Speaker 1: Louise Marie Hurel, Civil Society, Latin American and Caribbean Group (GRULAC)
Speaker 2: Sean Cordey, Civil Society, Western European and Others Group (WEOG)
Speaker 3: Maurice Eglin, Government, Western European and Others Group (WEOG)
Speaker 4: Anastasiya Kazakova, Private Sector, Eastern European Group
Speaker 5: Koichiro Komiyama, Technical Community, Asia-Pacific Group
- Jan Lemnitzer, Copenhagen Business School, Civil Society, Western European and Others Group (WEOG)
- Ottavia Galuzzi, CyberPeace Institute, Civil Society, Western European and Others Group (WEOG)
Louise Marie Hurel, Civil Society, Latin American and Caribbean Group (GRULAC)
Kevin Kohler, Civil Society, Western European and Others Group (WEOG)
Jakob Bund, Civil Society, Western European and Others Group (WEOG)
Panel - Auditorium - 90 Min
Roles and responsibilities in protecting against cyber-attacks: Which stakeholders hold responsibility for protecting national governments, businesses and citizens against cyber-attacks?
International rules and state accountability: How should international rules be strengthened to protect national sovereignty and citizens against attack by malicious state and non-state actors? What can be done to better hold nation-states accountable for cyber-attacks?
Additional Policy Questions Information: The workshop will concretely address the intersection of the two key policy questions selected above by asking speakers and participants to further reflect on "how the principle of neutrality - and specific protections attached to it - could/should be operationalised in cases of cyberattacks below the threshold of armed conflict?"
In 2013, UN member states recognised that international law (IL) applies to cyberspace. Since then, the crux of the discussion about international rules and accountability has been to understand 'how' IL applies to cyberspace and, more broadly, how cyber norms can be implemented in this context. This panel zooms into a key concept of IL and international relations, that is neutrality, to unpack how it can support the operationalisation of cyber norms. As ransomware attacks against hospitals and other critical civilian infrastructure gain notoriety, how can neutrality considerations help us rethink and strengthen the protection of such facilities and particularly vulnerable groups? The panel will address these questions in a multistakeholder manner, understanding that, beyond notions of 'shared responsibility', all stakeholders play an important role in the understanding of what these principles mean in practice.
Targets: Discussing the contributions of civil society, governments, the private sector and the technical community in support of the implementation of internationally agreed norms, this panel seeks to highlight impactful next steps to strengthen the stability of cyberspace as a global platform for economic development and intercultural exchange. In so doing, our aim is to contribute to a multistakeholder dialogue that accounts for the diverse views around the protection, stability, resilience and security of infrastructures, networks and the societies therein (9.1). Deeply connected to that is the panel's commitment to fostering a discussion to identify the strengths, needs, and required protections of each group, to enable international cooperation that can reduce the number and impact of cyber incidents (16.1). On the basis of this understanding, the discussions of the panel can inform the development of targeted capacity building offerings for each stakeholder group - in support of each other and their counterparts in developing countries. Finally, the panel seeks to go beyond the understanding of diversity as merely 'ticking the box': diversity is a fundamental piece in grasping what operationalisation of norms means in practice - in this case, the concerns around the protection of vulnerable groups and critical civilian infrastructures and the concept of neutrality (17.1).
The principle and practice of neutrality in international relations have expanded possibilities for protection but also for managing risks of escalation in the face of geopolitical tension. These contributions and the long history of neutral actors’ engagement in humanitarian action and peacebuilding point to the merits of exploring how these values of neutrality can be extended to cyberspace. Amidst growing concerns over the scale, impact and political motivation behind cyber operations, internationally agreed norms and diplomatic dialogue provide an important horizon for strengthening cyber stability. However, much is left unanswered when considering the operationalisation of norms and the role of states in building trust throughout this process. Neutrality aspects play a critical role in the operationalization of specific norms also recognized by non-neutral actors. Notably, norms proposed by the UN Group of Governmental Experts (UN GGE) call on states to protect the neutrality of states’ computer incident response teams (CSIRTs) by refraining from operations against other states’ CSIRTs and from the use of CSIRTs to engage in malicious activity (UN GGE Report 2015, norm 11/k). In support of these efforts, this panel proposes to examine in more detail how neutrality considerations can create new spaces for collaboration to advance the implementation of norms on responsible behavior in cyberspace. Together with relevant representatives from government, information security firms and the incident response community, this panel will explore how different stakeholder groups can meaningfully contribute to this process. To inform this discussion, the Igarapé Institute and the Center for Security Studies at ETH Zurich will briefly introduce applicable research findings.
These impulse statements will help frame the discussion by setting out how the rights and duties defined by neutrality law can be applied to different stakeholder groups in cyberspace and by highlighting concerns regarding the politicization of national CSIRTs.
The session will engage a diverse range of stakeholders - from the private sector, academia, government and the technical community. With the start of a new Open-Ended Working Group at the UN and the conclusion of another UN GGE, the session provides a concrete space for the conversation about responsible state behaviour and the concept of neutrality to be explored in a multistakeholder fashion, that is, by integrating knowledge and expertise to critically address what protections neutrality can facilitate in practice. A second, no less important outcome is that the reflections raised by the discussion will be published in key policy blogs (such as the EU Cyber Directions Blog).
1) Taking advantage of the IGF’s hybrid format this year, we aim to combine online and on-site participation to foster a diverse and inclusive conversation. Through the flexibility facilitated by this hybrid approach, we have been able to confirm the participation of the speakers we consider best placed to make relevant and meaningful contributions. To ensure seamless engagement between speakers attending in person and those participating remotely, we will be conducting joint preparation sessions with the speakers ahead of the panel to coordinate their contributions. Our moderators will encourage online and on-site participants to submit questions and comments in an easy-to-access, shared online space set up with Slido (no app download or account creation required). To create a joint experience for on-site and online participants, we will use Slido as a tool for participants to interact with each other’s input and vote up any questions they would like speakers to focus on.
Usage of IGF Official Tool. Additional Tools proposed: To facilitate interaction among on-site and online participants, moderators will invite all participants to submit questions and comments through Slido, which allows users to vote for the questions they like. To make the most of the questions and input provided by participants, we will use Slido as a tool for identifying questions and input considered relevant and important by other participants. Slido is intuitive to use on all major platforms (both mobile and desktop) and requires no prior installation or registration from participants.
As a time-tested legal institution, neutrality holds significant potential as a force for stability in cyberspace and - in times of lively global discussions - can advance the understanding of key conditions for implementing rules of responsible behavior. Greater clarity about state views, which have been the traditional focus under the law of neutrality, has the capacity to create safe spaces for non-state actors that assist vulnerable groups.
The law of neutrality applies to armed conflicts between states. However, the concept of neutrality can also be applied to non-state actors, such as the ICRC. The idea is that humanitarian and technical support should be possible independent of politics. The integration of national CERTs into government structures may undermine the epistemic community of CERTs. Neutral organizations, such as FIRST, may be able to fill this gap.
The panel discussion resulted in a call for more states to publish their views on how the law of neutrality applies to cyberspace and to further detail its operationalization. In addition, it called for the further discussion and inclusion of neutrality-derived principles/norms in the upcoming OEWG.
The Origins and Legal Core of Neutrality
The panel first provided a general overview of the concept of neutrality. It underlined that neutrality is a flexible, complex, multifaceted concept whose understandings and applications have evolved across various geopolitical and technological contexts. For instance, neutrality can simultaneously imply or refer to a set of legal principles (incl. rights and duties), certain behavioral traits, practices, and reputation, as well as an organization or state policy.
Reflecting on findings from a recent study on “The Law of Neutrality in Cyberspace”, published by the Center for Security Studies, the introduction of the panel noted that, traditionally, neutrality has been linked to some expectations of non-participation, impartiality, and due diligence in exchange for some protection or a guarantee of independence. Historically, however, it has also served many other functions, including ensuring continuous international commerce, promoting and fostering international peace and security, mitigating escalation, or fostering integration and social cohesion.
One core aspect of neutrality is its legal core, the law of neutrality, which is very much state-centric. This body of law, which belongs to international humanitarian law (IHL), regulates the relations between belligerent and neutral states during an international armed conflict. It was for the most part codified in the 1907 Hague Conventions V & XIII after centuries of evolving state practice. The law provides a set of reciprocal rights and duties to the neutral and belligerent states, which include the duty for a belligerent to respect a neutral state’s inviolability in exchange for the neutral state’s non-participation, impartiality, and preventive measures against violations of its neutrality.
The application of international law to cyberspace has been widely recognized. However, the application of IHL is still disputed by some states. Nonetheless, there is a legal argument for the application of the law of neutrality to cyberspace, which goes back to the ICJ’s 1996 opinion on the Legality of the Threat or Use of Nuclear Weapons, which states that there is “no doubt that the principle of neutrality, whatever its content, which is of a fundamental character similar to that of the humanitarian principles and rules, is applicable […] to all international armed conflict, whatever type of weapons might be used”.
Despite this, the law of neutrality in cyberspace remains quite a niche topic. While the non-binding Tallinn Manual and Oslo Manual have some specific rules on neutrality in cyberspace, only six states (i.e., the United States, France, Switzerland, Romania, Italy, and the Netherlands) have referenced and addressed it explicitly in their legal opinions. From these, a core set of rights and duties can be identified. Some of these are quite undisputed, such as the prohibition on conducting cyber operations from or against neutral infrastructure under sovereign protection. Others, while recognized, still need further discussion to be operationalized. This is notably the case for a neutral state’s prevention duty or the issue of the legality of routing cyber operations through neutral infrastructure.
Given the complexity of neutrality and its still-undefined implications in the wider context of thinking about responsible state behavior in cyberspace, we believed that the IGF was a unique space to bring a multistakeholder view to the topic. In so doing, we sought to challenge, map and test the limits of the concept by promoting a dialogue between actors that have historically advocated for neutrality (Switzerland) and other non-governmental stakeholders that have been the object of certain protections under the agreed GGE cyber norms.
Conceptualizing Neutrality in Cyberspace
The speakers’ opening remarks highlighted the context of increasing state-sponsored cyberattacks and broadened the discussion beyond the legal core of neutrality. Subsequently, the participants from different stakeholder groups were invited to elaborate on how they use the concept in their daily activities.
The panel member from academia started by highlighting that the old legal rules of neutrality are still applicable. However, countries have deliberately chosen not to develop them further, in order to limit their duties. Hence, the operationalization of neutrality will most likely be “forged by fire”. The speaker particularly focused on the due diligence norm and highlighted two legal cases that might be of particular importance in the future. The first is the Corfu Channel Case between the UK and Albania, whose verdict shows that due diligence does not require attribution. Second, there is the Alabama tribunal, which highlights that there is some duty to prepare and that a too-slow reaction to a cyber incident may already result in demands for compensation.
The government representative highlighted the fuzzy conceptual borders of cyberspace and neutrality, which means that neutrality principles still need to be made more precise and operationalized. The speaker further highlighted that for a permanently neutral country such as Switzerland, the concept can also have a promotional aspect as part of its foreign and security policy. Specific questions that come up for permanently neutral states in cyberspace are often focused on the limits and thresholds of international collaboration. Joint training, exercises, and interoperability are still needed despite permanent neutrality.
The member of civil society viewed the concept of neutrality through the lens of humanitarian values and the protection of human rights. From this perspective, neutrality is about supporting stability in cyberspace and providing technical support and access to knowledge regardless of location, identity, or beliefs. In terms of on-the-ground practice, this translates into free cybersecurity and cyber peace-building support for NGOs.
The representative of the private sector discussed the increasing militarization of cyberspace and noted the need for a neutral status for the CERT communities that track advanced persistent threats. This is similar to how humanitarian organizations, such as the International Committee of the Red Cross, need to be able to do their job and help with kinetic incidents independent of politics. In support of these considerations, it remains critical to account for the distinct characteristics of activities in cyberspace, particularly the covert nature of much activity and the use of cyber capabilities below the threshold of armed conflict. Still, there should be a pragmatic development of duties, with a particular focus on transparency in the sharing of threat intelligence and collaboration with Interpol in cybercrime investigations.
The member of the technical community highlighted that a timely response to cybersecurity incidents often requires collaboration between multiple countries. However, in some ways the most important question today is how to deal with multinational tech giants. As non-state actors they are mostly out of the scope of the law of neutrality. At the same time, these companies dominate the public core of the Internet today. Tech giants have an incentive to remain neutral to some degree to maintain business relationships; however, they are not equidistant from countries. For example, some tech giants directly collaborate with the military, such as by providing cloud solutions.
Cyber Norms and Neutrality
Having covered the nexus between the broad and at times undefined notion of neutrality and the everyday activities of each speaker, representatives were then invited to reflect on the operationalization of neutrality in the context of international cyber norms. As highlighted during the workshop, there are multiple norms of responsible behavior in cyberspace agreed in the 2015 GGE report that hint at notions of neutrality and protections of specific actors and territories. Below follows a list of those mentioned by the speakers:
- Norm 3 (13c) – States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
- Norm 6 (13f) – A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
- Norm 7 (13g) – States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
- Norm 8 (13h) – States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
- Norm 11 (13k) – States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
The representative from academia returned to the discussion around due diligence, highlighting that it could be a starting point for thinking about obligations and accountability beyond attribution. Furthermore, he referred to Norm 7 and stressed that due diligence could help states think through the necessary protections that need to be in place when securing critical information infrastructures. This would provide more clarity as to what could be considered the appropriate measures (possibly compensation) if an intrusion is identified. However, as he noted, we should also consider Norm 8 on requests for assistance, as it deals with the capacity of states to respond to particular attacks. Two questions followed: "When can a state reject a request and on what basis?" and "Should private companies be allowed to assist? If so, how?" The lack of a definition of critical infrastructure poses significant challenges to thinking about the operationalization of these norms.
The speaker from government noted that some norms could benefit from information sharing and the building up of a database of cases. Practices such as these would allow states to have a better sense of the context of operations and of the interpretation of Norm 3. In addition, he suggested that Norm 11, although important, lacks specificity. Domestically, it is fundamental that states have channels in place for tracking attacks associated with critical sectors. CI operators should be in contact with CERTs and other areas of the government, and mechanisms such as MoUs should also be in place to facilitate information exchange and timely response.
When it comes to civil society organizations and front-line human rights defenders, the challenge is one of thinking about the character of those actors. The representative from a civil society organization suggested that, in light of Norm 7, human rights defenders working with those directly affected by cyberattacks and assisting them in recovering should be considered critical infrastructure and off-limits. She noted that if one considers the 5 neutrality functions as per Riklin, the CyberPeace Institute, for example, would fall under the function of integration, given that it convenes a diverse range of actors on threats of relevance to civil society and particularly vulnerable groups.
The representative from the private sector argued that states need to think carefully about how norms for responsible state behavior co-exist with non-state actors. Doing so would help non-state actors understand how they can carry out their activities and what protections are in place (or can be expected). These practices could help strengthen transparency over state action and provide a landscape of greater certainty for private companies working in this space.
Finally, the CERT representative raised an important point about how contextual and institutional shifts can often challenge the implementability of a specific norm. That is the case of Norm 11, which talks about states not targeting CERTs. As the representative noted, CERTs were once thought of as independent and somewhat autonomous focal points for incident reporting. However, as new models such as national cybersecurity centers (often linked to intelligence agencies) emerge and national security concerns rise, CERTs have become more linked to government and geopolitical tensions. These and other dynamics have direct implications for the interpretation of Norm 11, as they would be structural aspects and organizational impediments to neutrality.
The challenge of neutrality is not an easy one. The evident consolidation of cybersecurity as a key element in states' political agendas and strategic actions (e.g. offensive use of cyber capabilities) has led to an even more intense dispute over what can and should be protected in the context of cyber operations. As highlighted by the government representative, that does not mean that states should not strive (and they should) to define better parameters for what is or is not allowed, even below the threshold of armed conflict. This could be achieved via due diligence or through confidence-building measures. Overall, participants agreed that even though neutrality can be interpreted as an apolitical concept, we need to consider that the key question of 'who' decides 'what' and 'whom' can be considered neutral carries political power and the potential for special protections.