Keynote HE Ms. Ank Bijleveld MA, Minister of Defence1
“We have to steer the cyber domain, before it steers us.”
What a day it has been. This day has brought forth several important new insights.
As you are aware, the Netherlands is playing an active role in fostering the discussion on international law in cyberspace. To further substantiate our role, my colleague Minister of Foreign Affairs Stef Blok, and I, thought it would be a good idea to talk about this issue in an open setting. And to do so here in The Hague, the legal capital of the world, on the first birthday of the Tallinn Manual 2.0. Today was also an excellent opportunity to demonstrate the close relationship between our respective ministries.
It is important that Defence and Foreign Affairs work together on promoting international peace and security. I am most pleased with the international composition of the two panels, under the guidance of Professor Mike Schmitt.
You may have already heard this, but the word cyber actually stems from the Greek word kubernetes, which can be translated as cybernetics. It means ‘steersman’. And that is exactly what this conference is about.
We have to steer the cyber domain, before it steers us.
I think all of us in this room would agree that the world will not be better off if we allow the cyber domain to spiral out of control. Digital technology may be moving at a dazzling speed, but that does not mean that it should fall outside the scope of international law. This point was the very essence of the 2011 ‘Cyber Warfare’ report.
This ground-breaking report was published by two Dutch advisory bodies:
- the Advisory Council on International Affairs
- and the Advisory Committee on Issues of Public International Law.
The report stated that a cyber-attack can be considered an ‘armed attack’, if it leads to a serious disruption with long-lasting consequences. For instance, if a cyber-attack targets the entire Dutch financial system or if it prevents the government from carrying out essential tasks such as policing or taxation...it would qualify as an armed attack. And it would thus trigger a state’s right to defend itself, even by force.
The Dutch government supports the general conclusions of this report. Luckily, more and more states have since acknowledged that in the cyber domain - as in all other domains - all states are equal before the law. So, it’s not so much a question of whether the rules apply, but of how to apply them. Out of this need for clarity and consensus, the Tallinn Manual was born. Both the original manual and the updated manual ‘Tallinn 2.0’ have helped clarify the legal framework for cyber operations.
Let me please note that the Dutch Government is very grateful for the work done by Professor Mike Schmitt, Ms. Liss Vihul and the international group of experts. The Netherlands actively supports the work of the Cooperative Cyber Defence Centre of Excellence in Tallinn. And we are proud that two members of Dutch academia participated in the Tallinn Manual 2.0 process. I think the manual’s added value will continue to grow over the coming years.
But having a clear legal framework would be null and void, if states are not able to attribute digital attacks. Without a clear answer to ‘who did it?’ there can be no legal retribution, no countermeasures and no self-defence. You have to know what and who hit you, before you can hit back. And whether that should be with your fist or by a slap on the wrist. Now as we know, attribution of cyber-attacks is quite complex. It is subject to much debate and confusion.
So to shed some light on this matter, our scholars at the Netherlands Defence Academy have developed a conceptual framework. It comprises 4 phases.
The first phase is: detection. Attribution starts with the fact that you have to be aware of the harmful effects caused by a cyber-attack. Only then is it possible to start determining the full scope of its effects. And what digital interference is causing these harmful effects.
This brings us to the second phase: technical attribution. In this phase, the attack is linked to a digital source. This can be an email account, a piece of malware or an IP address. The aim of technical attribution is to establish technical authorship: who did it? Which individual or group actually conducted the attack?
The third phase brings in the lawyers. Once the technical author of the attack is known, it will be their task to advise the government on legal responsibility. Who is behind the attack? And especially: which state? If any. If states are involved, the rules on State Responsibility apply.
Once legal responsibility has been established, it is up to the Government to come up with a response. That is the fourth and final phase of the framework. This response could take the shape of purely protective measures, law enforcement, countermeasures, or ultimately self-defence.
In brief: attribution requires 1. detection, 2. technical authorship, and 3. legal authorship, before one is able to respond.
Each state can decide for itself whether it wants to make public the parties responsible for an attack. Or whether it wants to respond directly – discretely – to the actor responsible. Quite often, attribution will not take place publicly. But if this process is made public, it can help if more states become involved. If states work together to detect and attribute cyber-attacks, they can make more effective and accurate assessments. Two recent examples of this are the WannaCry ransomware-attack and the NotPetya cyber-attack.
Together, states can also send a strong signal to the world that all actions - offline or online - have consequences. Governments will also have to practice cyber-attack scenario’s as often as they can, as they are doing with the Locked Shields exercise. Because time is ticking away. Over the last decade, the likeliness of a cyber-attack has increased and will continue to increase. This was noted once again in the latest Cyber Security Assessment for the Netherlands, published just last week. Last month, the United Kingdom's Attorney General Jeremy Wright gave an outstanding speech, in which he set out the UK’s position on this issue. He stated the following: “The clearer we are about the boundaries of acceptable behavior, the lower the risk of miscalculation and the clearer the consequences can be for transgressing them.”
I couldn’t agree more.
If we want to preserve our rules-based international order and properly steer cyber operations, we have to work together and set clear boundaries. I thank every one of you present here today for helping us achieve that goal. And for doing what you can to make this world – online and offline – a safer place. Thank you.