Public International Law of Cyberspace

The Internet, the main component of cyberspace, is one of the “dual use” technologies, which can be used for good and bad purposes depending on the intention of users. Currently, there are more than three billion Internet users around the world (or almost half of the world’s total population), the largest number of whom are in Asia, followed by Europe, Latin America, North America, Africa, and the Oceania. Nation States’ perspectives on the phenomenon of cyberspace naturally reflect their respective cyber capabilities, ideologies as well as strategic, economic, and political interests. States have been trying at various global and regional forums, including the United Nations, to deal with threats, opportunities, and other challenges arising in the cyber domain. However, due to their diverging positions on a new ideal international regulatory regime, relevant existing rules of public international law have to be resorted to, lest there be chaos in cyberspace. Public international law is the body of law governing international relations among States and/or international organizations, including their international legal obligations towards private natural persons or legal persons (or corporations). It derives essentially from international agreements and international custom and comprises international norms, rules, standards, and codes of conduct that can help prevent crises caused by misunderstanding, errors, or misattribution in cyberspace. This chapter explains the perspectives of cyberspace stakeholders and the operation and identification of public international law.

While no State may claim sovereignty over cyberspace, States may exercise jurisdiction, which is the authority of the State to regulate conduct of natural persons or legal entities by its own domestic law, over cyber activities insofar as permissible under international law, including jurisdiction to prescribe law and regulations and jurisdiction to enforce them. Such jurisdiction is based on territoriality, passive personality, active personality, and protective principles to cope with the global connectivity, vulnerable technologies and anonymity in cyberspace that spans the land, sea, air and outer space domains. In order to hold a State responsible for a cyber activity, that activity must be attributed to the State in accordance with international rules on attribution for the purpose of responsibility, including the applicable standard of proof. The 2014 Sony Pictures Entertainment hack and the controversy surrounding alleged foreign interference by cyber means in the 2016 US Presidential election show the difficult challenges for the application of these rules. International organizations can be held accountable for cyber activities attributable to them, too.

The advent of the Internet and online activities creates the greatest challenges for privacy, freedom of expression, and other related human rights. This is the area where cyber activities have the most impact on the modern-day society. While the US gives a top priority to the freedom of expression, Europe accords more importance to privacy than the freedom of expression. A clash between these two differing priorities influences, to a large extent, the different levels and scopes of human rights protection in cyberspace across the Atlantic Ocean. International legal standards balancing human rights, on the one hand, and national security and/or law and order, on the other hand, in such areas as personal data protection, extraterritorial law enforcement measures, and the implementation of exceptions to the exercise of rights and freedoms in cyberspace, are enshrined in the 1966 International Covenant on Civil and Political Rights as well as in regional human rights instruments, such as the European Convention on Human Rights. National law of the States Parties to these instruments must comply with these international legal standards. The European Union has the world’s most advanced legal system of protection of personal data in cyberspace, and the right to be forgotten has now been upheld by the European Court of Justice. This is an area where the private sector, especially Internet service providers, can play an active role in balancing the customer’s human rights and the demand from law enforcement authorities for the private sector’s cooperation in protecting society from harm.

Cyber weapons can be used by States as well as non-State actors to carry out cyberattacks. Cyberattacks may meet the threshold of use of force proscribed by Article 2(4) of the UN Charter if they cause catastrophic physical damage, and not merely severe economic losses. When a cyberattack meets the higher threshold of an “armed attack”, which is a most grave form of the use of force in terms of its scale and effect, this gives rise to the right of self-defence under Article 51 of the UN Charter and customary international law. Because of the exceptional speed of cyberattack, the right of self-defence against it must be effective or else this right would be an illusory one. Self-defence can, arguably, be resorted to against non-State actors operating from the territory of a State which is either unable or unwilling to prevent these actors from perpetrating an armed attack from its territory against the putative victim State. International law also recognizes that the putative victim State may respond to cyberattack below the threshold of an armed attack by means of countermeasures, reprisals, or retorsion, or on the basis of necessity. In order to prevent a cyber conflict from escalating, neutral States are not to take side with any of the belligerent States and the belligerent States themselves must respect the neutrality of neutral States. Cyber disarmament through codes of conduct together with domestic criminal law enforcement against proliferation of cyber weapons can help alleviate the threat of a cyber conflict.

During a war or an armed conflict which is not a declared war, the law of armed conflict, including international humanitarian law, regulates the rights and obligations of fighting parties. The same applies to cyberattacks as part of a war or an armed conflict, where the parties concerned must respect not only the rules of permissible means and methods of warfare, but also the principles of proportionality, distinction between civilians and fighters, and military necessity. For example, the law of armed conflict prohibits cyberattacks that could have destroyed dams, power stations, nuclear stations, and other facilities or infrastructures, with excessively devastating consequences. However, a cyber infrastructure is usually a dual use object and it is practically difficult to distinguish between the one used for military purposes and that used for purely civilian purposes. In a cyber interdependent world, cyberattack against a military target may lead to a disproportionate, indiscriminate adverse effect on civilians not taking a direct part in hostilities. Military personnel must, therefore, make a careful, informed decision when planning and carrying out cyberattack during an armed conflict or a war. Non-State actors, cyber warriors, or cyber mercenaries taking a direct part in hostilities to support one or more side in an armed conflict/war may be subjected to attack by the other belligerent under the law of war. Artificial intelligence that makes soldiers wage cyber war against a remote target according to the programmed judgment of the AI presents a frightening challenge with regard to the law of armed conflict.

Cyber crimes pose everyday threats to anyone anywhere who is engaged in cyber activities. They include illegal access to a computer system; illegal access, interception or acquisition of computer data; illegal interference with a computer system or computer data; production, distribution or possession of computer misuse tools; and breach of privacy or data protection measures. Cyber crimes also encompass computer-related acts for personal or financial gain or harm consisting of computer-related fraud or forgery; computer-related identity offences; computer-related copyright or trademark offences; sending or controlling sending of Spam; computer-related acts causing personal harm; and computer-related production, distribution or possession of child pornography. The Council of Europe’s 2001 Budapest Convention on Cybercrime is the only multilateral agreement in force on cyber crimes and may be used as a model for national legislation as well as international legal cooperation to suppress cyber crimes. US law on cyber crime is analyzed in detail as a case study on criminal prosecution of cyber crime at the national level. Theft of virtual currencies such as bitcoin and virtual items online can be a prosecutable offence of cyber theft. Yet, there is no established case law at either the national or international level whether “hacktivism” (i.e., the non-violent use of a cyber means for political objectives such as website defacement, DoS or DDoS attacks, virtual sit-ins, or virtual sabotage) is an exercise of the freedom of expression and, as such, is not to be punished as a cyber crime.

Cyber terrorism has become a real threat to society. The UN Office on Drugs and Crime classifies cyber terrorism into six categories: propaganda (for the purposes of recruitment, incitement, and radicalization), financing, training, planning, execution, and cyberattacks. Cyber terrorism is in fact acts of terrorism that are “cyber-enabled”, using cyberspace or cyber technologies to perpetrate acts of terrorism against civil aviation, maritime navigation, and targeted victims, among others. The 2010 Beijing Convention and Protocol on aviation security are the first international conventions that specifically mention perpetration by “any technological means” to commit an act of terrorism. However, the other existing sectoral conventions dating back to the early 1960s can also be interpreted to suppress cyber terrorism in various ways. Some regional organizations, including the European Union, have taken steps with efforts to harmonize domestic law to combat international terrorism in line with the sectoral conventions. International cooperation to suppress cyber terrorism requires criminalization of acts that constitute cyber terrorism, extradition of offenders, and mutual legal assistance in criminal matters. Punishing online incitement to commit an act of terrorism, apologies for or glorification of terrorism may create a problem in that it might encroach upon the right to freedom of speech or expression recognized under the constitution of various States and protected by the 1966 International Covenant on Civil and Political Rights and other international human rights instruments.

Remedies for violation of rights in cyberspace may be available in domestic courts as well as international courts or tribunals, depending on the national law and the competence of such courts/tribunals in question and provided that procedural hurdles are overcome. Increased cybersecurity would mean less room for cyberattacks, cyber espionage, cyber crimes, and cyber terrorism. Closely related to the issue of cybersecurity is cyber deterrence, which has caught the attention of cyberwar studies. Deterrence works on two major elements: fear of retaliation, or punishment, by the defending party, and denial of any benefit to the adversary accruing from the initial attack carried out by the adversary. Secrecy, anonymity and difficulties in attribution in cyberspace together with the asymmetry of cyber capabilities among nation States create a big challenge for the application of the doctrine of cyber deterrence. Interdependence in cyberspace may help deter cyberattack insofar as such attack would also deny the attacker of a worthy benefit from the attack. The right model for cyberspace governance would make cyberspace a peaceful domain in which humankind can share benefits equitably. Nation States and international organizations are not suitable to lead cyberspace governance, which should be left to codes of conduct within the cybertechology industry, with government stepping in only to uphold international and national human rights standards which are sanctionable in courts of law. In any case, “cyber sovereignty”, with a State or a geographical region completely isolated in cyberspace from the rest, is not realistic in fact or in law.