Cyber commentators welcomed the speech of the Attorney General of the United Kingdom, Suella Braverman, delivered to the Chatham House Trust, in which she set out the government’s position on the application of international law to cyberspace, in the context of cyber warfare, espionage and other state-supported interventions.
In her speech, Braverman set out her thoughts on how international law can be applied in cyberspace and called on governments to come together to establish an appropriate and clear legal framework. This is taken as a signal that in some circumstances the launch of cyberattacks against hostile countries can be considered justified and legitimate.
“The aim of the United Kingdom is to ensure that future borders develop in a way that reflects our democratic values and the interests of those of our allies,” she said. “We want to build on increased like-minded activity when it comes to international cyber governance.
“This includes ensuring that the legal framework is properly applied in order to protect the exercise of powers deriving from the principle of state sovereignty – to which this government attaches great importance – from external coercion by other states.
“The law needs to be clear and well-understood in order to be part of the framework for managing international relations and tackling irresponsible cyber behavior. Defining more details on what constitutes illegal activity by States will shed more light on when certain types of robust measures are justified in response.”
The principle of non-interference is crucial
As previously reported, Braverman said established international non-interference laws play a major role in defining the future legislative landscape for cyberspace.
“According to the court [the International Court of Justice] in this case, all states or groups of states are prohibited from interfering – directly or indirectly – in the internal or external affairs of other states. Prohibited interference must therefore be relevant to matters on which each state is allowed, in accordance with the principle of state sovereignty, to decide freely,” she said.
“One of them is the choice of political, economic, social and cultural system and the formulation of foreign policy. Interference is unlawful when it uses methods of coercion in respect of such choices, which must remain free.
“The United Kingdom’s position is that the rule of non-interference provides a clear basis in international law for assessing the legality of a state’s conduct in cyberspace in peacetime.”
Braverman said the rule could serve as a benchmark for assessing legality, holding those responsible accountable and, crucially, calibrating appropriate responses.
She explained that this rule can be particularly important in cyberspace for two reasons: first, because it is at the heart of international law and protects fundamental issues related to a country’s sovereignty; second, because the proliferation of state-backed cyberattacks that fall below the threshold for the use of force (or at its borders) makes it crucial to enable states to define behavior as illegal.
Regarding how this rule could work in a cyber context, Braverman said there was a need to focus on the types of “coercive and destructive” behavior that parties could agree to be illegal. This may include attacks on energy supply, medical care, economic stability (i.e. the financial system) or democratic processes. It will then be possible to identify the set of potential options that can be considered as a proportional response.
Although much of the content of Braverman’s speech has been set out before – including by her predecessor Jeremy Wright – this is believed to be the first time the government has been specific about the types of cyberattacks that may be needed. significant moment.
Braverman said a country has a wide range of effective options for responding in such circumstances, such as sanctions, travel bans, exclusion from international bodies, and so on. But beyond that, she said, a country can respond to an illegal act in ways that would be considered illegal under normal circumstances – that is, by carrying out its own cyberattacks.
“The United Kingdom has previously indicated that countermeasures are available in response to illegal cyber operations from another country,” she said. “It is also clear that countermeasures do not have to be the same as the threat and may involve non-cyber means, where this is the right option, to put an end to illegal behavior in cyberspace.
“For the first time, the National Cyber Force is gathering intelligence and defense personnel in this area under a single command. It can conduct offensive cyber operations – flexible, scalable measures to meet a full range of operational requirements. And, importantly, the National Cyber Force operates within an established legal framework. Unlike some of our opponents, it respects international law. It is important that democracies can legally take advantage of offensive cybernetics and that its action is not limited to those states that are content to act irresponsibly or cause harm.”
Line in the sand
Oliver Pinson-Roxberg, CEO of Defense.com, was among those who expressed support for the ideas put forward by the Attorney General.
“This speech is an important line in the sand about appropriate security standards in cyberspace,” he said. “We live in an age of evolving and unprecedented threats, and threat participants can implement automated attack methods to work at a pace and scale.
“Faced with a growing landscape of threats, where individual actors seeking financial gain are mixed with geopolitical disturbances preferred by participants in nation states, businesses need this kind of clarity from the government to help them monitor and respond to threats when they arise.
“It was good to hear the Attorney General emphasize the responsibility of both the public and private sectors to maintain cyber resilience,” Pinson-Roxberg added. “Businesses cannot rely entirely on briefings and intelligence provided by the NCSC. Hostile participants will look for vulnerabilities in any organization – large or small.
“There are quick and easy steps businesses can take to build a holistic approach to cybersecurity, from best practices for staff passwords to the latest technology for scanning and monitoring vulnerabilities. As cyberspace legislation evolves, businesses can look to outsourced cybersecurity experts to help them make sense of the latest directives and understand how to stay compliant.”
Kayran Holiom, Blackberry’s vice president for the United Kingdom and Ireland, the Middle East and Africa, also spoke in support of the government’s ambitions, describing the cyber war as a “huge threat” to both business and UK institutions.
“It is legal that it is governed by international law,” he said. “As governments work on the Geneva Convention on Cyberspace, our critical infrastructure and businesses face a daily threat.”
However, he added, it is equally important not to lose sight of the wealth of strategies, skills and technologies that already exist and that can prevent attacks before they are implemented.
“The continuous search for threats, the implementation of automated controls, proactive testing and securing each endpoint is possible with a priority approach to prevention,” Holiom said. “It starts with a zero-trust environment – no user can access anything until they prove who they are, that their access is allowed and they don’t act maliciously.
“The best way for UK organizations to defend themselves in the face of cyber warfare is to be more proactive – and less reactive – in their defense strategy by implementing threat-aware protection and managed services to address comprehensive skills and resource challenges. By building a strong bastion of preventive security, organizations can increase their resilience to the global cyber threat.”
Steve Cottrell, Chief Technology Officer for EMEA at Vectra AI, said: “While it is very positive that the UK government is looking for opportunities to clarify this area, it is difficult to see how something meaningful can be achieved without widespread international consensus and legislative alignment.
“Cyberattacks often cross international borders and are often carried out by countries that tolerate or directly encourage attacks, as they serve their broader political interests.
“There is also a challenge when it comes to activities that can be categorized as state espionage – as they are not explicitly prohibited by international law,” he said. “Geopolitics is likely to continue to be a major catalyst for cyber attacks against nations and organizations for the foreseeable future, and it is crucial that security advocates are on the lookout for the evolving cyber threat landscape.”
Ismael Valenzuela, Blackberry’s vice president of threat research and intelligence, said: “Defining cyber conflict rules and defining justified responses is a difficult task. Although this definition of international law in cyberspace is an admirable and necessary development, which means the importance of cybersecurity for nation states, public and private organizations must continue to prioritize improving their proactive, threat-aware defensive stance against cyber attacks.”