By Anubha Gupta
In 1983 at Camp David, President Ronald Reagan watched the then new Hollywood thriller WarGames in which a teenager hacks into the North American Aerospace Defence Command causing World War III, prompting the shaken Reagan to ask, “Could something like this really happen?”
Fast forward to 15 July 2022, the Albanian Government faced a cyberattack which temporarily shut down digital services and websites. The government speculated it as an act of state aggression and launched an investigation which was later attributed to Iran. On 7th September 2022, Albania cut diplomatic ties with Iran and expelled its embassy staff. This episode has stirred up a hornet’s nest as it is an unprecedented episode of assertion of sovereignty in cyberspace over the alleged use of force by Iran in Albania’s cyberspace. Eventually, one must grapple with the contentious debate around sovereignty in cyberspace which will further set the tone for the future course of cyber norms.
Understanding sovereignty in the cyberspace
The 1648 treaty of Westphalia introduced the modern state system based on the principle of sovereignty. Sovereignty is fundamental to statehood. From the principle of sovereignty flows the other two principles i.e., use of force and non-intervention which regulate or prohibit the exercise of authority in inter-state relations.
As cyberspace becomes more divided and divisive on account of increasing attempts by the states to weaponise cyberspace, it has, therefore, necessitated shared governance of cyberspace. Cyberspace piggybacking the internet, has created multiple centres of power which in turn has become anarchical, thus, mounting contentious debates over the governing agency i.e., who and how will cyberspace be governed.
Most states argue for the state-controlled governance model in cyberspace invoking the principle of sovereignty as enshrined in the 1648 treaty. However, attribution, anonymity, and the nature of attacks (speed, intensity, location, and character) in cyberspace render the domain vulnerable and challenging vis-à-vis the principle of sovereignty in cyberspace. Nevertheless, with the development of technology, states are increasingly able to attribute the cyber attacks,though they not able to predict and deter them. Consequently, it has compelled the states to build cyber norms related to cyber sovereignty. The United Nations Group of Government Experts (GGE) on Advancing Responsible State Behaviour in Cyberspace recognised that international law, and in particular, the UN Charter—principles of state sovereignty, the settlement of disputes by peaceful means, non-intervention in the internal affairs of other states, and application of international humanitarian law—applies in cyberspace as well.
However, states differ in their interpretation and application of the above-mentioned principles. For example, France has disagreed to use the requirement of only the damage clause for it to be considered as a use of force. Instead it has stated factors such as operations that penetrate military systems to weaken defensive capabilities and financing or training groups to conduct cyber-attacks against as equivalent to the use of force in cyberspace. India prefers the UN Charter-based order in cyberspace that is internationally binding yet at the Open-Ended Working Group (OEWG), India made recommendations to remove references to human centric approaches to replace them with terms like peace and stability.
The application of UN charter including principles of state sovereignty in cyberspace is non-binding on states encouraging them to choose ambiguity and silence in cyberspace. The violation of sovereignty hinges upon a certain threshold above which it can be tantamount to the use of force, state aggression, state intervention, breach of territorial integrity, and violation of political independence. Where one stands depends on where one sits i.e., geographical, historical, political factors, etc. influence our views and choices. The countries such as the United States (US) is rooting for a global, open, multi-stakeholder and inclusive cyberspace as it owns giant tech companies that possess the technologies and also control the information in cyberspace. Some states like China, Russia, and developing countries (like Brazil) choose absolute cyber sovereignty, where the government thinks that it should have sole jurisdiction over what content, data, and services are provided or accessed on the internet within the state’s territory. Thus, the application of sovereignty in cyberspace has become so disputable that world leaders need to take a step back and re-evaluate the idea of sovereignty to focus on the larger picture— the notion of cyber norms.
Whither Cyber Norms?
The States in the international system have been making attempts to define and articulate the notion of sovereignty in cyberspace in consonance with their national interests. The idea of sovereignty in cyberspace places it in the political realm. The framing is distinct from the discourse of other realms of rights, ethics, economics, etc. Thus, there is a need to shift to a broader understanding, away from a political reframing of sovereignty in cyberspace to a norm-based global cyber order. The anarchical cyberspace has given rise to increased cyber attacks and cyber threats by one state against the other state, thus, pushing all states towards sovereignty-based governance in cyberspace. However, this notion of sovereignty in cyberspace is rife with increased cyber insecurity which might lead to cyber war. Therefore, as the realm of space has successfully demonstrated, cyberspace should also move away from the idea of sovereignty.
Instead, states should focus on the bigger idea i.e., the cyber norms. A norm is a collective expectation for the proper behaviour of actors with the given identity, a shared belief that is recognised by others. Cyber norms, thus, need to be a shared belief, accepted and recognised by all the involved parties. The process of cyber norms making has emerged in the work of the United Nations which began with the formation of UN GEE followed by the OEWG—with a similar mandate, albeit for a more inclusive grouping of interested member states and UN observers—at the UN to identify or operationalise various normative standards of behaviour for states and other stakeholders in cyberspace. The cyber norms making process at the GGE and OEWG lay a strong foundation to address threats such as attacks on critical infrastructure, damage to global supply chains, misuse of ICT within the state’s territory, risks to human rights, and the right to privacy. As the need to move towards establishing cyber norms has ratcheted up for e.g. the Sixth GGE Reportacknowledged how attribution is a complex undertaking which makes comprehensive analysis a must before attributing a cyber offence to its source, the question remains what these norms should be, how they will work, and why stakeholders should accept them.
Not a pipe dream
There is a great need to constantly learn and unlearn cyberspace, calling for constant cross communication among various stakeholders. States cannot be the sole actors defining and implementing cyber laws and norms. Participation of non-governmental organisations and civil society, therefore, becomes a prerequisite for any comprehensive cyberspace order. The principles of justice and equality in cyberspace should guide the world leaders in making the cyber norms.