The global regulation of cybersecurity is one of the most contentious topics on the international legal plane.
States, the actors primarily responsible for arranging most other international regulatory regimes, have so far been incapable of reaching a consensus on how to govern international cyberspace. For example, in 2017, the United Nations Group of Governmental Experts, arguably the most promising effort to create international norms for cyberspace, collapsed. In this vacuum, private tech companies are seizing the opportunity to create norms and rules for cyber operations, essentially creating a privatized version of cybersecurity law. As Julie Cohen argued recently, the “dominant platforms’ role in the international legal order increasingly resembles that of sovereign states.” This increasing involvement of tech platforms is challenging to the structure, values and future of the international legal system. But tech companies, unlike governments, need not respect values such as accountability, transparency or fairness. This post details the norms that tech companies have articulated or emphasized and highlights the gaps that remain.
There are many good reasons why private tech companies would take the lead in developing such norms. The primary reason is that internet users are vulnerable, and their vulnerability, particularly to state-sponsored activity online, is negatively impacting the reputation of and trust in the tech industry. Internet users are vulnerable to having their personal information compromised; their access curtailed; or devices such as vehicles, pacemakers, webcams, and insulin pumps hacked. These are all documented or possible consequences of malicious cyberspace activity. With the potentially devastating consequences of these events in mind, it is understandable that the next logical step would be to develop binding norms and rules to effectively deter such activity.
Among tech companies shaping the norms of international cyberspace—a phenomenon referred to in political science scholarship as norm entrepreneurship—Microsoft is leading the charge. For example, in a policy paper in late 2017, Microsoft suggested that the world needs a Digital Geneva Convention to counter state-sponsored cyberattacks. To effectuate these proposed new norms, some observers have advocated for the creation of a “Cyber Red Cross.” Most importantly, as many as 70 tech companies are now signatories of the “Cybersecurity Tech Accord,” an agreement that binds signatory companies to the values Microsoft advocates.
The Cybersecurity Tech Accord contains four principles. First, tech companies will protect their users from cyberattacks, by providing products and services with built-in security and privacy. Second, tech companies will not provide assistance to governments or any other organization in the launch of cyberattacks. Third, tech companies will educate users on tools available to them and will support civil society, governmental and organizational efforts in advancing global cybersecurity. And, fourth, tech companies will create formal and informal partnerships to enhance cybersecurity by sharing information on threats, patching vulnerabilities, and encouraging global information sharing to protect civilians, and to help in recovery efforts, from cyberattacks.
No Room for States?
Many observers would contest the premise that states are unable or unwilling to regulate global cybersecurity by claiming that the international legal order, through long-standing principles and frameworks, already provides a variety of protections to civilians from state-sponsored cyberattacks. Indeed, state-generated international law does enshrine protections for civilians under international human rights law, including the rights to life, due process, privacy, assembly, speech, access to information and even basic access to the internet itself. Using state-sponsored cyberattacks against civilians, depending on their effects, could potentially be in violation of these human rights obligations. Additionally, once an armed conflict emerges, international humanitarian law offers its own set of protections with the aim of reducing suffering and adverse consequences that are so endemic to war.
For example, international humanitarian law prohibits the direct targeting of civilians by warring parties. Today, this is reflected in undisputable and binding customary international law. By analogy, civilians ought to be protected from direct cyberattacks, as they are not involved directly in the conflict and therefore are not legitimate military objectives. The same body of law also restricts indirect harm to civilians, by limiting the amount of permissible collateral damage involving civilians and civilian property. It may therefore appear as if, at least in theory, there is sufficient law applicable to state-sponsored cyber-attacks.
While these assessments appear straightforward and are backed by long-standing practice, emerging state activity—and, most importantly, the status and behavior of tech platforms themselves—make these case-by-case assessments far more complicated than it may seem at first blush, and many questions remain unresolved. What does it mean to directly target a civilian using malware that is inherently indirect? Does such targeting need to be lethal? Or would directly disabling civilian computer systems and networks also constitute a violation of that rule? Does collateral damage mean only deaths and injuries to civilians? Or would it also include other harms, such as data loss, denial of service, manipulation, spread of fear and terror, and major inconvenience? Would election interference be in violation of international human rights law? Or do dated conceptions of sovereignty and prohibited intervention limit such determination? International law seems unable to answer these questions with a reasonable degree of specificity.
These questions are far from theoretical. In fact, they represent a significant gap in international law that is not easily solvable. This indeterminacy poses a serious and immediate danger to civilians who find themselves in the midst of a cyber conflict. Platforms that promote “norms,” “rules” and “principles” for global cybersecurity recognize that they have the opportunity to seize the role of international lawmakers. Clearly, private entities have no authority to create “law” as that term is typically understood within the U.S. constitutional system, but platforms may be able to create certain prescriptions internationally that will affect state practice and eventually permeate legal systems and become authoritative while not originally grounded in any democratic legitimacy, public interest or accountability expected from “real” legislators. This is largely enabled through customary international law.
This contribution demonstrates and argues that there is a growing involvement of the tech industry in the creation and promotion of international norms and rules for global cybersecurity. This involvement goes beyond global cybersecurity and extends to other areas of technology regulation—such as facial recognition, data privacy, artificial intelligence and more. In each of these areas, tech platforms are now using the normative vacuum left by states to promote their own vision of global cybersecurity norms. There are some considerable issues that state governments, civil society actors and internet users need to be assessing in light of this privatization of cybersecurity law. While the tech industry has an important role to play in global cybersecurity, state governments would be wise to curb the appetite for global power that some of the major tech platforms currently have, so that values such as democratic legitimacy, accountability and transparency remain at the core of digital life.
An expanded version of this argument is forthcoming in the UC Irvine Law Review and is available now on SSRN. The author would like to thank New America for its support.