The United Nations and the Need for International Law in Cyberspace

By: Regan Cornelius

Edited By: clark mahoney and renan dennig

Before the global takeover of the internet, countries primarily had to worry about physical manifestations of terror threats and attacks by other states. Now, cyberspace, the technological domain of networks used to spread information, has given states and rogue groups new opportunities to disrupt both governmental organizations and the private sector. This became especially evident during the Covid-19 crisis and ongoing war in Ukraine. As President Biden declared in a statement on March 21, 2022 regarding the potential cyberattacks from Russia against the United States in retaliation for economic sanctions, “malicious cyber activity” is “one of the defining threats of our time.”[1] Similarly, Jürgen Stock, the INTERPOL Secretary General, stated that “cybercriminals are developing and boosting their attacks at an alarming pace,” shifting from targeting individuals and small groups to governments and critical health infrastructure during Covid-19, a pattern that has only hastened as the virus threat slows. [2]

Given these occurrences and warnings, it is unsurprising that work to advance international law regarding cyberspace has hastened. The UN General Assembly established a 25 member-state Group of Governmental Experts (GGE) back in 2004 to examine the dangers information and communications technology (ICT) growth had on military and security. [3] In 2019,  the UN created the cybersecurity open-ended working group (OEWG) to include more member countries than the original small cadre. [4] The two groups worked in tandem to incorporate the GGEs older proposals into the OEWGs new resolutions. 

In March of 2021, the OEWG assumed full responsibility over ICT research and proposals within the UN, and the GGE was dissolved. The culmination of both groups work was the OEWG Final Substantive Report that reached consensus within the UN General Assembly when all Member States agreed without a vote to adopt the draft resolution, reaffirming ICT’s implications for “peace and security, human rights, and sustainable developments.” [5] While the report had no radical or new proposals, it reaffirmed the GGE’s stance on the principles of international law and sovereignty applying to cyberspace, the first-time a truly global agreement has been reached on the issue. Most importantly, the report also reaffirmed that the Charter of the UN is applicable to cyberspace. [6] 

However, the report leaves much to be desired. On top of not being legally binding, the United States and other liberal democracies agreed to water down the emphasis on human rights and the elimination of references to international humanitarian law, pushed for by Russia and China, in order to gain consensus. [7] Perhaps most upsetting for the United States was the inclusion of the phrase “international legally binding obligations,” which is worrisome as one of the countries with the most well-developed cyberspace and cyber warfare capabilities. [8] The phrase could easily be co-opted and used as an excuse to push United States involvement in other countries' cyber conflicts.

A further issue with the report is a failure to establish a new definition of sovereignty as it applies to cyberspace, yet the 2021 OEWG report specifies that measures should be taken “with full respect for the principle of State sovereignty.”  [9] The generally accepted definition of sovereignty is “the supreme authority within a territory” that “confers rights upon states and imposes obligations on them,” and is one of the guiding principles behind international law and relations. [10] This definition and idea of “sovereign equality” has already been given exceptions, most notably in the invocation of The Responsibility to Protect to ensure the international community can intervene in human rights atrocities regardless of borders. [11] Cyberspace, due to its widespread nature and possibilities of attack from anywhere in the world, destroys this notion of sovereignty based on territory. One of the biggest debates between countries in reference to sovereignty is regarding due diligence, or the obligation of states to not allow cyberattacks to be launched from their territory by groups, whether state or non-state based. [12] The 2021 OEWG report requested, “on a voluntary basis, states should not conduct or knowingly support ICT activity contrary to their obligations under international law,” a half-hearted attempt at a due diligence reference that indicates it will not be included in any further, potentially binding, resolutions posed by the OEWG to the General Assembly. [13] Russia and its allies vehemently oppose due diligence in general, while the EU and its partners support the principle. While due diligence in cyberspace is difficult to enforce, as it is nearly impossible due to the web of proxy servers set to mask hackers’ locations and any sort of communication that a government knew the hacker was committing illegal acts on its territory, it is still an important obligation to include. Without its inclusion, there is the potential for greater retaliation from the offended state against the one where the attack originated, as well as granting cyber criminals a relative feeling of safety to unleash attacks if they are not in the territory of their targets. This then brings up the concept of accountability, which is not mentioned in the report much to Western countries consternation. [14]

The fourth and fifth sessions of the OEWG are set to meet in March and July of 2023, and with assistance and cooperation from other UN and private-sector groups, is striving for compromise amid the disagreements between Russia and the United States. [15] The end goal is a resolution passed by the UN General Assembly and permanent security council members, putting into place an international law and standard to regulate the internet and cyber-criminal activity between states without disrupting the free flow of information. However, before the details and content of such a resolution can be discussed, there must be a consensus surrounding the definition of sovereignty, due diligence, and how far legally binding obligations can and should stretch.

Notes:

  1. The White House. “Statement by President Biden on our Nations Cybersecurity.” March 21, 2022. https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/

  2. “INTERPOL report shows alarming rate of cyberattacks during COVID-19.” INTERPOL. August 4, 2020. https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19

  3. “UN OEWG and GGE.” Digwatch. Geneva Internet Platform. 2022. https://dig.watch/processes/un-gge

  4. “Open-ended Working Group.” United Nations. United Nations, 2021. https://www.un.org/disarmament/open-ended-working-group/.

  5. United Nations General Assembly. Report of the Open-ended working group on developments in the field of information and telecommunication in the context of international security, UNGAOR, 25th Sess, Supp No 18, UN Doc A/8018 (2021). Paragraph  2.

  6. United Nations, Charter of the United Nations, 24 October 1945, 1 UNTS XVI, available at: https://www.un.org/en/about-us/un-charter/full-text 

  7. Rodriguez, Katitza, and Baghdasaryan, Meri. “UN Committee to Begin Negotiating New Cybercrime Treaty amid Disagreement among States over Its Scope.” Electronic Frontier Foundation, July 20, 2022. https://www.eff.org/deeplinks/2022/02/un-committee-begin-negotiating-new-cybercrime-treaty-amid-disagreement-among. 

  8. Gold, Josh. “Unexpectedly, All UN Countries Agreed on a Cybersecurity Report. So What?” Council on Foreign Relations. Council on Foreign Relations, March 18, 2021. https://www.cfr.org/blog/unexpectedly-all-un-countries-agreed-cybersecurity-report-so-what. 

  9. Report of the Open-ended working group on developments in the field of information and telecommunication in the context of international security. Paragraph 36.

  10. “Sovereignty.” Oxford Public International Law, April 2011. https://opil.ouplaw.com/display/10.1093/law:epil/9780199231690/law-9780199231690-e1472. 

  11. Remler, Philip. “Russia at the United Nations: Law, Sovereignty, and Legitimacy.” Carnegie Endowment for International Peace, January 22, 2020. https://carnegieendowment.org/2020/01/22/russia-at-united-nations-law-sovereignty-and-legitimacy-pub-80753. 

  12. “UN OEWG and GGE”

  13. Report of the Open-ended working group on developments in the field of information and telecommunication in the context of international security. Paragraph 31.

  14. Arindrajit, Poetranto, and Lau. “The UN Struggles to Make Progress on Securing Cyberspace.” Carnegie Endowment for International Peace, May 19, 2021. https://carnegieendowment.org/2021/05/19/un-struggles-to-make-progress-on-securing-cyberspace-pub-84491. 

  15. “UN OEWG and GGE”

    BIBLIOGRAPHY:

    Arindrajit, Poetranto, and Lau. “The UN Struggles to Make Progress on 

    Securing Cyberspace.” Carnegie Endowment for International Peace, May 19, 2021. 

    https://carnegieendowment.org/2021/05/19/un-struggles-to-make-progress-on-securing-

    cyberspace-pub-84491. 

    Gold, Josh. “Unexpectedly, All UN Countries Agreed on a Cybersecurity Report. So What?” 

    Council on Foreign Relations. Council on Foreign Relations, March 18, 2021. 

    https://www.cfr.org/blog/unexpectedly-all-un-countries-agreed-cybersecurity-report-so-what. 

    “INTERPOL report shows alarming rate of cyberattacks during COVID-19.” INTERPOL, August 4, 2020. https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19

    “Open-ended Working Group.” United Nations. United Nations, 2021. https://www.un.org/disarmament/open-ended-working-group/.

    Remler, Philip. “Russia at the United Nations: Law, Sovereignty, and Legitimacy.” Carnegie 

    Endowment for International Peace, January 22, 2020. 

    https://carnegieendowment.org/2020/01/22/russia-at-united-nations-law-sovereignty-and-

    legitimacy-pub-80753. 

    Rodriguez, Katitza, and Baghdasaryan, Meri. “UN Committee to Begin Negotiating New

    Cybercrime Treaty amid Disagreement among States over Its Scope.” Electronic Frontier 

    Foundation, July 20, 2022. https://www.eff.org/deeplinks/2022/02/un-committee-begin-

    negotiating-new-cybercrime-treaty-amid-disagreement-among. 

    “Sovereignty.” Oxford Public International Law, April 2011. 

    https://opil.ouplaw.com/display/10.1093/law:epil/9780199231690/law-9780199231690-e1472. 

    The White House, “Statement by President Biden on our Nations Cybersecurity.” March 21, 2022. https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/

    United Nations, Charter of the United Nations, 24 October 1945, 1 UNTS XVI, available at: https://www.un.org/en/about-us/un-charter/full-text 

     “UN OEWG and GGE.” Digwatch. Geneva Internet Platform, 2022. https://dig.watch/processes/un-gge
    United Nations General Assembly, Report of the Open-ended working group on developments in the field of information and telecommunication in the context of international security, UNGAOR, 25th Sess, Supp No 18, UN Doc A/8018 (2021).