Paris Call for Trust and Security in Cyberspace: A Watershed Moment or a Storm in a Teacup?

Thibault Moulin

Published: January 7th, 2019

In 2017, the discussions regarding the application of international law in cyberspace were brought to a standstill. For the first time in the framework of the United Nations Groups of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), states were unable to reach a consensus on the question. It seems that strong disagreements arose between Western states on the one side, and Russia, China, and Cuba on the other side.[1] The application of international humanitarian law, self-defence and counter-measures was at stake at the time.[2] One year later, diplomatic discussions on the issue are in need of a fresh impetus.

In the light of this previous failure, the Paris Call of 12 November 2018 for Trust and Security in Cyberspace, initiated by French President Macron, is particularly interesting. It is innovative in both formal and substantive respects.

A quick look at the Call’s list of supporters is enough to highlight the formal innovation. More than 200 actors from the private sector decided to support this text.[3] They include social networks (Facebook, LinkedIn), computer technology (Toshiba, Dell, HP, Microsoft, Cisco, Oracle), phone (Deutsche Telekom, Nokia, Swisscom), and cybersecurity companies (FireEye, Kaspersky). Google similarly supports the Call. The list also includes airplane manufacturers (Airbus, Safran), industrial conglomerates (Samsung, Siemens, Sony), energy producers, distributors and managers (Enel, Engie, Enedis, Total, Schneider Electric), banks and insurance carriers (Deutsche Bank, SIRM) etc. In addition, it gathered several supporters in academia (Carnegie Endowment for International Peace, Center for International Law and Governance, Fletcher School of Law and Diplomacy at Tufts University, Center For Long Term Cybersecurity, CESICE, Grenoble Alpes CyberSecurity Institute, Optus Macquarie University Cyber Security Hub, University of Exeter, University College Dublin etc.), as well as different non-profit organizations (Club of Madrid, World Economic Forum). Of course, states are also present, with around fifty governments supporting the text. This innovation was, besides, underlined in the speech of Microsoft’s President: ‘[t]he Paris Call breaks new ground by bringing together to support these steps an unprecedented and broad array of supporters. Its signatories include more than 200 companies and business associations, including leading tech companies […] it also includes leading financial services institutions […] as well as industrial leaders […] And it includes almost 100 critical NGOs that span groups across civil society’.[4]

Regarding the substantive innovations, some provisions are admittedly classical, yet essential. Paris Call reaffirms that ‘international law, including the United Nations Charter in its entirety […] is applicable to the use of information and communication technologies (ICT) by States’.[5] It ‘also reaffirms the applicability of international human rights law in cyberspace’, as ‘the same rights that people have offline must also be protected online’.[6] These elements were already underlined in the previous reports of the UNGGE.[7] Even the demand to ‘[p]revent ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sector’ looks familiar.[8] It was for instance used in an agreement between China and the United States.[9] Paris Call reiterates the need to ‘[s]trengthen the security of digital processes, products and services, throughout their lifecycle and supply chain’. Concerns regarding the supply chain had been previously expressed by the UNGGE: ‘States are concerned that embedding harmful hidden functions in ICTs could be used in ways that would affect secure and reliable ICT use and the ICT supply chain for products and services, erode trust in commerce and damage national security’;[10] ‘States should encourage the private sector and civil society to play an appropriate role to improve security of and in the use of ICTs, including supply chain security for ICT products and services’.[11] Such protection is vital: it was for instance revealed that ‘Chinese spies’ could have ‘planted chips in the servers of nearly 30 U.S. companies’ on their manufacturing sites in China.[12]

Some changes have, however, been made when it comes to the prevention of collective welfare harm. In 2015, the UNGGE mentioned that ‘[a] State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public’.[13] It also highlighted that states had to prevent such activities and assist other states in combating them.[14] In the Paris Call, participants affirm their will to ‘[p]revent and recover from malicious cyber activities that threaten or cause significant, indiscriminate or systemic harm to individuals and critical infrastructure’,[15] as well as to ‘[p]revent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet’.[16] The express reference to activities ‘contrary’ to ‘obligations’ under ‘international law’ has disappeared.

The signatories also pledge to ‘[s]trengthen our capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities’. The UNGGE had previously mentioned that ‘non-intervention in the internal affairs of other States’ did apply in cyberspace.[17] Paris Call’s insistence on ‘electoral processes’ obviously reacts to the hacking of the Democratic National Committee and the subsequent leak of emails. One can however wonder whether this notion of ‘malign interference’ aimed ‘at undermining electoral processes’ tries to reinvent the wheel, i.e. whether the conditions set in the Nicaragua case will have to be met.[18] Following the allegations of Russian interference with the American elections, many scholars had actually expressed doubt regarding the involvement of any coercive means, and thus the breach of the principle of non-intervention.[19]

Paris Call also goes one step further regarding the applicable rules. It indeed mentions that ‘international humanitarian law and customary international law’ are ‘applicable to the use of information and communication technologies (ICT) by States’. Until now, the UNGGE had only ‘note[d] the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction’.[20] In addition, only the applicability of some customary rules had been acknowledged, such as ‘[s]tate sovereignty and international norms and principles that flow from sovereignty’,[21] or in terms of responsibility.[22]

The actual innovations reside in the following principles.

The first and main innovation is the systematic empowerment of the private sector. This is obvious in several parts of the preamble: ‘[w]e also welcome efforts by States and non-state actors to provide support to victims of malicious use of ICTs on an impartial and independent basis, whenever it occurs, whether during or outside of armed conflict’; ‘We recognize the responsibilities of key private sector actors in improving trust, security and stability in cyberspace and encourage initiatives aimed at strengthening the security of digital processes, products and services’; ‘We welcome collaboration among governments, the private sector and civil society to create new cybersecurity standards that enable infrastructures and organizations to improve cyber protections’; ‘We recognize all actors can support a peaceful cyberspace by encouraging the responsible and coordinated disclosure of vulnerabilities’.[23] This is also reflected in the concrete measures to be taken: ‘we’–rather than ‘states’ alone–‘affirm our willingness to work together […] notably in order to […]’. As again underlined by Microsoft’s President, ‘[a]ll of this is important for a reason. Success in advancing cybersecurity requires an approach that is not only multinational, but multistakeholder in nature. This is because cyberspace, unlike the traditional planes of warfare like land, sea and air, is typically privately owned. Cyberspace in fact consists of concrete elements in the real world, such as datacenters, undersea cables, and laptops and mobile devices. These are designed and manufactured by private companies. And often they are owned and operated by tech companies and others in the private sector’.[24]

Second, Paris Call adopts a clear-cut approach on the ‘hack-back’: ‘steps’ should be taken ‘to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors’. Such a provision is essential to prevent an escalation of violence.[25] One principle is, however, less clear: the wish to ‘[d]evelop ways to prevent the proliferation of malicious ICT tools and practices intended to cause harm’.[26] No definition of ‘malicious ICT tools’ or ‘harm’ is actually provided, and one can wonder whether only malware causing destruction will be excluded. The case of intelligence gathering is for instance not expressly tackled.

Yet Paris Call also suffers from non-negligible drawbacks.

First, if one looks at the instrumentum, Paris Call is not a binding agreement. It is obviously outside the scope of this post to discuss the role of soft law, but the efficiency of previous declarations of this nature on cyber-activities is still debated.[27]

Second, Paris Call has admittedly received the support of an important number of states, from the five continents: America (Canada, Chile, Colombia, Mexico, Panama), Asia (United Arab Emirates, Japan, Lebanon, Uzbekistan, South Korea), Africa (Gabon, Morocco, Republic of the Congo, Senegal), Oceania (New Zealand) and Europe (around 30 states). It is thus an important coalition of like-minded states. Yet, European countries remain predominant and Paris Call has major absentees. China, Russia and the USA refused to endorse it,[28] and the same goes for other important players in cyberspace, such as Iran or Israel. Consequently, the risk of not reaching a global consensus is high, and Paris Call could face a fate similar to that of the UNGGE.

It is obviously too early to draw many conclusions regarding Paris Call. One can nevertheless acknowledge that Paris Call succeeded in bringing states and private actors together, and in paving the way for their cooperation. It also aims at preventing some basic and–in most cases–well-identified activities. In addition, it reiterates several vital principles and goes one step further in terms of applicable law. It makes an interesting move on the prevention of hack-back by non-state actors. It also deserves credit for relaunching the discussions regarding cyberspace regulation, one year after the failure of the UNGGE. Similarly, it has found support from a high number of states, all around the world. Yet, both the instrumentum and the absence of major powers may seem problematic. It thus remains to be seen what the future holds: whether concrete steps will be taken for its implementation, whether key state players will jump on the bandwagon–in a nutshell, whether Paris Call is a watershed moment or a storm in a teacup.

[1] Elaine Korzak, ‘UN GGE on Cybersecurity: The End of an Era?’, The Diplomat (31.07.2017) <https://thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-and-r... accessed 13.11.2018.

[2] Michael Schmitt and Liis Vihul, ‘International Cyber Law Politicized: The UN GGE's Failure to Advance Cyber Norms’ (Just Security, 30.06.2017) <www.justsecurity.org/42768/international-cyber-law-politicized-gges-fail... accessed 15.11.2018.

[3] List of Supporters of the Paris Call for Trust and Security in Cyberspace (France Diplomatie) <www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france... accessed 13.11.2018.

[4] Brad Smith, 'An important step toward peace and security in the digital world' (Microsoft, 12.11.2018) <https://blogs.microsoft.com/on-the-issues/2018/11/12/an-important-step-t... accessed 14.11.2018.

[5] ‘Paris Call for Trust and Security in Cyberspace’ (France Diplomatie, 12.11.2018) <www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf> accessed 13.11.2018.

[6] Ibid.

[7] Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (24.06.2013) A/68/98, para 19; Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22.07.2015) A/70/174, paras 25-26.

[8] Paris Call.

[9] The White House, ‘President Xi Jinping's State Visit to the United States’ (25.09.2015) <obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states> accessed 13.11.2018.

[10] Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (24.06.2013) A/68/98, para 8.

[11] Ibid para 24.

[12] Alan Patterson, ‘Analysts Foresee Supply Chain Impact from Chip Hack Report’, EE Times (10.06.2018) <www.eetimes.com/document.asp?doc_id=1333839> accessed 13.11.2018.

[13] Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22.07.2015) A/70/174, para 13.

[14] Ibid.

[15] Paris Call.

[16] Ibid.

[17] Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22.07.2015) A/70/174, para 28.

[18] Military and Paramilitary Activities in and against Nicaragua (Nicaragua v USA) (Judgment) [1986] ICJ Rep 14, para 205.

[19] William Banks, ‘State Responsibility and Attribution of Cyber Intrusions after Tallinn 2.0’ (2017) 95 Tex L Rev 1487, 1501; Sean Watts, ‘International Law and Proposed U.S. Responses to the D.N.C. Hack’ (Just Security, 14.10.2016) <www.justsecurity.org/33558/international-law-proposed-u-s-responses-d-n-... accessed 14.11.2018.

[20] Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22.07.2015) A/70/174, para 28.

[21] Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (24.06.2013) A/68/98, para 20.

[22] Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22.07.2015) A/70/174, para 28.

[23] Paris Call.

[24] Brad Smith, 'An important step toward peace and security in the digital world' (Microsoft, 12.11.2018).

[25] Elsa Trujillo, ‘Cybersécurité: la France entend imposer sa propre vision du cyberespace’, BFM TV (08.11.2018) <www.bfmtv.com/tech/cybersecurite-la-france-entend-imposer-sa-propre-visi... accessed 13.11.2018.

[26] Paris Call.

[27] Office of the United States Trade Representative, 'Findings of the Investigation into China's acts, Policies, and Practices related to Technology Transfer, Intellectual Property, and Innovation under Section 301 of the Trade Act of 1974' (22.03.2018) <https://ustr.gov/sites/default/files/Section%20301%20FINAL.PDF> accessed 13.11.2018.

[28] Joseph Archer, ‘US, Russia and China refuse to back French cybersecurity initiative’, The Telegraph (12.11.2018) <www.telegraph.co.uk/technology/2018/11/12/us-russia-china-refuse-back-fr...