Due Diligence and the futility of creating norms in cyberspace

Stefan Soesanto is Digital Project Fellow at the European Council on Foreign Relations (ECFR)

It has become all too common for European policymakers and academics alike to obsess over the creation of norms in cyberspace. Especially the promotion of the due diligence principle, to regulate state behaviour in the fifth domain, is riddled with forlorn expectations and futile assumptions.

According to customary international law, due diligence stipulates that, “no State has the right to use or permit the use of its territory in such a manner as to cause injury […] to the territory of another or the properties or persons therein.”[1] Adapted to cyberspace, the Tallinn Manual notes that “a State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States.”[2]

Proponents of the due diligence principle naturally praise its anticipated positive impact, such as (1) helping to “protect and further an open, free, and secure global internet,” “(2) prevent regional fragmentation, (3) the threat of crime and (4) a militarization of cyberspace,” as well as (5) lowering global risks in the cyber domain to an acceptable level.[3] Cooperation rather than conflict is the overarching message.

In theory, due diligence would simply shift accountability to the nation state, thereby levelling the playing field between governments, and making already existing international law applicable to the cyber domain. In one swooping move, states could be held responsible for the actions of non-state actors, but would also gain a legal beachhead to exercises stronger regulatory control over privately held IT infrastructure on their territory.

From a legal perspective, such a move would solve a host of current problems. For example, the aperture for attribution would dumb down to the question of “who is to blame?” rather than necessitate a nuanced multi-layered-process determining “who did what, how, why, when, and where?” Expanded sovereignty would also introduce tangibility, by clearly delineating cyberspace along the geographic locations of its physical components. Even the utilization of offensive cyber capabilities could be consigned to the right of self-defence, and thereby help promote a deterrence-by resilience posture.[4]

In practice, however, the application of due diligence will most likely achieve none of its lofty goals.

First, given that cyber operations depend on identifying “specific vulnerabilities in specific systems that can be exploited in specific ways,”[5] they are by their very own nature “soaked in intelligence.”[6] Espionage however falls, apart from a few exceptions, outside the domain of jus ad bellum and jus in bello, and is woefully underdeveloped in international law.[7] The Tallinn Manual for example notes that “though highly invasive, cyber espionage does not rise to the level of a use of force due the absence of a direct prohibition in international law on espionage per se.”[8]

Consequentially, curbing cyber espionage can only occur in a domestic context, by creating prevalent civilian oversight mechanisms that will hold intelligence agencies responsible for any misconduct. However, the Snowden revelations have already shown that even a country like Germany, with all its attached history and oversight mechanisms, was unable to constrain the BND from “eavesdropp[ing] on various US government and diplomatic missions, on fellow EU members, on humanitarian nongovernmental organizations, and even on the Vatican’s mission in Berlin.”[9] There is simply no point in trying to regulate state behaviour in cyberspace without also constraining intelligence agencies from conducting the very missions they were designed to do.

Second, contrary to public perception the fifth domain is becoming more secure rather than less. According to PwC’s 2016 Global State of Information Security Survey of 10,000 IT and security practitioners, 91% now utilize a risk-based security framework within their organization, 69% leverage cloud-based security, 65% collaborate with others to improve cybersecurity, and 59% harness Big Data analytics. Overall, respondents boosted their IT security budgets by 24% in 2015.[10] Indeed, some, like Martin Casado, General Partner at Andreessen Horowitz, persuasively argue that “we have enough tools in place, if used properly, to make the weakest link me and you […].”[11] Therefore security is not necessary a technology problem but one that is user-centric.

Third, users are becoming increasingly aware that the market has failed to deliver on the promise of privacy and cybersecurity.[12] While we have come a long way from the Crypto Wars in the 1990s, the quest for secure online communications is picking up steam again. As a result, the adoption of stronger encryption is becoming commonplace, log-free VPNs are proliferating, and the success of the Tor browser has spread across the globe. One visit to Blackhat or Defcon should make it abundantly clear that any attempt by Western governments to control internet traffic, regulate open-source software, or adopt any other bullying behaviour, will cause an immediate backlash from the community.

The whack-a-mole fight against online piracy is probably the most notable example that controlling cyberspace is futile.[13] Many have tried and many have failed, but governments rarely learn from their mistakes, as Britain’s current discussion on fighting online pornography vividly shows.[14] The bottom line is that cyberspace was not designed to be secure,[15] it was not envisioned to be controllable, and international norms will not dictate how intelligence agencies operate in the fifth domain.

Cybersecurity and norms in cyberspace will be further discussed on 14 September at the Friends of Europe event : ‘CYBERSECURITY AND FOREIGN POLICY – A new role for Europe?’