The Netherlands recently released a document describing its views and position on the application of international law to cyberspace and cyberattacks. This is a well-reasoned document and contains great insight.
Just like a similar French document (with a big catch - see later; my analysis here), it is short and straight to the point. It covers topics like sovereignty (as viewed in the context of software and hardware). It also highlights that many points are not yet crystal-clear (because of the lack of a track record of state practice?). But I’ll focus on selected points of the document.
State intervention
Action in cyberspace transgresses boundaries. The document mentions an example: interference with elections on social media. To be treated as interference, hostile activity should result in the subversive activity of the ‘targeted’ state, i.e. a resulting change in behavior. It sounds like it might be difficult to demonstrate (i.e. prove) that a bunch of bots and trolls had this particular effect, but never mind. Because...
Attribution of unlawful acts in cyberspace
The big positive insight offered by the document is that it stresses and distinguishes three types of attribution: technical (lowest level), policy, and legal. This is important because some communications, messages, or articles may sometimes confuse the reader into thinking that technical attribution is sufficient. As was made clear already, numerous times (including by the French document), it is not sufficient. Attribution is a matter of policy and political decision.
But the NL document goes further, as it crisply points out that there’s another layer of great importance, which is the legal one. It’s about holding the perpetrator accountable in line with the law. It is also about arguing that any responses or retaliatory actions are lawfully justified (this may also be an important message concerning stability, so as to avoid treating minor cyberattacks as pretexts for action).
On attribution the document is v. concise so extremely informative. Technical the lowest level. Political is a government decision. Legal attribution is the most demanding. Lawful response to cyberattacks must be justified legally. So hold your cyber-horses! pic.twitter.com/5NN2Ym6zWm
— Lukasz Olejnik (@lukOlejnik) October 15, 2019
For a perpetrator to be held legally accountable, showing evidence of unlawful activity is not sufficient. The evidence must be used in actual proceedings, perhaps before the International Court of Justice (bonus points: find out how the body works in practice).
Lastly, it is interesting (laudable) that this document highlights the role of human rights when speaking about laws applying to cyberspace. This message is less clear.
This document is vastly different from the French one, which had a visible tone underlining the role of the military, thresholds of response, etc.
The explanation is very simple. While the document by the Netherlands was prepared by the Ministry of Foreign Affairs, the French document was in fact issued by the Ministry of Defence. That may slightly explain the different tone, weight, and approach.
All this is happening because we’re in a major era of working out the rules that apply to cyberspace, including cyberwarfare, and the time is probably right.