The ubiquitous use of information and communication technologies (ICT) serves both as an enabler of growth and innovation and as the source of asymmetrical cyberthreats. Around the globe, about 2 million people are connected to the Internet, and the use of the Internet and ICT-enabled services is becoming more and more an indispensable part of our everyday lives. With the increasing dependence on ICT and its interlinked nature with critical infrastructure, we have become alarmingly vulnerable to possible disruption and exploitation by malicious cyberactivities.
Malicious cyberactivities have been affecting individuals, private entities, government institutions and non-governmental organizations for years. We have witnessed large-scale cyber-incidents such as in Estonia in 2007, with numerous sophisticated targeted attacks, hacktivism and countless instances of identity theft and malware. Due to the unpredictable nature of cyberthreats, an incident that may appear in the beginning as an act of hacktivism or financially motivated cybercrime may rapidly escalate into something much more serious and reach the threshold of national security, even cyberwar.
Despite the lack of consensus on exactly what constitutes cyberwarfare or cyberterrorism, governments need to ensure that their infrastructure is well protected against different types of cyberthreats and that their legal and policy frameworks allow them to effectively prevent, deter, defend against and mitigate possible cyberattacks. Not being able to agree on common definitions of central terms such as “cyberattack” and “cyberwar” should not prevent states from expressing the urgency of preparing their nations for possible cyberincidents.
The logic of international cooperation and collaboration lies in why, when, and how to collaborate, and generally takes place in order to follow one’s interests or to manage common aversions.1 In the context of cybersecurity, the need for international cooperation between states, international and regional organizations and other entities is emphasized by the borderless and increasingly sophisticated nature of cyberthreats. Principally, any actor, whether it is a country or a non-governmental organization, following its objectives in cybersecurity requires cooperation from a wide range of international partners. In fact, much of the international collaboration will occur outside specific national frameworks, emphasizing the Whole of System approach that stresses the need to take into account all relevant stakeholders.2
Thus, from a national perspective, advancements in cybersecurity depend to a large extent on the political will of different actors. Areas such as information and intelligence sharing and mutual assistance may become essential in responding to a cybercrisis, but the effectiveness of such cooperation depends greatly upon strategically aligned policy goals and bilateral and multilateral relations. In many domains, such as international criminal cooperation, there are several preconditions that need to be in place in the cooperating countries, such as substantive national law as well as procedural law and international agreements, before the dialogue on the possibility of any sort of international cooperation can grow into further discussions on the efficiency of such cooperation.
INTERNATIONAL ORGANIZATIONS ACTIVE IN CYBERSECURITY
National policies, international agreements as well as other initiatives addressing cybersecurity that are being proposed and launched by different international, regional and national actors may vary considerably in their scope, aim and success, but they all underline the international dimension of cyberspace.
For example, the United Nations First Committee has been actively examining the Developments in the Field of Information and Telecommunications in the Context of International Security for years. The African Union has published the Draft African Union Convention on the Establishment of a Credible Legal Framework for Cyber Security in Africa. The European Union (EU) has recently published a Joint Communication on the Cyber Security Strategy of the European Union, which is the first attempt at a comprehensive EU policy document in this domain to reflect the common view on cybersecurity of all its 27 member states.
Even though in recent years the wider debate has intensified on the development of possible norms of behaviour or a set of confidence-building measures in the cybersecurity domain, it should not be forgotten that most of the pressing issues and challenges in areas related to cybersecurity have roots in the adoption and review of national legislation and the implementation of multilaterally agreed principles.
The NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) is a North Atlantic Treaty Organization (NATO) accredited international military organization that focuses on a range of aspects related to cybersecurity, such as education, analyses, consultation, lessons learned, research and development. Even though the Centre does not belong to the direct command line of NATO, its mission is to enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyberdefence.
Determined that international cooperation is key to the successful mitigation of cyberthreats worldwide, the Centre invests not only in broader collaboration with NATO and EU entities but, more specifically, focuses on improving practical cooperation within and among its sponsoring nations by hosting a real-time network defence exercise known as Locked Shields. It also participates in many other similar simulations, thereby allowing the participants to put national coordination and cooperation frameworks into practice, and to learn and test the skills needed to fend off a real attack.
Regarding the legal and policy aspects of cybersecurity, NATO CCD COE has identified two main trends. Firstly, a growing number of countries are adopting national cybersecurity strategies and the majority of these documents confirm the role of cybersecurity as a national security priority. To further analyse such a development and the concept of national cybersecurity strategies, the Centre has conducted a comparative study called the National Cyber Security Framework Manual. The research asserts that a comprehensive cybersecurity strategy needs to take into account a number of national stakeholders with various responsibilities in ensuring national cybersecurity. The national stakeholders include critical infrastructure providers, law enforcement agencies, international organizations, computer emergency response teams and entities ensuring internal and external security. Importantly, instead of viewing cybersecurity as a combination of segregated areas or isolated stakeholders, the activities of different subdomains and areas of competence should be coordinated.
Secondly, there are ongoing discussions about the applicability of international law to cyberactivities. Whereas it is widely accepted that cyberspace needs to be protected like air, sea and land, and is clearly defined by the NATO Strategic Concept as a threat that can possibly reach a threshold threatening national and Euro-Atlantic prosperity, security and stability, there are only a few international agreements that would directly address behaviour in cyberspace.
Agreeing on a common stance remains a challenging task for the involved parties even in matters regarding the applicability to the cyberdomain of well-established norms of customary international law, such as the prohibition of the use of force codified in the United Nations Charter, Article 2(4), together with the two exceptions of self-defence and a resolution by the Security Council.
Therefore, amid the complex legal issues surrounding these debates, in 2009 NATO CCD COE invited an independent International Group of Experts to examine whether existing international law applies to issues regarding cybersecurity and, if so, to what extent. The result of this three-year project, the Tallinn Manual on the International Law Applicable to Cyber Warfare, focuses on the jus ad bellum, the international law governing the resort to force by states as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict. The experts taking part in the project concluded that, in principle, jus ad bellum and jus in bello do apply in the cyber context but this may be altered by state practice. This and other opinions expressed in the Tallinn Manual should not be considered as an official declaration of any state or organization, but rather as the interpretation of the group of individual international experts acting solely in their personal capacity. The Manual does not, however, address cyberactivities that occur below the threshold of a use of force, and for that purpose NATO CCD COE has launched a follow-on three-year project entitled Tallinn 2.0.
In order to prepare nations for possible cyberincidents and ensure a solid ground for international cooperation, both comprehensive national cybersecurity strategies and a common understanding on the applicability of the international law are required.
Even though it has been argued that multilateral treaties are the most practical vehicles for harmonizing national legal systems and aligning the interpretation of existing international law, discussions about moving towards such an agreement on a global level appear to be at a very early stage. Given the current normative ambiguity surrounding international law in the context of cybersecurity, international cooperation between different actors is deemed to be the cornerstone of effective responses to cyberthreats.
The opinions expressed here are those of the author and should not be considered as the official policy of the NATO Cooperative Cyber Defence Centre of Excellence, NATO or any other entity.
1 Choucri, Nazli. Cyberpolitics in International Relations (MIT Press, 2012), pp. 155-156.
2 Klimburg, Alexander (ed.). National Cyber Security Framework Manual (NATO CCD COE, 2012).