A month ago, on the sidelines of the Munich Security Conference, Microsoft organized an expert workshop to discuss gaps in international law as it applies to cyberspace. We were fortunate enough to bring together twenty leading stakeholders, including international legal experts, United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) delegates, diplomats, and non-governmental organizations (NGOs). Together, we looked at the current situation in cybersecurity norms and international law, and we discussed possible paths forward. What emerged was a significant consensus on both the need to restructure cybersecurity discussions globally and the necessity of implementing the 2015 UNGGE report.
Gaps in international law were the focus for discussion and, although there were several areas of concern that were identified on the basis of recent cyberattacks, the most significant challenge was seen as being structural: the lack of an international organization or other venue for addressing the cyber threat landscape of today and tomorrow.
The challenge of the cyber threat landscape is not simply that it is always evolving, nor that it is continually extending its reach into the day-to-day existence of citizens, businesses, and governments. The greatest challenge is that when it comes to dealing with cyber threats the world currently lacks:
- A place where victims of nation-state or state-sponsored cyberattacks are able to go to get help after an incident has occurred;
- A standing body or registry that enables ongoing learning about the known threats to people and infrastructure, as well as their corresponding responses;
- A common basis for judging not just if international law has been violated but how;
- A consistent basis for the use of international law in prevention of cyberattacks and for enforcement of law following such attacks.
In other words, the world lacks a common space for finding out the facts about cyberattacks, for learning from others, for interpreting laws and for agreeing who did what to whom. That last point, the attribution of responsibility for cyberattacks, fundamentally underpins the concept of applying international law to cyberspace: if we cannot know who is responsible for a cyberattack we cannot hold them to account.
It may be unrealistic to expect a single silver bullet organization for all aspects of the problem. Nonetheless, there were many at the workshop and, indeed, across the Munich Security Conference who agreed in broad terms that not having some kind of international, non-governmental platform focused on cyberspace (enabling best practice, exchanging information, examining the forensics around the attacks) will undermine future efforts to protect civilians in cyberspace.
Certainly, there are other things that also need to be done to protect civilians and civilian infrastructure from cyberattack by states. Rolling out the 2015 UNGGEs proposed norms of state behavior is one such thing because it will help governments manage the real politick of holding each other to account. The recent case of Sergei Skripal shows that even when there is a will to act, the options for constraining a sovereign state are comparatively limited. Even an incremental improvement in state behavior in cyberspace through applying the 2015 UNGGE suggestions would be a positive step, therefore. After all, today states are choosing not to invoke international law following cyberattacks, perhaps because there is uncertainty about those laws or perhaps because there is a belief that doing so will neither prevent future attacks nor result in any kind of remediation.
The workshop was a very valuable opportunity for Microsoft, and for me personally. By bringing governments, civil society, technical experts and business people together, it fostered exactly the kind of multi-stakeholder discussion that the future of cyberspace depends upon. The outputs of that discussion, especially the general view that a non-governmental international organization is needed, are something that my colleagues and I will certainly look to build on in the coming months. Furthermore, I am hopeful that such an organization will emerge, with time, and that there will be a genuine interest and impetus amongst the public and private sectors to use it. If they do so, they will help to make international law stronger in cyberspace, even in the face of state-sponsored cyberattacks. If that happens then the world will have taken an important step towards making cyberspace a safer and more stable place.