Applying international law to cyber will be a tall order

Principle on non-intervention is crucial

As previously reported, Braverman said that established international laws on non-intervention have a big part to play in laying down the future legislative landscape for cyber.

“According to the Court [the International Court of Justice] in that case, all states or groups of states are forbidden from intervening – directly or indirectly in internal or external affairs of other states. A prohibited intervention must accordingly be one bearing on matters in which each state is permitted, by the principle of state sovereignty, to decide freely,” she said.

“One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.

“The UK’s position is that the rule on non-intervention provides a clearly established basis in international law for assessing the legality of state conduct in cyber space during peacetime.”

Appropriate responses

Braverman said this rule could serve as a benchmark to assess lawfulness, hold those responsible to account and, crucially, calibrate appropriate responses.

She explained this rule could be particularly important in cyber space for two reasons: first because it sits at the heart of international law and protects core matters relating to a country’s sovereignty; second because, thanks to the prevalence of state-backed cyber attacks that fall below the threshold of the use of force (or on its margins), it becomes key to enable countries to define behaviour as unlawful.

In terms of how this rule might work in a cyber context, Braverman said it was necessary to focus on the types of “coercive and disruptive” behaviours that countries can agree are unlawful. This could include attacks on energy supply, medical care, economic stability (i.e. the financial system) or democratic processes. Then it will become possible to establish the range of potential options that can be taken as a proportionate response.

Although much of the content of Braverman’s speech has been set out before – including by her predecessor in post, Jeremy Wright – this is thought to be the first time the government has been specific in the types of cyber attacks that could warrant a response – a significant moment.

Braverman said there were a wide range of effective response options in such circumstances, such as sanctions, travel bans, exclusion from international bodies and so on. But beyond this, she said, a country may respond to an unlawful act in ways which would be deemed unlawful under normal circumstances – that is to say, conducting cyber attacks of their own.

“The UK has previously made clear that countermeasures are available in response to unlawful cyber operations by another state,” she said. “It is also clear that countermeasures need not be of the same character as the threat and could involve non-cyber means, where it is the right option in order to bring unlawful behaviour in cyber space to an end.

“The National Cyber Force draws together personnel from intelligence and defence in this area under one unified command for the first time. It can conduct offensive cyber operations – flexible, scalable measures to meet a full range of operational requirements. And, importantly, the National Cyber Force operates under an established legal framework. Unlike some of our adversaries, it respects international law. It is important that democratic states can lawfully draw on the capabilities of offensive cyber, and its operation not be confined to those States which are content to act irresponsibly or to cause harm.”

Line in the sand

Oliver Pinson-Roxburgh, CEO of Defense.com, was among those to voice their support for the ideas set down by the attorney general.

“This speech is an important line in the sand on appropriate security standards in cyber space,” he said. “We live in an era of evolving and unprecedented threats, with threat actors able to deploy automated attack methods to operate at pace and at scale.

“Facing a sprawling threat landscape, where individual actors out for financial gain are mixed in with the geopolitical disruption favoured by nation state actors, businesses need this sort of clarity from the government to help them monitor and respond to threats when they occur.

“It was welcome to hear the attorney general highlight the responsibility of both the public and private sector to maintain cyber resilience,” added Pinson-Roxburgh. “Businesses cannot entirely rely on the briefings and intelligence provided by the NCSC. Hostile actors will look for vulnerabilities across any organisation – large or small.

“There are quick and easy steps businesses can take to build up an end-to-end approach to cyber security, from password best practices for staff, right the way through to the latest in vulnerability scanning and monitoring technology. As legislation for cyber space evolves, businesses can look to outsourced cyber security experts to help them make sense of the latest directives and understand how to remain compliant.”

Keiron Holyome, Blackberry vice-president for UK and Ireland, Middle East, and Africa, also spoke in support of the government’s ambitions, describing cyber warfare as a “formidable threat” to both UK businesses and institutions.

“It’s right that it is governed by international legislation,” he said. “As governments work on a Geneva convention for cyber space, our critical infrastructure and businesses face a daily threat.”

However, he added, it was just as important not to lose sight of the wealth of strategies, skills and technologies that already exist and that can prevent attacks before they execute.

“Continuous threat hunting, automated controls deployment, proactive testing and securing every single endpoint is possible with a prevention-first approach,” said Holyome. “It starts with a zero-trust environment – no user can access anything until they prove who they are, that their access is authorised and they’re not acting maliciously.

“The best way UK organisations can defend themselves in the face of cyber warfare is to be more proactive – and less reactive – in their protection strategy, deploying threat-informed defence and managed services to counter pervading skills and resource challenges. By building up a strong bastion of preventative security, organisations can increase their resilience in the face of global cyber threat.”

Tall order

Steve Cottrell, EMEA chief technology officer at Vectra AI, said: “While it’s extremely positive that the UK government is looking at opportunities to provide clarity in this area, it’s hard to see how anything meaningful can be achieved without widespread international consensus and legislative alignment.

“Cyber attacks frequently cross international boundaries and are often perpetrated from countries that tolerate or downright encourage the attacks as they serve their broader political interests.

“Additionally, there is a challenge when it comes to activities that could be categorised as state espionage – as these are not explicitly prohibited under international law,” he said. “Geopolitics is likely to continue to be the main catalyst for cyber attacks against nations and organisations for the foreseeable future, and it’s key that security defenders stay alert to the evolving cyber threat landscape.”

Ismael Valenzuela, Blackberry’s vice-president of threat research and intelligence, said: “Setting rules of the road for cyber conflict and defining justified responses is a tall order. While this defining of the international law in cyber space is an admirable and necessary development signifying the importance of cyber security for nation states, public and private organisations need to continue to prioritise improving their proactive threat-informed defensive stance against cyber attacks.”