Conference on State Practice and the Future of International Law in Cyberspace

Dear Friends and Colleagues,

I cannot tell how much I appreciate you gathering here in Tallinn today. I know that many of you have, during the past months, participated in several events on the issue of norms, rules and principles of responsible State behavior in cyberspace. I also hope that the following two days will allow lively and fruitful exchanges of views in an open, inclusive and forward-looking way.

As a lawyer and as a diplomat I appreciate the interplay of law and politics in the international cyber security dialogue. I have personal experience of complicated diplomatic efforts to mitigate cyber-attacks against my country. Today, my Ministry is in charge of developing Estonian views on international law as it applies to State behavior in cyberspace.

Estonia has been a member of three consecutive UN Groups of Governmental Experts (UN GGE) in the United Nations First Committee.

The upcoming GGE is faced with the expectation of taking us beyond already agreed positions. Whether or not each of us will be part of the next GGE, it is our privilege and duty to inform those discussions and to support an outcome that respects and responds to our common concern.

For Estonia, international law is the biggest authority. We therefore strive for clarity and certainty of norms as it not only reduces the risk of intolerable practices, but provides transparency and predictability of behavior that allows us to focus on peace rather than on conflict.

I want to take this opportunity to elaborate on the question of peace and conflict. Seen through the Estonian lens, while we have witnessed the disruptiveness of malicious cyber activities, our focus has always been on using ICTs in support of State and societal functions; peace, growth and prosperity. We have never invested overly into military cyber capability development, although we have taken the question of cyber defence very seriously. We have promoted an atmosphere of trust and cooperation between government and industry, including critical infrastructure providers. And we have always taken into account the preferences and requests of the community of users. For Estonia ICTs are technologies of peace and development, not of conflict. I am sure this is the case for the majority of countries in the world.

However, I can understand how these technologies can be seen as a potential source of conflict by some of us. We have heard of development of offensive military cyber capabilities and doctrines. We can see the growing statistics of cybercrime, economic espionage and other malicious uses of ICTs. Estimates of cyber crime diminishing GDP vary between 0.1 and 1.6 per cent, thus depriving us from the full benefits that ICTs can offer. Terrorists exploit ICTs and social media to forward their sermon of hatred, violence and intolerance, to recruit followers and lead their mislead troops.

It is essential to acknowledge that we perceive cyber threats and opportunities differently. Regardless of how clearly we can see and understand each other’s perspectives, it is essential that we remain mindful to each other’s views. This open and permissive attitude allows us to achieve stability and security, while taking full advantage of technological development and advances.

It is therefore essential that we need to go further than we already have.

We need to broaden our understanding of international law. We have concluded that international law, in particular the UN Charter, is applicable to international cyber security. There are other international legally binding instruments that are applicable. We need to identify and register these instruments.

I have noted that for some commentators the applicability of international humanitarian law is not settled. Let me share the Estonian position on that. While we acknowledge, and in fact hope, that cyber hostilities will never mount to the levels of use of force or armed attack, we also consider it very essential that should that ever happen, protections of international humanitarian law are to be afforded to their fullest. Once we have affirmed these guarantees AND clearly condemned any threat to peace and security in cyberspace, we can start working on details that, no doubt, need to be clarified with the view to application of particular norms.

We need to broaden our discussion on how international law applies to State activities in cyberspace. In this regard we have witnessed both uncertainty and differences. In the absence of easily observable State practice, and given the challenges of attribution, we must make extra efforts to apply the concepts and principles of sovereignty, non-intervention and state responsibility to activities in the cyber domain. And we need to be mindful of our different interpretations of some of these concepts, both due to our different traditions of international law, but also due to the fact that we are only starting to apply the well-established legal norms and principles to a new reality – cyberspace.

Over the almost two decades that the UN First Committee has dealt with the issue of international cyber security, individual States have grown their expertise and experience in addressing these fundamental questions and specific threats. We need to look at what States actually do when facing cyber threats, because their actions speak of proposed standards of responsible behavior.  We need to carefully look at all the proposals, verbal and material, that States are making about how to deal with these threats.

In this regard, I also want to emphasize how important it is that we have different experiences. Our differences inform the margins of actions that each of us, or all of us together, can take in case of an incident.

But we should not stop at that – while we have clearly condemned any malicious and hostile acts in cyberspace and focused on the remedies that international law offers in case of breaches, we need to turn to preventing incidents from happening and escalating.

Here, it is important to find the incentives and common interests of all stakeholders, including governments, industry and the civil society.

It is equally important to acknowledge that international law is not the only regime that we need to adjust to our needs. When it comes to prevention, it is essential to create national policies, procedures and standards that support cooperation and exchange of information.

This is why this conference looks at the future of international law by not (only) looking at international law. As the GGE has structured the conversation, when discussing how international law applies, we also identify potential gaps and inconsistencies that merit new norms, rules and principles. State behavior is equally conditioned by legally non-binding norms. The GGE could be further informed by practices and norms that both States and industry have come to follow in their activities in cyberspace.

I would therefore propose a few additional approaches that the international community could consider.

States have the responsibility to lead a global culture of cybersecurity. The GGE has made reference to expectations that governments have towards industry and critical infrastructure operators. It is now essential to hear how governments should lead. Few corporate actors have tabled their views on this. In my view, we need to hear more. I would therefore invite the industry to consolidate and share their views on norms, rules and principles of responsible State behavior, as well as the application of international law.

I also invite different schools of international law and international relations to discuss the urgent and practical issues of international cyber security and help us chart the political-normative surface we need to operate on. Let us not just suggest, but demonstrate that international law is alive, is relevant, and is useful. Let us demonstrate that we can use some of its core principles, such as good faith, and our pledge to remain bound by treaties, to modernize it to the age of smart and connected technologies.

My last point is something I hope you all consider when thinking and making decisions about international cyber security and international law. I would like to introduce you to a scholar of Estonian origin who spent most of his career at the service of the Russian empire at the end of the 19^th century.

Professor Friedrich Frommhold Martens, a distinguished legal scholar and an assigned diplomat to the Hague Peace Conference, helped governments overcome a similar legal puzzle we are facing today. He suggested that while norms on (at that time) land warfare are still to be clarified by high contracting parties, states should afford maximum protections to anyone under the rule of law. The Martens Clause reads as follows:

Until a more complete code of the laws of war is issued, the High Contracting Parties think it right to declare that in cases not included in the Regulations adopted by them, populations and belligerents remain under the protection and empire of the principles of international law, as they result from the usages established between civilized nations, from the laws of humanity, and the requirements of the public conscience.[1]

I very much hope that in our thinking and discussion of the future of international law, we follow the example and spirit of Professor Martens and that we build the future of international law by not changing the law, but changing our thinking and behavior to support the existing legal order to the fullest.