International Law in Future Frontiers

CHECK AGAINST DELIVERY

It is fantastic to be standing here today in Chatham House to speak to you all about cyber and international law.

In 1982, on a visit to Japan, Margaret Thatcher presented a ZX Spectrum to the Japanese Prime Minister. “This is a Small. Home. Computer,” she told the bemused premier, before purposefully pressing a button on the keyboard which changed the screen to reveal a game of chess. Although by the end of the decade the British entrepreneur Sir Clive Sinclair had sold two and a half million units of his ZX in the UK, for most people the personal computer was always just a bit of fun. Why would you painstakingly key in your contacts when you already had an address book?

40 years on, it’s hard to understate our reliance on computers. Just imagine how Margaret Thatcher would have reacted in 1982 if you had told her that the small electronic box in front of her would require defence from a dedicated state agency with a budget running into billions of pounds! As a sound fiscal conservative, she may have been tempted to knock it off the table, rather than showcase the British creation across the world.

Once-novel uses of cyber technology, like making a medical appointment or shopping online, have now become routine and sometimes unavoidable. And since an event occurring in cyberspace can have real world consequences, it’s clear that it requires increasing levels of international co-operation, as can be seen in the India-UK cyber statement agreed during the Prime Minister’s recent visit there. Such agreements help States to trade goods, services and ideas. Cyber activity is also now part of how some disputes or tension between countries play out.

Our reliance on cyber has, of course, created huge challenges. Events over the past 10 years, in particular, have demonstrated the vulnerability of critical sectors to disruptive State cyber activity. Perhaps most notoriously, the 2017 NotPetya cyber-attack, which masqueraded as ransomware but served principally to disrupt, affecting in particular Ukraine’s financial, energy and government institutions. But its indiscriminate design also caused wider disruption across the globe, costing firms in sectors of industry as varied as shipping, food production, pharmaceutical research and advertising, hundreds of millions in recovery costs. More recently, Microsoft reported that shortly before Russia’s illegal invasion of Ukraine, the Russian Main Intelligence Directorate (the GRU) targeted destructive malware against hundreds of systems across Ukraine affecting the IT, energy and financial sectors.

The ongoing conflict in Ukraine has demonstrated, on the part of Russia, a callous disregard for established international rules. However, the unprecedented and united international response in support of Ukraine has also reinforced the value of having a framework that makes clear when State action is unlawful.

Cyber is part of the conflict. As Sir Jeremy Fleming recently noted, we have seen cyber in this conflict, and lots of it. The UK, US, EU and other allies announced last week that Russia has been behind a series of cyber-attacks since the start of its illegal invasion. The most recent attack on communications company Viasat in Ukraine had a wider impact across the continent, disrupting wind farms and internet users in central Europe. Putin is also waging a dangerous disinformation war, hiding the truth from the Russian people.

Shaping the international order

Commentators often talk in hushed tones of cyber weapons, with little understanding of what they are, or of the rules which govern how they are used. This misunderstanding means we can see every cyber incident as an act of warfare which threatens to bring down the modern world around us and it’s not uncommon for even seasoned observers to think in this way, as they speak of cyber as a new battlespace where no rules apply. But cyberspace is not a lawless ‘grey zone’. International law governs and plays a fundamental role in regulating cyberspace.

Which is why today I would like to set out how the UK considers international law applies in cyberspace during peacetime, against the backdrop of the Prime Minister’s Integrated Review and the Government’s National Cyber Strategy. With particular focus on the rule on non-intervention, its application to key sectors, and avenues for response.

I’m focusing on the law applicable in peacetime because the UK has already set out that cyber operations are capable of breaching the prohibition on the threat or use of force, and that the law applicable in armed conflict applies just the same to the use of cyber means as other means of waging war. And I want to be clear that in the same way that a country can lawfully respond when attacked militarily, there is also a basis to respond, and options available, in the face of hostile cyber operations in peacetime.

The UK was one of the very first States to articulate publicly its views on the application of international law in cyberspace. I will build on what one of my predecessors, Jeremy Wright QC, said when he was Attorney General in May 2018, here in Chatham House. At that time, it was considered necessary to set out the fundamentals of the UK view – that the rules-based international order extends to cyberspace, and that there are boundaries of acceptable State behaviour in cyberspace as there are anywhere else.

More recently, in June 2021, the UK published a statement as part of the United Nations ‘Group of Governmental Experts’ process, setting out the ways in which international law applies in cyberspace. And the UK continues to attach importance to States clearly setting out their views like this. Significantly, that UK statement concluded by noting the importance of moving “beyond discussion of general concepts and principles, and to be clear about what constitutes unlawful conduct in those sectors which are most vulnerable to destructive cyber conduct”.

One of the Integrated Review’s stated goals is for the United Kingdom to “shape the international order as it develops in future frontiers”. Cyberspace stands out among these future frontiers. The National Cyber Strategy priorities include promoting a “free, open, peaceful and secure cyberspace”. International leadership and partnerships will be essential aspects of shaping and strengthening the international cyber governance framework to deliver these objectives. Partnerships like the ‘Quintet’ of Attorneys General, with my counterparts from Australia, Canada, New Zealand and the United States.

The United Kingdom’s aim is to ensure that future frontiers evolve in a way that reflects our democratic values and interests and those of our allies. We want to build on increasing activism by likeminded States when it comes to international cyber governance.

This includes making sure that the legal framework is properly applied, to protect the exercise of powers derived from the principle of State sovereignty – to which this Government attaches great importance – from external coercion by other States.

The law needs to be clear and well understood if it is to be part of a framework for governing international relations and to rein in irresponsible cyber behaviour. Setting out more detail on what constitutes unlawful activity by States will bring greater clarity about when certain types of robust measures are justified in response.

The rule on non-intervention

Turning to the law – one of the rules of customary international law which is of particular importance in this area is the rule on non-intervention.

Customary international law is the general practice of States accepted as law. As such, it is not static. It develops over time according to what States do and what they say. It can adapt to accommodate change in the world, including technological advances. Customary international law is a framework that can adapt to new frontiers and which governs States’ behaviour.

A well-known formulation of the rule on non-intervention comes from the International Court of Justice in its Military and Paramilitary Activities judgment. According to the Court in that case, all States or groups of States are forbidden from intervening –

…directly or indirectly in internal or external affairs of other States. A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social, and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.

The UK’s position is that the rule on non-intervention provides a clearly established basis in international law for assessing the legality of State conduct in cyberspace during peacetime.

It serves as a benchmark by which to assess lawfulness, to hold those responsible to account, and to calibrate responses.

This rule is particularly important in cyberspace for two main reasons.

First, the rule on non-intervention lies at the heart of international law, serving to protect matters that are core to State sovereignty. As long ago as 1966, the UK made clear its position that:

…the principle of non-intervention, as it applied in relations between States, [is] not explicitly set forth in the United Nations Charter but flow[s] directly and by necessary implication from the prohibition of the threat or use of force and from the principle of the sovereign equality of States…

Four years later, in 1970, the UK set out its view that “non-intervention reflected the principle of the sovereign equality of states.” And that these principles were equally valid and interrelated. More colloquially, we might say that sovereignty and non-intervention are two sides of the same coin.

States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point as recently as June 2021. Namely, that any prohibition on the activities of States, whether in relation to cyberspace or other matters, must be clearly established in international law. The general concept of sovereignty by itself does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct going beyond that of non-intervention.

What matters in practice is whether there has been a violation of international law. Differences in legal reasoning must not obscure the common ground which I believe exists when it comes to certain types of unacceptable and unlawful cyber behaviours. I think that common ground also extends to an appreciation that we must carefully preserve the space for perfectly legitimate everyday cyber activity which traverses multiple international boundaries millions of times a second.

Second, the rule on non-intervention is also of increasing relevance due to the prevalence of hostile activity by States that falls below the threshold of the use of force or is on the margins of it. In such circumstances, the rule on non-intervention becomes particularly significant as another benchmark by which States can define behaviour as unlawful.

Threshold for a prohibited intervention

Having identified the importance of the rule on non-intervention, I will now turn to the threshold for its application. The fact that behaviour attributed to another State is unwelcome, irresponsible, or indeed hostile, does not mean that it is also unlawful. A core element of the non-intervention rule is that the offending behaviour must be coercive.

Coercion was rightly described in the Military and Paramilitary Activities case as “the very essence” of a prohibited intervention. It is this coercive element that most obviously distinguishes an intervention prohibited under international law from, for example, more routine and legitimate information-gathering and influencing activities that States carry out as part of international relations.

But what exactly is coercion?

Some have characterised coercion as forcing a State to act differently from how it otherwise would – that is, compelling it into a specific act or omission. Imagine, for example, a cyber operation to delay another State’s election, or to prevent it from distributing tax revenues to fund essential services. To my mind, these are certainly forms of coercion.

But I want to be clear today that coercion can be broader than this. In essence, an intervention in the affairs of another State will be unlawful if it is forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty. While the precise boundaries of coercion are yet to crystallise in international law, we should be ready to consider whether disruptive cyber behaviours are coercive even where it might not be possible to point to a specific course of conduct which a State has been forced into or prevented from taking.

Of course, in considering whether the threshold for a prohibited intervention is met, all relevant circumstances, including the overall scale and effect of a cyber operation, need to be considered. But I believe that we can and should be clearer about the types of disruptive State activity which are likely to be unlawful in cyberspace.

Illustrative examples

It is therefore important to bring the non-intervention rule to life in the cyber context, through examples of what kinds of cyber behaviours could be unlawful in peacetime. To move the focus to the types of coercive and disruptive behaviours that responsible States should be clear are unlawful when it comes to the conduct of international affairs in peacetime.

And being clear on what is unlawful means we can then be clearer on the range of potential options that can lawfully be taken in response. That is, the kinds of activities which would require legal justification, for example, as a proportionate response to prior illegality by another State. This is crucial in enabling States to act within the law whilst taking robust and decisive action.

With that in mind, today I will set out new detail to illustrate how this rule applies. A non-exhaustive list, to move this discussion forward. I will cover four of the most significant sectors that are vulnerable to dis
