International Cyber Norms Legal, Policy & Industry Perspectives Anna-Maria Osula and Henry Rõigas (Eds.) This publication may be cited as: [Article author(s)], [full article title], International Cyber Norms: Legal, Policy & Industry Perspectives, Anna-Maria Osula and Henry Rõigas (Eds.), NATO CCD COE Publications, Tallinn 2016 © 2016 by NATO Cooperative Cyber Defence Centre of Excellence. All rights reserved. No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence ([email protected]). This restriction does not apply to making digital or hard copies of this publication for internal use within NATO, and for personal or educational use when for non- profit or non-commercial purposes, providing that copies bear a full citation. NATO CCD COE Publications Filtri tee 12, 10132 Tallinn, Estonia Phone: +372 717 6800 Fax: +372 717 6308 E-mail: [email protected] Web: www.ccdcoe.org LEGAL NOTICE This publication is a product of the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE). It does not necessarily reflect the policy or the opinion of the NATO CCD COE or NATO. The NATO CCD COE may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication. Print: EVG Print Cover design & content layout: Villu Koskaru ISBN 978-9949-9544-6-9 (print) ISBN 978-9949-9544-7-6 (pdf) NATO Cooperative Cyber Defence Centre of Excellence The Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) is a NATO-accredited knowledge hub, think-tank and training facil- ity. The international military organisation focuses on interdisciplinary applied research and development, as well as consultations, trainings and exercises in the field of cyber security. The Centre’s mission is to enhance capability, cooperation and information sharing between NATO, Allies and partners in cyber defence. Membership of NATO CCD COE is open to all Allies. The Czech Republic, Estonia, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, the Netherlands, Poland, Slovakia, Spain, Turkey, the United Kingdom and the United States have signed on as sponsoring nations. Austria and Finland have joined the Centre as contributing participants. The Centre is funded and staffed by these member nations. Foreword All our lauded technological progress – our very civilization – is like the axe in the hand of the pathological criminal. – Albert Einstein Einstein’s pessimistic notion is as relevant today as a century ago. The very opportu- nities that are created by information and communication technologies also bring vulnerabilities with them. Everything that is good and everything that is bad in human nature have their manifestations in cyberspace. The ultra-rapid advance- ment of technology has challenged and outpaced the development of the norma- tive frameworks that should limit malicious activities – be it crime, hacktivism or state-sponsored activities. This book looks at these normative frameworks and focuses on the interaction between the different types of norms that regulate state behaviour in cyberspace. International developments regarding cyber norms have been addressed by mul- tiple international actors. NATO has taken a clear line on the issue: the Alliance expressed its position in the Wales Summit Declaration (2014), stating that existing international law applies to cyberspace. The declaration also affirmed that cyber defence is part of NATO’s core task of collective defence and emphasised that a cyber attack can lead to the invocation of Article 5. Indeed, in the context of this book, Article 5 can be seen as the most relevant norm for the Alliance. On the global level, key players have agreed on the applicability of international law and have pro- moted accompanying cyber ‘norms of behaviour’. First steps have been taken, but we are far from having a common understanding among states. Thus, academics and other non-state actors have de facto led the way on the subject of cyber norms. The NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) has been addressing the subject of ‘cyber norms’ since its establishment in 2008. The Centre has focussed on the question of how existing international legal norms apply to cyberspace by hosting and facilitating the Tallinn Manual process. More specifically, the firstTallinn Manual on the International Law Applicable to Cyber Foreword 7 Warfare (2013) paid particular attention to cyber operations that qualify legally as ‘use of force’ or ‘armed attack’ or that take place during an armed conflict. However, since the most frequent cyber incidents do not rise to these levels, the Centre is currently finalising a follow-on projectTallinn 2.0, which will be published at the end of 2016. While the Tallinn Manual process looks at the existing international law, the Centre has also taken on the task of understanding how different stakeholders con- ceptualise and further develop the broadly definable ‘cyber norms’. This book is a result of a three-year project, during which the Centre has brought together govern- ment officials, political scientists, lawyers and industry representatives for discus- sions, with the aim of mapping and understanding their views on the issue. These workshops have clearly presented that different disciplines define and apply the term ‘cyber norm’ in various and often confusing ways. Therefore, the objective of this book is to explain, analyse and discuss these diverse approaches to cyber norms by gathering different practical and theoretical viewpoints from distinguished legal experts, political scientists, government officials and private sector representatives. It is my hope that our work – both the Tallinn Manual process and the ‘cyber norms’ project – will support the efforts to agree on common norms in the cyber domain. I would like to thank the book’s editors, authors, peer-reviewers and sup- port staff for their excellent contributions to the project throughout the years. Sven Sakkov Director, NATO Cooperative Cyber Defence Centre of Excellence 8 International Cyber Norms: Legal, Policy & Industry Perspectives Contents Foreword. 7 Contents . 9 1 Introduction . .11 Anna-Maria Osula and Henry Rõigas 2 The Nature of International Law Cyber Norms. 23 Michael N. Schmitt and Liis Vihul 3 Cyber Law Development and the United States Law of War Manual. 49 Sean Watts 4 The International Legal Regulation of State-Sponsored Cyber Espionage. 65 Russell Buchan 5 Beyond ‘Quasi-Norms’: The Challenges and Potential of Engaging with Norms in Cyberspace. 87 Toni Erskine and Madeline Carr 6 United Nations Group of Governmental Experts: The Estonian Perspective. 111 Marina Kaljurand 7 Confidence-Building Measures in Cyberspace: Current Debates and Trends . 129. Patryk Pawlak Contents 9 8 Outer Space and Cyberspace: A Tale of Two Security Realms. 155 Paul Meyer 9 International Legal Norms in Cyberspace: Evolution of China’s National Security Motivations. 171 Greg Austin 10 Technological Integrity and the Role of Industry in Emerging Cyber Norms . .203 . Ilias Chantzos and Shireen Alam 11 Key Concepts in Cyber Security: Towards a Common Policy and Technology Context for Cyber Security Norms . 221 Claire Vishik, Mihoko Matsubara, Audrey Plonk Appendix 1 – Cyber Security Norms Proposed by Microsoft. .243 Biographies . 249 10 International Cyber Norms: Legal, Policy & Industry Perspectives International Cyber Norms: Permission to make digital or hard copies of this publication for internal Legal, Policy & Industry Perspectives, use within NATO and for personal or educational use when for non-profit or non-commercial purposes is granted providing that copies bear this Anna-Maria Osula and Henry Rõigas (Eds.), notice and a full citation on the first page. Any other reproduction or NATO CCD COE Publications, Tallinn 2016 transmission requires prior written permission by NATO CCD COE. CHAPTER 1 Introduction Anna-Maria Osula and Henry Rõigas 1. International Norms Limiting State Activities in Cyberspace Cyberspace has created both great opportunities for, and serious threats to, states and non-state actors. This has led to a common understanding that behaviour per- taining to the use of information and communication technologies (ICTs) has to be limited in order to prevent conflicts that endanger international peace and security. Although these concerns also apply to other subjects, the focus of the current dis- cussions in the context of international security remains primarily on restraining the activities of states as the most capable actors. Recent cyber security related discussions in international forums indicate ‘cyber norms’ or cyber ‘norms of behaviour’ as the most suitable vehicles for guiding states’ behaviour in cyberspace. The main goals for agreeing on norms are believed to include increased predictability, trust and stability in the use of ICTs, hopefully steering states clear of possible conflict due to misunderstandings. Additionally, norms are seen as guiding principles for shaping domestic and foreign policy as well as a basis for forging international partnerships. However, despite being frequently addressed by policy-makers, academia, non- profit