Cyber Security and International Law

The International Telecommunication Union defines ‘cybersecurity’ as “the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets”. In today’s digital world, where there are more devices than people and the Internet of Things (IoT) is ubiquitous, cybersecurity has assumed greater significance. Any national security policy would be incomplete without a robust cybersecurity component.

Today many countries field offensive cybersecurity capabilities. There are several incentives to conduct cyberattacks: difficulty of attribution, low-cost employment, and perceived non-escalatory potential. For the same reasons, the US resorted to a cyberattack against Iran in June 2019 after Iran had downed a US drone. The 2009 Stuxnet attack on Iran’s enrichment facility set back the Iranian nuclear program by two years. A potent cyberattack against the critical infrastructure of a country can also result in significant physical damage with catastrophic humanitarian consequences. With the increased use of Artificial Intelligence in the digital sphere, an AI-enabled cyberattack can be a great force multiplier in a country’s military arsenal.

At the same time, international normative developments relating to cybersecurity or information communication technologies (ICTs) in the context of international security have been taking place at a frustratingly slow pace. Countries which enjoy technical dominance in the field of cybersecurity and which possess state-of-the-art offensive cybersecurity capabilities are the most reluctant to accept any constraints in the form of legally binding measures or a comprehensive treaty. There is currently no treaty or international convention on cybersecurity.

The Russian Federation first introduced a draft resolution in 1998 on the subject in the First Committee of the UN General Assembly (GA). It was adopted without a vote by the General Assembly as resolution 53/70. Since that time there have been annual resolutions calling for the views of UN Member States on the issue of information security.

In addition, there have been six Groups of Governmental Experts (GGEs) established by the UN since 2004 to examine existing and potential threats in the cyber-sphere and possible cooperative measures to address them. The sixth GGE is meeting from 2019 to 2021. Of the five GGEs that have completed their work, three were able to agree on a consensus report. While the GGEs have been limited in their representation (with only 15-25 members), the UNGA also established an Open-Ended Working Group in December 2018, which is open to participation by the entire UN membership, to discuss ICT security.

What have all these GGEs produced? They have focused only on regulating state behaviour rather than capabilities. The first three GGEs were able to agree on the following important principles:

  • International law, in particular the UN Charter, is applicable to the cyber-sphere and is essential for an open, secure, peaceful and accessible ICT environment.
  • State sovereignty applies to States’ conduct of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory.
  • State efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms.
  • States must not use proxies to commit internationally wrongful acts and must ensure that their territories are not used by non-State actors for unlawful use of ICTs.

The fourth GGE was particularly important as it agreed on a set of voluntary, non-binding norms, rules or principles of responsible behaviour of States aimed at promoting an open, secure, stable, accessible and peaceful ICT environment. These norms covered, inter alia, the challenges of attribution in the case of an ICT incident, the prohibition of any ICT activity that damages ‘critical infrastructure’, responsible reporting of ICT vulnerabilities, ensuring the integrity of ICT supply chains, and international cooperation and exchange of information.

However, the aforementioned principles remain non-legally binding voluntary norms developed by a select number of experts and later endorsed by the UN Member States through GA Resolutions. Essential differences remained in the approaches of several Member States, which prevented consensus in the fifth GGE. For instance, the western states, particularly the US, wanted to include the application of principles such as international humanitarian law (IHL), the right to self-defense, as well as the international law of state responsibility and countermeasures in the ICT sphere. There were concerns on the other side that this would lead to endorsement of the militarization of cyberspace, which several countries want to prevent. For example, how would the law of armed conflict be applied in the ICT sphere? Which activity would constitute a ‘cyberattack’? When would the right to self-defense measures kick in and what could they entail?

Pakistan continues to maintain the position that the complex nature of cyberspace necessitates a cautious interpretation of existing international law principles. In this view, simply applying existing international law to cyberspace is not sufficient to address the multifaceted legal challenges arising from the use of ICTs, and a new legal instrument addressing all these legal challenges is necessary. The existing principles of international law and IHL do not adequately cover all the questions related to cyber operations, and a framework should be drafted that provides definitions for the terms used in cyber operations.
