“The need to create a separate law for the cyberspace relies on the idea that existing international law is insufficient”, Martti Koskenniemi, international lawyer and Director, Erik Castren Institute of International Law and Human Rights at the University of Helsinki, Finland, said at the EU Cyber Direct conference held in Brussels, earlier this month. Koskenniemi explored the idea, that if the cyberspace needs to be regulated internationally, what does one need to consider when thinking about how to go about it.

Creating a regime for regulating the cyberspace

When you create a separate law for the cyberspace, Koskenniemi said, you end up creating exceptions for the cyberspace, in order to deviate from existing biases and preferences of international law, which has state oriented biases, and if you’re a rights person, you want to regulate state activities. Thus, you’re left with two alternatives: you can go by the old law, based on sovereignty and with state level interventions and existing institutions, or alternatively, you create “a regime with its own rules, its own institutions, populated by cyber people and cyber preferences.”

“What would be the benefit of a new regime? New principles, new biases, new regimes. Cyber experts would rule, and by cyber priorities. You don’t have to care about the Security Council. Would that be a good thing? There are problems there. If cyberlaw is something specific, then general principles and solutions that have accumulated over the years would be irrelevant. There would be a whole new black hole there.” But that’s not the only worry, Koskenniemi said. “That might not succeed. When the WTO was established in 1995, a protest was carried by international trade experts.” The WTO treaties were created in a way to avoid legal vocabularies. They wanted to avoid a court, and set up a dispute resolution body because they thought the old laws were not good. However, while they set up the body, “it was populated by experts in international law, who declared that WTO ruling has to be in consonance with international law.” Effectively, it became what it was set up not to be.

Regulatory choices: standards vs bright line rules

“My second point is that of regulatory choices: there are two broad regulatory choices. Regulation can be regulated by bright line rules or broad standards. Bright line rules regulate in an on-and-off way, like a red light. These are predictable, and easier to use. It’s useful to have these when you don’t trust the people in the field. In case of cyber activities, you can imagine that cyber activities can be regulated by rules. But rules have some problems. Rules come with terrible costs, especially in the international world: They’re always generalizations of past practices. It so happens that the future will not be identical with the past. Rules will create problems in the future, problems that can be called over-inclusive or under-inclusive. There are always new cases and situations, so these can be under inclusive. Usually we regulate by standards, which give room for us to think about new cases, and include words like “reasonable” and “in good faith”. But standards can be too general. If you say that people should act reasonably, then you trust people.”

“In case of bright line rules, the red light includes the situation, for example, when you’re bringing your husband to the hospital. If you say that drivers should act reasonable, people think that they’re always reasonable. In the case of red lights, they regulated thousands of cases. The heart attack person being regulated is marginal case. In the cyber field, we have to check if there are massive activities that take place thousands of times. When they are, they are possible even though there are problems of under and over inclusiveness. In most modern societies, what has happened is the de-normalisation of laws. For example in case of contract law: what is reasonable, what is in good faith?”

When cyberattacks are in breach of international law

“When international lawyers approach the problem of cyber, the way that approach takes is always almost the same. Is a cyber attack, for example, malware, or interference in something, that is a breach of sovereignty? A breach of sovereignty is a violation of international law, and triggers state responsibility. State responsibility is the activation of state actors.” Koskenniemi said that the thinking among international lawyers at the International Court of Justice, is that when there is effective control of the operations, when the state organ must have given instructions and supervised, then the state is responsible. “That’s a very tight level of control. This rule is good for the state, because they can just look away,” citing the case of Nicaragua as an example. There can also be an overall control test, Koskenniemi said, about determining when a state is in overall control.

“What’s the right test? It’s all about what washes with the right kind of audience. What about these international law notions? It’s a very broad set of notions which have been applied in many ways, so a strategic application of the law is useful. It’s mostly up to what can a particular audience be persuaded by,” he said.

What is international law?

“There are 4 different understandings [of international law]: one is the approach that underlies much of the debate in the cyber realm: that it’s a regulatory technique. As a regulatory technique, it has some really important specifies. There is no constitution there, and it’s auto-interpretative. It creates endless debates. It is very broad, using sovereignty, non interference, good faith, reasonableness as regulatory techniques. A second is about law-fare, which is a term American lawyers use. It is a way of legal warfare. Law as an instrument by which you hit your enemy on the head. In courts, conferences, and I often, I recognise this truer than regulatory techniques. It is about law-fare and defending my people versus yours. A third understanding is of law as what courts do. Many people don’t think there’s a law unless there’s a court to enforce it. In international law, there is very little of that. The EU court is the only significant exception. If you think international law is what is applied by courts then there isn’t much”

“A fourth is law as a means of cooperation, learning and communication, collaboration. Often that necessitates a legal vocabulary. People who are unsatisfied, with it this helps. In case of cyber law, the only avenue in which this field can be developed, is this field.”

*

Disclosure: The author traveled to Brussels at the expense of the EU Cyber Direct initiative, as a speaker at this conference.