The applicability of international law in cyberspace
In research on and analysis of how legal standards apply to information security and the legal regulation of cyberspace, most attention is focused on extending to cyberspace the fundamental principles (humanitarian, non-proliferation, property, freedom of speech, protection of the individual, etc.) and the principles of international law enshrined in the UN Charter [1–3]. Another approach to research on legal regulation in cyberspace is based on methods similar to those used to regulate outer space, airspace, Antarctica, etc.
Such analogies are not always correct. The main reason is that, although the abovementioned objects pertain to the activities of mankind (otherwise there would have been no such norms), the degree of their use is relatively low in comparison with overall human activity.
Cyberspace, on the contrary, affects almost all spheres of activity. Such an approach could have been valid for cyberspace 20–30 years ago, to be followed by the development of «cyberlaw» and its division into different sections and directions as the use of cyberspace developed. But at present the problem has become so complicated that regarding this space as a whole is reasonable only from a philosophical point of view, while practice requires much greater detail.
What we now call cyberspace is essentially a superstructure built upon the sprawling data transmission infrastructure, the Internet. Therefore, the most popular approaches are those that represent the foundation of cyberspace, the Internet, as a communications and transport system [4, 5].
In general, the Internet is definitely a communication system, in terms of both its purpose and the social impact that communication systems (primarily radio and television) have had on society. However, the Internet is not just a communication network but a computer network, a packet data network; it is much more complicated, but also more flexible and versatile. In fact, it is a further evolution of communication systems, which requires the development of appropriate standards and regulations, and the rapid development of the packet data network, the Internet, has resulted in a situation where the rules of the previous communication systems cannot be adapted to the network structure.
However, if we recall that the Internet was created specifically as a transport medium, as a packet data network (IP data packets), and that all these functions have already become an individual industry, we can see that current economic practice is consistent with the activities of operators of non-information transport systems (shipping, aviation, railway and other transport companies). Following this line of reasoning, one can try to apply to the information infrastructure the principles of legal regulation and security developed over many years of practice in non-information transport systems, and to use the methodology, approaches and practice of the complex and diverse transport law and the transport regulatory guidelines [6–8] to find legal solutions related to a more detailed representation of the Internet and cyberspace.
Multilayer model of the global network
To simplify the issues in question, the multilayer ISO/OSI model, or the simpler TCP/IP model (which is the basis of the Internet), is used in the analysis of the global Internet. Let’s examine these layers using the abovementioned approach of comparing the Internet to different transportation systems.
Data link layer — these are real-world objects: fiber optics, satellites, twisted pair wires, the simplest switches, etc., and the rules of their interaction. In accordance with the proposed analogy, we can mention as an example roads or railways with their functional devices (track switches, substations, etc.). This example may also include (with regard to their specific features) sea and river routes, air space for air traffic, and oil and gas pumping infrastructure. They are all physical material objects (or environments), which are regulated under national and international legislation and regulation rules. The regulators of these physical carriers are, in particular, the International Telecommunication Union and others.
Network layer — a layer of interaction between all these communication lines. It also has physical devices, which for convenience are combined with the equipment of the physical (and the next, transport) layer, most notably routers and switches.
By analogy with the preceding layer, here we can consider both vehicles and means of traffic control. For the railways there are locomotives, carriages, traffic control systems and so on.
It is easy to draw an analogy with the other forms of transport. All of this includes not only logical constructs and organizational structures, but also physical material objects. And being the material objects, they must be regulated by national and international legislation and specific regulatory guidelines. Today such specialized regulators are, in particular, ICANN, IANA and others.
Transport layer — a layer of more complex protocols, which facilitate network information exchange between different hosts, devices, applications, servers, and personal computers (or rather between their components responsible for information exchange).
We provide the following examples as an analogy: logistics, organization of cargo and passenger traffic between stations, terminals, ports, airfields, etc. All of this also includes not only organizational structures, but physical material objects as well. And being material objects, they must be regulated by national and international legislation and regulatory guidelines. Today such regulators are, historically, ICANN, IANA and others.
Application layer — in fact this is the cyberspace where people and their software interact (in a certain sense it is already an artificial intelligence). To facilitate this interaction they require personal computers (or other devices of human interaction with the network) and servers, etc.
Applying the same analogy, we can consider the exchange of goods between organizations and people, and transportation as such. Not only quantity is important here, but also the content: specific types of goods, migration, etc. All of this should also be regulated by national and international legislation. At this layer, there are also services which enhance the convenience of interaction with the transport system. In conventional transport systems these services include transport agencies, catering services, luggage processing systems, and so on. For the Internet, the analog is a more convenient naming system for network resources, the Domain Name System (DNS), and the infrastructure information database (whois service). Their regulatory guidelines have historically been introduced and supported by the same regulators (ICANN, RIPE, and others).
From the abovementioned it is evident that the issue of network regulation of cyberspace concerns primarily the network and transport layers. The application layer is of interest in terms of the services that enable and «govern» the network and transport layers, for example DNS and the infrastructure information database; in other cases one can try to draw upon the existing rules. Here we consider the issues of network security on the basis of the proposed approach (on the network and transport layers).
Special aspects of network security
When people talk about network security, it is understood as information security pertaining to a global network, to the elements of its network, transport and partially application layer and, above all, to the elements of critical information infrastructures (CII).
Security of network and transport layers implies: availability and integrity in information exchange, and in some cases, protection of data traffic and network controlling information (confidentiality). From the standpoint of network and transport layers, even if we do not consider the characteristics of different types of network attacks, it may be noted that the assurance of availability, spoofing resistance and confidentiality is related not only to destruction, interception, or injection of malicious traffic, but also to the issues of addressing and traffic management: routing and maintenance of the domain name system as a
The architectural concept of a global network is that it is a coherent association of individual networks, the autonomous systems of the Internet (interaction between which is based on specific protocols), and this ensures high survivability and reliability of the network if the rules of interworking are fully complied with. However, the regulations are not always accurately and strictly followed, they are deliberately broken in the case of illegal actions (for military or criminal purposes), and the communication protocols as such require development and refinement.
Another aspect is that attacks on the elements of the network are carried out through the network itself, through its network and transport layers. If we apply the abovementioned analogy to these layers, these are attacks on the elements of the transport infrastructure: roads, bridges, stations, ports, ships, etc. (which have repeatedly happened in the world). Moreover, it is assumed that the source of the attack is a priori admitted to this infrastructure, and is limited only by its regulations.
Another important aspect of network attacks is that it is easier to carry them out from the position of the provider (i.e. a position where direct access to network elements is available) or of other direct participants in this activity, and this is essential for attacks on routing systems or DNS. Applying the previous analogy, we can say that the source of the attack is not only admitted to this infrastructure, but is its owner or moderator, i.e. has almost limitless potential for its use.
Moreover, as mentioned above, all information exchange activity is a trade in IP traffic, and if it were not for an economic stimulus, the network would cease to exist. The main beneficiaries here are the providers engaged in peering and Internet traffic transit, and through them and the other network users, profit is gained by equipment manufacturers. Regulatory authorities and, partly, different content providers such as Google, Facebook, and others all live off these funds (however, this is related to the application layer, where there are also other financing sources). It is quite clear that all beneficiaries and other associated entities are interested in ensuring the security and reliability of the network (otherwise the service will not be in demand). But this applies only to conditions where it is possible to get these benefits!
Indeed, in any case of violation of normal economic activity due to external (revolution, martial law, nationalization, bankruptcy and so on) or internal causes none of the abovementioned organizations have an incentive to maintain the reliability and security of the network. The only interested parties are the users of the network (individuals, companies, government agencies).
Investigation and objectification of facts of network attacks
Investigation of possibilities to prevent, counter and investigate such network attacks is obstructed by the difficulty of their detection and attribution.
Firstly, it is difficult to determine whether the event was a flaw in design and software programming, or there was an actual computer attack. The fact is that any software has errors, the consequences of which could be catastrophic. There are enough examples of real disasters with a large number of casualties or huge economic losses caused by software errors, the source of which were design or programming flaws rather than cyberweapons or backdoors. All this requires a careful study of software code as a part of incident analysis, and, in the absence of human-readable source code, this task is incredibly difficult and is comparable in complexity to the creation of similar software.
Secondly, it is necessary to identify the source of the attack. In the well-known Stuxnet cyberattack, the alleged involvement of the United States and Israel in the creation of the code has not been proved, although it is sometimes possible to detect the source of network DDoS attacks, which are executed constantly on the network. Typically, they are conducted by hacker groups and not by cybertroops of nation-states. And everything is much more complicated in the case of targeted attacks. The fact is that all of the existing «intrusion detection» systems actually detect only the characteristics of an action that resembles an intrusion or a change in the system, and the analysis of the actions, the changes in the system and the machine code is performed by specialists.
Furthermore, when the intrusion is detected significantly late, there remains no log data, and to determine the source it becomes necessary to analyze the machine code of embedded programs — and creators of such programs rarely leave autographs.
As is evident from the abovementioned issues associated with the identification of the attack, technical means alone will be insufficient to determine the cause and origin and to attribute evidence of the criminal use of ICTs. For each such incident it will be necessary to conduct an investigation to determine its nature and to secure the obtained evidence in case the event is recognized as a criminal activity.
The same approach is used in existing transport systems. This is true not only with regard to international commissions, which investigate major air, rail or sea disasters, but also in cases of searches for missing goods, traffic disturbance, recovery of compensation for losses attributable to the carrier, etc. If the cause of the incident is not obvious, the work of such commissions usually starts with the collection and verification of information on personnel qualifications and the quality of vehicles, their maintenance, inspections, certification, etc., as this makes it possible not only to identify the possible causes of the incident, but also to create a basis for further work.
For such investigations, the correct attribution of network attacks requires not only arrangements for the investigations to be carried out by authorized personnel, but also requirements for the software that will be examined:
• software must be installed (purchased) officially;
• software must be signed with a trusted developer certificate;
• the developer should store (or hand over) the source code of the installed software for further analysis;
• all software changes (improvements, modifications, bug fixes) must be signed, and their source code stored.
Such software requirements can be considered a certification of software that should be installed at information infrastructure nodes that can be targets of aggression and must be protected. On a side note, the use of uncertified equipment and transport routes constructed with violations of regulations has long been prohibited in existing transport systems, and it doesn’t matter who the manufacturer was (Boeing, Airbus or TU).
Another important factor in the attribution of network attacks is the elimination of anonymity. In existing transport systems, where the consequences of criminal acts can be significant (air, rail, maritime transport), no one has been traveling incognito for a long time, and only goods of named customers are transported. All information is recorded in individual tickets and consignment notes. Anonymity still exists in public transportation or with regard to some postal items, but the cause of this is not the desire to preserve anonymity, but the complexity of capturing information for mass transportation or mail. In any case, other means of capturing information are used here, namely video surveillance systems in public transport, public places, etc.
Similar approaches can be used for users of the global network. This is not about sending a photo of the user with each IP packet he sends. But ISPs, in order to receive their payment, conclude service contracts with individuals and legal entities. Moreover, many content providers already use mobile devices as a means of user authentication or as payment terminals. That is, authentication of any entity that interacts with a global network is technically feasible; the results of such authentication should be made available only when an investigation is carried out, which makes it possible not to infringe the right to commercial confidentiality or privacy.
Various means of registration are the most important source of information during investigations. In conventional transport systems, in addition to the control information database, there are black boxes, which capture information on the basic events taking place on board the vehicle.
In the case of investigation of network attacks such information is often unavailable. This is primarily due to the fact that the number of events, occurring in the network, is too great, and either the registration systems are not able to store such quantities of information, or it becomes too expensive. Here it is appropriate to make three observations.
Firstly, the registration systems are used for different purposes, and for safety reasons they store redundant information; separating out and storing the most important information will make it possible to decrease the volume of stored data and to increase the time of its storage.
Secondly, the most technologically complicated systems in terms of registration are the backbone nodes, where electronic equipment has already fallen behind the speeds provided by fiber-optic communication lines. In this case, we can recommend distributing the function of registration among slower nodes. Thirdly, the transition to IPv6 makes it possible to include additional information in the «carrier vehicles» of the network, even though this will increase overhead costs; but security is never free of costs.
Prevention of Network Attacks
To ensure security it is more effective not just to detect and identify the sources of network attacks, but also to prevent them, to avoid possible negative effects.
In existing transport systems it is achieved by:
• terms and conditions of transportation services;
• transport network rules of operation;
• standards for vehicles and routes;
• introduction of administrative and criminal penalties for violation of these rules and regulations.
In the information network the function of such rules and regulations is exercised by various ISO standards, RFCs and user connection rules. However, neither RFCs nor ISO standards have legal force (unless they are duplicated by a national standard; for the Russian Federation it is GOST). That is, they are «de facto» standards and regulations, which are used according to an established practice. At the same time, as noted above, both users and service providers fall under the jurisdiction of the host country with regard to property relations, contractual obligations, financial and tax reporting, and so on. But the substance of their information transfer activities on the transport and network layers is virtually unchecked.
As of today, this activity is controlled only by the Internet community, the telecommunication services market and regulatory organizations. That is, the current practice does not provide for control by the country in whose jurisdiction a part of the network and its equipment is located.
This being said, many regulatory functions are controlled by a single country which at the time created the Internet. For example, ICANN distributes address space and domain names and carries out maintenance of DNS-servers worldwide (this can be considered as the issuance of passports to all inhabitants of the Earth only by US immigration services).
But because the State should be responsible for the criminal acts perpetrated from its territory, it should be able to prevent or terminate such actions. With regard to existing transport systems, the States, as a rule, are able to regulate and control communication lines, enabling equipment and their operators, and to filter traffic at the borders (customs, passport control, anti-terrorism control, veterinary control, etc.). With regard to the global network, such practice has not been developed yet.
If we sum up the above-mentioned aspects of the network, the operating history of different transport systems (and partly of communication systems) and the proposals for technical implementation of a number of new functions and features, there is an evident need to:
• formulate, in accordance with national legislation, the following requirements, which provide for increased reliability and security of the information transport network:
◊ certification of CII hardware and software;
◊ expansion of the registration systems to CII;
◊ CII backup;
◊ network performance monitoring;
◊ elimination of anonymity;
• facilitate control by the State of the current operation of the network located in its territory;
• prepare back-up technical, information and organizational structures in order to maintain efficiency, monitoring and network management;
• establish international bodies for certification, regulations management, technical requirements systematization and investigation of network incidents;
• establish international agreements that define not only general rules and regulations, but also harmonize national legislation and rules of interaction between governments and the existing international organizations;
• establish agreements on cross-border traffic exchange, which provide for more adaptive control over it than the existing protocols (BGP).
[1] Clarke, Richard A. Cyber War. HarperCollins, 2010.
[2] The Russia — US Bilateral on Cybersecurity — Critical Terminology Foundations, Issue 2.
[3] A. A. Streltsov. «Focal Areas in Progressive Development of the International Law of Armed Conflict» (in Russian) («Основные направления прогрессивного развития международного права вооруженных конфликтов»). Moscow State University, 2014. http://iisi.msu.ru/articles
[4] The Quest for Cyber Peace. The International Telecommunication Union and the World Federation of Scientists. Geneva, 2011.
[5] V. A. Egizarov. Transport Law: Textbook for universities (Транспортное право: Учебник для вузов. М.: ЗАО Юстицинформ), 2005.
[6] International Rules for Preventing Collisions at Sea, COLREGs, 1972.
[7] Convention on Road Signs and Signals, 1968. http://www.unece.org/fileadmin/DAM/trans/conventn/signalsr.pdf
[8] European Agreement Supplementing the Convention on Road Traffic opened for Signature at Vienna on 8 November 1968. http://www.unece.org/fileadmin/DAM/trans/conventn/11-E-ECE-813r.pdf
[9] The Tallinn Manual on the International Law Applicable to Cyber Warfare. General editor Michael N. Schmitt. Cambridge University Press, 2013.
[10] Katharina Ziolkowski (ed.). Peacetime Regime for State Activities in Cyberspace. International Law, International Relations and Diplomacy. NATO CCD COE Publication, Tallinn, 2013.
[11] W32.Stuxnet Dossier. Nicolas Falliere, Liam O Murchu, Eric Chien. Symantec Security Response. Version 1.4 (February 2011).
Moscow State University
Institute of Information Security Issues
This speech was delivered at the 11th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 20-23 April 2015 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.