Applicability of International Law in Cyberspace: Positions by Estonia and Latvia

With the constant development of information and communication technologies (ICTs), the issue of their application and related security risks is also becoming relevant. Although ICTs and a range of other emerging and revolutionary technologies bring significant benefits to individuals and societies, for instance, in terms of communication, access to services and business, they also play an essential, and sometimes negative, role in international relations.

The use of ICTs by states for military purposes and the increase of state-sponsored cyber-attacks for espionage, theft of intellectual property and other malicious and disruptive activities raise serious concerns not only about the protection and resilience of ICTs systems, but also about the irresponsible state behaviour in cyberspace. Some states are using cyber-attacks as part of a wider hybrid warfare to influence an adversary. Such malicious and disruptive cyber-activities orchestrated by one state against another can threaten international peace and security. At the global level, states are increasingly discussing international cybersecurity issues, including international law, norms and principles states should adhere to when using ICTs.

In the United Nations (UN) Committee on Disarmament and International Security (also known as the First Committee), states have been discussing ICTs issues in the context of international security since 2004 when the UN Group of Governmental Experts (UN GGE) began its work. Such discussions, but in the framework of a new expert group, namely UN Open-Ended Working Group (UN OEWG), are expected to continue until 2025. Since 2004, states have been actively working together to understand whether and how the international law applies to cyberspace, including when states are using ICTs (the behaviour of states in cyberspace). In less than twenty years, progress has been made in recognising the application of existing international law in cyberspace, including the UN Charter and human rights principles, as well as various other non-binding rules and principles. The attempts to reach a common understanding of applicability of international law in cyberspace have been only partially successful.

For example, different views over the aspects of countermeasures, self-defence and application of international humanitarian law still exist. Moreover, there are attempts by some states to review the decisions once made by the UN General Assembly on the applicability of international law in cyberspace. Authoritarian states do not fully share the view that existing international law is applicable in cyberspace and persistently suggest that there is a need for a new, binding international treaty that would regulate the states' conduct in cyberspace. Democratic states do not share such a view and keep promoting and strengthening the concept of applicability of already existing international law in cyberspace. Democratic states have concerns that through such a new, binding international treaty authoritarian states will restrict free flow of information and the governance model of cyberspace will become state centric, not human centric (Rosenbach & Chong, 2019). Democratic and like-minded states need to promote the concept that international law applies in cyberspace and take global discussions further in order to answer the question how it is applied.

The aim of the article is to examine how one of the most important outcomes of the work of UN GGE, notably stating that international law is applicable in cyberspace and is crucial to maintaining peace and stability (UN GGE, 2013), is reflected in current national cybersecurity strategies and national statements of Estonia and Latvia at relevant UN GGE and UN OEWG meetings. The article provides qualitative, comparative, and, to a very limited degree, also legal analysis on Estonia's and Latvia's contributions on understanding on whether and how international law applies to the use of ICTs by the state. The qualitative analysis is performed by interpreting and analysing national cybersecurity strategies and national statements. The core issues of the article are analysed through foreign policy perspective. The article does not discuss or interpret legal concepts. The result of the research indicates that Estonia has been more active than Latvia in terms of defining and promoting its official position on applicability of international law in cyberspace. Latvia has not yet provided detailed positions on applicability of international law in cyberspace which may indicate lack of expertise and/or lack of human resources. If Latvia provided such an analysis and position, it would contribute to strengthening the understanding of the international community on the applicability of international law in cyberspace.

The article explains the global processes at the UN Committee on Disarmament and International Security in relation to responsible state behaviour in cyberspace and security of and in the use of information and communications technologies. The article examines Estonia's and Latvia's understandings of applicability of international law in cyberspace. It concludes with a comparison of the cases of Estonia and Latvia providing final conclusions.

Early concerns that the misuse of ICTs could endanger international stability and security, rose in 1998, when Russia introduced a UN resolution on “Developments in the field of information and telecommunications in the context of international security” (UN doc. A/RES/53/70, 1999). Discussions on norms and laws which should govern the use of cyberspace became more prominent when the UN GGE was established in 2004.

The mandate of UN GGE has evolved over the years. For instance, in 2004 the group's mandate was:

“Requests the Secretary-General to consider existing and potential threats in the sphere of information security and possible cooperative measures to address them, and to conduct a study on the concepts referred to in paragraph 2 of the present resolution, with the assistance of a group of governmental experts [..].”

The latest UN GGE group in 2018 was mandated to:

“[..] to continue to study, with a view to promoting common understandings and effective implementation, possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States, confidence-building measures and capacity-building, as well as how international law applies to the use of information and communications technologies by States [..].”

Adjustments and evolutions of the mandate are in line with the findings and recommendations of the UN GGE reports in 2013, 2015 and 2021.

Until now there have been six UN GGE. Usually, the group works for two years, it has at least 2 working sessions per year. The groups have consisted of 15–25 experts. The main outcome of working sessions is consensus reports which include findings and, most importantly, recommendations for states to guide their conduct in cyberspace. The recommendations are non-binding, but, mostly, have been well recognised by the UN member states and some of them even adopted by consensus. In total, the groups have produced four reports. The most prominent and fundamental findings and recommendations are included in 2013 and 2015 reports. (UN, 2021)

In 2013, the UN GGE report concluded that international law applies in cyberspace; state sovereignty applies to State conduct of ICTs; human rights and fundamental freedoms must be respected in cyberspace:

“19. International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.

20. State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory.

21. State efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments.”

After the report in 2013, the UN GGE continued its work, building upon work that had been done previously and concluded its work with a new consensus report in 2015. The report of UN GGE in 2015, among other things, offers eleven key recommendations for voluntary, non-binding norms, rules or principles of responsible behaviour in cyberspace (UN doc. A/70/174).

One of the key recommendations is:

“States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.”

Recommendations suggest that states should not conduct or knowingly support malicious ICT activities and such activities should be mitigated if emanating from their territory and are directed against another state (UN doc. A/70/174, 2015). The report also provides deeper insights on how international law applies to states' conduct in cyberspace. Mainly, it reflects discussions on sovereignty, confirming that:

“States have jurisdiction over the ICT infrastructure located within their territory.”

The group concluded that there is a need for continued discussions to improve the understanding of how international law applies in cyberspace, including on countermeasures which states can implement according to the UN Charter. The report also highlights the challenges of attribution.

In 2017, UN GGE failed to agree on a consensus report because of different views over the aspects of countermeasures, self-defence, due diligence, application of international humanitarian law and sovereignty (Tikk & Kerttunen, 2017). The group resumed the work in 2019 and provided a consensus report in 2021. The report addresses the issue with the application of international humanitarian law, noting that IHL is applicable in cyberspace but only during an armed conflict (UN doc. A/76/135, 2021). Normative clarifications regarding due diligence and sovereignty still need to be addressed.

There is a separate document accompanying UN GEE report 2021:

“Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States submitted by participating governmental experts in the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security established pursuant to General Assembly resolution 73/266”.

This compendium consists of national views on how international law applies to states' conduct in cyberspace submitted by UN GEE participating states. Apart from the Compendium 2021, since the establishment of UN GEE, UN member states are regularly invited by resolutions to inform the UN Secretary General of their opinions and positions on concepts covered by the UN GGE recommendations. It also refers to states' views and assessments of how international law applies in cyberspace.

UN Resolution A/RES/73/27 in 2018 introduced a new group called Open-ended Working Group (UN OEWG) with almost the same mandate as UN GGE. UN OEWG is a Russian led initiative, open to all UN member states, while UN GGE members are selected based on candidatures. The group concluded its first report in 2021 and is expected to continue its work till 2025. The report does not contribute meaningful, new recommendations on how international law applies in cyberspace. Nevertheless, it was crucial that the UN OEWG reaffirmed the work done by UN GGE in 2013 and 2015 (UN doc. A/AC.290/2021/CRP.2, 2021). The report is accompanied by “Compendium of statements in explanation of position on the final report” which reflects detailed positions of states on different issues, including controversial ones.

Although a lot has been achieved at the global level in terms of building norms and laws which should govern the use of ICTs by states in cyberspace, states must continue to discuss and to develop common understanding on how international law applies in cyberspace.

This section analyses national cybersecurity strategies. These are important policy documents which reflect what positions states have on different issues and also determine strategic guidelines. Additionally, national contributions to both compendiums (in the frameworks of UN GGE and UN OEWG 2021 reports) will be analysed, in order to identify contributions of Estonia and Latvia. For the UN OEWG 2021 Compendium all UN member states were able to submit their positions, explaining their views on different issues expressed in UN OEWG report 2021. For the UN GGE 2021 Compendium only those states participating in the group were invited to submit their national views. Estonia is the only Baltics state which participated in the UN GGE 2019–2021. Latvia's contribution is not expected in the UN GGE Compendium. National statements expressed at relevant UN GGE and UN OEWG meetings will also be discussed.

Establishment of laws, norms and principles governing the use of ICTs in cyberspace is still ongoing. The processes at the UN are highly politicised. There are two diverging visions on how cyberspace should be governed and by what laws states should be guided in use of ICTs in cyberspace. The UN General Assembly has affirmed that international law applies in cyberspace. Remaining question is: how does it apply? Meanwhile, there are attempts by some states to review the decisions made by the UN GA and proposals to create new, binding treaties which would regulate cyberspace. Democratic states consider that through such proposals authoritarian states intend to restrict free flow of information, and the governance model of cyberspace would become state centric, not human centric.

Research shows that Estonia and Latvia both affirm and support the notion that international law is applicable in cyberspace, but Estonia has been more active than Latvia in terms of defining and promoting its official position on applicability of international law in cyberspace. Estonia has developed a detailed national position, addressing the most pressing and controversial concepts discussed at the UN GGE. Such a contribution helps to improve understanding of the applicability of international law in cyberspace for those states that lack expertise in legal aspects of cybersecurity, thus increasing support for the concept that international law is applicable in cyberspace. Overall, such a contribution helps to improve general understanding of the normative framework (norms, laws and principles) applicable in cyberspace. The ongoing processes at the UN level also have an implication for other international organisations, and a clear understanding of the violation of the normative framework is essential.

Estonia has been a regular UN GGE participant and with its expertise has contributed to all four consensus reports. Latvia has not been a member of the UN GGE processes but participated in the UN OEWG 2019–2021. In the case of Latvia, there is significantly fewer public materials and data to analyse. Latvia has not yet provided detailed positions on applicability of international law in cyberspace, even though it is encouraged by the UN Secretary General to do so. This may indicate a lack of expertise and/or a lack of human resources responsible for developing detailed positions on international cybersecurity policies. If Latvia provided such an analysis and position, it would contribute to strengthening the understanding of the international community on the applicability of international law in cyberspace. Although Latvia and Estonia are similar in terms of geography, military, economics, and territorial size, the role of cybersecurity in their foreign policies is fundamentally different. In the case of Estonia, cyber is part of its foreign policy, especially international cooperation on cyber norms and international law. The membership of the UN GGE has been a goal. Estonia promotes itself as the leading nation in the field and is keen to strengthen its expertise further. Estonia's ambitious cyber foreign policy and strong expertise have been developed since it suffered from state-sponsored cyber-attacks against its government websites and online services in 2007.

In-depth discussions are needed at the UN level to continue to build a common understanding of how international law applies in cyberspace.