This presentation explains two of the eleven Norms proposed by the UNGGE in 2015:
Cyber Norm (b) States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; and
Cyber Norm (c) States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences
Cyber norms (b) and (c) United Nations Singapore Cyber Programme 2019
1. Cyber Norms (b) and (c)
United Nations Singapore Cyber Programme 2019
Benjamin Ang, Senior Fellow, CENS / RSIS / NTU
Twitter @benjaminang LinkedIn @benjaminangck
2. Do not allow Territory to be used for Wrongful Acts
States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
3. Due Diligence in International Law
No State is responsible for acts of individuals “as long as reasonable diligence is used in attempting to prevent the occurrence or recurrence of such wrongs.”
Wipperman’s case
“every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”
Corfu Channel
4. Factors in considering Due Diligence
1. effectiveness of the State’s control over certain areas of its territory,
2. degree of predictability of harm and
3. importance of the interest to be protected.
5. Different standards
‘effective control’ – Military and Paramilitary Activities in and against Nicaragua
in applying IHL rather than the law of state responsibility, the ‘overall control test’, ought to apply. – ICTY in Tadić case
ICJ rejected the ICTY's position and returned to ‘effective control’ – Application of the Convention on the Prevention and Punishment of the Crime of Genocide
6. Does it apply to this case? (1)
[Diagram labels: FIRELAND, WATERLAND, AIRLAND; two labels reading "infected"]
Speech bubble: "I shall attack AIRLAND"
Speech bubble: "Hey FIRELAND, you can use our servers"
7. Does it apply to this case? (2)
[Diagram labels: FIRELAND, WATERLAND, AIRLAND; two labels reading "infected"]
Speech bubble: "I shall attack AIRLAND"
Speech bubble: "We are not aware of anything"
8. Does it apply to this case? (3)
[Diagram labels: FIRELAND, WATERLAND, AIRLAND; two labels reading "infected"]
Speech bubble: "I shall attack AIRLAND"
Speech bubble: "We are not aware of anything"
Speech bubble: "Hey WATERLAND, your servers are attacking us!"
Speech bubble: "Oh No! We don’t have capacity!"
9. Information for Attribution
In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
11. Dangers of Wrong Attribution
[Diagram labels: FIRELAND, WATERLAND (not aware), AIRLAND; two labels reading "infected"]
Speech bubble: "WATERLAND, we will take countermeasures against you!"
Speech bubble: "We’re innocent!"
Speech bubble: "Ha ha ha (evil laughter)"
Is AIRLAND in breach of International Law?
12. Scenario: Country A launches malware against the civilian hospital computer systems of Country B
Are A and B in an existing armed conflict?
NO. Was there property damage or injury?
NO. Were computer systems prevented from functioning?
NO (e.g. cases of espionage, stealing data). No armed attack, LOAC/IHL does not apply
YES, it might be an armed attack, for which LOAC/IHL would apply. But not clear if it is unlawful.
YES. Then LOAC/IHL applies – go to [Box 1]
YES. Then LOAC/IHL applies. Was there property damage or injury?
NO. Were computer systems prevented from functioning?
NO (e.g. cases of espionage, stealing data). Not unlawful under LOAC/IHL
YES. Not clear if it is unlawful under LOAC/IHL. Not clear if it is ‘use of force’ under UN Charter
YES. Then it is unlawful under LOAC/IHL. It is also ‘use of force’ under UN Charter
Is it an armed attack?
Does LOAC / IHL apply?
Does AIRLAND have capacity?
14. Who knows the whole story?
Military
Intelligence
Police
Foreign Affairs
Telco
Cybersecurity Companies
CI Owners
CERTs
Lawyers
White Hats
Civil Society
Other nations
15. Post it: What can ASEAN Member States do to implement these two norms?
States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs
States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences