Conference: The Peaceful Settlement of Cyber Disputes

On March 4-5, 2021, the Sheffield Centre for International and European Law at the University of Sheffield will host an online conference on "The Peaceful Settlement of Cyber Disputes." Registration is free but prior registration is required. The program and registration details can be found here.

Symposium: Exploring the Frontiers of International Law in Cyberspace

On December 4, 2020, the European Society of International Law, the Jagiellonian University Chair of Public International Law, and the Grotius Centre for International Legal Studies will hold an online symposium on "Exploring the Frontiers of International Law in Cyberspace." Program and registration information are here.

Milanovic: Surveillance and Cyber Operations

Marko Milanovic (Univ. of Nottingham - Law) has posted Surveillance and Cyber Operations (in Research Handbook on Extraterritorial Human Rights Obligations, Mark Gibney et al. eds., forthcoming). Here's the abstract:

Advertisement

This chapter examines the extent to and the basis on which human rights treaties apply extraterritorially to state surveillance and cyber operations. Consider only the following examples: (1) The targeted surveillance of a specific individual outside a state’s territory – as, for instance, with the operations allegedly conducted by the authorities of Saudi Arabia against Saudi dissidents abroad, one of which ultimately led to the plot to assassinate the journalist Jamal Khashoggi, or against the CEO of Amazon, Jeff Bezos, apparently in a rather crude attempt to blackmail him. (2) Mass surveillance or bulk collection programmes, such as those run by the US and UK signals intelligence agencies, that syphon the content of electronic communications of millions of people outside the state’s territory, or the metadata about these communications, in order to create searchable datasets in which persons of particular interest, e.g. suspected terrorists, can then be found. (3) Cyber operations that exfiltrate data on Covid-19 vaccine research, potentially affecting the development of vaccines that could save many thousands of lives. (4) Cyber operations that destroy or manipulate such data. (5) Cyber operations against hospitals or against critical infrastructure, which directly endanger many lives. (6) Cyber operations against media outlets, which disrupt their activities and inhibit their freedom of expression. (7) Online misinformation operations for various purposes, for example to manipulate the outcome of an election or to destroy public trust in state institutions during the pandemic. Common to all of these scenarios is that through entirely digital means states can violate a host of different human rights, from the rights to privacy and the freedom of expression, to the right to life and the right to health, of persons located outside their territories.

Advertisement

The chapter will first proceed to briefly outline how the traditional models of extraterritorial application, the spatial and the personal, would apply to surveillance and cyber operations, examining a few old cases in which the issue was raised, if never properly resolved. It will then look at recent developments that are particularly important in the surveillance and cyber context, even if some of them are not directly apposite: a judgment of the UK Investigatory Powers Tribunal, the advisory opinion of the Inter-American Court of Human Rights on the environment and human rights, the Human Rights Committee’s General Comment No. 36 on the right to life, and the judgment of the Federal Constitutional Court of Germany on the applicability of the German Basic Law to surveillance operations abroad. The chapter will then finally offer some concluding thoughts on the direction towards which the legal position is likely to evolve, and should evolve, regarding the applicability of human rights law to extraterritorial surveillance and cyber operations.

Call for Submissions: Cyber Law Toolkit

A call for submissions has been issued for the 2021 update of the Cyber Law Toolkit, an interactive web-based resource on the international law of cyber operations. Here's the call:

Cyber Law Toolkit, the leading interactive web-based resource on the international law of cyber operations, is inviting submissions for its next general update in September 2021. Successful authors will be awarded an honorarium. The Toolkit consists of a growing number of hypothetical scenarios, each of which contains a description of cyber incidents inspired by real-world examples and accompanied by detailed legal analysis. To keep pace with the recent developments in the cyber security domain and remain relevant source for practitioners and scholars alike, the Toolkit is regularly updated. The project team welcomes proposals for new scenarios to be included in the 2021 Toolkit update. This call for submissions is open until 15 November 2020. For more information, see the full text of the call.

Benesch: But Facebook’s Not a Country: How to Interpret Human Rights Law for Social Media Companies

Susan Benesch (Harvard Univ. - Dangerous Speech Project) has posted But Facebook’s Not a Country: How to Interpret Human Rights Law for Social Media Companies (Yale Journal on Regulation, forthcoming). Here's the abstract:

Advertisement

Private social media companies regulate much more speech than any government does, and their platforms are being used to bring about serious harm. Yet companies govern largely on their own, and in secret.

To correct this, advocates have proposed that companies follow international human-rights law. That law–by far the world’s best-known rules for governing speech–could improve regulation itself, and would also allow for better transparency and oversight on behalf of billions of people who use social media.

This paper argues that for this to work, the law must first be interpreted to clarify how (and whether) each of its provisions are suited to this new purpose. For example, the law provides that speech may be restricted to protect national security, as one of only five permissible bases for limiting speech. Governments, for which international law was written, may regulate on that basis, but not private companies which have no national security to protect.

To fill some of the gap, the paper explains and interprets the most relevant provisions of international human-rights law–Articles 19 and 20 of the International Covenant on Civil and Political Rights, which pertain to freedom of expression–for use by social media companies, in novel detail.

Kettemann: The Normative Order of the Internet: A Theory of Rule and Regulation Online

Matthias C. Kettemann (Leibniz Institute for Media Research │ Hans-Bredow-Institut) has published The Normative Order of the Internet: A Theory of Rule and Regulation Online (Oxford Univ. Press 2020). Here's the abstract:

There is order on the internet, but how has this order emerged and what challenges will threaten and shape its future? This study shows how a legitimate order of norms has emerged online, through both national and international legal systems. It establishes the emergence of a normative order of the internet, an order which explains and justifies processes of online rule and regulation. This order integrates norms at three different levels (regional, national, international), of two types (privately and publicly authored), and of different character (from ius cogens to technical standards).

Matthias C. Kettemann assesses their internal coherence, their consonance with other order norms and their consistency with the order's finality. The normative order of the internet is based on and produces a liquefied system characterized by self-learning normativity. In light of the importance of the socio-communicative online space, this is a book for anyone interested in understanding the contemporary development of the internet.

This is an open access title available under the terms of a CC BY-NC-ND 4.0 International licence. It is offered as a free PDF download from OUP and selected open access locations.

Lahmann: 'Hacking Back' by States and the Uneasy Place of Necessity within the Rule of Law

Henning Lahmann (ESMT Berlin - Digital Society Institute) has posted 'Hacking Back' by States and the Uneasy Place of Necessity within the Rule of Law (Zeitschrift für Ausländisches Öffentliches Recht und Völkerrecht, forthcoming). Here's the abstract:

The article deals with necessity as one of the circumstances precluding wrongfulness under customary international law and how, in view of the protracted problem of timely attribution in cyberspace, it will likely gain relevance when states are forced to defend against malicious cyber operations threatening important assets such as critical infrastructures. While the necessity doctrine seems fit for purpose in principle, the article argues that it lacks granularity, as it has rarely been tested on the international plane. More importantly, like all norms that invoke an exception to the normal function of the law in an emergency situation, necessity is problematic from an international rule-of-law point of view. Taking these pitfalls into account, the article proposes some general principles for a possible special emergency regime for cyberspace that could put cyber necessity on a normatively more stable footing.

Shany & Schmitt: An International Attribution Mechanism for Hostile Cyber Operations

Yuval Shany (Hebrew Univ. of Jerusalem - Law) & Michael N. Schmitt (Univ. of Reading - Law) have posted An International Attribution Mechanism for Hostile Cyber Operations (International Law Studies, forthcoming). Here's the abstract:

This article is the result of an international research project organized by the Federmann Cyber Security Research Center at Hebrew University to consider the feasibility of establishing an international attribution mechanism for hostile cyber operations, as well as the usefulness of such a body. The authors observe that, at present, states wielding significant cyber capability have little interest in creating such a mechanism. These states appear to be of the view that they can generate sufficient accountability and deterrence based on their independent technological capacity, access to expertise and to offensive (active defense) cyber tools, political clout, security alliances, and other policy tools, such as sanctions. However, countries with limited technological capacity and less ability to mobilize international support for collective attribution are more amenable to the prospect.

To date, proposals to establish an international attribution mechanism have not acquired momentum. However, the authors suggest that progress remains possible by focusing on the three logical constituencies for such a body—States with limited technological, intelligence, and diplomatic capacity; States interested in generating broad collective attribution of attacks perpetrated against them; and international and regional organizations operating a cyber-related sanctions regime. Such a focus, combined with greater granularity, would significantly improve the prospects for the establishment of an international attribution mechanism and its eventual utilization by the international community.

Hamilton: Governing the Global Public Square

Rebecca J. Hamilton (American Univ. - Washington College of Law) has posted Governing the Global Public Square (Harvard International Law Journal, forthcoming). Here's the abstract:

Social media platforms are the public square of our era – a reality that has been entrenched by the widespread closure of physical public spaces in response to the Covid-19 pandemic. And this online space is global in nature, with over 2.5 billion users worldwide. Its governance does not fall solely to governments. With the rise of social media, important decisions about what content does - and does not - stay online are made by private technology companies.

Reflecting this reality, cutting-edge scholarship has converged on a triadic approach to understanding how the global public square operates - with states, users, and technology companies marking out three points on a “free speech triangle” that determines what content appears online. While offering valuable insights into the nature of online speech regulation, this scholarship—which has influenced public discussion—has been limited by drawing primarily on a recurring set of case studies arising from the U.S. and the European Union. As a result, the free speech triangle has locked in assumptions that make sense for the U.S. and the EU, but that regrettably lack broad applicability.

This Essay focuses our attention on the global public square that actually exists, rather than the narrow U.S. and European-centric description that has commanded public attention. Drawing on interviews with civil society, public sources, and technology company transparency data, it introduces a new set of case studies from the Global South, which elucidate important dynamics that are sidelined in the current content moderation discussion.

Drawing on this broader set of materials, I supplement the free speech triangle’s analysis of who is responsible for online content, with the question of what these actors do. In this way, activity within the global public square can be grouped into four categories: content production, content amplification, rule creation, and enforcement. Analyzing the governance of the global public square through this functional approach preserves important insights from the existing literature while also creating space to incorporate the plurality of regulatory arrangements around the world. I close with prescriptive insights that this functional approach offers to policymakers in a period of unprecedented frustration with how the global public square is governed.

Keitner: Foreign Election Interference and International Law

Chimène Keitner (Univ. of California - Hastings College of the Law) has posted Foreign Election Interference and International Law (in Election Interference: When Foreign Powers Target Democratic Institutions, Duncan Hollis & Jens David Ohlin eds., forthcoming). Here's the abstract:

This draft chapter explores the possibilities, and limitations, of international law in regulating states’ attempts to influence each other’s elections. It begins by tracing attempts to further codify the non-intervention principle in the 1960’s and 1970’s. It then examines the tension produced by states’ conflicting desires to preserve the greatest possible freedom of action for themselves and to constrain the behavior of others. To date, this dynamic has impeded the ability to formulate explicit treaty-based solutions to the problem of foreign election interference. Identifying customary international law in this area requires inferring specific conduct-regulating rules from general principles, which can yield contested results. States are unlikely to agree to more granular, binding international rules as long as regimes currently in power benefit from constructive ambiguity. Although agreement on more concrete rules and enforcement mechanisms might remain elusive, like-minded states should continue to emphasize the importance of supporting peoples’ abilities to determine their own political destinies. This requires, at a minimum, promoting an anti-deception norm as a matter of both domestic and international law.

Milanovic & Schmitt: Cyber Attacks and Cyber (Mis)information Operations during a Pandemic

Marko Milanovic (Univ. of Nottingham - Law) & Michael N. Schmitt (Univ. of Reading - Law) have posted Cyber Attacks and Cyber (Mis)information Operations during a Pandemic (Journal of National Security Law & Policy, forthcoming). Here's the abstract:

The COVID-19 pandemic has been accompanied by reprehensible cyber operations directed against medical facilities and capabilities, as well as by a flood of misinformation. Our goal in this article is to map out the various obligations of states under general international law law and under human rights law with regard to malicious cyber and misinformation operations conducted by state and non-state actors during the pandemic. First, we consider cyber operations against health care facilities and capabilities, including public health activities operated by the government, and how such operations, when attributable to a state, can violate the sovereignty of other states, the prohibitions of intervention and the use of force, and the human rights of the affected individuals. Second, we perform a similar analysis with regard to state misinformation operations during the pandemic, especially those that directly or indirectly affect human life and health, whether such misinformation is targeting the state’s own population or those of third states. Finally, we turn to the positive obligations that states have to protect their populations from hostile cyber and misinformation operations, to the limits that human rights law imposes on efforts to combat misinformation, and to protective obligations towards third states and their populations.

We argue that international law can play a robust role in addressing the COVID-19 pandemic. For the most part, the parameters of the relevant legal rules are reasonably clear. But significant areas of uncertainty remain. For instance, at least one state, wrongly in our view, rejects the existence of the general international law rule most likely to be breached by COVID-19-related cyber operations, sovereignty. Another major issue is the extraterritorial application of the human rights obligations to respect and protect the rights to life and health in the cyber context, which we examine in detail.

It is difficult to find anything positive about this horrific global pandemic. However, perhaps it can help draw attention to the criticality of moving forward the international cyber law discourse among states much more quickly than has been the case to date. Many states have been cautious about proffering their interpretation of the applicable law, and to some extent rightfully so, but caution has consequences and can leave us normatively ill-prepared for the next crisis. Some states have condemned the COVID-19-related cyber operations, although seldom on the basis of international law as distinct from political norms of responsible state behavior. Hopefully, they will add legal granularity to future statements. But all states, human rights courts, human rights monitoring bodies, the academy, the private sector and NGOs must take up the challenge presented by this tragic pandemic to move the law governing cyberspace in the right direction.

Horowitz: Cyber Operations under International Humanitarian Law: Perspectives from the ICRC

Jonathan Horowitz (ICRC) has posted an ASIL Insight on Cyber Operations under International Humanitarian Law: Perspectives from the ICRC.

Lahmann: Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution

Henning Lahmann (ESMT Berlin - Digital Society Institute) has published Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution (Cambridge Univ. Press 2020). Here's the abstract:

Addressing both scholars of international law and political science as well as decision makers involved in cybersecurity policy, the book tackles the most important and intricate legal issues that a state faces when considering a reaction to a malicious cyber operation conducted by an adversarial state. While often invoked in political debates and widely analysed in international legal scholarship, self-defence and countermeasures will often remain unavailable to states in situations of cyber emergency due to the pervasive problem of reliable and timely attribution of cyber operations to state actors. Analysing the legal questions surrounding attribution in detail, the book presents the necessity defence as an evidently available alternative. However, the shortcomings of the doctrine as based in customary international law that render it problematic as a remedy for states are examined in-depth. In light of this, the book concludes by outlining a special emergency regime for cyberspace.

Lahmann: Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution

Henning Lahmann (Digital Society Institute) has published Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution (Cambridge Univ. Press 2020). Here's the abstract:

Addressing both scholars of international law and political science as well as decision makers involved in cybersecurity policy, the book tackles the most important and intricate legal issues that a state faces when considering a reaction to a malicious cyber operation conducted by an adversarial state. While often invoked in political debates and widely analysed in international legal scholarship, self-defence and countermeasures will often remain unavailable to states in situations of cyber emergency due to the pervasive problem of reliable and timely attribution of cyber operations to state actors. Analysing the legal questions surrounding attribution in detail, the book presents the necessity defence as an evidently available alternative. However, the shortcomings of the doctrine as based in customary international law that render it problematic as a remedy for states are examined in-depth. In light of this, the book concludes by outlining a special emergency regime for cyberspace.

Call for Submissions: International Law and the Internet

The Zeitschrift für ausländisches öffentliches Recht und Völkerrecht/Heidelberg Journal of International Law has issued a call for submissions for a special issue on "International Law and the Internet." The call is here.

Delerue: Cyber Operations and International Law

François Delerue (Institut de Recherche stratégique de l’École militaire) has published Cyber Operations and International Law (Cambridge Univ. Press 2020). Here's the abstract:

This book offers a comprehensive analysis of the international law applicable to cyber operations, including a systematic examination of attribution, lawfulness and remedies. It demonstrates the importance of countermeasures as a form of remedies and also shows the limits of international law, highlighting its limits in resolving issues related to cyber operations. There are several situations in which international law leaves the victim State of cyber operations helpless. Two main streams of limits are identified. First, in the case of cyber operations conducted by non-state actors on the behalf of a State, new technologies offer various ways to coordinate cyber operations without a high level of organization. Second, the law of State responsibility offers a range of solutions to respond to cyber operations and seek reparation, but it does not provide an answer in every case and it cannot solve the problem related to technical capabilities of the victim.

Call for Papers: The Challenge of Global Cybersecurity

A call for papers has been issued for a conference on "The Challenge of Global Cybersecurity," to be held March 26-27, 2020, at the University of Granada. The call is here. The deadline is February 1, 2020.

Workshop: Democracies and Structural Changes in the Digital Age

A workshop on "Democracies and Structural Changes in the Digital Age" will take place December 16-17, 2019, in Hamburg. The program is here. Registration is open until December 11.

Goeble: Freiraum oder Herrschaftsgebiet: Menschenrecht auf Zugang und völkerrechtliche Prinzipien als Schranken staatlichen Handelns im Internet

Thilo Goeble has published Freiraum oder Herrschaftsgebiet: Menschenrecht auf Zugang und völkerrechtliche Prinzipien als Schranken staatlichen Handelns im Internet (Nomos 2019). Here's the abstract:

Der Autor beschäftigt sich mit der Frage, ob und wie völkerrechtliche Schranken die Macht der Staaten im Internet schon heute begrenzen und wie diese in Zukunft aussehen könnten. Insbesondere geht er auf ein Menschenrecht auf Zugang zum Internet ein. Ein Schwerpunkt bildet die Meinungsäußerungs- und Informationsfreiheit auf der Ebene der Vereinten Nationen sowie des Europarates, die aus der Sichtweise verschiedener Eingriffsdimensionen untersucht werden. Hierzu erfolgt eine ausführliche Auswertung der bestehenden Dokumente und der Rechtsprechung. Im Anschluss liefert der Autor einen eigenen Formulierungsvorschlag für ein Menschenrecht auf Zugang zum Internet de lege ferenda. Aufgrund der Qualifizierung des Internets als internationaler (Über-)Raum werden des Weiteren völkerrechtliche Schranken, die sich insbesondere aus dem Bereich des Umweltvölkerrechts, den Regeln der internationalen Beziehungen und des humanitären Völkerrechts ergeben, auf ihre Übertragbarkeit hin untersucht.

Dederer & Singer: Adverse Cyber Operations: Causality, Attribution, Evidence, and Due Diligence

Hans-Georg Dederer (Univ. of Passau) & Tassilo Singer (Univ. of Passau) have posted Adverse Cyber Operations: Causality, Attribution, Evidence, and Due Diligence (International Law Studies, Vol. 95, 2019). Here's the abstract:

Adverse cyber operations against States are on the rise, and so are the legal challenges related to such incidents under public international law. This article will not delve into already intensely debated problems of classification, such as whether adverse cyber operations constitute “armed attacks” or “use of force.” Rather, the article will focus on causality and attribution with special regard to problems of evidence. In particular, the article will elaborate on the applicable standards of proof to be met by the victim State when submitting, or having to submit, evidence to justify self-defense or countermeasures against the State of origin. We propose a “sliding scale” of standards of proof depending on the gravity, or seriousness, of the deviation from public international law. Accordingly, the standard of proof differs depending on whether the victim State strikes back through use of force or through action below the use of force threshold. Importantly, even in light of a high standard of proof, the burden of proof incumbent on the victim State may be discharged based on indirect evidence only. Particularly for satisfying proof of attribution, we suggest distinguishing between cyber operations traceable to State IT systems of the State of origin and cyber operations traceable to private IT systems located within the State of origin. This distinction is significant with regard to the requirements for a rebuttal of attribution by the State of origin. These requirements are expressions of due diligence obligations on the part of the State of origin.