Regulation in the Cybersphere: International and National Debates

Andrea Rotter

Hanns-Seidel-Stiftung

Andrea Rotter heads the Foreign and Security Policy Division at the Academy for Politics and Current Affairs of the Hanns Seidel Foundation (HSF) in Munich, Germany. Her research focuses on transatlantic security cooperation as well as German and European security and defense policy. Her current research projects address the evolution of Germany’s strategic culture, the transformation of NATO in the wake of Russia’s war of aggression against Ukraine, and the link between geopolitical rivalry and space security policy.

Prior to joining HSF, she was a researcher in the Americas Research Division at the German Institute for International and Security Affairs (SWP) in Berlin and taught at the Chair of International Politics and Transatlantic Relations at the University of Regensburg. In 2018, she was a visiting fellow at the German Marshall Fund of the United States (GMF) and the American-German Institute (AGI) at Johns Hopkins University in Washington, DC. From 2018-2022, she was a member of the Young Leaders Program of the Federal Academy for Security Policy (BAKS), Berlin, and is an alumna of the International Visiting Leadership Program (U.S. Department of State) and the Manfred Wörner Seminar (GMF & German Federal Ministry of Defense). She is also a member of the extended board of WIIS (Women in International Security) Germany and heads the regional chapter in Munich.

Rotter holds a master’s degree in European-American Studies from the University of Regensburg and a bachelor’s degree in International Cultural and Business Studies from the University of Passau and Stirling, UK.

A new hack on the German Bundestag at the beginning of 2018 caused a sensation and again brought the explosive nature of cybersecurity policy challenges to the forefront of the debate in the media and in politics.[1] While that intrusion was a form of espionage, cyberattacks can certainly be used as a means of hybrid warfare. Though these occur below the threshold of a military conflict, it is still important that they receive an adequate response. Not only can servers be hacked to gain access to information, but such attacks can also interfere with critical power or telecommunications infrastructures. Moreover, hackers can also target military servers, as attacks in both Germany and the U.S. have already demonstrated. This endangers the operational capability of armed forces in case of emergency and thus represents a serious threat to national security. In addition, these opportunities are no longer limited to state actors, but can also be implemented by non-state actors, thus adding complexity to potential threat scenarios.

Download Publication

Looking at the current proliferation of offensive cyber capabilities, it becomes clear that cyber operations will significantly affect the nature of future conflicts. According to the UN, it is estimated that around thirty states are currently developing or already have offensive cyber capabilities.[2] In addition, cyberspace operations offer the potential attacker advantages that he does not have in the conventional sphere: Cyberattacks are not costly. In contrast to conventional weapon systems, no complex hardware is required, only the necessary software with the corresponding know-how. Moreover, cyberattacks are not constrained by territorial borders. Hackers have the ability to attack a country’s critical infrastructures several hundred miles away and conceal their actual location in various ways, making attribution and a timely response almost impossible. The validity of historically-proven deterrence strategies is therefore called into question.NATO, for example, sought to address this evolution by declaring cyberspace an official area of operation alongside sea, air, and land, elevating cybersecurity to a core task of its collective defense at the 2016 NATO Summit in Warsaw. Thus, a cyberattack could theoretically also trigger a case of mutual self-defense under Article 5 of the NATO Treaty.[3] Due to the potential for uncontrolled escalation of conflicts in cyberspace, states, non-state actors, and science and business representatives are trying to regulate cyberspace. The 2016 “White Paper on German Security Policy and the Future of the Bundeswehr,” for example, sets the goal of reaching “a common understanding on the application of international law to the cyber and information domain.”[4] However, as with past technological developments, national legislation and the application of international law in cyberspace are lagging behind.

The International Debate

On an international level there are different fora which seek to create a unified approach to cyberattacks. One product of these fora was the Tallinn Manual. In 2009, an international panel of experts coordinating with the NATO Cooperative Cyber Defense Center of Excellence (NATO CCD COE) in Estonia sought to develop international guidelines for cyber-based warfare for the first time.

While the focus in the first “Tallinn Manual on the International Law Applicable to Cyber Warfare” in 2009 was on cyber activities in armed conflict, the “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations” published in 2013 concentrated on how international law should be applied to cyber operations in peacetime. Though the Tallinn Manuals provide the most complete examination of the international law framework for operations in cyberspace, they only present recommendations by experts, not a consensus built between states and of binding character under international law.[5]

The GGE sessions in the context of the United Nations (UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security) provide the most comprehensive cyberspace regulation mechanisms with state participation to date. Under the UN mandate, there have been five working groups set up in the years 2004/2005, 2009/2010, 2012/2013, 2014/2015, and 2016/2017 in order to cooperate on establishing international yet non-binding norms in cyberspace. The final report of the 2012/2013 process was celebrated as a breakthrough, as a consensus emerged that “international law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment” among the fifteen participants, including the U.S., Russia, China, Great Britain, France, and Germany.[6] Consequently, the permanent members of the UN Security Council as well as ten other countries agreed that international law is indeed applicable to the cybersphere.

In 2017, however, this process came to an abrupt end. Under Germany’s chairmanship, a new GGE of twenty-five experts came together to confer about possible challenges and risks in the area of IT security, as well as strategies to overcome these threats, yet without inhibiting the free flow of information.[7] Unfortunately, in the context of the 2016/2017 working group, there was no consensus reached about a common final report, which caused the UN-led process to flounder. The failure was based on basic differences on the application of international law in the cyber realm. While the U.S. hoped for a definitive position on the application of international law as it relates to self-defense, international humanitarian law, and allowable responses to cyberattacks, countries like China, Russia, and Cuba refused such guidelines. Instead of creating rules applying to conflict, these countries would rather have focused on preventative measures to avoid such conflicts in the first place.[8] There are further multilateral fora outside of the UN framework that work on international cyber norms (for example, within the Shanghai Cooperation Organization under the leadership of Russia and China) or that focus on confidence building measures (i.e., within the OSCE). However, there is still no international consensus about cyber norms, let alone binding international law.

With this background on the faltering progress at the international level, bilateral dialogues and the compatibility of national law initiatives are becoming more important. This gave the Hanns-Seidel-Stiftung (HSS) and the American-German Institute (AGI) at Johns Hopkins University further reason to initiate a Transatlantic Cybersecurity Partnership, in which the relevant German and American actors from academia, politics, the private sector, and the cabinet ministries could be given space to deepen a German-American dialogue and provide concrete policy proposals.

National Discourses in Germany and the U.S.

The different perspectives of threats from the cybersphere, which prevent a global consensus on how to respond to them, can be seen even between allies such as Germany and the U.S. in their differing national strategies. These differing views also expressed themselves during the course of the Transatlantic Cybersecurity Partnership. The possible responses to a cyberattack in peacetime were at the center of the discussion about cyber norms.

Generally, there was consensus that there should be more legislative debate on both sides of the Atlantic about cyber threats. In terms of international norms, Germany is anchored in an EU framework, similar to the United States’ Cyber Diplomacy Act of 2018, which focuses on the development of international cyber norms and encourages U.S. international cooperation in this sensitive area.[9] On the national front, the participants were unified that the countries need to focus on minimizing their own vulnerability and strengthening public-private partnerships (PPP). In the event of a successful cyberattack, a diversity of methodological responses can be explained by differences in each political culture, the composition of the security apparatus, the legislative framework, and the resulting competencies and the extent to which they are embedded in international frameworks. Germany and the United States set different priorities in the discussion around hack backs and the role of the state and the private sector. On the one hand, Germany wants to leave the regulation authority to the federal state (see the IT-Security Law 2015 and the Cybersecurity Strategy for Germany 2016), but the possibility of active cyber defense by the federal state is currently being evaluated. In the U.S., on the other hand, in the drafted Active Cyber Defense Security Act, legislators are thinking about allowing corporations and organizations that have been attacked to take active cyber defense measures themselves in order to get back stolen information.[10] Of course, according to the draft law, state agencies such as the FBI’s National Cyber Investigative Joint Task Force must be informed, but the possibility of independent active measures taken by private actors would be far beyond what is being discussed in Germany. These different legislative initiatives discussed during the workshops provided reason to debate the definition and classification of cyber-attacks, the problem of attribution, as well as what would constitute a measured response to a cyber-attack.

In summary, both countries are relatively at the beginning of the legislative debate around cyber defense. Legal and structural requirements are being applied to developments in the cybersphere step by step. When one considers the common security risks, a German-American dialogue is of absolute necessity. Though many of the questions posed in the framework of the Transatlantic Cybersecurity Partnership could not be answered with certainty, the identification of shared relevant questions, provided added value and inspiration for future rounds of consultation.

[1] Georg Mascolo and Ronen Steinke, “Regierung ließ russische Hacker monatelang gewähren,“ Süddeutsche Zeitung, 1 March 2018. Online.

[2] See also: “UN GGE” on Geneva Internet Platform Digital Watch Observatory, June 2017. Online.

[3] “Wales Summit Declaration,” NATO, 5 September 2014. Online.

[4] “Weißbuch zur Sicherheitspolitik und zur Zukunft der Bundeswehr,” Bundesministerium der Verteidigung, 2016, p. 82. Online.

[5] See also Michael N. Schmitt, ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge: Cambridge University Press, 2017).

[6] “Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security A 68/98*,” United Nations General Assembly, 24 June 2013. Online.

[7] “Resolution adopted by the General Assembly on 23 December 2015 A/Res/70/237,” United Nations General Assembly, 23 December 2015. Online.

[8] See: Alex Grigsby, “The End of Cybernorms,” Survival Vol. 59 No. 6 (December 2017-January 2018): 109-122.

[9] Cyber Diplomacy Act of 2018 (H.R. 3776), 115^th Congress Second Session, 28 June 2018. Online. Passed by the House of Representatives, but not by the Senate.

[10] See: “IT-Sicherheitsgesetz,” Bundesamt für Sicherheit in der Informationstechnik, 15 July 2015. Online; “Cybersicherheitsstrategie für Deutschland 2016,” Bundesministerium des Innern, 9 November 2016. Online; Active Cyber Defense Certainty Act (H.R. 4036), 115^th Congress First Session, 12 October 2017). Online.