed a so-called Tallinn Manual on the International Law Applicable to Cyber Warfare [2], which is often promoted by specialists of Western countries as a possible framework for the preparation of a universal international convention.

One can formulate a few remarks on the essence of approach proposed by the Manual.

As noted in the Preface to the Manual, the proceedings are methodologically based on the draft Convention on Responsibility of States for internationally wrongful acts, which is treated as a source of international law, although it has only been discussed and noted by the United Nations General Assembly (2001) [3]. One of the central provisions of the draft Convention is the right of every State or group of States to carry out within their own sovereignty and jurisdiction:
• interpretation of observed events in cyberspace as hazardous to the national information infrastructure;
• classification of these events as meeting the norms of international law or as internationally wrongful acts;
• decisions about what country is responsible for the event, which is classified as an internationally wrongful act;
• countermeasures against the country that is ascertained to be responsible for a dangerous violation of international law.

It appears that without a framework for objectification of events in cyberspace and attribution of the subjects of such actions, as well as in the absence of generally accepted interpretation of the term «internationally wrongful acts of States» and a list of such acts, the application of provisions of the draft Convention inevitably increases the risk of provoking an armed conflict between nation-states.

Similar consequences will follow the implementation of recommendation of the Manual that it is not necessary to take into account an attribute of an «armed» attack when investigating a «computer operation» against a member-state of the UN. The removal of this attribute blurs the rigid boundaries of lawful conduct of nation-states in the application of the right of individual and collective self-defense, enshrined in Article 51 of the UN Charter. As a consequence, this leads to an increase of risk of international conflict, which may be provoked by possible erroneous assumptions about the existence of the fact of malicious use of ICTs and ensuing of relevant consequences that exceed the thresholds for the emergence of relations under international treaties about an «armed attack» or the threat or use of force against the territorial integrity or political independence of the victim nationstate.

The international team of experts which prepared the Tallinn Manual disregarded the fact that under existing international conventions no nation-state has any obligations whatsoever to ensure the sustainability of the Internet (we can hardly consider as such the obligations of ICAAN, which in its statutory documents has self-assigned the security of DNS to itself). At the same time, it is assumed that such obligations with regard to the national segment of the network (the boundaries are not defined), as well as responsibility for their fulfillment are derived from the general principles of the law. Under certain circumstances these aspects can also provoke an international conflict.

The foregoing leads to a conclusion that the implementation of this approach can be detrimental to international security, as, in fact, leads to degradation of conflict prevention mechanisms enshrined in the UN Charter, and does not contribute to one of the main objectives of the United Nations — «to save succeeding generations from the scourge of war» (Preamble of the UN Charter).

3.2. The second methodological approach to solution of the problem is based on exploiting the potential for progressive development of positive law — the UN Charter, international conventions and treaties in the field of international security. It is based on proposed concept of «implicit weapons», which determines the conditions for a possible consideration of ICTs as a weapon.

This concept is found upon the precedent created by the UN Security Council resolutions [4] based on discussion of the tragic events of September 11, 2001. It is known, that as part of these events international terrorists attacked civilian and military targets by use of civil aircraft as weapons of destruction. The UN Security Council did not object to exercise of «inherent right of individual or collective self-defence» by the United States in accordance with Article 51 of the UN Charter and, therefore, — to the use of armed force against Afghanistan in the framework of declared global war on international terrorism.

Thus, the above mentioned UN Security Council resolutions introduced the concept of «implicit weapons» in international practice. Its essence includes the following aspects. Any non-military device or mechanism can acquire the properties of weapons, if disruption of normal functioning of such device or mechanism (including through the use of ICTs) can be used to injure personnel and/or damage military equipment. In this case, attack on the territory of a nation-state by the use of such devices or machines can be qualified as an «armed attack».

The adoption of «implicit weapons» concept as a basis for identification of the use of ICTs by the nation-states as the «use of force» and «armed attack» allows us to highlight these main areas of adaptation of international security law:
• clarification of the terminology of international law of conflict prevention with regard to cyberspace (rules of responsible behavior of nation-states in cyberspace);
• peaceful resolution of international disputes related to instances of malicious use of ICTs;
• detection of attacks with the use of ICTs (impact assessment, subsumption of attacks, methods of settling international disputes);
• progressive development of principles and norms of international humanitarian law with regard to conduct of hostilities with the use of ICTs as «implicit weapons» (delimitation of national borders in cyberspace; designation of objects protected under international humanitarian law; objectification of hazardous events associated with malicious use of ICTs; attribution of nation-states that initiated the malicious use of ICTs);
• development of principles and norms of international human rights law with regard to the aspects of military activities with the use of ICTs;
• development of international procedural law with regard to cases of malicious use of ICTs for settlement of international disputes.

The adaptation of international security law to cyberspace and consolidation of the legal developments in international legal instruments would lay the foundations of international legal framework for cybersecurity. An actual form of consolidation for proposed legal developments is a separate issue to be addressed in the framework of adaptation of international humanitarian law and international law of conflict prevention to cyberspace.

Thus, the implementation of an approach based on «implicit weapons » concept makes it possible not only to significantly reduce the risk of an international conflict provoked by malicious use of ICTs, but also to create conditions for the implementation of the UN Charter Article 2 (3) provisions for peaceful settlement of international disputes.

 

[1] Основы государственной политики в области международной информационной безопасности на период до 2020 года. Утверждены Президентом Российской Федерации. 2013 г.
[2] Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual). M.Schmitt et al. eds. Cambridge University Press, forthcoming 2013.
[3] Ответственность государств за международно-противоправные деяния. Резолюция Генеральной Ассамблеи ООН A/RES/56/83 от 21 декабря 2001.
[4] Резолюции Совета Безопасности ООН №1368 от 12 сентября 2001 г. и №1373 от 28 сентября 2001 г.

 

This speech was delivered at the 11th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 20-23 April 2015 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.