Showing posts with label Cyberspace. Show all posts

Monday, August 30, 2021

Coco & de Souza Dias: 'Cyber Due Diligence': A Patchwork of Protective Obligations in International Law

Antonio Coco (Univ. of Essex - Law) & Talita de Souza Dias (Univ. of Oxford - Jesus College) have posted 'Cyber Due Diligence': A Patchwork of Protective Obligations in International Law (European Journal of International Law, forthcoming). Here's the abstract:
With a long history in international law, the concept of due diligence has recently gained traction in the cyber context, as a promising avenue to hold states accountable for harmful cyber operations originating from, or transiting through, their territory, in the absence of attribution. Nonetheless, confusion surrounds the nature, content and scope of due diligence. It remains unclear whether it is a general principle of international law, a self-standing obligation or a standard of conduct, and whether there is a specific rule requiring diligent behaviour in cyberspace. This has created an ‘all-or-nothing’ discourse: either states have agreed to a rule or principle of ‘cyber due diligence’, or no obligation to behave diligently would exist in cyberspace. We propose to shift the debate from label to substance, asking whether states have duties to protect other states and individuals from cyber harms. By revisiting traditional cases, as well as surveying recent state practice, we contend that – whether or not there is consensus on ‘cyber due diligence’ – a patchwork of different protective obligations already applies, by default, in cyberspace. At their core is a flexible standard of diligent behaviour requiring states to take reasonable steps to prevent, halt and/or redress a range of online harms.

Monday, August 2, 2021

Heller: In Defense of Pure Sovereignty in Cyberspace

Kevin Jon Heller (Univ. of Copenhagen; Australian National Univ.) has posted In Defense of Pure Sovereignty in Cyberspace (International Law Studies, forthcoming). Here's the abstract:

The final report of the United Nations Open-Ended Working Group (OEWG), adopted by consensus in March 2021, affirms that international law applies to cyberspace and calls upon states “to avoid and refrain from taking any measures not in accordance with international law.” Significant differences nevertheless remain concerning how international law applies to cyberspace, because states have been unable to agree on what kinds of cyber-operations international law prohibits. Instead, the OEWG’s final report simply – and rather tepidly – articulates 11 “voluntary, non-binding norms of responsible State behaviour.”

States are particularly divided over the international wrongfulness of cyber-operations that penetrate computer systems located on the territory of another state but do not rise to the level of a use of force or prohibited intervention – what are often referred to as “low intensity” cyber-operations. Low-intensity cyber-operations, which include most acts of extraterritorial law-enforcement (including counterterrorism) and espionage, are the most common form of cyber-operation and are likely to become even more common over time, given their relative lack of expense and their significant utility for states.

States have adopted three very different positions concerning whether low-intensity cyber-operations are internationally wrongful, all of which turn on whether such operations violate the sovereignty of the territorial state. The first position, endorsed by the UK and the US, is that low-intensity cyber-operations are never wrongful, because sovereignty is a principle of international law, not a primary rule that can be independently violated. The second position, defended most vigorously by France, is that low-intensity cyber-operations are always wrongful, because sovereignty is a primary rule of international law that is violated by any non-consensual penetration of a computer system located on the territory of another state – what has been called the “pure sovereigntist” approach. And the third position, adopted by states such as the Netherlands and the Czech Republic, is that although sovereignty is a primary rule of international law, only low-intensity cyber-operations that cause some kind of physical damage to the territorial state or render its cyber-infrastructure inoperable are wrongful – what has been called the “relative sovereigntist” approach.

This article has two purposes: to explain the different positions that states have taken on whether low-intensity cyber-operations violate sovereignty, and to provide a comprehensive analysis of which position is the strongest both legally and in terms of cyber policy. The article is divided into five sections. Section I briefly explains why sovereignty is a primary rule of international law, not simply a principle from which specific primary rules can be derived. Section II asks whether sovereignty applies in cyberspace as a rule, agreeing with the vast majority of states that it does. Section III explains and assesses the two positions that states have taken concerning how sovereignty applies in cyberspace as a rule: pure sovereignty and relative sovereignty. It concludes that the pure-sovereigntist position has a much stronger foundation in general international law than the relative-sovereigntist position. Section IV then analyses and rejects the most common legal objection to that conclusion: the supposed permissibility of espionage. Finally, Section V argues that a variety of policy considerations also favour pure sovereignty over relative sovereignty.

Friday, July 2, 2021

Conference: The Challenge of Global Cybersecurity

On September 16-17, 2021, the University of Grenada will host a conference on "The Challenge of Global Cybersecurity." Program and registration are here.

Monday, January 25, 2021

Conference: The Peaceful Settlement of Cyber Disputes

On March 4-5, 2021, the Sheffield Centre for International and European Law at the University of Sheffield will host an online conference on "The Peaceful Settlement of Cyber Disputes." Registration is free but prior registration is required. The program and registration details can be found here.

Thursday, November 26, 2020

Symposium: Exploring the Frontiers of International Law in Cyberspace

On December 4, 2020, the European Society of International Law, the Jagiellonian University Chair of Public International Law, and the Grotius Centre for International Legal Studies will hold an online symposium on "Exploring the Frontiers of International Law in Cyberspace." Program and registration information are here.

Wednesday, October 14, 2020

Milanovic: Surveillance and Cyber Operations

Marko Milanovic (Univ. of Nottingham - Law) has posted Surveillance and Cyber Operations (in Research Handbook on Extraterritorial Human Rights Obligations, Mark Gibney et al. eds., forthcoming). Here's the abstract:

This chapter examines the extent to and the basis on which human rights treaties apply extraterritorially to state surveillance and cyber operations. Consider only the following examples: (1) The targeted surveillance of a specific individual outside a state’s territory – as, for instance, with the operations allegedly conducted by the authorities of Saudi Arabia against Saudi dissidents abroad, one of which ultimately led to the plot to assassinate the journalist Jamal Khashoggi, or against the CEO of Amazon, Jeff Bezos, apparently in a rather crude attempt to blackmail him. (2) Mass surveillance or bulk collection programmes, such as those run by the US and UK signals intelligence agencies, that syphon the content of electronic communications of millions of people outside the state’s territory, or the metadata about these communications, in order to create searchable datasets in which persons of particular interest, e.g. suspected terrorists, can then be found. (3) Cyber operations that exfiltrate data on Covid-19 vaccine research, potentially affecting the development of vaccines that could save many thousands of lives. (4) Cyber operations that destroy or manipulate such data. (5) Cyber operations against hospitals or against critical infrastructure, which directly endanger many lives. (6) Cyber operations against media outlets, which disrupt their activities and inhibit their freedom of expression. (7) Online misinformation operations for various purposes, for example to manipulate the outcome of an election or to destroy public trust in state institutions during the pandemic. Common to all of these scenarios is that through entirely digital means states can violate a host of different human rights, from the rights to privacy and the freedom of expression, to the right to life and the right to health, of persons located outside their territories.

The chapter will first proceed to briefly outline how the traditional models of extraterritorial application, the spatial and the personal, would apply to surveillance and cyber operations, examining a few old cases in which the issue was raised, if never properly resolved. It will then look at recent developments that are particularly important in the surveillance and cyber context, even if some of them are not directly apposite: a judgment of the UK Investigatory Powers Tribunal, the advisory opinion of the Inter-American Court of Human Rights on the environment and human rights, the Human Rights Committee’s General Comment No. 36 on the right to life, and the judgment of the Federal Constitutional Court of Germany on the applicability of the German Basic Law to surveillance operations abroad. The chapter will then finally offer some concluding thoughts on the direction towards which the legal position is likely to evolve, and should evolve, regarding the applicability of human rights law to extraterritorial surveillance and cyber operations.

Sunday, October 11, 2020

Call for Submissions: Cyber Law Toolkit

A call for submissions has been issued for the 2021 update of the Cyber Law Toolkit, an interactive web-based resource on the international law of cyber operations. Here's the call:
Cyber Law Toolkit, the leading interactive web-based resource on the international law of cyber operations, is inviting submissions for its next general update in September 2021. Successful authors will be awarded an honorarium. The Toolkit consists of a growing number of hypothetical scenarios, each of which contains a description of cyber incidents inspired by real-world examples and accompanied by detailed legal analysis. To keep pace with the recent developments in the cyber security domain and remain a relevant source for practitioners and scholars alike, the Toolkit is regularly updated. The project team welcomes proposals for new scenarios to be included in the 2021 Toolkit update. This call for submissions is open until 15 November 2020. For more information, see the full text of the call.

Monday, September 14, 2020

Benesch: But Facebook’s Not a Country: How to Interpret Human Rights Law for Social Media Companies

Susan Benesch (Harvard Univ. - Dangerous Speech Project) has posted But Facebook’s Not a Country: How to Interpret Human Rights Law for Social Media Companies (Yale Journal on Regulation, forthcoming). Here's the abstract:

Private social media companies regulate much more speech than any government does, and their platforms are being used to bring about serious harm. Yet companies govern largely on their own, and in secret.

To correct this, advocates have proposed that companies follow international human-rights law. That law–by far the world’s best-known rules for governing speech–could improve regulation itself, and would also allow for better transparency and oversight on behalf of billions of people who use social media.

This paper argues that for this to work, the law must first be interpreted to clarify how (and whether) each of its provisions are suited to this new purpose. For example, the law provides that speech may be restricted to protect national security, as one of only five permissible bases for limiting speech. Governments, for which international law was written, may regulate on that basis, but not private companies which have no national security to protect.

To fill some of the gap, the paper explains and interprets the most relevant provisions of international human-rights law–Articles 19 and 20 of the International Covenant on Civil and Political Rights, which pertain to freedom of expression–for use by social media companies, in novel detail.

Friday, August 7, 2020

Kettemann: The Normative Order of the Internet: A Theory of Rule and Regulation Online

Matthias C. Kettemann (Leibniz Institute for Media Research │ Hans-Bredow-Institut) has published The Normative Order of the Internet: A Theory of Rule and Regulation Online (Oxford Univ. Press 2020). Here's the abstract:

There is order on the internet, but how has this order emerged and what challenges will threaten and shape its future? This study shows how a legitimate order of norms has emerged online, through both national and international legal systems. It establishes the emergence of a normative order of the internet, an order which explains and justifies processes of online rule and regulation. This order integrates norms at three different levels (regional, national, international), of two types (privately and publicly authored), and of different character (from ius cogens to technical standards).

Matthias C. Kettemann assesses their internal coherence, their consonance with other order norms and their consistency with the order's finality. The normative order of the internet is based on and produces a liquefied system characterized by self-learning normativity. In light of the importance of the socio-communicative online space, this is a book for anyone interested in understanding the contemporary development of the internet.

This is an open access title available under the terms of a CC BY-NC-ND 4.0 International licence. It is offered as a free PDF download from OUP and selected open access locations.

Saturday, July 18, 2020

Lahmann: 'Hacking Back' by States and the Uneasy Place of Necessity within the Rule of Law

Henning Lahmann (ESMT Berlin - Digital Society Institute) has posted 'Hacking Back' by States and the Uneasy Place of Necessity within the Rule of Law (Zeitschrift für Ausländisches Öffentliches Recht und Völkerrecht, forthcoming). Here's the abstract:
The article deals with necessity as one of the circumstances precluding wrongfulness under customary international law and how, in view of the protracted problem of timely attribution in cyberspace, it will likely gain relevance when states are forced to defend against malicious cyber operations threatening important assets such as critical infrastructures. While the necessity doctrine seems fit for purpose in principle, the article argues that it lacks granularity, as it has rarely been tested on the international plane. More importantly, like all norms that invoke an exception to the normal function of the law in an emergency situation, necessity is problematic from an international rule-of-law point of view. Taking these pitfalls into account, the article proposes some general principles for a possible special emergency regime for cyberspace that could put cyber necessity on a normatively more stable footing.

Shany & Schmitt: An International Attribution Mechanism for Hostile Cyber Operations

Yuval Shany (Hebrew Univ. of Jerusalem - Law) & Michael N. Schmitt (Univ. of Reading - Law) have posted An International Attribution Mechanism for Hostile Cyber Operations (International Law Studies, forthcoming). Here's the abstract:

This article is the result of an international research project organized by the Federmann Cyber Security Research Center at Hebrew University to consider the feasibility of establishing an international attribution mechanism for hostile cyber operations, as well as the usefulness of such a body. The authors observe that, at present, states wielding significant cyber capability have little interest in creating such a mechanism. These states appear to be of the view that they can generate sufficient accountability and deterrence based on their independent technological capacity, access to expertise and to offensive (active defense) cyber tools, political clout, security alliances, and other policy tools, such as sanctions. However, countries with limited technological capacity and less ability to mobilize international support for collective attribution are more amenable to the prospect.

To date, proposals to establish an international attribution mechanism have not acquired momentum. However, the authors suggest that progress remains possible by focusing on the three logical constituencies for such a body—States with limited technological, intelligence, and diplomatic capacity; States interested in generating broad collective attribution of attacks perpetrated against them; and international and regional organizations operating a cyber-related sanctions regime. Such a focus, combined with greater granularity, would significantly improve the prospects for the establishment of an international attribution mechanism and its eventual utilization by the international community.

Saturday, June 20, 2020

Hamilton: Governing the Global Public Square

Rebecca J. Hamilton (American Univ. - Washington College of Law) has posted Governing the Global Public Square (Harvard International Law Journal, forthcoming). Here's the abstract:

Social media platforms are the public square of our era – a reality that has been entrenched by the widespread closure of physical public spaces in response to the Covid-19 pandemic. And this online space is global in nature, with over 2.5 billion users worldwide. Its governance does not fall solely to governments. With the rise of social media, important decisions about what content does - and does not - stay online are made by private technology companies.

Reflecting this reality, cutting-edge scholarship has converged on a triadic approach to understanding how the global public square operates - with states, users, and technology companies marking out three points on a “free speech triangle” that determines what content appears online. While offering valuable insights into the nature of online speech regulation, this scholarship—which has influenced public discussion—has been limited by drawing primarily on a recurring set of case studies arising from the U.S. and the European Union. As a result, the free speech triangle has locked in assumptions that make sense for the U.S. and the EU, but that regrettably lack broad applicability.

This Essay focuses our attention on the global public square that actually exists, rather than the narrow U.S. and European-centric description that has commanded public attention. Drawing on interviews with civil society, public sources, and technology company transparency data, it introduces a new set of case studies from the Global South, which elucidate important dynamics that are sidelined in the current content moderation discussion.

Drawing on this broader set of materials, I supplement the free speech triangle’s analysis of who is responsible for online content, with the question of what these actors do. In this way, activity within the global public square can be grouped into four categories: content production, content amplification, rule creation, and enforcement. Analyzing the governance of the global public square through this functional approach preserves important insights from the existing literature while also creating space to incorporate the plurality of regulatory arrangements around the world. I close with prescriptive insights that this functional approach offers to policymakers in a period of unprecedented frustration with how the global public square is governed.

Sunday, June 14, 2020

Keitner: Foreign Election Interference and International Law

Chimène Keitner (Univ. of California - Hastings College of the Law) has posted Foreign Election Interference and International Law (in Election Interference: When Foreign Powers Target Democratic Institutions, Duncan Hollis & Jens David Ohlin eds., forthcoming). Here's the abstract:
This draft chapter explores the possibilities, and limitations, of international law in regulating states’ attempts to influence each other’s elections. It begins by tracing attempts to further codify the non-intervention principle in the 1960’s and 1970’s. It then examines the tension produced by states’ conflicting desires to preserve the greatest possible freedom of action for themselves and to constrain the behavior of others. To date, this dynamic has impeded the ability to formulate explicit treaty-based solutions to the problem of foreign election interference. Identifying customary international law in this area requires inferring specific conduct-regulating rules from general principles, which can yield contested results. States are unlikely to agree to more granular, binding international rules as long as regimes currently in power benefit from constructive ambiguity. Although agreement on more concrete rules and enforcement mechanisms might remain elusive, like-minded states should continue to emphasize the importance of supporting peoples’ abilities to determine their own political destinies. This requires, at a minimum, promoting an anti-deception norm as a matter of both domestic and international law.

Friday, May 29, 2020

Milanovic & Schmitt: Cyber Attacks and Cyber (Mis)information Operations during a Pandemic

Marko Milanovic (Univ. of Nottingham - Law) & Michael N. Schmitt (Univ. of Reading - Law) have posted Cyber Attacks and Cyber (Mis)information Operations during a Pandemic (Journal of National Security Law & Policy, forthcoming). Here's the abstract:

The COVID-19 pandemic has been accompanied by reprehensible cyber operations directed against medical facilities and capabilities, as well as by a flood of misinformation. Our goal in this article is to map out the various obligations of states under general international law and under human rights law with regard to malicious cyber and misinformation operations conducted by state and non-state actors during the pandemic. First, we consider cyber operations against health care facilities and capabilities, including public health activities operated by the government, and how such operations, when attributable to a state, can violate the sovereignty of other states, the prohibitions of intervention and the use of force, and the human rights of the affected individuals. Second, we perform a similar analysis with regard to state misinformation operations during the pandemic, especially those that directly or indirectly affect human life and health, whether such misinformation is targeting the state’s own population or those of third states. Finally, we turn to the positive obligations that states have to protect their populations from hostile cyber and misinformation operations, to the limits that human rights law imposes on efforts to combat misinformation, and to protective obligations towards third states and their populations.

We argue that international law can play a robust role in addressing the COVID-19 pandemic. For the most part, the parameters of the relevant legal rules are reasonably clear. But significant areas of uncertainty remain. For instance, at least one state, wrongly in our view, rejects the existence of the general international law rule most likely to be breached by COVID-19-related cyber operations, sovereignty. Another major issue is the extraterritorial application of the human rights obligations to respect and protect the rights to life and health in the cyber context, which we examine in detail.

It is difficult to find anything positive about this horrific global pandemic. However, perhaps it can help draw attention to the criticality of moving forward the international cyber law discourse among states much more quickly than has been the case to date. Many states have been cautious about proffering their interpretation of the applicable law, and to some extent rightfully so, but caution has consequences and can leave us normatively ill-prepared for the next crisis. Some states have condemned the COVID-19-related cyber operations, although seldom on the basis of international law as distinct from political norms of responsible state behavior. Hopefully, they will add legal granularity to future statements. But all states, human rights courts, human rights monitoring bodies, the academy, the private sector and NGOs must take up the challenge presented by this tragic pandemic to move the law governing cyberspace in the right direction.

Sunday, May 10, 2020

Lahmann: Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution

Henning Lahmann (ESMT Berlin - Digital Society Institute) has published Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution (Cambridge Univ. Press 2020). Here's the abstract:
Addressing both scholars of international law and political science as well as decision makers involved in cybersecurity policy, the book tackles the most important and intricate legal issues that a state faces when considering a reaction to a malicious cyber operation conducted by an adversarial state. While often invoked in political debates and widely analysed in international legal scholarship, self-defence and countermeasures will often remain unavailable to states in situations of cyber emergency due to the pervasive problem of reliable and timely attribution of cyber operations to state actors. Analysing the legal questions surrounding attribution in detail, the book presents the necessity defence as an evidently available alternative. However, the shortcomings of the doctrine as based in customary international law that render it problematic as a remedy for states are examined in-depth. In light of this, the book concludes by outlining a special emergency regime for cyberspace.

Sunday, April 5, 2020

Lahmann: Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution

Henning Lahmann (Digital Society Institute) has published Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution (Cambridge Univ. Press 2020). Here's the abstract:
Addressing both scholars of international law and political science as well as decision makers involved in cybersecurity policy, the book tackles the most important and intricate legal issues that a state faces when considering a reaction to a malicious cyber operation conducted by an adversarial state. While often invoked in political debates and widely analysed in international legal scholarship, self-defence and countermeasures will often remain unavailable to states in situations of cyber emergency due to the pervasive problem of reliable and timely attribution of cyber operations to state actors. Analysing the legal questions surrounding attribution in detail, the book presents the necessity defence as an evidently available alternative. However, the shortcomings of the doctrine as based in customary international law that render it problematic as a remedy for states are examined in-depth. In light of this, the book concludes by outlining a special emergency regime for cyberspace.

Thursday, March 19, 2020

Delerue: Cyber Operations and International Law

François Delerue (Institut de Recherche stratégique de l’École militaire) has published Cyber Operations and International Law (Cambridge Univ. Press 2020). Here's the abstract:
This book offers a comprehensive analysis of the international law applicable to cyber operations, including a systematic examination of attribution, lawfulness and remedies. It demonstrates the importance of countermeasures as a form of remedies and also shows the limits of international law, highlighting its limits in resolving issues related to cyber operations. There are several situations in which international law leaves the victim State of cyber operations helpless. Two main streams of limits are identified. First, in the case of cyber operations conducted by non-state actors on the behalf of a State, new technologies offer various ways to coordinate cyber operations without a high level of organization. Second, the law of State responsibility offers a range of solutions to respond to cyber operations and seek reparation, but it does not provide an answer in every case and it cannot solve the problem related to technical capabilities of the victim.