The need of new International Legislature in the Cyber Realm

The virtuous utilisation of Cyberspace has transformed nations, proliferating their efficiency and development. However, lately the sordid side of this development of cyber-capabilities has transpired. Governments across the globe are now mobilising to parry the growing cyber threats, the complexity and sophistication of which are ever-growing. Cyber criminals are posing a huge threat to the trust of people in the security of cyberspace. These actors are working relentlessly to ensure that digital assets are compromised, while discovering new and simple ways of damaging the integrity of critical infrastructure and disrupting its availability.

As a constantly prospering and developing world, all nations are operating in an environment that subjects them to constantly evolving threats. Ergo, securing cyberspace is paramount for entities around the world to ensure their prosperity, growth, sovereignty and national security. International Cyberspace is a modern environment that is in dire need of structured, adequate and comprehensive protection at the international, national, sector, organisation and individual levels. The world needs to have a perspicacious view with regard to cybersecurity.

All nations, international organizations and regional entities, including the African Union; the Association of Southeast Asian Nations (ASEAN) Regional Forum; the Asia Pacific Economic Cooperation Forum; the Council of Europe; the Economic Community of West African States; the European Union; the League of Arab States; the Organization of American States; the Organization for Security and Cooperation in Europe (OSCE); the North Atlantic Treaty Organization (NATO) and the Shanghai Cooperation Organization (SCO), should systematise and codify international legislation with respect to the regulation of cyberspace.

International humanitarian law, including its core principles of humanity, necessity, proportionality and distinction, is vital when we refer to cyber operations. Cyber attacks should be brought under the purview of an armed attack. International cooperation as well as actions by States in cyberspace should be conducted in conformity with the principles of the United Nations Charter, international law, and relevant international conventions.

At present, the Convention on Cybercrime, also known as the Budapest Convention on Cybercrime or the Budapest Convention, the first international treaty seeking to address Internet and computer crime by harmonising national laws, improving investigative techniques, and increasing cooperation among nations, is the only international legislation on this subject.

How can a cyber attack be defined for the purposes of international law?

Firstly, it should be pari materia to an armed attack if it has a direct or indirect effect which resembles the effect of an armed attack.

It can be defined as:

A cyber attack consists of any action or omission, irrespective of the intent or motive, which is voluntarily taken, promoted, initiated, facilitated, adhered to, abided by, to illegally:

Interfere with, alter the status of, destroy, deplete, degrade, adversely restrict, prohibit, intercept, monitor, decrypt or undermine the functioning of any information generated, transmitted, received or stored in any computer, computer system, computer network, data, computer database or software, having the effect of going against the interest of the sovereignty, national security or integrity of a nation state or any entity/individual/juridical person/groups of individuals, whether organised or unorganised, which is the subject of a nation state and whose rights are guaranteed by the nation state or any international law.

When committed by a non-State Actor, such as

  1. A company or a group of companies: Whether public or private companies, whether having limited or unlimited liability, whether incorporated or not, whether registered or not, having been constituted for any purpose whatsoever
  2. A terrorist outfit, or a sole terrorist given such status either by a nation or by the international community
  3. A private individual or more than one individual acting in combination or with practical co-operation furthering a concerted practice, with the intent to target structures, institutions, organisations, bodies, groups, individuals or a single individual who is vital for the harmonious, secure, stable, peaceful, sovereign and constructive functioning of the state.

When committed directly by a State-entity, no matter the intent;

The Right to Self-Defense 

The inherent right of Self-defence of States should be protected and applied to the realm of cyberspace:

As long as the original attack was initiated, originated or was given effect to from a State, or was under the effective [1] or overall control [2] of a State, as defined by the international judicial organs, it shall be attributable to the state.

As far as the necessity of the response goes, it shall be such as is necessary to prevent, combat or parry future cyberattacks, and as far as the proportionality of the response goes, it shall be such as is proportional to the damage sustained by the nation in the cyber attack;

The onus of assessment of damage caused by a cyber attack should come under the ambit of the sovereign function of the state, but such assessment shall be accepted by the international judicial organs only after the state proves the damage caused to it by its proper quantification with the help of strict proof. If it is later discovered that the assessment of damage is in excess of the real damage, then such state shall be liable to effective, indemnifying and proportionate penalties by way of economic sanctions and trade embargoes.

The use of retorsion or reprisals shall only be made against military objectives in order to respect and be in conformity with Article 52 of the PROTOCOL ADDITIONAL TO THE GENEVA CONVENTIONS OF 12 AUGUST 1949, AND RELATING TO THE PROTECTION OF VICTIMS OF INTERNATIONAL ARMED CONFLICTS (PROTOCOL I), OF 8 JUNE 1977, as per which:

Article 52 — General protection of civilian objects

Civilian objects shall not be the object of attack or of reprisals. Civilian objects are all objects which are not military objectives as defined in paragraph 2.

Attacks shall be limited strictly to military objectives. In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.

In case of doubt whether an object which is normally dedicated to civilian purposes, such as a place of worship, a house or other dwelling or a school, is being used to make an effective contribution to military action, it shall be presumed not to be so used.

As far as the use of kinetic modes as a response is concerned, kinetic self-defence is a valid answer to a cyber-attack if it is in complete consonance with the principles of necessity and proportionality referred to above.

As far as anticipatory self-defence goes, it shall be considered to be valid only if it includes defensive action(s) that are taken in preparation for potential cyber attacks or cyber threats by enhancing the capabilities of a nation.

Defensive action(s) should not include any form of offensive defence.

That in cases where the attack:

By a state, or a non-state actor under its effective or overall control, does not trigger the rules of defence under Article 51 by virtue of being below the Article 51 threshold, the appropriate defence available shall be a démarche or a request to the Security Council for action at the diplomatic level, with economic sanctions or trade embargoes, or with publicity unfavourable to the nation where the incident originates.

By a non-state actor, individual, or group of individuals acting in a combined concerted practice, does not trigger the rules of defence under Article 51 by virtue of being below the Article 51 threshold, the perpetrator entity shall have personal criminal liability as per the law of the land prevailing in the attacked state and such person shall be extradited to the said state irrespective of whether there is any extradition treaty in existence or not. (However, extradition as per this clause does not amount to any extradition treaty and shall not create any right with respect to having any extradition treaty unless expressly agreed by the concerned states. It shall only be utilised for the extradition in cases of the actus reus referred to herein above.)

The aspect of accountability 

Constant vigilance by an international body (hereinafter referred to as such body) having representatives from all the participating nations shall play a vital role in preventing malicious attacks in the cyber realm or in striking them down at the very inception.

It is further stated that such body is sought to be set up keeping in view the 1947 resolution of the Corfu Channel Dispute (Corfu Channel [U.K. v. Alb.], Merits 1949, I.C.J. 4 [Apr 9]), wherein the ICJ based its decision on “certain general and well-defined principles,” specifically “every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other states,” and keeping in view the “no harm” principle enshrined in the Trail Smelter Case.

Furthermore, such body will help counter malicious obfuscation methods and absolve the neutral states, the computer, computer system(s), computer network(s), data, computer database(s) or software(s) of which are used as a conduit or a transit for effectuating an act of cyber conflict. Only the legally authorised representative of a country should have access to the vital information (as defined by the respective countries) of his/her country, and any action by the whole body to parry, prevent or counter the malicious attack should be taken only after the prior consent of the government of the attacked nation, which should be obtained by and communicated to their country’s said legally authorised representative.

The participating nations under cooperative international policies such as HARISS (Harmoniously Allocating Resources in Securing Syntax) should provide their inputs for the establishment, facilitation and maintenance of this international body.

The term input refers to

  • Human Resources
  • Monetary Funds (in any form)
  • Infrastructure (in any form)
  • Capital (in any form), or
  • Any other form of utility

It is further stated that the functions of such body, among other things which can be defined as time progresses, should necessarily include what can be referred to as CURE, which has been elaborated herein-under:

Construction and Upkeep of

● Suggestion with respect to the amendments to definitions which do not alter the basic structure of the definitions as per the international legislature and are in consonance with the spirit of international legislation.

● Implementation of strategies, frameworks and policies for enhancing cyber hygiene and cyber security.

● Its jurisdiction subject to the prior consent of the government of the concerned nation.

● A monitoring mechanism by which each representative of a country shall carefully monitor at all times the cyber activities of his respective country.

● Rules and Regulations with respect to the internal functions of such body which facilitate, promote and encourage smooth and uninterrupted functioning of such body.

● Capabilities to respond and react to cyber incidents (e.g. a Computer Security Incident Response Team [CSIRT]).

● Defining and implementing technical standards that might be followed by its members subject to their discretion.

● Defining and implementing measures for enhancement of cyber security.

● A Log of all the malicious activities carried out in the cyber realm which were identified during its close monitoring.

● Peace and accord between all its members.

● Methods and practices to patch the defects, lacunas and loopholes in the codes.

● Security Patches that are easily accessible to all.

● Other functions that are necessary for advancing the purpose and aim behind the constitution of such body.

● Provisions of training, education and certification for the members.

● Engagement with domestic and international actors for collaborating on cyber security, such as through the Budapest convention and other similar conventions, for purposes like permitted information sharing, law enforcement, intelligence (permitted) etc.

Regulating and Enforcing

● The legal rights of the members.

● The rules, regulations and policies which regulate the conduct of the body and its members and are fundamental to the effective and smooth functioning of such body.

Accountability may also be determined through means such as:

  1. Technical and forensic evidence, such as detected signals intelligence (SIGINT), human intelligence (HUMINT) obtained through national secret services, and open-source intelligence (OSINT).
  2. The geopolitical context corroborated by forensic evidence.

The relationship between cybercrime, cyber attack and cyber warfare

A cybercrime is the actual actus reus, a cyber attack being one of the tools that can be utilised for the commission of the cybercrime, and cyber warfare is one of the possible consequences of the cybercrime.

Concluding remarks

All the nation states should aim at effective cooperation, as appropriate, with the private sector, academia and civil society organisations to strengthen the attribution of a cyber attack, in terms of gathering and examining all relevant data of the technical, political and legal dimension. Both the state and non-state actors (obviously not criminals) should also contribute to the law-making process so that the longevity and practical applicability of the laws is ensured.

_____________________________________

[1] The Effective Control standard, as referred to in the Nicaragua case, shall be defined as a nation’s control over paramilitaries or other non-state actors only if the actors in question are in complete dependence on the state.

[2] The Overall Control standard, as referred to in the Tadic case, shall be referred to as where a state has a role in organising, coordinating and providing support for a group.

-Tushar Kaushik 
