Cyber-commentators gave a cautious reception to a speech by UK Attorney General Suella Braverman, given at the Chatham House think tank, in which she outlined the government’s position on the application of international law to cyberspace, in the context of cyberwarfare, espionage, and other state-sponsored intrusions.
In her speech, Braverman outlined her thoughts on how international law might apply in cyberspace and called on governments to come together to establish an appropriate and clear legal framework. This was seen as a signal that, under certain circumstances, launching cyberattacks against hostile countries could be considered justified and legal.
“The UK’s aim is to ensure that future borders evolve in a way that reflects our democratic values and interests and those of our allies,” she said. “We want to build on the growing activism of like-minded states in international e-governance.
“This includes ensuring that the legal framework is properly applied, in order to protect the exercise of powers deriving from the principle of state sovereignty – to which this government attaches great importance – from external coercion by other states.
“The law must be clear and well understood if it is to be part of a framework governing international relations and curbing irresponsible cyber behavior. Providing more detail on what constitutes illegal activity by states will provide greater clarity on when certain types of robust measures are warranted in response.”
The principle of non-intervention is crucial
As noted earlier, Braverman said established international laws of non-intervention have an important role to play in shaping the future cyber legislative landscape.
“According to the Court [the International Court of Justice] in this case, all States or groups of States are prohibited from intervening, directly or indirectly, in the internal or external affairs of other States. Prohibited intervention must therefore relate to matters in which each state is authorized, by the principle of state sovereignty, to decide freely,” she said.
“One of them is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is unlawful when it uses means of coercion with regard to these choices, which must remain free.
“The UK’s position is that the non-intervention rule provides a clear basis in international law for assessing the legality of state conduct in cyberspace in peacetime.”
Braverman said this rule could serve as a benchmark for assessing legality, holding officials accountable and, most importantly, calibrating appropriate responses.
She explained that this rule could be particularly important in cyberspace for two reasons: first, because it sits at the heart of international law and protects key issues relating to a country’s sovereignty; second, because, given the prevalence of state-sponsored cyberattacks that fall below the threshold for the use of force (or on its margins), it becomes essential to allow countries to define behavior as illegal.
Regarding how this rule might work in a cyber context, Braverman said it’s necessary to focus on the kinds of “coercive and disruptive” behaviors that countries can agree are illegal. This could include attacks on energy supply, medical care, economic stability (i.e. the financial system) or democratic processes. It will then become possible to establish the range of potential options that can be taken as a proportionate response.
Although much of the content of Braverman’s speech has already been set out – including by her predecessor in office, Jeremy Wright – it is believed to be the first time the government has been specific about the types of cyberattacks that could justify a response – a meaningful moment.
Braverman said there is a wide range of effective response options in such circumstances, such as sanctions, travel bans, exclusion from international bodies, etc. But beyond that, she said, a country can respond to an illegal act in a way that would be considered illegal under normal circumstances, that is, by carrying out its own cyberattacks.
“The UK has previously made clear that countermeasures are available in response to unlawful cyber operations by another state,” she said. “It is also clear that countermeasures do not have to be of the same type as the threat and could involve non-cybernetic means, where that is the right option to stop unlawful behavior in cyberspace.
“The National Cyber Force brings together intelligence and defense personnel in this area for the first time under a unified command. It can conduct offensive cyber operations – flexible and scalable measures to meet a full range of operational requirements. And, most importantly, the National Cyber Force operates within an established legal framework. Unlike some of our opponents, it respects international law. It is important that democratic states can legally take advantage of the capabilities of the cyber offensive, and that its operation is not limited to states that simply act irresponsibly or cause damage.”
Line in the sand
Oliver Pinson-Roxburgh, CEO of Defence.com, was among those who expressed support for the ideas set out by the Attorney General.
“This speech is an important line in the sand on proper security standards in cyberspace,” he said. “We live in an era of evolving and unprecedented threats, with threat actors able to deploy automated attack methods to operate at pace and scale.
“Faced with a sprawling threat landscape, where individual actors seeking financial gain intertwine with geopolitical disruptions fostered by nation-state actors, businesses need this kind of clarity from government to help them monitor and respond to threats as they occur.
“It was welcome to hear the Attorney General highlight the responsibility of the public and private sectors to maintain cyber resilience,” added Pinson-Roxburgh. “Companies cannot fully rely on the briefings and information provided by the NCSC. Hostile actors will look for vulnerabilities in any organization, large or small.
“Companies can take quick and easy steps to implement an end-to-end approach to cybersecurity, from password best practices for staff, to the latest vulnerability scanning and monitoring technologies. As cyberspace legislation evolves, businesses can turn to outsourced cybersecurity experts to help them understand the latest guidelines and figure out how to stay compliant.”
Keiron Holyome, Blackberry Vice President for the UK and Ireland, Middle East and Africa, also backed the government’s ambitions, describing cyber warfare as a “tremendous threat” to UK businesses and institutions.
“It is true that it is governed by international law,” he said. “As governments work on a Geneva convention for cyberspace, our critical infrastructure and businesses face a daily threat.”
However, he added, it was equally important not to lose sight of the wealth of strategies, skills and technologies that already exist that can prevent attacks before they happen.
“Continuous hunting for threats, deploying automated controls, proactive testing and securing every endpoint is possible with a prevention-focused approach,” Holyome said. “It starts with a zero-trust environment – no user can access anything until they prove who they are, their access is authorized, and they are not acting maliciously.
“The best way for UK organizations to defend against cyber warfare is to be more proactive – and less reactive – in their protection strategy, deploying threat-informed defense and managed services to counter security challenges. skills and resources. By building a strong bastion of preventive security, organizations can increase their resilience against the global cyber threat.”
Steve Cottrell, Chief Technology Officer EMEA at Vectra AI, said: “While it is hugely positive that the UK Government is exploring options to bring clarity to this area, it is difficult to see how anything meaningful can be achieved without broad international consensus and legislative alignment.
“Cyberattacks frequently cross international borders and are often perpetrated from countries that condone or outright encourage the attacks because it serves their broader political interests.
“Furthermore, there is a challenge with regard to activities that might qualify as state espionage – as they are not explicitly prohibited by international law,” he said. “Geopolitics will likely continue to be the primary enabler of cyberattacks against nations and organizations for the foreseeable future, and it’s critical that security advocates remain alert to the evolving cyber threat landscape.”
Ismael Valenzuela, Vice President of Research and Threat Intelligence at Blackberry, said, “Establishing rules of conduct for cyber conflicts and defining justified responses is a difficult task. While this definition of international law in cyberspace is an admirable and necessary development that signifies the importance of cybersecurity for nation states, public and private organizations must continue to prioritize improving their proactive defensive posture against cyberattacks.”