The fact that States resort to automated cyber operations like NotPetya, which spread virally and have indiscriminate effects, raises the question of how the use of these might be regulated. As... Show moreThe fact that States resort to automated cyber operations like NotPetya, which spread virally and have indiscriminate effects, raises the question of how the use of these might be regulated. As automated operations have thus far fallen below the threshold of the use of force, the letter of international humanitarian law (IHL) does not provide such regulation. In IHL, the principles of distinction and discrimination hold that attacks should in their targeting distinguish between the civilian population and combatants, and between civilian objects and military objectives. Attacks must not be indiscriminate, and operations that might foreseeably spread to affect civilian objects are prohibited. This paper draws inspiration from the legal principles of distinction and discrimination to suggest a non-binding norm for responsible State behaviour with regard to automated operations that fall below the threshold of the use of force: the norm proposes that States should design cyber operations so as to prevent them from indiscriminately inflicting damage. The paper finds that in the case of automated cyber operations, a distinction between the nature of the operation and the use of the operation does not make sense because the design (nature) of the malware defines the use. In order to conform with the norm, responsible States should conduct a review of cyber operations prior to their execution. Finally, as the paper illustrates with a comparative analysis of NotPetya and Stuxnet, the post-incident forensic analysis of an operation can allow third parties and victims to determine whether the operation’s designer conformed with the norm. This can help set a normative benchmark by providing a basis upon which States may call out unacceptable behaviour. Show less
Cyberspace permeates global social and economic relations in the 21st Century. It is an integral part of the critical infrastructure on which modern societies depend and has revolutionized how we... Show moreCyberspace permeates global social and economic relations in the 21st Century. It is an integral part of the critical infrastructure on which modern societies depend and has revolutionized how we communicate and socialize. The governance of cyberspace is, therefore, an indispensable component of global governance, and a testing ground for new models of cooperation that could be adapted for effective governance in other areas. The purpose of this policy brief is to provide policymakers with insights on how to improve the effectiveness of cyber governance institutions and processes. These insights could also inform efforts to improve global governance institutions and processes more broadly. The brief considers two principal questions: Who should govern cyberspace, and how? In response to the former question, the authors review multistakeholder models of governance and provide recommendations for their improvement. These include: greater transparency of decision-making processes, with a prohibition on vetoes; dedicating financial resources to the empowerment of disadvantaged stakeholders; and allocating leadership positions in an equitable manner. In response to the latter question, the authors assess formal and informal approaches to governance in cyberspace, concluding that cyberspace should be governed through a combination of both. That is, a flexible, incremental and sectoral approach to strengthening the rule of law in cyberspace through international treaty-making should be complemented by efforts to build trust and consensus through the development, diffusion and institutionalization of norms for responsible behavior in cyberspace, as well as related confidence- and capacity-building measures. Taken together, these recommendations aim to foster common understanding and enhance security and the rule of law in cyberspace. This policy brief draws on The Hague Institute’s work on the Global Governance Reform Initiative (GGRI) project and the Global Conference on Cyberspace (GCCS), hosted by the Kingdom of the Netherlands in April 2015. The GGRI project is a collaborative effort between The Hague Institute, The Ministry of Foreign Affairs of the Netherlands, and the Observer Research Foundation (New Delhi). Show less
