Using the WTO to Respond to Economic Cyber Espionage?
US policy concerns about cyber espionage continue to grow, especially traditional and economic espionage allegedly conducted by China against the US and US companies through cyber technologies. Today (February 11), the Washington Post reported on a new National Intelligence Estimate focused on a “massive cyber-espionage campaign” directed at the US private sector by China. Concerns about economic cyber espionage include deepening frustration because the options available to the US to address cyber espionage are few, and the use of the limited options, such as criminalizing economic espionage in national law, have not proved much of a deterrent before or after spies began exploiting the Internet.
In the debate about how to counteract economic cyber espionage, cybersecurity heavyweights are encouraging the US to use the World Trade Organization (WTO) and its rules on intellectual property in the Agreement on Trade-Related Intellectual Property Rights (TRIPS) to address economic cyber espionage. On February 7, 2013, Richard Clarke argued in an op-ed that “victims of Chinese economic espionage should seek to establish clear guidelines and penalties within the World Trade Organization system[.]” In a Center for Strategic and International Studies (CSIS) report released on February 8, 2013, James Lewis argued that the US should use the WTO in its strategy against Chinese economic cyber espionage (see pages 49-51 of the report).
The recent appearance of these WTO arguments by Clarke and Lewis suggests that these influential experts perceive policy traction with these proposals is possible. Indeed, the Washington Post reported in its February 11 story that the Obama administration is considering, among other options, making “complaints to the World Trade Organization.” However, the idea that the WTO can prove useful to the US in addressing economic cyber espionage is not convincing legally or politically. The US should not view the WTO and TRIPS as appropriate venues for confronting the problem of economic cyber espionage.
Becoming Binary Amidst Multipolarity: Internet Governance, Cybersecurity, and the Controversial Conclusion of the World Conference on International Telecommunications in December 2012Posted: February 8, 2013
Arms control experts know that national security policies are embedded in larger concerns about the balance of power in international relations. The contentious outcome of the World Conference on International Telecommunications (WCIT) in Dubai in December 2012 demonstrates that cybersecurity is similarly tethered to geo-political competition over power and influence. The WCIT ended in acrimony because of disagreements on issues fundamental to the Internet’s place in national and international politics. These disagreements reflect deep differences among states on Internet and cyberspace governance–differences that produce incompatible notions of cybersecurity and a difficult environment in which to pursue international cooperation on this security problem.
The UN’s International Telecommunication Union (ITU) convened the WCIT to negotiate changes to the International Telecommunication Regulations (ITRs), a treaty adopted by ITU member states in 1988 to foster more effective cooperation on provision of international telecommunication services (e.g., telegraph and telephone). Since 1988, the global emergence of the Internet has revolutionized international telecommunications, making the ITRs essentially irrelevant to issues raised by the Internet’s astonishing growth and profound economic and political implications. The initiatives and processes that produced the global Internet took place outside the ITU and other intergovernmental institutions in “multi-stakeholder” forums, such as the Internet Engineering Task Force (IETF) and the Internet Corporation for Assigned Names and Numbers (ICANN).
Since at least the early 2000s, a number of countries, including China, Russia, and many developing nations, have expressed concerns about these multi-stakeholder processes and have sought to increase the role of governments, intergovernmental institutions, and international law in such governance. An important element in this challenge has been the perception that the status quo gives the United States a dominant position not justified in the context of a global Internet. The United States and its like-minded allies opposed efforts in ITU forums, such as the World Summit on the Information Society (2003-2005), to move from multi-stakeholder approaches to more intergovernmental influence and control.
The WCIT became the latest diplomatic venue for this clash of interests and ideas. Although the ITU Secretary-General repeatedly said that the WCIT would not be about Internet governance, ITU members proposed changes to the ITRs that put Internet governance, whether narrowly or broadly conceived, on the negotiating table. These proposals fueled arguments that the WCIT constituted a threat to a free and open Internet. The WCIT opened in a highly politicized environment and was not able to achieve sufficient compromises to produce consensus. In the end, 88 countries–including many African states, Brazil, China, Iran, and Russia–signed the revised ITRs, and 55 nations–including the United States and members of the European Union (EU)–did not sign the revised treaty. (For more legal analysis of the revised ITRs, see my American Society of International Law Insight on the WCIT and the revised ITRs.)
The United States was the most prominent opponent of the revised ITRs, and its opposition centered on Internet-related issues, namely expanding the scope of the ITRs to reach providers of Internet services, adding provisions on network and information security and on spam to the revised regulations, and attaching a non-binding resolution addressing Internet governance. For the United States, the revised ITRs threatened the multi-stakeholder approach and opened possibilities for countries to use the revised regulations to justify censorship in cyberspace, disrupt innovation, and harm the economic potential the Internet supports.
Looking more specifically at cybersecurity, the WCIT and its outcome did not create controversies in this policy space because problems have existed for years concerning how to improve cooperation on this issue. In brief, countries have disagreed about what “cybersecurity” or, as other countries prefer, “information security,” means. In addition, distrust among countries has increased, national moves to strengthen cyber defenses and capabilities have heightened worries, and high-profile incidents of cyber attacks, especially Stuxnet, have deepened anxieties. International cooperation has developed more in regional contexts than at the multilateral level, as illustrated by the Shanghai Cooperation Organization’s agreement on information security, NATO’s development of a cyber defense policy, and the EU’s recent announcement of its cybersecurity strategy.
However, the WCIT worsens the already questionable prospects for multilateral cooperation on cybersecurity for the foreseeable future. The two sides of the Internet governance debate hardened and entrenched their respective positions through the WCIT and the revised ITRs. China, Russia, and other supporters of the revised ITRs will, in all likelihood, use the ITU and the revised ITRs to press their ideas and interests on Internet issues, including what they perceive as security threats in this realm. The United States has announced that it will continue to oppose changes to Internet governance attempted through the ITU and the WCIT and will move to strengthen its cyber diplomacy through leveraging its allies in Europe (e.g., the EU and NATO) and intensifying bilateral cooperation with other countries, especially on cybersecurity.
This binary context of opposing factions adversely affects more than hopes for internationally agreed controls on cyber weapons (to the extent such hopes have survived to this point in time); it also challenges the role of Internet-relevant norms–binding and non-binding–in an international political environment that is experiencing confrontation and contestation about the Internet and cyberspace. Revelations subsequent to the WCIT’s conclusion–including allegations of Chinese hacking of major US newspapers and reporting on scaled-up US military cyber capabilities and secret “rules of engagement” for US cyber operations–have deepened the sense that power politics in cyberspace has entered a new and potentially more dangerous phase.
On 28 September, the Iranian Foreign Affairs Minister Ali Akbar Salehi addressed the UN Security Council at the High Level Meeting on Countering Nuclear Terrorism (the text of the speech can be read here). Among other things, in the speech Salehi criticized cyber attacks against Iranian nuclear facilities and qualified them as ‘manifestation of nuclear terrorism and consequently a grave violation of the principles of UN Charter and international law’ (the emphasis is mine). This might be the first time that Iran has taken an official and explicit position with regard to the (il)legality of Stuxnet, at least in an international forum (on the ‘conspiracy of silence’ that surrounded Stuxnet, see David Fidler’s interesting article in Privacy Interests, July/August 2011).
The question however is, which UN Charter principles were allegedly breached by Stuxnet? Assuming that Salehi used the word ‘principles’ in a technical sense, the Charter’s principles are famously listed in Article 2. Principles 5, 6 and 7 are not relevant in the present case. Principle 2 merely refers to the duty to comply in good faith with the obligations arising from the Charter. On the other hand, Principle 1 reaffirms the sovereign equality of states, a corollary of which is the prohibition of intervention in internal affairs of other states. According to the International Court of Justice, the prohibition of intervention is ‘part and parcel of international law’ (Nicaragua v. United States (Merits), 1986, para. 202). The 1970 UN General Assembly’s Declaration on Friendly Relations condemns ‘armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements’, and also emphasizes that ‘[n]o State may use or encourage the use of economic political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights and to secure from it advantages of any kind’ (the emphasis is mine). The language is broad enough to cover intervention by means of cyber attacks when they have a coercive purpose, i.e. when they aim at coercing the target state into doing or not doing something that the state is otherwise legally entitled to do. But if the (non-forcible) intervention is a reaction against something that the target state was not legally entitled to do, i.e. a breach of international law, then it could amount to a lawful countermeasure aimed at persuading the wrongdoing state to stop the breach and provide reparation. From this perspective, the legality of Stuxnet would therefore depend on: 1) whether Iran’s nuclear programme is an internationally wrongful act in the form of a violation of NPT obligations; 2) whether the state(s) behind Stuxnet (if any) were ‘injured’ by Iran’s breach or were otherwise entitled to adopt countermeasures in relation to it under the law of state responsibility (see Arts. 42, 48 and 54 of the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts); 3) whether Stuxnet amounted to a ‘use of force’ (countermeasures cannot affect the prohibition of the use of force: Art. 50 (1) of the ILC Articles); 4) whether non-proliferation law is a special regime that has its own enforcement mechanisms (see Sahib Singh’s chapter in my and Dan’s book).
The third condition leads me to discuss the other two relevant principles in Article 2 of the UN Charter that might determine the illegality of Stuxnet. Principles 3 and 4 are two sides of the same coin and affirm the obligation to settle international disputes peacefully and not to resort to armed force in international relations. Whether Stuxnet is a violation of these two principles depends on whether it can be qualified as a use of ‘armed force’. I have already addressed this issue here, so I will limit myself to refer to the points I make in that article. The recently released draft of the Tallinn Manual on Cyber Warfare (text here) argues, in Rule 11, that ‘[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’. It then suggests several non-exhaustive factors in order to determine when it is so (pp. 49-50). In the end, the Manual concludes that Stuxnet was a use of force (p. 47) and, at least according to some of the experts that drafted the Manual, even an ‘armed attack’ (p. 56). I do not think that Stuxnet reached the scale and effects threshold of an armed attack, but, as it did cause material damage of some significance, I do not see any problems with qualifying it as a use of force, for the reasons I try to explain in my article. It should also be noted that, unlike the previous case of the principle of non-intervention, the legality of Stuxnet as a use of force would not depend on whether Iran has breached the NPT: under Article 51 of the Charter, force can be used only if an armed attack ‘occurs’. Even if Iran were developing nuclear weapons, it would not have committed an armed attack until it actually uses them.
To sum up. If Stuxnet was a use of force, then the responsible state(s) breached the principles listed in Article 2 (1), (3) and (4) of the UN Charter. As countermeasures cannot consist of a violation of the prohibition of the threat and use of force, Stuxnet would be illegal even if it were established that Iran is in breach of the NPT. If however Stuxnet is not considered a use of force, it would be a breach of the principle of non-intervention, unless it amounts to a lawful countermeasure against Iran’s alleged breach of its non-proliferation obligations.
I would be interested in your thoughts on this.