FIRST REPORT. INTERNATIONAL LAW APPLICABLE TO CYBERSPACE

Page created by Elaine Norris
 
99th REGULAR SESSION                                                                        OEA/Ser. Q
2-11 August 2021                                                                            CJI/doc. 648/21
Virtual Session                                                                             1 August 2021
                                                                                            Original: Spanish
                                                                                             *Limited

                                              FIRST REPORT.

                   INTERNATIONAL LAW APPLICABLE TO CYBERSPACE
                         (Presented by Dr. Mariana Salazar Albornoz)

I.     BACKGROUND INFORMATION AND MANDATE:
       This is my first report on International Law applicable to Cyberspace. Its objective is to
recapitulate the work carried out by the Committee on the subject, to provide an update on the main
recent developments on the subject at the international level, to identify areas with pending
studies, and to explore the possible future steps the Committee might take on the matter.
       The issue began to be studied by the Inter-American Juridical Committee in 2018, at the
proposal of the then rapporteur Dr. Duncan B. Hollis, under the title “International law and cyber
operations of the State: improving transparency”. Rapporteur Hollis presented to the Committee a
total of five reports on this matter between August 2018 and May 2020 (documents CJI/doc. 570/18,
CJI/doc. 578/19, CJI/doc. 594/19, CJI/doc.603/20 rev. 1 corr. 1 and CJI/doc.615/20 rev. 1). The
purpose, as reflected in those reports, was to contribute from the Americas towards a broader trend
in international relations in search of greater transparency regarding how national States understand
applying international law to cyberspace. The rapporteur identified areas of convergence and
divergence based on the analysis of the responses submitted by the American States to a
questionnaire containing ten questions 1 agreed upon within the Committee (based on the rapporteur's
draft) and circulated to those States in February 2019, as well as from an informal discussion held
with the legal representatives of Member States under the “Chatham House” rule. The fifth and last
report of the rapporteur, which contains the above analysis together with the questionnaire distributed

1
 The questions sent to the States were: “1. Has your Government previously issued an official paper, speech,
or similar statement summarizing how it understands international law applies to cyber operations? Please
provide copies or links to those statements; 2. Do existing fields of international law (including the prohibition
on the use of force, the right of self-defense, international humanitarian law, and human rights) apply to
cyberspace? Are there areas where the novelty of cyberspace excludes the application of a particular set of
international legal rights or obligations?; 3. Can a cyber operation by itself constitute a use of force? Can it
constitute an armed attack that triggers a right of self-defense under Article 51 of the UN Charter? Can a cyber
operation qualify as a use of force or armed attack without causing the violent effects that have been used to
mark such thresholds in past kinetic conflicts?; 4. Outside of armed conflicts, when would a State be
responsible for the cyber operations of a non-State actor? What levels of control or involvement must a State
have with respect to the non-State actor’s operations to trigger the international legal responsibility of that
State?; 5. Are the standards of State responsibility the same or different in the context of an armed conflict as
that term is defined in Articles 2 and 3 common to the 1949 Geneva Conventions?; 6. Under international
humanitarian law, can a cyber operation qualify as an “attack” for the rules governing the conduct of hostilities
if it does not cause death, injury or direct physical harm to the targeted computer system or the infrastructure
it supports? Could a cyber operation that produces only a loss of functionality, for example, qualify as an
attack? If so, in which cases?; 7. Is a cyber operation that only targets data governed by the international
humanitarian law obligation to direct attacks only against military objectives and not against civilian objects?;
8. Is sovereignty a discrete rule of international law that prohibits States from engaging in specific cyber
operations? If so, does that prohibition cover cyber operations that fall below the use of force threshold and
which do not otherwise violate the duty of nonintervention?; 9. Does due diligence qualify as a rule of
international law that states must follow in exercising sovereignty over the information and communication
technologies in their territory or under the control of their nationals?; 10. Are there other rules of international
law that your government believes are important to highlight in assessing the regulation of cyber operations by
States or actors for which a State is internationally responsible?”

and the responses provided by the States, was published by the Committee and constitutes a useful
reference tool on the current state of the views of the States of the region on the issue 2.
       At the end of Dr. Hollis's mandate in the Committee, the Committee appointed me as
rapporteur for this theme as of January 1, 2021, and modified the title of the rapporteur to
"International Law Applicable to Cyberspace" in order to reflect the breadth of the spectrum of the
subject. Since then, as I reported verbally during the 98th session of the Committee held last April, in
my capacity as rapporteur on this issue I have participated in the following: (i) on February 4, I
presented the work of the Rapporteur at the Regional Meeting of National Commissions on
International Humanitarian Law of the Americas, organized by the International Committee of the
Red Cross; (ii) on March 8, I moderated the webinar organized by the OAS Department of
International Law on “International Law and State Cyber Operations” in which the former rapporteur
Dr. Hollis presented the results of his report to the Member States of the OAS; (iii) on March 18, I
participated in the global discussion “Digital Technologies and Humanitarian Action in Armed
Conflicts” organized by the International Committee of the Red Cross (ICRC); (iv) on March 24, I
presented the work of the rapporteurship at the Inter-American Defense Board seminar on “Human
Rights and International Humanitarian Law for the Armed Forces in the Western Hemisphere” for
14,000 members of the armed forces in the region; and (v) on June 9, I participated in the first meeting
of the ICRC's Global Advisory Committee on Digital Threats in Armed Conflict.
II.   RELEVANCE OF THE TOPIC:
      As indicated in previous reports, cyber attacks can have serious economic, national security
and human-rights implications for States. In the current context, it should be noted that over the
past year the COVID-19 pandemic and the resulting confinement have driven an enormous digital
acceleration which, while highlighting the benefits of information and communication technologies,
has also drawn international attention to the risks and consequences of malicious attacks on them.
Quoting the recent report of the United Nations Group of Experts on this issue:
                “The current global health crisis has underscored the fundamental benefits of
         ICTs and our reliance upon them, including for provision of vital government services,
         communicating essential public safety messages, developing innovative solutions to
         ensure business continuity, accelerating research, and helping to ensure continuity in
         education and social cohesion through virtual means. In this time of uncertainty, not
         only States, but also the private sector, scientists and other actors, have leveraged
         digital technology to keep individuals and societies connected and healthy. At the
         same time, the COVID-19 pandemic has demonstrated the risks and consequences of
         malicious activities that seek to exploit vulnerabilities in times when societies are
         under enormous strain. It has also highlighted the necessity of bridging digital divides,
         building resilience in every society and sector, and maintaining a human-centric
         approach” 3.

2
  Available at: http://www.oas.org/es/sla/cji/docs/Derecho_Internacional_y_Operaciones_Cibern%C3%A9ticas_del_Estado_publicacion.pdf
3
  United Nations General Assembly, Open-ended working group on developments in the field of information
and telecommunications in the context of international security, Final Substantive Report, doc.
A/AC.290/2021/CRP.2, adopted on March 12, 2021. Available at:
https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf

     In the last few months the world was shaken by one of the largest cyber attacks in history, against
SolarWinds 4, the American software company. The attack was perpetrated in three states between
mid 2020 and May 2021. It affected a database of more than 18,000 world companies and key federal
agencies of the United States government (including the Ministries of Internal Security, of State, of
Power, of Finance and the National Administration of Nuclear Security). The attack was attributed
to the Russian intelligence services and the United States expressed it was preparing penalties against
that country in response to the attack. The recent attack against SolarWinds shows that the problem
not only continues but is even more severe and has consequences in the area of inter-state
relations. This case, together with the previous events described in the earlier reports of the
Rapporteurship, confirms the great relevance of having a clear position regarding the scope of the
application of international law in the context of cyberspace.
III.   RECENT DEVELOPMENTS IN MULTILATERAL AND ACADEMIC FORUMS:
       a)  Intergovernmental Forums
       The intergovernmental consensus recognizes that international law is indeed applicable
to cyberspace. In addition to the recognition given in past years within the framework of the UN,
the ASEAN and the European Union, as mentioned in previous reports of the Rapporteurship, we
now enjoy the recent recognition on the part of the General Assembly of the Organization of
American States. Through resolution AG/RES.2959 (L-0/20) adopted on 21 October, 2020, the
General Assembly of the OAS, following the recommendation of the Inter-American Juridical
Committee (although the text differs from the original recommendation), released the following
statement:
       “REAFFIRMING the enforceability of international law in cyberspace and the
       importance of the implementation of non-binding voluntary norms for the responsible
       behavior of the State in the cyberspace, in the consensus reports of the Group of
       Governmental Experts of the United Nations on the Progress in the Sphere of
       Information and Telecommunications in the Context of International Security.”
       Notwithstanding the international consensus concerning the application of international law to
cyberspace, there are still huge divergences in the positions of the States as to how such application
is conducted. In other words, the States agree that international law is applicable to cyberspace,
but they do not agree on the concrete scope of that application in certain fields.
       Several intergovernmental forums, already mentioned in previous reports, have been created
with the aim of promoting discussions and reducing the gap between the various positions on the
issue. In recent months, the following significant advances have been reached in the United Nations
intergovernmental discussions regarding how international law applies to cyberspace:

4
 See, for example: “The US is readying sanctions against Russia over the SolarWinds cyber attack. Here's a
simple explanation of how the massive hack happened and why it's such a big deal”, Business Insider, April
15, 2021, available at:
https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=MX&IR=T

       •      On 12 March, 2021, the Open-ended Working Group on the progress in the field of
              information and telecommunications in the context of international security adopted its
              Final Substantive Report 5. The Group, created by the General Assembly of the United
              Nations in 2018 6, held sessions on three occasions between 2019 and 2021 open to the
              participation of all the United Nations Member States.
       •      With the aim of “ensuring the uninterrupted and continuous nature of the
              aforementioned process”, the General Assembly of the United Nations, through
              resolution 75/240 adopted on December 31, 2020, decided to establish a new open-
              ended working group on security and the use of information and communication
              technologies for the period 2021-2025. Among a number of duties, the group will
              continue drafting the rules, norms and principles for the responsible behavior of States,
              and will continue to study the manner in which international law is applicable to the use
              of information technologies and communications by States.
       •     On 28 May 2021, the Group of Governmental Experts on Promotion of the Responsible
             Behavior of the States in Cyberspace in the Context of International Security adopted
             its consensus report 7. The Group was also created by the General Assembly of the
             United Nations in 2018 8 and has held sessions on four occasions between 2019 and 2021. The
             Group is composed of experts from 25 States appointed on the basis of equitable
             geographical representation. Representing the American region, experts from Brazil,
             México, the United States and Uruguay participated in these sessions.
       The reports of both United Nations groups were guided and informed by the reports adopted
in 2010, 2013 and 2015 by the groups of governmental experts previously created within the United
Nations on this subject. These groups adopted 11 voluntary non-binding standards on the responsible
behavior of States in cyberspace, with recommendations on confidence-building, capacity and
cooperation measures 9.
       The work of the rapporteur in this Committee, as reflected in previous reports, has wisely
focused on seeking to identify the vision of the American States on the main international-law issues
related to cyberspace in order to improve transparency and thereby the discussions of the United
Nations forums. The Rapporteurship has sought to serve as a platform for transparency, without
attempting in any way to codify or progressively develop international law on the matter or to develop
guides or compendiums of good practices on the matter.
       However, the participation of the American States in the efforts of this Committee has been
extremely limited: only nine 10 of the 35 States of the American region provided responses to the
questionnaire circulated by the Committee, and some of those responses do not contain conclusive
positions. As the report that preceded me has rightly concluded, this lack of participation is largely
due to a disparity between the States of the region in terms of their cybernetic capabilities and their

5
  United Nations General Assembly, Final Substantive Report of the Open-ended working group on
developments in the field of information and telecommunications in the context of international security,
A/AC.290/2021/CRP.2 (March 10, 2021), available at:
https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf
6
  Created by resolution A/Res/73/27 adopted by the General Assembly of the United Nations on December 11,
2018.
7
  Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the
context of international security, Advance Copy (28 May 2021), available at:
https://front.un-arm.org/wp-content/uploads/2021/06/final-report-2019-2021-gge-1-advance-copy.pdf
8
  Created by Resolution A/Res/73/266 adopted by General Assembly of the United Nations on December 22,
2018.
9
  Secretary-General of the United Nations, Report of the Group of Governmental Experts on Developments
in the Field of Information and Telecommunications in the Context of International Security, 19, U.N. Doc.
A/68/98 (24 June 2013); and Secretary-General of the United Nations, Report of the Group of Governmental
Experts on Developments in the Field of Information and Telecommunications in the Context of
International Security, 10, U.N. Doc. A/70/174 (22 July 2015).
10
   Bolivia, Chile, Costa Rica, Ecuador, Guatemala, Guyana, Peru, the United States and Brazil.

knowledge of their legal international implications. The disparity is also reflected at the global level,
as identified by the various above-mentioned United Nations forums; this disparity makes it difficult
to reach any consensus on the matter. Thus, both these forums and this Committee have agreed on
the urgent need to continue building capacities in this matter by fostering dialogues between state
and non-state actors concerning the scope of the application of international law to cyberspace.
Consistent with the foregoing, and on the recommendation of this Committee, the OAS General Assembly resolution
cited above, adopted on October 21, 2020, also resolved:
      “To instruct the CAJP [Committee on Juridical and Political Affairs], to hold a session
      prior to the fifty-second regular session of the General Assembly with the aim of
      reflecting collectively on how to strengthen the regime of responsibilities in the use of
      information technologies and communication and consequently entrust the Department
      of International Law to prepare a report of its main results to offer them to the CJI”.
      In addition, in response to the Committee's recommendation, the Department of International
Law will also organize a course on the matter addressed to the Member States of the region.
Furthermore, it should be noted that another OAS body that carries out training work related to
cyberspace is the Inter-American Committee against Terrorism (CICTE).
      b)     Academic forums
       In the academic milieu, the Tallinn Handbook 11 and the Tallinn Handbook 12 were produced in
2013 and 2017, respectively, as a result of the work of an independent NATO-funded group of
experts to address how international law applies to cyber warfare (first manual) and how it applies
to other areas of international law related to State cyber operations (second manual). These continue
to be useful references to nurture analyses on the matter.
         In turn, the International Committee of the Red Cross (ICRC) has issued various studies on
the way in which international humanitarian law, which falls within its competence, applies to cyberspace,
which are also useful references for analyses on the matter 13. The most recent was published in May
2021 and deals with ways to prevent harm to civilians resulting from cyber military operations during
armed conflicts 14. Another recent ICRC contribution on this issue was to launch, on June 9, 2021, its
Global Advisory Committee on Digital Threats in Armed Conflict, comprising 16 international
experts who will examine the main legal and political challenges concerning the protection of
civilians against such threats.
       These global efforts have recently been joined by the Oxford Process on International Law
Protections in Cyberspace, launched in May 2020 by the Oxford Institute of Ethics, Law and Armed
Conflict in alliance with Microsoft. Since its inception and up to the date of this report, the Oxford
Process has issued four public statements on the protections that international law confers in cyberspace
in relation to cyber operations against the health sector, vaccine research in the context of COVID-
19, foreign electoral interventions by digital means, and the regulation of information operations and
activities 15.

11
   Michael Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn,
Estonia: NATO CCD COE, 2013).
12
   Michael Schmitt, ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Tallinn,
Estonia: NATO CCD COE, 2017).
13
   See, for example: ICRC, “Position Paper on International Humanitarian Law and Cyber Operations during
Armed Conflicts” (November 2019); ICRC, Report on International Humanitarian Law and the Challenges of
Contemporary Armed Conflict (November, 2019); ICRC, International Humanitarian Law and the Challenges
of Contemporary Armed Conflicts, (October, 2015) pp. 39-44.
14
   ICRC, “Avoiding Civilian Harm from Military Cyber Operations during Armed Conflicts”, available at:
https://www.icrc.org/en/document/avoiding-civilian-harm-from-military-cyber-operations
15
   Available at: https://www.elac.ox.ac.uk/the-oxford-process-on-international-law-protections-in-cyberspace#/

IV.    THE FUTURE WORK OF THE INTER-AMERICAN JURIDICAL COMMITTEE ON
       THE MATTER:
       As mentioned, the divergence of positions on the part of the States as regards the scope of the
application of international law to cyberspace continues, and the discussions within the United
Nations will continue until 2025. In addition to this, the enormous disparity between the
cybernetic capacities and legal knowledge of the States on this matter has been made quite evident,
as also reflected in the low response that the Committee received to the questionnaire on the subject
that was circulated in 2019.
       It is relevant that the Inter-American Juridical Committee continue to promote transparency
in the positions of the American States on the matter, thereby contributing to ongoing international
discussions. I submit to the consideration of the members of the Committee that this be done
emphasizing the following two points:
       First of all, due to the fact that several States still lack a clear position on the issue, the task of
making their positions transparent also includes promoting dialogue and legal training on
international law applicable to cyberspace. The next “reflection session” of the CAJP, to be held in
2022, as well as the course to be organized by the Department of International Law, will prove useful
to continue identifying the main aspects of concern in the region and to intensify training in the
subject, through the participation of experts. The Committee could continue to promote further
training and forums for dialogue in which both State and non-State actors participate. The
participation of the private sector is of the utmost importance since it is frequently an involuntary
accomplice or victim of cyber-attacks, as well as possessing the technological knowledge that States
require to adopt comprehensive policies to deal with digital threats. The Committee could also seek
synergies with the training sessions and dialogue forums carried out by other OAS bodies such as
CICTE.
       Second, in order to encourage more States in the region to have clear positions on the main
international-law issues that are being debated on the topic of cyberspace, the Committee could
prepare a new questionnaire to circulate to the States, with the following characteristics:
       (i)     Expand the subject of the questionnaire to cover not only issues related to international
               peace and security (on which the 2019 questionnaire focused) but also other aspects of
               international law applicable to cyberspace, while also ensuring that the questions are
               formulated in a general and simplified manner. As suggested topics, the questionnaire
               could cover the following themes:
         1. The rules of international responsibility of States (including questions of attribution for
            cyber operations of non-state actors and due-diligence obligations);
         2. The fundamental principles of sovereign equality of States and non-intervention in the
            internal affairs of others;
         3. The prohibition of the use of armed force between States and the exception of
             self-defense (ius ad bellum);
         4. The norms of international humanitarian law (ius in bello), including humanitarian
             principles, prohibited methods and means of cyber combat, and issues related to cyber-
             attacks against critical infrastructure, essential services or data;
         5. The norms of international human-rights law (including (i) the rights to privacy and the
             protection of honor, private life and dignity, which is related to the protection of personal
             data, (ii) freedom of expression and protection from misinformation, disinformation and
             hate-speech through digital media, (iii) the need to reduce the digital gender gap and (iv)
             the duties of companies in relation to human rights);
         6. The rules applicable to cybercrime.
       (ii)   As an introduction to the question related to each topic, the questionnaire could include
              a list of the main international conventional and customary norms (accompanied by
              some relevant international jurisprudence), with a discussion of how they apply to each
              topic related to cyberspace. The list would not assess or attempt to guide positions, nor
              would it provide legal analysis on such (these analyses are already included in
              exhaustive studies such as those of Tallinn or the ICRC, for example). The intention
              behind this exercise of normative identification is simply to provide the legal elements
              to facilitate the States’ understanding of the questions that are being formulated, and to
              promote the analysis and positioning of more States on the matter.
       (iii) Based on the responses received, the Committee could compile and analyze them; this
              could prove to be a useful tool for the process of positioning the States of the region on
              the matter and thereby contribute to advance international discussions.
       All the above are mere suggestions, and the Committee could explore other options to better
deal with this issue and ensure a substantive contribution from the OAS to international discussions
of the same. The meeting with the Legal Consultants of the Foreign Ministries of the Member States,
scheduled within this session of the Committee, is also an opportunity to consult the opinion of the
Member States on the suitability of this or other avenues for the rapporteur to better contribute to the
advancement of the issue in our region.

      99 pos – ag. 2021
      i648 – 99 posag 2021 – Mariana Salazar – ciberespacio- EN
      MAS/msg – 1/8/2021
      CO/JM- msg 3/8/21 Lt.4.8.21.