The geopolitical representations of international law in the international negotiations on the security and stability of cyberspace

Introduction

Almost two years ago, on 12 November 2018, the French president, Emmanuel Macron, launched the Paris Call for Trust and Security in Cyberspace during his speech at the Internet Governance Forum, at the UNESCO headquarters.^(x) The shared aspirations of the French authorities and of the private sector led to this unique document. Indeed, for the first time, state and non-state actors – including French and foreign companies – agreed on a common declaration on the security and stability of cyberspace. The supporters of the Paris Call reaffirmed their attachment to “an open, secure, stable, accessible, and peaceful cyberspace, which has become an integral component of life in all its social, economic, cultural, and political aspects” and to the principle that “international law, including the United Nations Charter in its entirety, international humanitarian law and customary international law is applicable to the use of information and communication technologies (ICT) by states”.

France’s ambition was to reopen international discussions on the regulation of cyberspace, which had ended in stalemate after the failure in June 2017 of the fifth Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). This failure and the disagreements it underscored led international negotiations into a period of uncertainty and instability. With the Paris Call, France hoped to impose itself as a driving force on those questions, federating the so-called “like-minded states” and pushing for the resumption of the negotiations. That said, power rivalries never stopped prevailing, and it led to the adoption of two competing resolutions by the United Nations General Assembly (UNGA) in December 2018 and to the implementation of two competing negotiation processes. In that context, international law is a central element in the state-level discussions on peace and stability in cyberspace. But international law is exposed to contradictory geopolitical representations that complicates these negotiations – for two main reasons.

First, contradictory representations of cyberspace coexist – sometimes within the same state – depending on whether it is described as falling within the purview of state sovereignty or not. On the one hand, cyberspace is perceived as a conquerable space, which would thus not be submitted to state sovereignty, and, for that reason, would require the elaboration of new guidelines to rule behaviours. This representation explains why the applicability of international law on cyberspace is being debated. But, on the other hand, cyberspace is also described as a territory where state sovereignty is exerted, a new way to act.^(x) For that reason, the only question worth asking is how existing international law can be applied to cyberspace. Yet, the characteristics of cyberspace complicate the implementation of rules of international law and lead to many debates about their interpretation, their limits, and the means that can be employed to ensure the security and stability of cyberspace.

The second reason is linked to the very nature of international law as it organises the coexistence of states. Any debate on the international regulation of the digital space, and more particularly on international law, fits within existing power rivalries between states. International law is a tool of states’ diplomacy, a “strategic object, used and sometimes manipulated by a state based on its perception of a national interest”.^(x) Hence, states’ “external legal policies”^(x) vary depending on perceived geopolitical threats. Now, due to exacerbated tensions in cyberspace – and in the world at large – international law has become an object of disputes. Incidentally, an analysis of states’ positions on international law, and more generally on the international regulation of the digital space, reveals different representations of these threats. It also translates in legal terms states’ strategies on these issues and delineates the competing visions of the international legal order.

International law has always been the subject of intense debates between states and has long been used by some of them to counter the technological development of others. Any shrewd observer would note that, within the larger theme of the regulation of the digital space, this has always been a topic of disagreement – since the first resolution of the UNGA in 1998. However, the consensus reached by the GGEs in 2010, 2013, and 2015, as well as the notable progress made back then, have eclipsed the fundamental disagreements on international law.

From the start, international law has been both an important topic and an important source of tensions in the work of the GGEs. The failure of two GGEs, in 2004 and 2017, was partly due to matters of international law. Following the last failure, in 2017, dual dynamics took shape: International law obtained a more central role in states’ diplomatic strategies and its instrumentalisation in the discourses opposing those respecting and those not respecting international law, i.e. those defending it and those questioning it.^(x) Because it is a natural by-product of power rivalries, it has become a privileged tool in the negotiations on ICTs in the context of international security. Considering the context surrounding the adoption of the resolutions 73/27 “Developments in the field of information and telecommunications in the context of international security” and 73/266 “Advancing responsible state behaviour in cyberspace in the context of international security” in 2018, which respectively created the Open-Ended Working Group (OEWG) and the sixth GGE, as well as the preceding GGE reports on which they base their work, the treatment of international law has revealed strong oppositions. These disagreements focus, on the one hand, on the necessary means to ensure security and stability in the digital space and, on the other hand, on the content of the negotiations that illustrate the perception of the risk of militarisation of cyberspace associated with the possible forms of responses authorised by international law in reaction to internationally wrongful acts. For all that, negotiating on protective principles, such as the principle of sovereignty, which may limit states’ actions on the territory of other states, is not exempt of difficulties because of the entanglement of the issues at stake.

This article aims to analyse and provide food for thought on the role played by international law in the two ongoing processes at the UN, and eventually to present how it has been instrumentalised in the present negotiations. First, we will describe the context during which these two processes were born and what are their mandates. Then, we will focus on the ambiguous (sometimes confusing) role played by norms and international law in the regulation of cyberspace and on the geopolitical motivations underpinning it. Finally, we will examine the geopolitical representations associated with the interpretation of several rules of international law.

I. Elements of context on the GGE and the OEWG

The two processes launched by the United Nations General Assembly reflect current geopolitical tensions. If their composition and calendar differ, their mandates are largely similar. A brief reminder of the preceding GGEs and of UN-level discussions on progress in information and telecommunication in the context of international security allows us to measure the progress made and the depth of the work that remains to be done on the matter.

The preceding GGEs and the UN-level discussions on progress in information and telecommunications in the context of international security

When the Russian Federation introduced the theme of “progress in information and telecommunication in the context of international security” at the United Nations General Assembly in 1998, it started a discussion on the consequences of the development of states’ cyber capacities on the security and stability of the world. It led to the adoption of the resolution 53/70 on 4 December 1998. The General Assembly has passed a resolution on the matter every year since.

These resolutions have led to the creation of five successive GGEs: in 2004, 2009, 2012, 2014, and 2016. But they only became truly effective in the 2010s. For example, the participants in the 2004 GGE weren’t able to reach a consensus and no final report was adopted. As one of the experts in the Russian delegation later testified: “whether humanitarian international law and international law provided a sufficient regulation of security in international relations in case of a ‘hostile’ use of information and communication technologies for politico-military reasons was the main stumbling block”.^(x) Hence, international law was already at the heart of the disagreements among governmental experts. The following three GGEs proved conclusive and led to the adoption of consensual reports in 2010 (document UN A/65/201), 2013 (document UN 1/68/98) and 2015 (document UN A/70/174), which the Secretary General submitted to the General Assembly. The UNGA took note of the three and suggested that member states draw from them. The three reports contain recommendations on confidence building measures susceptible to upholding security and stability of cyberspace, on measures of international cooperation and assistance that could be implemented by the states, and finally norms of responsible behaviour meant to better define what responsible behaviour in cyberspace should be.

Furthermore, the applicability of international law to cyberspace was first recognised in the 2013 final report:

International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful, and accessible ICT environment.^(x)

The 2015 report of the GGE, which was instructed to deal with international law for the first time,^(x) went further and dedicated its sixth part to international law, listing several rules. Since then, numerous states have endorsed this approach in their voluntary contributions to the Secretary General of the United Nations.^(x)

The fifth GGE ended in failure in June 2017. The governmental experts weren’t able to come to an agreement leading to the adoption of a consensual final report. Three states refused the inscription in the final report of the applicability of certain branches of international law. Indeed, China, Cuba, and Russia refused to mention and further elaborate on the applicability of the right of self-defence, of the law of countermeasures, and of the law of armed conflicts in the final report. Cuban and Russian governmental experts explained that the endorsement of the applicability of these branches of international law in cyberspace could serve to justify the militarisation of cyberspace,^(x) and they pointed at profound divergences in interpreting the law. It is in this very tense context that, eventually, the Open-Ended Working Group and the sixth Group of Governmental Experts were created.

The Open-Ended Working Group (OEWG) and the sixth Group of Governmental Experts (GGE)

The Open-Ended Working Group and the sixth Group of Governmental Experts were created by the resolutions 73/27 and 73/266, adopted within a few days, on 5 and 22 December 2018, respectively, in a context of heightened tensions between the states. For the first time since the discussion started in 1998, two resolutions on ICTs in the context of international security – instead of the usual one – were adopted by the General Assembly, which testified to an apparent rupture between member states and gave the impression that two blocks of states were fighting each other on this topic.

The context of the creation of two negotiation processes

The resolutions creating the Open-Ended Working Group (OEWG) and the Group of Governmental Experts (GGE) were introduced by two groups of states forming seemingly adversarial blocs. But the reality is more complex and nuanced.

Russia, supported by China and other states,^(x) proposed a first draft of resolution in October 2018. It contained a paragraph creating an OEWG and listed not only norms adopted by the GGE in 2015 but also norms taken from the International Code of Conduct for Information Security proposed by the member states of the Shanghai Cooperation Organization in 2015 – and rejected by Western governments. As a response, the United States submitted an alternative draft for a resolution creating a sixth GGE, which was supported by many European countries.^(x) Eventually, Russian and co-sponsoring states modified their project to account for the many criticisms they received. But the United States and their co-sponsors didn’t retract their own draft. They asserted that the modified Russian draft paving the way for an OEWG still contained unacceptable dispositions and didn’t reflect the 2015 GGE final report as well as it claimed. For that reason, two competing resolutions on ICTs in the context of international security were debated in the First Committee of the UNGA, one promoted by Russia, the other by the United States.

Heightened tensions between the states surrounded the debates. Hence, according to the press communiqué describing the debates, Iran, “[a]s a victim of cyber weapons, [...] rejects the status quo and supports the establishment of international legal norms and rules aimed at preventing the malicious use of cyberspace and information and communications technology. Condemning those seeking dominance and superiority in cyberspace and their attempts to maintain the status quo, [the Iranian representative] pointed to a certain state [the United States] which, in collaboration with Israel, used the computer worm Stuxnet against Iran’s critical infrastructure, and yet has tabled a draft resolution regarding responsible state behaviour in cyberspace”.^(x) The representative of the People’s Republic of China asked whether a negative vote on the Russian resolution would bring a “ticket” for the country to take part in the GGE.^(x) The impression of two competing blocs of states was then reinforced by the sponsoring states of each resolution but also by the context of their adoption and the contents of the debates. These two “blocs” articulated themselves around two approaches often analysed as diametrically opposed: On the one side, there was the United States and European countries, usually described as the “like-minded states”, whereas on the other side, China and Russia advertised a different approach. That said, we need to nuance both the homogeneity of the two blocs of states and the antagonism underlaying their respective positions.

First, more than homogeneous blocs, the countries in each group share certain characteristics in their approach that are not completely alike either. There are, for example, important divergences between the Chinese approach and the Russian one,^(x) as well as between France’s and the United States’. Second, the majority of UN member states did not adhere to any of the groups that offered the resolutions, which limits the notion that two blocs of states structured the oppositions in international negotiations. More importantly still, the vast majority of the members voted in favour of the two resolutions.^(x) If, for a number of countries, these two processes are effectively competing, they each advanced different sets of interests. The limited composition and the focus on expertise in the GGE make concrete progress possible on the core of the questions debated, whereas the non-limited composition of the OEWG offers a more inclusive approach that allows each state to have its positions and interests heard. The first session of the OEWG, which took place in New York in September 2019, actually highlighted the interests that many states have in taking an active part in the discussions – something confirmed during the second formal session in February 2020. Hence, the two ongoing processes don’t oppose two homogenous blocs of states and, based on their respective composition, they are somewhat complementary. Despite the hostile climate that surrounded their creation, which reveal strong geopolitical tensions, they offer – in theory at the least – a possibility for the states to go beyond their inherent divisions to a smooth parallel functioning or even synergy. The ambassadors Guilherme de Aguiar Patriota and Jürg Lauber, which preside over the GGE and the OEWG, respectively, actually advertised this constructive ambition from the moment they were nominated in those roles.

In the negotiations, European countries have given the impression that they are working independently from each other, although there is a willingness to adopt a common position nowadays. France has positioned itself as a driving force in the international discussions on this topic with the launch of the Paris Call. If it has been endorsed by European states, it remains a French initiative and not a common European initiative. Similarly, despite the adoption of the “Cyber Diplomacy Toolbox” by the European Union, some states have been more inclined to side with other coalitions and with non-European countries. This European inability to offer a unified voice has been reinforced by the fact that, during the adoption and negotiation of the previous resolutions, they have been portrayed as simply following the United States. That said, there is a genuine European willingness to act in a more united manner and to position itself as a major actor in international discussions.

Through its member states, the EU has the necessary assets to affirm itself as a leading voice in international discussions and defend its own interests. If European countries succeed in working together, the EU could become a formidable force of propositions as it lays out its expertise and its past successes in the implementation of its international obligations on this matter. For example, the NIS directive^(x) and the General Data Protection Regulation^(x) participate in the implementation of the obligation of due diligence and to the “creation of a global culture of cybersecurity”^(x) among European states. Furthermore, Europe is often described as able to provide a less divisive approach to the issue, one that could reconcile different positions. The United States, on the other hand, has been very critical of multilateral organisations since Donald Trump was inaugurated and they have shown their contempt for the adoption of new norms, which makes observers think they won’t be able to adopt a constructive approach and make concessions. The ongoing discussions at the General Assembly of the United Nations and the resolutions it potentially adopts will provide valuable insights into the approach of states and the future of the discussions. The complementarity of the two processes has been highlighted by several states. The OEWG is open to all the member states, taking all the points of view into account. But, on the contrary, the composition of the GGE is limited to 25 member states designated “on the basis of equitable geographical distribution”,^(x) and the permanent members of the Security Council are ex officio members. Hence, the GGE appears as a more specialised entity. However, an analysis of their respective mandates shows that, if they can be complementary, their mandates overlap to a certain extent which does not facilitate the search for consensus and coherence in the negotiations.

The mandates of the two negotiation processes

At first glance, the mandates of the two groups are so similar that they overlap to a large extent, with the risk of encroaching on each other. Indeed, both groups are mandated to work on the norms, rules, and principles of responsible behaviour of the states, on confidence building measures, on capacity building, and international law. A careful reading, in fact, reveals several differences.

First, the GGE will be able to consult states that aren’t members of the GGE and with the competent regional organisations (African Union, Organization of American States, Organization for Security and Co-operation in Europe, and the Regional Forum of the Association of Southeast Asian Nations). For its part, the OEWG will hold informal sessions to consult private actors and non-governmental organisations. Furthermore, non-state actors are authorised to attend the formal sessions, but that only applies to the organisations accredited to the United Nations Economic and Social Council (ECOSOC), following the Chinese refusal to enlarge the pool further. Second, the resolution 73/266, defining the mandate of the GGE, states that its report will be presented to the General Assembly with “an annex containing national contributions of participating governmental experts on the subject of how international law applies to the use of information and communications technologies by states”.^(x) For that reason, the 25 countries participating in the GGE will have to clarify their position on the international law applicable to cyber operations. France and the Netherlands are already set to do that with the publication of a report on International Law Applied to Cyberoperations by the French Ministry of Armed Forces,^(x) and with an official document untitled International Law in Cyberspace by the Dutch Ministry of Foreign Affairs.^(x) These two documents, published on 9 September and 14 October 2019, are probably meant to be the two countries’ national contributions to the GGE.^(x) Finally, the OEWG will be tasked with studying “the possibility of establishing regular institutional dialogue with broad participation under the auspices of the United Nations”,^(x) which implies the possibility of creating a permanent body or process to deal with ICTs in the context of international security.

Some differences have raised concerns, starting with the respective timelines. The OEWG was supposed to end its work in 2020, during the 75th session of the UNGA, a year before the GGE which mandates last until 2021 and the 76th session of the UNGA. The extension of the 75th session until March 2021, due to the COVID-19 crisis, will allow the OEWG’s work to continue so it can present its report by March to the 75th session of the UNGA. The deadlines for the two reports will be preserved. Some observers are worried that several states behind the resolution creating the OEWG might change course after the end of its sessions. In other words, they would be adopting a constructive approach up to the end of the OEWG’s work, in order to achieve a consensus on its conclusions, before turning less cooperative during the remaining time of the GGE sessions, to push for a failure and boast of the superior achievements of the OEWG.

The second concern comes from the content of the mandates. International law is being discussed in the two processes and constitutes a central topic in their proceedings. This is both an opportunity and a risk: States are able to have in-depth discussions about these questions and debate the interpretation of international law in this new context of international peace and security, but they risk adopting diverging directions in the two processes, leading to a certain level of instability for the international legal order.

The same can be said about the norms of responsible state behaviour, mentioned twice in the resolution 73/27 that defined the mandate of the OEWG. The situation here is delicate for two reasons.

The first mention of the norms in the resolution 73/27 appears early on in the definition of the mandate in paragraph 5. The General Assembly decided to convene an OEWG that shall strive,

acting on a consensus basis, to continue, as a priority, to further develop the rules, norms and principles of responsible behaviour of states listed in paragraph 1 above, and the ways for their implementation; if necessary, to introduce changes to them or elaborate additional rules of behaviour;^(x)

Hence, norms – as stated in the resolution – constitute the working base of the OEWG. If the resolution 73/266 only refers to the 2015 GGE report, the resolution 73/27 acknowledges it too but slightly differs from the norms defined in it, which means that the working base of the two processes could differ. It would increase the risks of contradictions and divergence in the meaning of the recommendations adopted by each process. For example, the recommendation on the prevention of malicious computer tools or technologies is included in a paragraph on supply chain integrity in the 2015 GGE report, whereas it is the subject of a stand-alone provision in resolution 73/27. In the latter case, the autonomisation of the problematic could indicate a desire to work more extensively on the issue of proliferation.

That said, an observation of the practice of the states shows that this risk remains limited at this point. During the first two sessions of the OEWG, the large majority of states opted for the norms as stated in the GGE report instead of the ones written in resolution 73/27. It illustrates the lack of consensus on the norms stated in the provisions of the resolution 73/27 but it also highlights a gap between a strict application of the mandate and the practice adopted during the negotiations.

The uncertainty around the working base can also affect other aspects of the negotiations. The mandate states that the OEWG ought to “develop… the ways for their implementation”.^(x) Hence, the member states are tasked with detailing the operationalisation of the norms. Indeed, as several of them are purely declaratory, they need to be specified to be implemented. Finally, the mandate paves the ground for a reappraisal of the conclusions of the 2013 and 2015 GGEs as states are able to “introduce changes”,^(x) including establishing new norms. If elaborating new norms – which is authorised by resolution 73/27 – could mean creating new norms that better define what responsible behaviour is, it could also imply the creation of norms susceptible to limit the open nature of cyberspace – hence reassessing what was decided in 2013 and 2015 to guarantee it.

The second mention of norms in the resolution 73/27 can be found in the second part of the definition of the mandate. But it isn’t explained if this mention refers to the norms stated in the resolution 73/27 or the ones adopted by the GGEs in 2013 and 2015.

A close reading of the mandate thus highlights a number of questions related to the working base on which the negotiations will be conducted. The practice of using the GGE norms seems to prevail so far but contradictions could emerge as both the GGE and the OEWG are tasked with working on these provisions.

The fact that international law and the norms of responsible behaviour are mentioned in both mandates raises the question of the division of labour between the two. In his speech during the first session of the OEWG in June 2019, the special representative of the President of the Russian Federation for international cooperation in information security proposed that the OEWG deals with norms of responsible behaviour, confidence building measures, and measures of international cooperation and assistance, hence leaving the issue of international law to the GGE.^(x) This proposal wasn’t taken on, and the two processes work concomitantly on the whole set of issues.

Two comments need to be made at this point. On the one hand, treating these issues of international law and norms of responsible state behaviour indiscriminately can be justified by the difficulty to dissociate them completely. Indeed, these topics are intrinsically linked, as we shall see. On the other hand, this situation reinforces the risk of repetitions in the content of the negotiations but also of contradictions in the formulate recommendations made by the two groups on the rights and obligations of the states in the digital space. Moreover, the refusal to dissociate them highlights disagreements on the necessary means to ensure security and stability of cyberspace.

II. Norms and international law: between confusion and disagreement on the means necessary to ensure security and stability of cyberspace

In the International Strategy for Cyberspace published by the White House in 2011,^(x) the United States called for the elaboration of norms of responsible state behaviour in cyberspace. The 2013 GGE report contains a part dedicated to norms, rules and principles of responsible state behaviour in which the member states of the GGE recognised the applicability of international law in cyberspace but also adopted several norms meant to strengthen the security and stability of the global computer environment. Analysing them shows that several norms build on the recognition of the applicability of international law in cyberspace, and paraphrase existing international obligations to be applied in cyberspace. In the 2015 report, the member states opted to list the norms of responsible behaviour and international law provisions in two different parts. But this distinction disregards the links that exist between the first, which are soft law provisions that are usually non-binding, and the second, including some rules restated by the GGE. Furthermore, this distinction complexifies the definition of rights and obligations for the states in cyberspace as it introduces a confusion on the nature of the rules and complicates the conduct of the negotiations. Finally, there is no division of work in the two mandates, which mostly highlights disagreements on the means necessary to ensure the stability and security of cyberspace.

A distinction partly artificial in its formal and material dimensions

The formal separation – in two distinct parts of the report – of non-binding provisions on responsible state behaviour on the one side, and international law on the other, bears three limits.

The first limit has to do with the mentioned nature of the dispositions listed in the part dedicated to – legally non-binding – norms. There is no comparable mention in the part dedicated to international law. It states that

Voluntary, non-binding norms of responsible state behaviour can reduce risks to international peace, security and stability. Accordingly, norms do not seek to limit or prohibit action that is otherwise consistent with international law.^(x)

Incidentally, the state cannot be held liable for a violation of these norms.

But, as the 2015 GGE report is an expert report and not a treaty of international law, all the provisions it contains, including the ones in the part dedicated to international law, are legally non-binding by nature. The same can be said about the resolutions of the General Assembly which, even though they can participate in the formulation of international law,^(x) are absolutely non-binding. Hence, the mention raises a number of questions.

The mention of the non-binding character of the norms can effectively be read as introducing a distinction between them and the obligations pertaining to international law that are addressed in another part of the report. It implies that these provisions are not linked to international law, reinforcing their distinctiveness from the obligations of international law listed in another part of the report.^(x)

But this distinction between norms of responsible behaviour and obligations of international law disregards the link that exists between certain non-binding provisions and some binding obligations. This is the second limit. Indeed, if these provisions are non-binding, they cannot be qualified as outside of the boundaries of the law, in comparison to the legal rules that would be the only binding ones. They are both part of the so-called “normative gradation”^(x) between law and lawlessness. The non-binding provisions, often called soft law, can contribute to the interpretation of existing obligations in international law, or to the formation of new international obligations,^(x) as their non-binding character doesn’t imply an absence of legal effects.^(x) Indeed, “states opt out from a binding legal commitment when they make a statement of soft law, but they do not altogether refuse to engage”.^(x)

Finally, the third limit deals with the mention, in the part dedicated to norms and in the one dedicated to international law, of the obligation of diligence^(x) and the obligation to protect and respect human rights.^(x) These repetitions highlight a link between the two and the fact that the states haven’t been able to distinguish the two completely.

Hence, the present analysis shows the limits of the formal distinction between non-binding norms and provisions paraphrasing obligations of international law. And this distinction is all the more artificial on the material level, i.e. in terms of the content.

Analysing the content of the norms of responsible behaviour show that they can be divided into two categories. Some identify good practices to strengthen the security and stability of the global cyber environment whereas others are built on obligations of international law applied to state behaviours in cyberspace.^(x) As such, this second category of norms is tightly linked to international law on the material level.

The separation between obligations in international law stated in the report and the norms creates two problems, as they are both linked: one pertains to the identification of the rights and obligations of the states, and the other the conduct of the negotiations.

First, this distinction raises a problem in identifying the rights and obligations of the states. As soon as a norm of responsible behaviour paraphrases an international obligation, we can question the desire to maintain the link that exists between the two. What consequences can we draw from this distinction when the content is the same? Does it imply that the implementation and the respect of the obligation stated in the norm is a simple recommendation, distinct from the international obligation on which it has been built? We don’t think it is, as the state ought to respect international obligations in all cases. The message hence carried could imply that the norm is detached from international law to be made autonomous and, in as such, that the behaviour to be adopted in cyberspace wouldn’t be built upon an international obligation but on the goodwill of the states.

Furthermore, some norms and provisions contained in the part dedicated to international law seem to interpret the obligations of international law whereas others are only paraphrasing them. As such, it is difficult to differentiate a simple reminder of a rule of international law from the specific interpretation of an international obligation applied to cyberspace.

When the same obligation is cited in both parts of the report, should the provision set out in the part dealing with international law be considered to be of greater value than that cited in the part dealing with norms, since it is specified that norms are not intended to limit the rights and obligations of states? Depending on the statement of the paraphrased obligation or the one on which the provision is laid out, and on the retained response, the consequences in terms of the rights and obligations of the states could differ. For example, when the provision in the part dealing with international law narrowly interprets an international obligation, whereas the provision in the part dealing with norms simply paraphrases, does it mean that the first disposition carries more weight – because it comes from the part dealing with international law – and, if that’s the case, that the retained interpretation of an international obligation is more restrictive in its content when it is applied to cyberspace?

Second, this distinction risks being problematic in the conduct of international negotiations in the OEWG and in the GGE. The states will discuss norms and international law at two different moments because the working sessions are organised by themes, with one dedicated to norms and another to international law. Yet, because they are both linked, the risk is that states treat this issue twice and adopt two different, or even contradictory, positions. Furthermore, as the ongoing negotiations on norms focus mainly on their operationalisation, i.e. on their practical implementation, future provisions will have a part in the interpretation of international obligations. However, the question of content also encompasses aspects not covered by the provisions specifying the implementation of the norms and thus interpreting international obligations. Should it be considered that if certain clarifications are not made it is because they do not result from the implementation of the concerned international obligation? Or should the elements not mentioned be said to have no consequences on the interpretation of the international obligation?

The problems in the negotiations risk being even more complex depending on whether they are conducted based on the norms stated in resolution 73/27 (OEWG) or on the norms previously adopted in the GGE reports, as most states do. Indeed, the operationalisation of the norms necessitates a prior identification of the accepted basic norms. The norm on the obligation of due diligence from the resolution 73/27 is a good illustration.^(x) It is made of the GGE norm on the obligation of due diligence^(x) and of the paragraph relative to the same obligation in the part dealing with international law.^(x) The GGE norm paraphrases the famous dictum of the International Court of Justice in the Corfu Channel case stating an obligation to every state not to allow willingly its territory to be used for acts contrary to the rights of other states.^(x) The corresponding paragraph in the international law section of the report contains a provision focusing on the use of intermediaries by states and on not allowing their territory to be used by non-state actors to commit internationally wrongful acts. This paragraph seems to interpret the obligation of due diligence by specifying its implications as regards the conduct to be adopted vis-à-vis intermediaries and non-state actors, questioning the willingness of states to limit its application in the digital context to these two cases. Depending on the interpretation of this paragraph, the obligation of due diligence is therefore more precise or more limited than the obligation set forth by the International Court of Justice and reproduced in the section dealing with norms. However, in so far as these two provisions are combined in resolution 73/27 but not in the GGE report, depending on which text is taken as a reference for the definition of its operationalisation, the provisions adopted will not be the same, leading to a risk of confusion as to what is expected of the states.

The established distinction between the norms of responsible behaviour and the provisions of international law isn’t as clear-cut as the report suggests. In fine, the very notion of a norm of responsible behaviour, in its relation to international law, is potentially questioned on a material level. But it questions whether norms “are indeed intended to promote and enhance international law or whether ‘responsible state behaviour’ is a deflected route around international law”.^(x) On a formal level, the distinction between norms and provisions of international law will be a springboard to justify the elaboration of a treaty.

The distinction furthers the case for a treaty

Due to the specificities of cyberspace, the need for new rules emerged early on. Hence, Russia had already argued in favour of a new treaty in 2000, explaining that positive international law wasn’t able to respond to the specific challenges pertaining to cyberspace or set guidelines for the behaviours of states.^(x) On the contrary, many Western countries believed that new rules weren’t necessary. The recognition that international law applies to the behaviour of the states in cyberspace could have ended the debate and signified the absence of a manifest legal gap. Existing rules of international law regulate states’ behaviours in cyberspace and thus it seems unnecessary to adopt new rules. Additionally, the norms of responsible state behaviour could complete and specify international obligations. That being said, and despite an apparent consensus, the possibility of a treaty re-emerged in 2019, facilitated by the distinction established between norms and international law. It illustrates diverging points of view on the means required to secure cyberspace.

The opposition focuses on the value of the instrument

The proponents of a treaty want to elaborate a binding legal instrument to define explicitly the rights and obligations of the states in cyberspace. They don’t challenge the applicability of positive international law, but consider it insufficient to take hold of all the specificities of cyberspace. This position highlights an exceptionalist vision of international law, built on the inability of general international law to regulate certain phenomena, and it implies the development of a lex specialis, i.e. specific rules of law aimed at regulating these phenomena. For their opponents, positive international law is flexible enough to regulate the behaviours of the states. However, due to the specificities of cyberspace, additional norms of behaviour are necessary on some aspects. But these norms aren’t meant to become international obligations, in the short or medium range at the least. This interpretation is confirmed by the very notion of the norm of behaviour, as “norms do not seek to limit or prohibit action that is otherwise consistent with international law”.^(x) Hence, the value of the rules is questioned more than their contents. On one side, some states, such as Russia, wish to elaborate new international obligations that would find states internationally responsible in case of violation. On the other side, different states, such as the United States, prefer to go on with the non-binding rules of soft law, which means that a violation, as such, cannot engage the responsibility of a state. The opposition between the groups has thus crystalised on the necessity of a treaty and on the value of its provisions, without discussing its eventual content.

It can be explained by various reasons. On the one side, this antagonism can be traced back to the early stages of the discussions on cybersecurity at the UN. It illustrates the use of international law to try and limit the capabilities of the most advanced states and highlights a geopolitical power struggle. On the other side, it expresses different visions of international legality. From the perspective of the Russian doctrine, these norms are meant to become international obligations, following a legalist vision built on the development and respect of international law. Without questioning international law, and even though there are important differences between them, Western countries have a more political vision in which political and legal commitments are complementary. They don’t necessarily try to develop binding rules and opt for non-binding commitments.^(x)

This preference can also be explained by the fact that they don’t want to be legally constrained when the power balance in the negotiations over a treaty wouldn’t necessarily be in their favour. If this element can be overcome by the different steps of the signing and ratification of the treaty, which they would be free to proceed with after the treaty is open for signature, the very existence of this treaty could put them in an uneasy situation. The lack of a signature and ratification could be instrumentalised to point at a refusal to ensure peace and stability of cyberspace. More largely, it is important to note that the present period is inauspicious to the development of new multilateral treaties and of international law at large, as several states are particularly critical of the international legal system and of the potential constraints coming from it.^(x)

However, two important distinctions must be made. First, the instrumentum – the choice of a specific legal instrument – versus its content. Then, the distinction between the notions of binding and obligatory. A treaty is a binding legal instrument. It is an “agreement concluded between two or more subjects of international law, intended to have legal effects and to be governed by international law”.^(x) It creates international obligations that ought to be implemented by the states according to the principle of pacta sunt servanda. That said, a binding instrument can contain general provisions that gives some leeway to the states to implement them. Their decision to respect these provisions could be materialised in different ways. This is, for example, the case of the UN Framework Convention on Climate Change, which was open to signature after the Rio Conference of 1992. Alan Boyle explains that “[t]his treaty does impose some commitments on the parties, but its core articles, dealing with policies and measures to tackle greenhouse gas emissions, are so cautiously and obscurely worded and so weak that it is uncertain whether any real obligations are created”.^(x) On the contrary, non-binding provisions can have an obligatory character due to the vocabulary used, to their exactness – which leads to a uniform implementation – or to the existence of strong monitoring mechanisms. Hence, “the technique or conventional mould doesn’t solely confer a given intensity to the obligations”.^(x) For that reason, legal formalism cannot presume of the obligatory character of the provisions.^(x) In other words, we need to go beyond the type of instrument dealt with in this case to study its practical content.

Beyond the instrument, what could be in the treaty?

In terms of its content, it remains to be decided whether a treaty should create new international obligations – transforming norms of responsible behaviour into international obligations, for example – or if it should specify the way existing international obligations ought to be interpreted, in order to better define the rights and obligations of the states in cyberspace.

First of all, the problematic interpretation of international law in this context wouldn’t necessarily be settled with the adoption of a treaty. We need to remember that each state is free – within the limits granted by international law – to retain its own interpretations. However, the communication of each state’s approach on the implementation of rules of international law could play an important role in identifying their practices.^(x) The requirement for the countries participating to the sixth GGE to submit national contributions “on the subject of how international law applies to the use of information and communications technologies”^(x) could bring relevant elements to that end. Indeed, if the 25 countries – and especially the five permanent members of the Security Council (China, United States, France, United Kingdom, Russia) – oblige, it will be possible to assess the points of divergence and convergence in their approach of international law applied to cyber operations. At the moment, less than a dozen countries have substantially communicated about their approach.^(x) Furthermore, the norms of responsible state behaviour are useful for agreeing on the interpretation of several rules of international law in specific contexts. In that sense, several norms adopted by the previous GGEs participate in the interpretation of international law.

Second, the identification of new international obligations should only come from a deeper work of interpretation and from the practice of the states on the application of international law to cyberspace. Indeed, how can we identify whether new rules are necessary if the behaviours already covered by positive law haven’t been previously identified? As such, the example of the protection of electoral infrastructures from computer attacks aimed at interfering with the election is significant. This proposal’s relevance from the Global Commission on the Stability of Cyberspace (GCSC),^(x) also stated in the Paris Call, raises a number of questions as the principle of non-intervention is already evidently applicable to electoral infrastructures. If it can be perceived as an implementation of this principle, could it also be seen as weakening it – and, as a consequence, the implied protection of electoral processes – with its non-binding character and the language employed? Beyond this example, we need to identify the relevance and the risk of obsolescence of international law when choosing too restrictive or precise norms that impede on the customary rules of international law. The flexibility and the adaptability offered by general principles shouldn’t be discarded simply because of new technological developments.

Finally, the distinction made between norms of behaviour and international law offers an argument in favour of the elaboration of new international obligations. Indeed, we can already see a contradiction in the arguments deployed by states that refuse to debate the elaboration of a treaty yet defend existing norms of responsible behaviour – or even endorse the adoption of new norms. Hence, the official French position provides that the existence of legal gaps justifies the adoption of new international obligations, though these gaps haven’t been established.^(x) That said, France actively defends the norms adopted in 2013 and 2015 and the Paris Call also contains new norms. These positions can be perceived as contradictory as the elaboration of these norms should be interpreted as the marker of a legal gap that requires filling, and could be used to justify the opening of discussions on an international treaty. The Russian proposal to put the OEWG in charge of norms of behaviour signals a renewed interest in Russia for an international treaty on this matter. Indeed, the OEWG’s format – open to all member states – could constitute a favourable framework to that end. It is thus probable that Russia uses the process to bring back the topic and defend the necessity of a treaty. This is what the Russian delegation has already done during the formal sessions of the OEWG. If so, it is all the more understandable that the provision on the handling of evidence when making accusations of cyber operations, which was originally in the section on international law in the 2015 GGE report, was referred to as a norm of responsible behaviour in resolution 73/27, since it would be a matter of transforming it into a genuine international obligation. This disposition, present in section IV of the 2015 report, has been explicitly rejected by the United States and France who refused to interpret it as creating a new international obligation. But, as they qualify the provision as a norm, and according to the objective of the elaboration of a treaty, it could eventually become a new international obligation.

It is important to note, however, that many states don’t support a new treaty, even among the ones often associated with Russia. Hence, the Chinese position is more prudent and focuses on the need to continue studying the interpretation of international law and the consequences of its application on state behaviours in cyberspace. Without rejecting the eventual need for new rules of law in the future, it doesn’t subscribe to the exceptionalist vision.

Whatever the Russian strategy on an eventual treaty may be, analysing the normative character and the legal effects of the adopted provisions now constitutes a major challenge in an attempt to find our way through the meanders of state rights and obligations in cyberspace. The states’ practice in terms of international law and norms of behaviour remains embryonic. And yet, it is fundamental due to its role in forming international law. Besides, even though these instruments aren’t binding, the states that adopted them are required to behave in good faith. The implementation of a declaratory monitoring mechanism, based on the model proposed by France during the G7,^(x) or by Australia and Mexico during the OEWG,^(x) and which could be built upon states’ voluntary contributions to the Secretary General of the United Nations, would constitute a tool to reinforce these norms, on the same level as the confidence building measures and the measures of international cooperation and assistance that have been adopted.

As they separated norms of behaviour and international law, the member states of the fifth GGE not only introduced a largely artificial distinction that was partially contradicted by the very content of these norms, but they also revived tensions around the adoption of a new treaty that have been exacerbated in the current geopolitical context. The issue of a treaty now represents a major point of divergence that blocks substantive progress on the content of the rights and obligations of the states in cyberspace. And this situation has been reinforced by the oppositions on the content of the rules of international law that need to be discussed.

III. Interpreting international law: an entanglement of issues and the risk of a militarisation of cyberspace

The principle of the applicability of international law is now consensual. But there is no agreement on what it entails, leading to serious risks of deadlock. The 2017 GGE failed because several states refused the applicability of certain branches of international law to cyberspace to be detailed in the report. This opposition was presented in some commentaries^(x) as an overall questioning of the applicability of international law in cyberspace. But this wasn’t the case.

Contrary to what has been said, neither China nor Russia question the principle of the applicability of international law or of the Charter of the United Nations, in its entirety, to cyberspace. Their positions are somewhat similar, but with a few nuances. The two states have expressed a desire to focus on protecting principles of international law, such as principles of sovereignty and non-intervention, and on the clarification of the primary rights and obligations of the states rather than to discuss the reactions to violations of international law, such as self-defence and countermeasures. Their refusal to debate the applicability of Article 51 of the UN Charter (right to self-defence) in cyberspace isn’t a challenge to the applicability of the rule. Their attitude lays on political and legal arguments, such as the difficult attribution and the weak standards of proof. According to their analysis, these legal obstacles hinder the right to self-defence – and yet not questioning its existence. This subtilty in their reasoning has often been dismissed by other state actors, either due to a simple thinking or to political interests. But it is all the more important as, politically speaking, it doesn’t make any sense for a state to renounce its right to self-defence. Interestingly, if the Russian discourse on this right has been overly critical, the country has never renounced it.

Furthermore, several months after the failure of the fifth GGE, the heads of states of the BRICS (Brazil, Russia, India, China, and South Africa) adopted the Xiamen Declaration, on 5 September 2017, which stated their commitment to the applicability of international law to information and communication technologies:

We consider the UN has a central role in developing universally accepted norms of responsible state behaviour in the use of ICTs to ensure a peaceful, secure, open, cooperative, stable, orderly, accessible, and equitable ICT environment. We emphasise the paramount importance of the principles of international law enshrined in the Charter of the United Nations, particularly the state sovereignty, the political independence, territorial integrity and sovereign equality of states, non-interference in internal affairs of other states and respect for human rights and fundamental freedoms. We emphasise the need to enhance international cooperation against terrorist and criminal misuse of ICTs, reaffirm the general approach laid in the eThekwini, Fortaleza, Ufa, and Goa declarations in this regard, and recognise the need for a universal regulatory binding instrument on combatting the criminal use of ICTs under the UN auspices as stated in the Ufa Declaration.^(x)

This opposition on the interpretation of international law has crystalised tensions between states and it is rooted in disagreements on the representations associated with the interpretation of several rules of international law. Certainly, states adopt interpretations that may differ depending on the threats they prioritise or on their strategic interests. In other words, the debates aren’t about the rules of international law themselves, but their interpretation. These rules are relatively flexible and make different interpretations possible and, as such, states differ on them. The legal translation of the various representations of the threats is bound to be notably marked in cases dealing with the responses authorised by international law to acts defined as internationally wrongful. But it will also be complicated by the entanglement of issues, thus illustrating the difficulty for a state to position itself on the interpretation of international law when it considers all its strategic interests.

The responses authorised by international law: the case of the militarisation of cyberspace

The discussion at the 2017 GGE stalled on the paragraph dealing with international law. Several states refused to mention^(x) the law of armed conflicts, countermeasures, and self-defence^(x) because they believed it could lead to the militarisation of cyberspace. These points of disagreement between the states highlight the absence of consensus on the implementation of the modalities of response to cyber operations as laid out by international law. To respond to an unfriendly act, a state can adopt measures of retorsion, whereas it can adopt measures of retorsion and countermeasures^(x) in reaction to an act recognised as wrongful internationally; self-defence, meanwhile, is only invokable in response to an armed attack.^(x)

The various responses that a state can invoke and implement in reaction to a cyber operation will probably be the subject of further disagreements, or tensions, in the GGE and the OEWG. This issue is crucial as we’ve seen a multiplication of public political attributions and/or imputations.^(x) Since the hacking of Sony Pictures in November 2014, attributed to North Korea by the United States, we have seen a change in the strategy of several states as they decided to denounce certain computer hacks publicly, even in a coordinated (semi-collective attribution) or joint (collective attribution) manner. An analysis of the discourses of attribution shows three dynamics. First, they often fall within power struggles that oppose the “Five Eyes”^(x) to Russia, China, and some of their allies. Second, it shows that, if the states shy away from legally qualifying the behaviours they denounce, they do at least invoke the international legal order and the norms of responsible behaviour adopted by the 2013 and 2015 GGEs. According to its proponents, the “naming and shaming” strategy aims at establishing the political responsibility of the attacking states and reinforcing the security and stability of cyberspace. It materialised in the adoption on the sidelines of the General Assembly of the United Stations, by 27 states including France, of a “Joint Statement on Advancing Responsible State Behavior in Cyberspace” on 23 September 2019, also known as the “New York Call”.^(x) Third, these discourses are often accompanied by sanctions.^(x)

Contextual elements are important to understand why, politically, there is opposition on the issue of how to respond to state-sponsored cyber operations. Existing frictions between groups of states are important, and so are uncertainties over the non-explicit legal qualification used by states to adopt undefined measures to respond to targeted computer attacks. In other words, the relative uncertainty over the interpretation of international law by states creates legal insecurity over the justifications invoked to justify a response. This new context of relative legal insecurity explains, in part, some states’ reluctance to codify the interpretation of certain branches of international law applicable in cyberspace.

From the perspective of international law, these uncertainties come from diverging interpretations, including between so-called “like-minded” states, and some of these uncertainties tend to favour the use of military force. The first divergence rests on the existence of a threshold between the use of force (article 2§4 of the UN Charter) and an armed attack (article 51). The first opens the right to adopt countermeasures, whereas the second triggers the right to self-defence. But the United States doesn’t recognise this distinction, the right to self-defence being, according to them, triggered as soon as a state violates article 2§4.^(x) This interpretation does lower the threshold on the use of self-defence and, as such, the potential use of force to respond to an internationally wrongful act.

The second point of divergence pertains to the theory of armed countermeasures. Contrary to self-defence, countermeasures cannot be a use of force. It has been confirmed by the Articles of the International Law Commission on the Responsibility of States for Internationally Wrongful Acts.^(x) A minority group in the literature suggests that, while we should maintain the distinction between the threshold for the use of force and an armed attack, a state victim of the use of force that doesn’t amount to an armed attack could opt for armed countermeasures.^(x) In that case, they should respect a double criteria of necessity and proportionality, which apply to both countermeasures and self-defence. This theory questions the balance between the two forms of response as it authorises the states to adopt, in response to an act below the threshold of an armed attack, measures that could imply the use of force. Knowing the uncertainties when identifying the different qualifying thresholds, these interpretations could favour the conduct of cyber operations with potentially destabilising effects.

The third point of divergence deals with the adoption of collective countermeasures to support the state victim of a cyber operation. The possibility to adopt collective countermeasures in response to cyber operations has been defended by the Estonian president in her opening speech at CyCon.^(x) Even though it contains several ambiguities, the regime of collective countermeasures is defined by the Articles of the International Law Commission on the Responsibility of States for Internationally Wrongful Acts. But the Estonian proposal wants to broaden them.^(x) As several states attribute to certain states cyber operations suffered by third countries,^(x) including through collective and semi-collective attributions, this proposal has been perceived as destabilising and a future source of divisions and tensions that could represent an important point of stalemate. France, for instance, has expressed its opposition to such an evolution of the law on collective countermeasures.^(x)

Finally, the last point of divergence rests on the assimilation, and sometimes confusion, between the obligation of due diligence, and the theory of unable or unwilling. The non-respect of the obligation of due diligence by a state allows the victim state to adopt, under certain conditions, measures of retorsion or countermeasures without being able to use the right to self-defence.^(x) On the contrary, the theory of unable or unwilling has been used by the United States to justify the use of force on the territory of states, without their consent, because they were unwilling or unable to adopt the necessary measures to end the use of their territory by armed groups. This principle is highly controversial; the United States has been the only one to invoke it, and it seems to be distancing itself from it nowadays. Believing that the theory of unable or unwilling and the obligation of due diligence are identical legitimises the use of force in situations proscribed by current international law. Any mention of this principle in a section dedicated to international regulation or to threats would be perceived as a way to facilitate the use of military force against a state whose territory has been used to launch cyber operations against another state.

These four points expose the legal arguments behind the reluctance of some states in the discussions on the forms of responses to internationally wrongful cyber operations under international law. As they facilitate the conduct of cyber operations in response to an unfriendly act or an internationally wrongful act, their opponents believe that they lead to the militarisation of cyberspace at the expense of an open, secure, accessible, and peaceful cyberspace. However, and despite the predictable difficulties of the endeavour, these countries think that the negotiations should focus on protecting and stabilising principles, such as the principles of sovereignty and non-intervention.

The principle of sovereignty: an interpretation complicated by the entanglement of issues

Sovereignty, an attribute of the state, is at the basis of international law.^(x) Several corollaries emerged from this principle, including the sovereignty equality of the states, their freedom to act within the perimeter of their sovereignty, and the non-intervention in the internal or external matters of a state. This implies limits on the right for a state to conduct cyber operations against another state. For that reason, these corollaries are deemed protecting and stabilising. Determining which cyber operations constitute a violation of sovereignty and of the territorial integrity of a state, or of the principle of non-intervention, is a true challenge. Indeed, because the issues are entangled – a legal question can be led out differently in different contexts and provoke different interpretations depending on competing strategic interests – and because the states have chosen not to address certain types of cyber operations or topics, including cyber espionage, it is difficult to reach a consensus on the interpretation of these principles in the digital context.

With regard to respect for the sovereignty and territorial integrity of a state, the territorial criterion serves as a cornerstone for defining the contours of states’ rights and obligations. However, in the digital context, it can be abused by a phenomenon that disregards borders. We are therefore witnessing a two-fold movement. On the one hand, all the states recognise that their sovereignty can be exerted over all the infrastructures present on their territories,^(x) leading to a territorialisation of cyberspace based on its physical layer^(x) but they also use other mechanisms, such as the theory of effects.^(x) On the other hand, parts of the doctrine and several states have partly reassessed this territoriality based on techno-political arguments,^(x) on an unreasonable interpretation of the territorial criteria^(x) and on other credentials to establish their jurisdiction.^(x)

This is a fundamental issue when dealing with two problems in particular. The first one deals with the exercise of extraterritorial enforcement jurisdiction,^(x) especially in criminal matters. It has generally been accepted that a state cannot collect evidence on the territory of another state without a permissive rule, be it a conventional one – the authorisation comes from a pre-existing treaty between the concerned states – or an agreement from the state territorially competent.^(x) The second deals with espionage and whether or not an intrusion in a computer system can be considered equal to an intrusion on the territory of a state.^(x) The first issue falls within the scope of the discussions on cybercrime and should therefore not be addressed by the GGE or the OEWG. The second is a matter of international peace and security and, although it is not addressed for political reasons, it should have its place in the ongoing negotiations. This is all the more the case since most state-led cyber operations are carried out by intelligence services. Moreover, any exploitation of a vulnerability for intelligence purposes creates a broader risk, as the vulnerability can also be exploited for other purposes by other malicious actors. Moreover, offensive tools developed by states for intelligence purposes can be stolen and reused, thus directly contributing to their proliferation and international instability. Viewed from two different angles, this subject amounts to asking the following question: Does an unauthorised penetration of the information systems^(x) located on the territory of a state undermine its territorial integrity and constitute a violation of its sovereignty?^(x) From the answer to this question, however, comes the implementation of the secondary rules on the responsibility of the states for internationally wrongful acts, determining in particular the measures that the injured state may take to induce the responsible state to comply with its international obligations.

This situation illustrates the difficulty in setting apart topics of negotiation when they all come back to the same issue and, ultimately, the risk of producing contradictory conclusions. To avoid that problem, it would be necessary to take into account the finality of the act. Here, setting a distinction would without a doubt be interpreted – and rightly so – as an attempt to instrumentalise the principle of sovereignty to make cyber operations lawful when conducted for espionage. This situation also highlights the limits faced by the negotiations on the interpretation of international law applied to cyberspace. In view of the conflicting positions on this subject, it seems unlikely that a consensus can be reached on a principle which is at the basis of the international legal order and from which other principles of international law and the definition of many rights and obligations derive. That raises the question of the delimitation between what should be the subject of a consensus in international negotiations and what should be left to the interpretation of each state.

Thus, the points of divergence between the states on the interpretation of international law remain numerous, whether they pertain to primary norms – such as sovereignty – or on secondary norms – the response to internationally wrongful acts. Identical positions on specific points can be adopted by states usually perceived as antagonistic (this is the case with the French and Russian approach on sovereignty) whereas these same states can fight each other forcefully on other issues. Likewise, the notion of “like-minded” is fictitious and doesn’t stand up to a careful examination of states’ international legal policies. And yet, these divergences risk being accentuated, as we’ve seen before, by the artificial distinction established between norms of responsible behaviour and international law.

Conclusion

As it is an instrument of the foreign policy of the states, international law has become a Gordian knot in international negotiations on the security and stability of cyberspace. This article has demonstrated the role it plays nowadays in the work of two ongoing processes at the UN on peace and stability of cyberspace: the GGE and the OEWG.

Politically speaking, the norms of responsible behaviour unquestionably have a role to play. They can orient the states in the identification of what constitutes responsible behaviour and pave the way for future international law in cyberspace. Yet, we need to underline the relatively artificial nature of the distinction between non-binding legal norms and international law. After analysing in depth this distinction operated in the reports, our study shows that there is a strong link between certain norms and some obligations of international law. Some norms directly derive from obligations of international law, such as the obligation of due diligence, for example, and are primarily there to help interpreting them. In such a context, it seems difficult to operate a strict distinction. It would be counterproductive, or even legally dangerous, for a norm based on an obligation of international law to evolve in a different, or even opposite, direction from the said obligation.

In the current international context, non-binding norms appear as a palliative to international law for two main reasons. First, because they provide an opportunity for states to agree on the interpretation of certain obligations under international law and other elements of responsible behaviour in cyberspace, without setting them in stone. Secondly, these norms could eventually serve as a basis for the transformation of existing rules and principles of international law or even for the formation of new conventional or customary rules. This is a long and uncertain process that should not be neglected, however, as it is at the origin of many existing obligations under international law. Again, these two remarks further underline the often artificial nature of the distinction between norms and international law. The adoption of norms based on political consensus must therefore take into account their relationship with international law and their potential consequences for its development.

Finally, the operated distinction seems to be the product of power struggles observed during the previous GGEs, or even of a relative polarisation around the positions defended by the United States and Western countries on the one side, and Russia and China on the other. In reality, this relative polarisation is fictitious and there is a mosaic of different approaches sharing many similarities beyond the two “blocs” often described. This diversity of approaches exists on the application of international law in general, but also on its implementation when dealing with cyber operations in particular. The overall situation reaffirms the need for the states to substantially communicate about their approach and their interpretation of the rules and principles of international law, something that only a minority of them has done thus far.

Our study focused on the norms of behaviour and international law in the negotiations at the UN. States, as the main subjects of international law and members of the United Nations, are the primary protagonists. However, it is necessary to note the growing power of new actors, especially on issues related to ICTs. Indeed, some non-state actors are now particularly active in the discussion of norms.^(x) They are behind some initiatives proposing or promoting new norms of responsible behaviour. With the multiplication of initiatives from non-state actors and with the development of non-binding norms, we can see that international law remains the pillar of the international legal order, even with the need to define the rights and obligations of states in cyberspace. Through the debates and oppositions it entails, its overall usefulness as law organising the peaceful coexistence of states has been reaffirmed. Nevertheless, it is certainly not a panacea^(x) and remains the result of power struggles in a context of heightened geopolitical tensions.

Bibliography

Adamson Liisi, “International Law and International Cyber Norms. A Continuum?,” in Broeders Dennis, van den Berg Bibi (eds.), Governing Cyberspace. Behavior, Power and Diplomacy, Rowman & Littlefield, 2020, 25.

Baxter R. R., “International Law in ‘Her Infinite Variety’,” The International and Comparative Law Quarterly, 29:5, 1980.

Bourguignon Jonathan, “La recherche de preuves informatiques et l’exercice extraterritorial des compétences de l’Etat,” in S.F.D.I., Internet et le droit international, Colloque de Rouen, Pedone, 2014.

Boyle Alan E., “Some Reflections on the Relationship of Treaties and Soft Law,” The International and Comparative Law Quarterly, 48:4, 1999.

Broeders Dennis, Adamson Liisi and Creemers Rogier, A coalition of the unwilling? Chinese and Russian perspectives on cyberspace, Policy Brief, November 2019.

Buchan Russell, Cyber Espionage and International Law, Bloomsbury Publishing, 2018.

Cahin Gérard, La coutume internationale et les organisations internationales. L’incidence de la dimension institutionnelle sur le processus coutumier, Publication de la R.G.D.I.P., Nouvelle Série, 52, Pedone, 2001.

Cazala Julien, “Lehttps://www.cairn.info/revue-interdisciplinaire-d-etudes-juridiques-2011-1-page-41.htmhttps://www.cairn.info/revue-interdisciplinaire-d-etudes-juridiques-2011-1-page-41.htm,” Revue interdisciplinaire d’études juridiques, Vol. 66, 2011/1.

Chinkin Christine, “Normative Development in the International Legal System,” in Dinah Shelton (ed.), Commitment and Compliance. The Role of Non-Binding Norms in The International Legal Systems, Oxford University Press, 2000.

Combacau Jean and Sur Serge, Droit international public, 11th edition, L.G.D.J., Domat, 2014.

Daillier Patrick, Forteau Mathias and Pellet Alain, Droit international public, 8th edition, L.G.D.J., 2009.

Daskal Jennifer, “Borders and Bits,” Vanderbilt Law Review, 71, 2018.

Delerue François, Cyber Operations and International Law, Cambridge University Press, 2020.

Delerue François, International Law in Cyberspace Matters: This Is How and Why, EU Cyber Direct, Policy in Focus 2019.

Delerue François, “Reinterpretation or Contestation of International Law in Cyberspace?” Israel Law Review, 52:3, 2019.

Delerue François, “The Codification of the International Law Applicable to Cyber Operations: A Matter for the ILC?”, ESIL Reflections 7, 2018.

Delerue François and Géry Aude, “Le droit international et la cyberdefense,” in Didier Danet, Amaël Cattaruzza and Stéphane Taillat, La Cyberdéfense – Politique de l’espace numérique, Armand Colin, 2018.

Delerue François and Géry Aude, Etat des lieux et perspectives sur les normes de comportement responsable des Etats et mesures de confiance dans le domaine numérique, Note Stratégique, CEIS 2017.

Desforges Alix, Approche géopolitique du cyberespace, enjeux pour la défense et la sécurité nationale, l’exemple de la France, Ph.D. thesis, University Paris 8 Vincennes-Saint-Denis, 2018.

Desforges Alix and Douzet Frédérick, “Du cyberespace à la datasphère. Le nouveau front pionnier de la géographie,” NETCOM, 32:1-2, 2018.

Douzet Frédérick and Géry Aude, “War and Peace in Cyberspace: Obama’s Multifaceted Legacy,” in François Vergniolle de Chantal (dir.), Obama’s Fractured Presidency. Policies and Politics, Edinburgh University Press, 2020.

Fernandez Julian, “Un enjeu et un moyen de la diplomatie des Etats,” Questions Internationales, A quoi sert le droit international ?, 49, mai-juin 2011.

Jacob Patrick, “La compétence des États à l’égard des données numériques : du nuage au brouillard... en attendant l’éclaircie ?,” Revue critique de droit international privé, 3, 2019.

Koh Harold Hongju, “International Law in Cyberspace,” Harvard International Law Journal, Vol. 54, from a speech given to the 2012 USCYBERCOM Inter-Agency Legal Conference.

Krieger Heike and Nolte Georg, The International Rule of Law – Rise or Decline? – Points of Departure, KFG Working Paper Series No 1, 2016.

Ladreit de Lacharrière Guy, La politique juridique extérieure, Economica, 1983.

Lafouasse Fabien, L’espionnage dans le droit international, Editions Nouveau Monde, 2012.

Pellet Alain, “Le ‘bon droit’ et l’ivraie – Plaidoyer pour l’ivraie (Remarques sur quelques problèmes de méthode en droit international du développement),” in Le droit des peuples à disposer d’eux-mêmes : méthodes d’analyse du droit international. Mélanges offerts à Charles Chaumon, Pedone, 1984.

Roberts Anthea, Is International Law International?, Oxford University Press, 2017, 432 p.

Roguski Przemyslaw, Application of International Law to Cyber Operations: A Comparative Analysis of States’ Views, The Hague Program on Cyber Norms, Policy Brief, 2020.

Schmitt Michael N. and Vihul Liis (eds.), The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 2th edition, Cambridge University Press, 2017.

Stern Brigitte, “Quelques observations sur les règles internationales relatives à l’application extraterritoriale du droit,” A.F.D.I., Vol. 32, 1986.

Streltsov A. A., “La Sécurité de l’information au niveau international : description et aspects juridiques,” Les technologies de l’information et la sécurité internationale, Forum du désarmement, 2007.

Tikk Eneken, International Law in Cyberspace: Mind the gap, Research in Focus, 2020.

Treppoz Edouard, “Jurisdiction in the Cyberspace,” Swiss Review of International and European Law, 26:2, 2016.