Carmen Gonsalves MA1
I would like to set the scene for this panel by giving you a short overview of the diplomatic efforts towards the legal-normative framework for cyberspace our minister referred to earlier.
I will start by focussing on the opportunities cyberspace continues to offer us. Then I will discuss the threats that unfortunately are on the rise. I will conclude with briefly discussing policies that might mitigate that threat: a two-pronged approach where we focus simultaneously on elaborating the normative framework and supporting and strengthening the consensus surrounding it.
So let me start with the opportunities. The digital revolution does more than contribute to economic growth. The interconnected computing power currently at our disposal has the potential to remedy some of the most deep-seated challenges that modern societies have to deal with such as traffic congestion, waste of resources and environmental degradation.
Self-driving cars and traffic systems can prevent both accidents and traffic jams. Smart thermostats and other residence based systems are not only convenient, but are limiting waste of valuable resources.
Also, with information moving ever more quickly and being disseminated more widely, the public debate should be enriched by contributions via online means. Our interconnectivity still carries the potential for a more inclusive and better-informed debate. You might very well think, after DNC and all that, that is a case of utter fake news. But it isn’t.
At least that is what we have to continue to strive for…
Unfortunately our increasing exposure and reliance on technological solutions also increases what is known as our ‘attack surface’.
A lot of the technology was not built with security in mind and if you look at the behaviour of some state and non state actors, it seems that an opportunistic, unrestrained and sometimes even reckless perspective on how cyberspace can be used is threatening the advances it has brought us and in the worst case even has a potential to set us back further.
Cyber operations conducted by states for geopolitical gain and disinformation, or ‘fake news’ operations, are part of this new stark reality.
So what to do? Strengthening our resilience, however important, will not suffice.
I believe that in order to counter this trend we need to engage in diplomacy.
In the long term the only way to reach a structural solution is to agree upon a legal-normative framework that incentivizes states to abstain from harmful cyber operations.
Over the last years, we’ve made some progress in this regard. In UN discussions, more precisely in the Group of Governmental Experts on developments in the field of information and telecommunication in the context of international peace and security, a.k.a. the UN GGE, many countries have endorsed the principle of using existing norms for new technologies. This sounds complicated but it simply means that the existing international legal order that rules the physical world equally applies to cyberspace and we have to make sure that these rules are upheld. The nature of cyberspace makes that this legal framework may require some clarification, but the point of departure is that the same principles that apply offline, do equally so online. That means, for instance, that in cyberspace the same restrictions on the use of force apply that the UN charter dictates for the physical world. It also means existing international obligations to respect and protect human rights apply equally in cyberspace.
Of course, concepts such as the inherent right of self-defense to respond to an armed attack and IHL only refer to a situation where military operations are being conducted. However, in practice a lot of harmful cyber operations cannot be qualified as the use of force and occur in - an albeit sometimes rather murky- peacetime. On top of that, cyberspace is evolving rapidly, resulting in new and unforeseen challenges.
Against this backdrop and in order to keep up, additional, complementary norms of behaviour are needed. The norms of behaviour as recommended by the UN GGE in 2015 can be considered of foundational importance in this regard.
Ideally further norm setting should benefit from input by stakeholders from industry, academia and civil society. There are processes in place to promote this. The Netherlands supports such processes. A good example is the Global Commission on the Stability of Cyberspace, a group of high-level experts deriving their expertise from distinguished careers in academia, politics, civil society and industry. Not surprisingly led by the former Minister of Foreign Affairs of Estonia, Marina Kaljurand.
Last month, the Commission has released a call for a new norm on the protection of electoral infrastructure. Topical against the backdrop of recent blatant attempts of election interference. Hopefully this norm will be endorsed by the UN, eventually. In time, widely accepted non-binding norms of behaviour have the potential to develop into customary international law.
Norms should not only apply to states, of course, industry is becoming more and more aware of the need to agree on norms for the private sector itself.
In addition to legal frameworks of domestic jurisdictions industry indeed has a role to play. The recent Tech Accord between Microsoft and 33 other big tech companies lays out principles aimed at protecting cybersecurity, including a commitment of security by design. Important, given the risks and security requirements related to the Internet of Things. Security by design cannot completely remedy but can substantially limit the risk that my internet connected bread toaster or fridge is used as a vehicle for attacks on an electricity grid or hospital nearby or in another hemisphere. Notwithstanding efforts by the private sector it is of course states that fulfill a unique responsibility as subjects of international law.
This leads me to the need for other states to respond, in case states do not abide by the international rule book. Diplomacy can be used to address this. This can vary from a diplomatic demarche delivered behind closed doors, to collective naming & shaming or, in more severe cases, building a coalition for imposing political or economic sanctions against a persistent law-breaker.
Finally, we need confidence building measures that ensure that countries can communicate clearly in case of a major international cyber incident in order to de-escalate tensions. This is even more important in cyberspace, because you do not always immediately know where an attack comes from. Which can lead to dangerous misunderstandings.
So, from strengthening international law to supporting norm formulation and CBMs to respond to bad behaviour, diplomacy is an ingredient to make it all work. And we firmly believe that for this purpose we need to boost cooperation between likeminded countries, forging strategic alliances.
That’s why the Netherlands has triggered discussions not only on closer security cooperation, but also on stepping up diplomatic action in both NATO and the EU.
The EU cyber diplomacy toolbox adopted by Ministers last year, providing the EU and its member states with the tools to respond to cyber aggression, is one of the promising results.
The heart of the matter, however, remains a solid legal-normative framework. This is after all, the basis for how we conduct ourselves and therefore the focus of our diplomatic engagement.
Of course, it is not always easy to determine how the law applies in a particular situation. But this is obviously not unique to cyberspace. And most importantly, the fact that it may be difficult to apply the rules, does not mean that there is no law, or that we need a whole new set of rules.
And this is where the Tallinn Manual 2.0 comes in. It provides us with essential guidance. It is the most comprehensive, nuanced and authoritative work on how to apply the rules. Of course, the Manual provides guidance only. I should emphasize that we do not consider it is as prescriptive.
The Netherlands is firmly committed to the view that states, and states alone, make international law. As are, I believe, the authors of the Manual.
That is also the starting point for our capacity building efforts that we engage in in the so-called The Hague Process. Last year we organised a number of training courses in international law in cyberspace in both the ASEAN and OAS regions, aimed at foreign policy decision makers.
Both of these programmes will be continued into 2018 and beyond. Besides, we are working with partners to globally increase our reach and work in new regions.
Our rationale is simple. Since states are the ones making international law, we feel that it is essential to ensure that these decision makers, both lawyers and policy officers, are well informed on how international law applies to cyberspace. We believe that this is an area where expertise can still be strengthened.
We are aware that some countries are inclined to believe that new Codes of Conduct or treaties are the answer to all trouble emanating from cyberspace. The argument seems to be that cyberspace is so inherently ‘different’ that ‘something new’ is needed. However, in a great many cases, these views are harmful to these countries’ own interests. An example is the negation of the principle of the right to self-defense, a key tenet of international law, an element that features centrally in the narrative of supporters of a new cyber Treaty. Even more surprisingly, those supporters tend to reject the notion that International Humanitarian Law applies, an opinion fiercely contested by the ICRC, inter alia, which argues that the core principles of distinction, proportionality, necessity and humanity should protect civilians in situations of armed conflict to the furthest extent possible, in cyberspace as much as in the physical world.
The Treaty supporters argue all this would only lead to the militarization of cyberspace, a far from credible argument when considering who generally make it.
But the shoddy way in which the principles of self-defense and IHL are dealt with by the supporters of the ‘Treaty approach’ is symptomatic of broader risks to the international legal order. If one accepts that cyberspace is somehow fundamentally different and a new treaty should be devised, this opens the door to selectively shopping in international law and creating a mechanism that mostly benefits the mighty. Human rights are but one example of an established body of international law that can be exposed to serious risks.
I cannot emphasize enough that throwing this principle out of the window would only benefit those that have the most advanced cyber offensive programmes and are the least inhibited in using them. We think that capacity-building will help to shed a different, positive light on how these issues can be interpreted.
I hope to have clearly outlined where we stand on the role of international law and norms in cyberspace. Thus, as our Minister already said, we also need to ensure adherence to those rules, by responding to bad behaviour, in order to increase the costs for those going beyond the pale. Inaction leads to a situation where irresponsible behaviour becomes the new norm.
The nature of cyberspace is such that having a prompt and robust diplomatic response to bad actors’ behavior can be more difficult than in the physical world. Whereas it is mostly easy to see from where a missile was launched, the use of cyber weapons doesn’t create smoke plumes. These circumstances influence the risk-reward calculus for some actors when they consider to launch cyber operations. But we have to be careful that the perfect does not become the enemy of the good. In some cases attribution is possible and it is a crucial step in changing this risk-reward calculus of the perpetrator.
It is clear that existing international law applies in cyberspace the same way it does in the offline world, both in situations of armed conflict and in peacetime.
This is the guiding principle for the cyber engagement of The Netherlands and the starting point for any discussion on the need for and content of additional norms.
The Tallinn Manual 2.0 is a valuable reference work clarifying how the rules of international law apply. It is also an outstanding tool for ensuring that the consensus on the application of international law is strengthened. It helps us tremendously in the context of our capacity building efforts.
Increased clarity on how to apply international law, which we have the authors of the Tallinn Manual a lot to thank for, also creates a basis for a powerful lawful diplomatic response.