States Obligation In Applying R2P Doctrine For Ensuring Protection Against Cyber Threat And Security – A Social Peril Demanding Sovereign Protection | Author : Kaarvannan Balasubramanian | Volume II Issue IV |

States Obligation In Applying R2P Doctrine For Ensuring Protection Against Cyber Threat And Security – A Social Peril Demanding Sovereign Protection

Abstract

Computer information systems and communication technologies have become a quintessential ingredient in our day to day livelihood and also makes a reasonable contribution in balancing world order. The cyberspace is like a double-headed sword and its pros and cons depend absolutely upon the use of an individual. The field of Information and communication technology (ICT) extends in making an array of contributions ranging from health care to defence services. The issues with regard to the realm of cybersecurity require a strategic perspective towards appropriately prioritising the concerns that need to be primarily addressed. Further, it also demands adequate measures to be taken within the national cybersecurity policy in compliance with the International Legal Framework. The Legal approach towards ICT gives an aerial view in fore sighting impacts cyberspace can create in disrupting the maintenance of international peace and security which may even extend to the new domain of warfare. Moreover, though the international legal fraternity is well aware of the impact of threat possessed by cyber warfare, it is yet to determine appropriate definition for the law of cyberspace. This paper closely examines the applicability of R2P doctrine in the cyber domain, Opinio juris sive necessitates by International Court of Justice in relevance to cybersecurity and Legal obligations to be complied by States in protecting its citizens from cyber threats.

Keywords- Information and communication technology, Responsibility to protect, Cyber space, State security

Introduction

Up until 21^stcentury, world has underestimated the impacts cyber-attacks could create in the economy and security of a State. Cyber-attack can bring a whole nation to their knees with less cost of executing and significant consequences[1]. Few of the several major disruptions through cyber-attacks include: –

• November 2014 Sony hack which resulted in total loss of nearly one hundred million dollars.

• Marriott owned Starwood hotel group data theft revealing information of over 500 million guests.

• 2016 North Korean hackers breaching Bangladesh banking system leading to $81 million heist.

• WannaCry ransomware campaign that targeted thousands of computer systems worldwide including the UK’s National Health Service (NHS), US hospitals, Nissan, and Russian banks.

• Stuxnet 2010, worm infiltration into Iranian nuclear power facility SCADA systems and affecting uranium centrifuges. It is believed to be the work ofthe US government’s National Security Agency (NSA) with the assistance of Israel.

The Cyber domain is presently considered to be the fifth common domain after Land, Sea, Air and Outer space in terms of sharing mutual responsibilities by all States. One of the major challenge’sStates face is understanding of International Law and its applicability in the cyber environment. Further, there are no treaty in prevalence which directly deals with the cyber warfare and it makes one difficult in ascertaining whether there exists a customary international law norm which specifically deals with the cyber space[2].  Bearing in mind the Sovereignty  definition laid down in Island of Palmas arbitral awards which provides that “Sovereignty between states signifies the independence of State with regard to portion of the globe in exercising the functions of a State by excluding any other State”[3] this paper closely examines the need for applying R2P doctrine by a State in protecting its citizens from cyber threats, Importance of State sovereignty in cyber regime and lastly, this paper makes a comparatively analysis on International Court of Justice judgements and its relevancy to cyber domain through specific cases.

Chapter 1- Doctrine of Right to Protect –Understanding its applicability  

The seeds of this doctrine can be witnessed from the constant human rights violations in Rwanda and Bosnia and effects of World War II that lead to Crimes against humanity, ethnic tensions and fragility.          The R2P doctrine conceptualises the framework that demands every State to exercise its sovereignty over its citizens in order to protect them from serious crimes that threaten human rights in general. R2P doctrine was deeply stressed upon in the 2005 United Nations World summit and it recognised the need for strengthening the developments of a new international norm with specific reference to humanitarian protection. The outcome document of United Nations summit 2005 urges member States to protect its population from International crimes and offences against the administration of justice enshrined under Part II of the Rome statute[4].  Further, this doctrine also recommends member state to act in complete compliance of UN Charter and bear in mind the obligations laid down under Chapter VII of the charter. The Key stone of this doctrine includes: –

• Ensuring States to have the ability to protect its citizens even to those outside the territorial jurisdiction of the State.

• Responsibility of the international community extending to the most vulnerable sections of society regardless of their nationality.

• Stronger Nations to ensure protection of the week States. 

• R2P Doctrine and Cyberspace – Establishing Nexus

Bearing in mind the Statement of Kofi Annan former United Nations Secretary General “States are widely considered to the servant of its people and not vice versa”[5]. States now have to clearly ascertain the impacts cyberspace might create extending to offences mentioned under part II of the Rome statute leading to cyber warfare. Each and every State has sovereign authority over cyber infrastructure and activities taking place under their territorial jurisdiction.Inter-governmental co-operation has the become need of an hour in order to protect the international community from cyber-attacks carried out by non-state actors.

The conceptual framework of the R2P doctrine cannot be construed under a small umbrella of humanitarian assistance in terms of crimes against humanity, genocide, ethnic tensions alone. It is prerogative of a State to ensure protection of its citizens from all contributing factors that might lead to offences mentioned under Part II of the Rome statute.

The perambulatory portion of United Nations General Assembly resolution on combating the criminal misuse of information technologies clearly enshrines the need for enhanced cooperation and coordination among member states in order to combat the criminal misuse of information technology. Thus, making it explicitly clear that cyberspace has become a common domain urging member States for a mutually shared responsibility in prosecuting the perpetrators of the offence and to keep adequate checks and balances over cybersecurity. Further, the resolution also invites member States to make necessary domestic legislationand policies to combat and prevent criminal misuse of information’s[6]. The applicability of R2P doctrine can also be witnessed under provisions enshrined under the Convention of cybercrime wherein the convention urges each party to ensure implementation of procedures subject to safeguards under domestic law for adequate protection of human rights, fundamental freedoms and to act in compliance with 1966 United Nations International Covenant of Civil and Political Rights. The convention also underlines the fact that any safeguard measures taken should in accordance with the public interest and sound administration of justice[7]. 

• ICT AND R2P

• ICT acts as a tool for the prevention of negative propaganda and dissemination within a State’s territory in case of an emerging threat.

• ICT can be used as a mode to diffuse a situation leading to conflict and helps to end or stabilize a post-conflict situation.

• ICT can be called as a digital peacekeeper in handling emergency and crisis situations and shall enable better surveillance and monitoring of the situation.

• ICT can be a source un improving early warning of potential conflicts and promote mitigation and reconciliation for resolving disputes among member States

Based on the aforesaid facts, rule of law and principle of sovereignty with regard to the cyber domain it is clear that States owe certain responsibilities on its own nationals and such responsibilities are inherent in International Humanitarian Law as well. The very notion of sovereignty involves not just by guaranteeing human rights to its citizens but also extends to the protection of citizens from factors that lead to human rights violations. Further, Implying sovereignty over the cyber domain provides legal and regulatory control over States functioning to cyber-related conflict and also guarantees the State to take collective self-defence when cyber operation trigger armed attacks. As provided in rule 20 of the Tallinn manual of cyber warfare Laws pertaining to armed conflicts applied to cyber operations as well despite the absence of specific laws explicitly dealing with cyberwarfare[8].

Chapter II- International Court of Justice and its observations attributing to State sovereignty with regard to cyber security.

 Although ICJ has never addressed the issues pertaining to cybersecurity. The principles laid down by ICJ in few cases help as a guide in ascertaining solutions for cyber threats in the future. This chapter highlights important principles identified by ICJ which can be applied in the cyber environment.

• Corfu channel case– The facts of the case involve two British warships struck in mines and were sunk in Corfu channel. The British government used the innocent passage as a defence and highlighted the failure of the Albanian government to warn British warships of the existence of mines. The ICJ based its decision on a principle that “Every State has an obligation to not allow knowingly its territory to be used for acts that contrary to the rights of other States. The ICJ articulated the principle of Right to Warn[9]. Althoughthe facts of the case are not connected to the cyber domain it clearly helps in drawing an analogy that” It is the duty of the State to warn other States operating within their territory about the domestic network vulnerabilities or third State networks.

• Trail smelter dispute- TheInternational Court of Justice in the instant case dealt with the issue of due diligence to be carried out by a State during any act of commission or omission that is likely to affect a neighbouring State. The dispute involves the emission of environmentally hazardous materials across the US-Canada border raising obligations of a State to its neighbours. Court held that “No State has the right to use or permit the use of its territory to cause injury to another State”. Trail smelter dispute came up with the principle of “No harm” which requires States to ensure their actions cause no harm to the territory of other State[10]. Although this principle is directed towards environmental harm the same can be applied to cybersecurity thereby mandating a State to prohibit any domestic activities that would cause serious international consequences. Hence, if a States action causes serious repercussions to the international community then the offending State has the obligation to mitigate the threat and this can be applied to the concepts of cyber-attacks as well[11].

• Nicaragua case- The International Court of Justice in the instant case highlighted the importance of Non-intervention and State sovereignty. The ICJ urged States not to intervene in the internal affairs of other States[12]. The principle of non-intervention can be extended to the cyber context. The term intervention can be interpreted on the basis of internet architecture reinforcing the concept of free speech and anonymity which might influence the internal affairs of the foreign State. Internet access allows infiltration of ideas that might destabilize the political well-being of a country. The best example is Russia’s interference in 2016 United States elections by orchestrating the hacking of US political organization websites with the goal of harming Hilary Clinton election campaign.

• Gabčíkovo–Nagymaros Project case- This case primarily laid down the concept of countermeasures in the case of Wrongfulness of an act of a State which is not in compliance with the International obligations extending to another State. The injured State can take appropriate legal countermeasures for the breach of international obligation committed by another State. In the case of Hungary v. Slovakia on the Gabčíkovo–Nagymaros Project dispute arose due to Hungary’s failure in non-compliance with the project agreement which prompted Slovakia to divert the flow of Danube river. The ICJ in the instant case held that although Hungary breached the treaty obligations Slovakia’s countermeasures were unlawful because the particular action was not proportionate[13]. Applying the principle of Countermeasure in cybersecurity shall provide States with broad discretion when it comes to responding to an internationally wrongful act. For example the United States breach of China’s great firewall in response to the 2015 United States Office of Personnel Management(OPM)  data breachtargeting the records of as many as four million people. The breach estimates 21.5 million stolen records of federal officials including the identification information such as social security numbers.

 On August 2017 FBI arrested Chinese personnel involved in creating malware for the breach.

Conclusion

Understanding the cyber environment and its relation to public international law has always been a sceptical area to analyse and reach for a conclusion. However, this field demands inter-governmental cooperation for an absolute legal harmonization process to build global cybersecurity norms. Further, the international conventions dealing with cyberspace should incorporate flexible mechanisms on evidence collection and prosecuting the perpetrators of cyber offence. Although there exist conventions specifically focusing on cybersecurity the international legal frameworks is silent on extending sovereign countermeasures to cyber-attacks. It is considered to be an agreed fact that the R2P doctrine has several dissenting opinions but however, the applicability of this principle in cyber domain can create reasonable protection to citizens from mitigating cyber threats. Member States of the United Nations should be granted a common information sharing ground that would give states an incentive in identifying the source of cyberattacks. Cybersecurity has presently become a transboundary concern and is indeed a challenging task for organizations like the United Nations to bring effective countermeasures. Lastly, the information and communication technologies can be considered as a form of aid in itself in order to mitigate cyber threats. Further, no State shallintervene with the right of a State Party, under its domestic legislation, to direct, control, coordinate and supervise telecommunication assistance within a States territorial jurisdiction[14].To conclude, R2P cannot be curtailed of its scope only from international law perspectives and institutions such as the security council and UN systems. R2P doctrine enhances the scope of development and security interlocking objectives of each and every member State for the effective implementation and maintaining the rule of law.

[1] Oren Gross, Cyber Responsibility to Protect: Legal Obligations of States Directly Affected by Cyber-Incident, Cornell International Law journal, Vol. 48: Issue 3. Pg.484, (2015)

[2]Michael N. Schmitt, Tallinn Manual on The International Law applicable to Cyber Warfare (Cambridge University Press) ,(2013).

[3]Island of Palmas Case (or Miangas), United States v Netherlands, Award, (1928) II RIAA 829, ICGJ 392 Permanent court of Arbitration, (4th April 1928).

[4] Rome Statute of the International Criminal Court outcome document,Crimes against Humanity, United Nations General Assembly (17 July 1998).

[5]United Nations, Department of Public Information, SecretaryGeneral Presents Annual Report to General Assembly, U.N. Press Release SG/SM/7136(Sept. 20, 1999).

[6]United Nations General Assembly resolution 56/121, Combating the criminal misuse of Information technologies, A/RES/56/121 (23^rd January 2002).

[7]Conventionon Cybercrime art. 15, Council of Europe(23^rdNovember 2001).

[8]Supra note 2

[9] Corfu Channel Case (United Kingdom v. Albania); Assessment of Compensation, 15 XII 49, International Court of Justice (ICJ) (15^th December 1949)

[10] The Trail Smelter arbitration case (United States vs Canada) 1941, U.N rep. International Arbitral Awards 1905.

[11]Scott J. Shackelford, Scott Russell, Andreas Kuehn, Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors, Chicago Journal of International Law, Volume 17 issue 1.

[12]Military and Paramilitary Activities againstNicaragua (Nicaragua v. The United States of America). Merits, Judgment. I.C.J. Reports 1986, p. 14.

[13]Gabčikovo-Nagymaros Project, Hungary v Slovakia, [1997] ICJ Rep 3, ICGJ 65 (ICJ 1997), 5th February 1997, United Nations, International Court of Justice.

[14]