In July, SingHealth, Singapore’s largest group of healthcare institutions, had its database compromised in what was described as a major cyber attack. The scale of the attack was unprecedented, reaching a record high of 1.5 million patients’ data stolen – including that of the Prime Minister.
Authorities described the incident as a “deliberate, targeted, and well-planned cyber attack”. Given the nature of the data exfiltrated, cybersecurity experts believe it was the work of a state-sponsored entity, with the Nikkei Asian Review quickly pointing to China as the main suspect.
Certainly, the weaponisation of cyberspace by states is nothing new. Russia’s alleged hacking into the 2016 US presidential elections has been well documented, and even from as far back as 2007, Estonia experienced a string of cyber attacks that viciously crippled several government and corporate sites, all of which were allegedly orchestrated by the Kremlin.
While the advent of information and communications technology has integrated the world, it has also undoubtedly increased the space for vulnerability in the 21st century. Such as it is, have there been any attempts to regulate this space?
The Tallinn Manual definitely stands as a case-in-point.
The study, which was crafted by an international group of experts between 2009 and 2012, explores the legality of actions in the cyber realm. In addition to being the first study of its kind, the Manual was remarkable for its distinction between jus ad bellum (the conditions under which states may resort to war) and jus in bello (the boundaries upon the conduct of states in wars) in the cyberspace.
For Dr Bill Boothby, who was one of the members of the drafting committee for the Tallinn Manual, its emphasis on scope and detail also sets it apart from its legal forerunners.
The former Air Commodore of the United Kingdom Royal Air Force, who was in town earlier this month to deliver a talk at the S. Rajaratnam School of International Studies, said: “It is quality scholarship; we did get together a good group of individuals and they are international experts.
“What the Tallinn Manual does so well is that it looks at the law and says how the existing rules of law can be made to apply in the cyber context. So it isn’t just saying these are the rules that apply, but it’s also saying how they apply.”
And it’s easy to see why. The Manual details explicit scenarios, such as the hacking of a nation’s nuclear power plant and its use as a cyber hostage to affect civilian populations. It also sought to discover how the Internet’s ability for sabotage could be incorporated into future military practice, like the spread of degrading pictures of prisoners-of-war to inflict psychological harm.
Instead of simply stating the laws that apply to the cyberspace, the Tallinn Manual attempted to demonstrate how these laws apply too.
Then there is also the UN Group of Governmental Experts (UN GGE). Given the highly global nature of cyberattacks, one must expect the UN to be involved at some point. Formed in 2004, the GGE gathers consensus from states on how they can adhere to the UN Charter when operating in the cyberspace, and also how they can take responsibility for the occurrence of cyberattacks within their own territory.
It has also made recommendations for information sharing on cyber procedures between the GGE and the Organisation for Security and Cooperation in Europe (OSCE) as well as the establishment of cross-border efforts to combat cyber crime.
Most importantly, regular sessions anchored by the GGE have provided a platform for a comprehensive exchange of views between various countries on matters of cybersecurity, proving to be a step in the right direction to manage the weaponisation of the cyberspace.
Drawbacks of past efforts
But in spite of these efforts, the reality is that both fall short in regulating actions in cyberspace.
While the Tallinn Manual remains an authoritative text, it only reflects the perspectives of a group of experts, not that of a state or group of states. It is not a prescriptive set of laws and carries no legal weight, which renders it relatively toothless in international disputes.
Said Dr Boothby: “It’s an example of soft law; it’s not law in the hard sense.
“It’s not treaty law, it’s not customary law, and it’s not a source of law. But on the other hand it is usable as reflecting the best guess of those participating experts of what the law is.”
Then there is also the unenviable task of determining what exactly constitutes a cyber attack. The Manual is equivocal on this, and understandably so. Developments in cyberspace come thick and fast, and any effort at being specific becomes obsolete quickly. In fact, the expanded second edition of the Manual that was published in 2017 changed the term cyber warfare to cyber operations in its title, reflecting that most cyber attacks do not meet the threshold of being an act of war.
To be sure, this makes identifying cyber attacks and the enactment of regulatory laws even harder. In accordance with the Tallinn Manual, even aggressive actions such as Russia’s alleged interference in the 2016 US Presidential Election do not constitute a cyber attack.
At present, Nato does not define cyber attacks as a clear military action. This means that the provisions of Article V of the North Atlantic Treaty, in which an attack on one is an attack on all, will not automatically be extended to the attacked country in the event of a cyber attack. It’s a worrying loophole for Nato members, given that a number of them have been the target of cyber attacks in recent years.
For the GGE, lack of consensus between countries has proved a hindrance. In both the 2013 and 2015 editions of the GGE, the declaration that international law was applicable to the cyberspace became a divisive controversy. For instance, countries like Cuba opposed the equivalence between a cyber attack and an armed attack, reasoning that an endorsement of the “right to self-defence” would significantly weaken the advantages that militarily weaker states may enjoy in the cyberspace.
The divisions reached a nadir last June when the 2016/17 GGE failed to reach a consensus for the first time in its history, with several states failing to agree on a single paragraph detailing how international law applies to states in their use of Information and Communication Technologies (ICTs). Given this failure, questions are now being asked as to whether this legal debate should be continued, and whether this spells the demise of the GGE’s role in regulating cyber security.
What then should be the way forward?
It’s difficult to say, but an international criminal tribunal for cyberspace could be one.
Stein Schjolberg, a prominent voice in cybersecurity circles and a Court of Appeal Judge in Norway, believes that under Chapter 7 of the United Nations Charter, a tribunal could be established to expand the jurisdiction of the International Criminal Court.
He has also proposed an addendum to the tribunal: a prosecutor of international cybercrime. The prosecutor is a separate entity of the tribunal and also enjoys autonomy from the Security Council, states, international organisations, or other organs of the tribunal.
However, such ratification would have to be accepted by the United States, Russia, and China in order to produce any realistic effect. In light of recent threats of sanctions made by the United States against the International Criminal Court, such a conclusion is unlikely. Even more so considering that there are also countries – such as China, Iraq, and Turkey – who are neither parties nor signatories to the Rome Statute.
While there are options that can be considered, it seems that they can only happen with one indispensable condition: a global consensus for a regulatory protocol. Unless there can be a consensus on the underlying principles that should govern the cyberspace, we are perhaps still far from having a set of rules to effectively curb its precarious effects.
But for observers like Dr Boothby, this too is unlikely to happen anytime soon. He said: “I don’t see the likelihood of any new treaty in this field, because the differences of view between Russia and China and the West are too deeply entrenched.
“I don’t think you get international law in an area like this until or unless you get some sort of disaster.
“And if we have a disaster, then that would be the wake-up call for the international community to come together, and say: Look, enough of this. Let’s talk sense.
“Until that happens, I think we will continue to talk nonsense.”