States and societies have enjoyed the benefits of cyberspace for over 30 years. For almost as long, they have also been affected by the multitude of risks involved, such as cybercrime, hacktivism, espionage, technical failures and human error. Cyberspace continues to bring gains and convenience but also problems. Despite the three decades of interactions in cyberspace, the development of a common understanding with regard to the very core of applicable rules of international law, concepts of international relations and diplomacy in cyberspace is still in its early days.
The ‘Tallinn Manual’ (2013), written at the invitation of the Centre by an independent group of legal scholars and practitioners, explored state activities in cyberspace during armed conflicts. Yet the reality that states struggle with on a daily basis is not armed attacks reaching the threshold that entitles action in self-defence, but incidents at the low end of the conflict spectrum. Every minute of every day, a growing number of governmental, military, commercial and private computers are being probed and sometimes hacked successfully; roughly two new malware samples are identified worldwide every second. The peacetime cyber risks are current and concrete.
The ‘Peacetime Regime’ book examines state behaviour in cyberspace during peacetime – the daily struggle in the cyber trenches as depicted by legal norms and regulatory approaches, the complex technological aspects, and issues around modern diplomacy and international relations.
The authors of the book are renowned experts from a wide range of professional backgrounds, including academia, international organisations, governmental and non-governmental entities, the civilian as well as the military sector. For an interested reader who seeks to understand cyberspace and its technical components, as well as its legal, political and diplomatic implications, the present volume is the first comprehensive work providing such an insight.
Introduction to cyberspace – sociological facets and technical features
The first part of this book describes the sociological features of state and non-state actors in cyberspace, their relationships and interdependencies. While the overwhelming majority of skilled IT professionals belong to the non-state actors’ group, states are left to figure out how to compete for this talent, and how to coexist or deal with this sub-culture. There are multiple ways to approach this challenge, from ignoring their existence to actively fostering volunteer actions, for good and ill. To continue with the analysis of the proficiency and action patterns of malicious actors, this chapter also links in different technical aspects of remaining anonymous in cyberspace, explaining the methods of back-tracing and the problems related to attribution and misattribution. An overview of technical defensive mechanisms and solutions is also provided (firewalls, intrusion detection, honeypots, encryption etc.), highlighting the possible challenges today and tomorrow. And last but not least, the chapter offers a comprehensive analysis of the life-cycle of cyber operations, describing the seven stages of hacking and demonstrating different techniques of the attackers and effects on a target system in each stage. Importantly, the technical descriptions do not imply any suggestions about their legality or political acceptability.
Rights and obligations of states in cyberspace
The second part of the book dives into the muddy waters of international law with regard to the rights and obligations of states in the cyber realm. There is no such legal regime as ‘international cyber security law.’ The discussions around international cyber security regulation today focus primarily on ICT laws and cyber-crime related provisions. But cyberspace as a globally shared ‘substrate’ has penetrated almost every facet of life and, consequently, the traditional ICT sector-specific perspective on cyber security regulation does not accommodate the cross-sectional nature of the matter well.
The present volume takes a closer look at those branches of international law that at first glance do not seem directly related but in fact may be very relevant for a comprehensive understanding of the security of cyberspace – law of the sea, aviation and space laws, economic and consular laws etc. The topics covered also include international environmental law and the possible application of its principles to cyberspace. And naturally, the chapter devotes central attention to the role of international telecommunications law in the governance of cyberspace. A profound analysis is also offered of the new tendencies in public international law on cyber espionage issues, with a politico-military as well as an economic focus.
The articles offering interpretations of international law as prescribing state behaviour in cyberspace are followed by a discussion about the responsibility of states and international organisations for internationally wrongful cyber activities. The focus here is on the division of responsibility between NATO and its member states, walking through a set of hypothetical scenarios discussing cyber attacks in connection with the exercise of self-defence.
State interaction and counteraction in cyberspace
The third part focuses on the political and diplomatic interactions of states in cyberspace and on governments’ means of countering malicious cyber activities. Thorough attention is given to a rising international relations sub-discipline known as cyber diplomacy, assessing the policy-making challenges in the era of the ICT revolution and convergence, and describing the international initiatives in fighting cyber crime and building capacity in less advanced states. A detailed analysis is provided of confidence building measures (CBMs), illustrating the current developments in the OSCE and the UN which aim to elaborate such measures for cyberspace. The scope and effectiveness of mechanisms attained by international organisations to handle international cyber crises are depicted and assessed across the spectrum of different international groupings, from well-established regional organisations to less-formal multilateral platforms. States’ ability to exercise coercion in ‘cybered’ conflicts is analysed from the perspective of the predicted rise of virtual borders of Cyber Westphalia that could create new challenges for states to identify and resist coercion. The third section also offers some legal remedies in response to illegal cyber activities, as provided in the system of international relations. It attempts to analyse alternatives to military responses to cyber attacks, drawing on states’ due diligence obligations not to harm others. Conditions under which states may employ countermeasures in response to malicious cyber operations that do not qualify as an armed attack are also closely examined.
Instead of conclusions
It is difficult to summarise the nuances of a volume of such dimension (746 pages); interestingly, however, three major recurring themes can be identified throughout all articles. First, the aspect of territoriality, and a ‘territorial link’ of ‘cybered’ activities – ‘cyber borders’ – shows unimpaired relevance in international law and international relations. Second, aspects of anonymity of online activities, both as a curse and a blessing, present another common thread throughout the book. And third, the recognition of a ‘due diligence’ obligation of states, either with regard to responsibility for malicious activities originating from their territory, or in the broader context of not harming others, is a new general trend elaborated upon in this book.