Ericson Scorsim. Lawyer and Consultant in Regulatory Communications Law. Ph.D. in Law from the University of São Paulo (USP). Author of the book “Jogo geopolítico entre Estados Unidos e China no 5G: impacto no Brasil.” (The Geopolitical Game between the United States and China regarding 5G: Impact on Brazil.)
The United Nations (UN) has set up a study group on information and telecommunications technologies and global cybersecurity.
There are several reasons given for the project: the advanced development of new information and telecommunications technologies, the increase in global connectivity, the dual-use nature of information and communications technologies (i.e., civilian and military use), the essentiality of these technologies for government services, the existence of real threats in the exploitation of these technologies that put the security of nations at risk, the expansion of the Internet of Things and the risks associated with it.
Considering this, the study group’s report proposes confidence-building measures between countries on the subject of cyber defense.[1] In particular, the group seeks to construct rules, norms, and principles of state responsibility in terms of international law and cyber defense. It also aims to promote institutional dialogue about the increasing dependence on information and communication technologies.
It is further suggested that states be encouraged to build the capacity to identify and protect national and transnational critical infrastructure and supranational critical information infrastructure. As for the promotion of responsible behavior by the states, a strategy of technological neutrality should be adopted to prevent the abuse of technologies concerning the carrying out of cyber-attacks and the exploitation of information and communication technology vulnerabilities, including the context of “machine learning,” “quantum computing,” and the “Internet of Things.” It is further recommended that states do not adopt “proxies” to commit harmful acts internationally and prevent their territory from being used by non-state actors to commit harmful acts against other countries and/or targets. Thus the suggestion of measures for “building confidence” among the states.
The issue of the right of states to use force in the cyber environment is under debate. States have the right to defend themselves in the cyber environment. However, states’ actions must be guided by international law principles, such as humanity, necessity, proportionality, differentiation, and precaution.[2] As per the UN final report: “States concluded that there are potentially devastating security, economic, social and humanitarian consequences of malicious ICT activities on critical infrastructure (CI) and critical information infrastructure (CII) supporting essential services to the public. While it is each State’s prerogative to determine which infrastructures it designates as critical, such infrastructure may include medical facilities, financial services, energy, water, transportation, and sanitation. Malicious ICT activities against CI and CII that undermine trust and confidence in political and electoral processes, public institutions, or that impact the general availability or integrity of the internet, are also a real and growing concern. Such infrastructure may be owned, managed, or operated by the private sector, may be shared or networked with another state or operated across different states. As a result, inter-state or public-private cooperation may be necessary to protect its integrity, functioning and availability”.[3]
The UN’s concern is that the misuse of information and communication technologies may cause future conflicts between states. In other words, cyberattacks between states can trigger severe conflicts between them. Therefore, the UN wants to deploy confidence-building measures among states through reliable partnerships. In this sense, it recommends installing specialized cyber response teams: computer emergency response teams (CERTs) or computer security incident response teams (CSIRTs). Thus, it is recommended that access to technologies be facilitated for states, that the state sovereignty principle be respected, and that sensitive information’s confidentiality be protected.
On this subject, it should be noted that cyber operations can violate the sovereignty of other countries. A country can address other countries’ critical national infrastructures (telecommunications, energy, financial, water, civil aviation systems, among others). Recently, the specialized media pointed out that France has expanded the number of cyber operations against targets located in other countries. That opened a debate as to whether France was adopting a contradictory practice in terms of sovereignty. On the one hand, France advocates for the purist conception of classical sovereignty in terms of physical territory. However, on the other hand, France maintains a flexible position of sovereignty in the cyber environment, to the point of attacking cyber targets located in other countries. In this second option, there is simply a denial of another state’s sovereignty in the case of a cyber-attack. France has unleashed several cyber operations: the Emoted (2021), Encrochat (2020), and Retaup (2019). Operation Emotet was a coordinated operation between France, the Netherlands, Germany, the United States, the United Kingdom, Lithuania, and Ukraine to disrupt emotet malware. The operation consisted of implanting malicious software in command-and-control servers. The emotet malware has also infected computer systems located in other ninety (90) countries. In 2020, the Center for Combating Digital Crime (C3N) of the French National Gendarmerie led Operation EncroChat. The target was the servers of the private company EncroChat that provide encrypted phones for secure communications. Malicious software was infiltrated into the servers of said company, demanding its performance installed on the machines. Upon the update of the software, the malicious agent was installed.
In 2019, after the French Ministry of Defense announced that international law applies to cyberspace, the National Gendarmerie announced the cyber operation against the private company Avast to combat the malicious Retadup virus. This virus infected servers on French territory in command-and-control systems. Military doctrine on the subject (Tallinn Manual 2.0) considers that law enforcement operations led by one State that attack command and control servers located in another State (without the consent of this other State) constitute a violation of the State’s sovereignty considered to be the target. The cyber operation could only be carried out within the territory of the State. Research observatories point to abusive practices by twenty-three (23) states.
Thus, there are two perceptions about the nature of cyber operations. According to author Jack Kenny, there are two possible explanations for this.[4] On the one hand, “purists” argue that persistent cyber-engagement operations with the invasion of other states’ networks to maintain a presence within these networks and, thus, obtain intelligence, could constitute a permanent violation of state sovereignty.
There are cyber policies in this sense of permanent engagement in cyberspace: U.S (“defend forward”), U.K (“active defense”), Canada (“active cyber”), New Zealand (“internationally active” engagement.” Russia, China, Iran, North Korea, and others also have active cyber capabilities. In his conclusions, Jack Kenny says: “states that choose not to recognize that a rule of sovereignty applies to cyber operations, such as the U.K., maintain operational flexibility but leave their infrastructure open to attacks that would not be prohibited by a rule of international law below a prohibited intervention. It is clear that for states to develop an understanding of how the rights inherent in sovereignty apply to cyber operations, they must balance the interests of operational freedom with the protection of critical national infrastructure on a state’s territory to identify a ‘half-way house” de minimis threshold at which a violation of sovereignty takes place. Over time, in the absence of a treaty, statements by states by stats on how they interpret the rights inherent in sovereignty to apply with specificity to cyber operations may contribute to the formation of specific customary international law that may focus or clarify the application of such rules”.
In short, the United Nations perceives the problem of conflict between states and/or non-state actors and sovereignty concerning operations conducted in the cyber environment. The concern is with critical national infrastructures that could be classified as military targets. One way to solve this problem is to strengthen the rules, principles, and customs of international law to contain States’ offensive capability in cyberspace and to ensure the self-defense of states in the face of cyberattacks.
Finally, the issue of the impact of information technologies and telecommunications on sovereignty is of interest to Brazil. Further studies, research, and measures are needed to improve the Brazilian State, companies, and individuals’ cyber governance. Currently, cyber defense is a sine qua non condition for the political-electoral sovereignty of the country.
*All rights reserved. This article must not be reproduced or used without mentioning the source.
[1] United Nations, General Assembly. “Second ‘pre-draft’ of the report of the OEWG on developments in the field of information and telecommunications in the context of international security.
[2] United Nations, General Assembly. “Open-ended working group on developments in the field of information and telecommunications in the context of international security, 8-12 March 2021.
[3] United National, General Assembly. Open-ended working group on developments in the field of information and telecommunications in the context of international security. Final substantive report, 10 March 2021.
[4] Kenny, Jack. France, cyber operations and sovereignty: the “purist” approach to sovereignty and contradictory state practice. March 12, 2021.
