• Cybersecurity
    The TPP’s Electronic Commerce Chapter: Strategic, Political, and Legal Implications
    Release of the text of the Trans-Pacific Partnership agreement (TPP) has launched the "tale of two treaties" saga so familiar when new trade and investment agreements appear—it is the best of treaties, it is the worst of treaties. Praise for and criticism of the TPP’s chapter on e-commerce form part of this saga, and the gap in rhetoric calls for scrutiny of the legal text in light of the chapter’s strategic goals and the political challenges it faces. The TPP’s strategic objectives include advancing trade and investment liberalization and counterbalancing China’s growing influence. The e-commerce chapter supports these objectives. With WTO negotiations stalled, the TPP provides a way to catalyze liberalization among countries representing forty percent of the global economy, which creates e-commerce opportunities, with expanding digital commerce generating new trade and investment possibilities. The chapter facilitates this dynamic because it will apply on an unprecedented geographic and economic scale. Strategic concerns with China include competition on global e-commerce. The e-commerce chapter is designed to preserve an open, global Internet and can be a model for future agreements. These objectives inform the politics surrounding e-commerce. Critics argue that, by facilitating liberalization, the TPP privileges private over public interests, subordinates privacy to profits, and constricts policy space for welfare-enhancing regulation through substantive and dispute settlement rules that favor companies. Counterbalancing China does not require diluting privacy or empowering corporations at the expense of regulatory sovereignty. These critiques fuel the political debates that will determine whether countries ratify the TPP. Whether international agreements achieve their strategic objectives in politically palatable ways depends, in large part, on what they require countries to do. The TPP’s e-commerce chapter contains four types of provisions. 
First, the chapter supports liberalization by requiring non-discriminatory treatment, prohibiting customs duties for electronic transmissions, restricting various barriers to e-commerce, prohibiting requirements to use local computing facilities, and facilitating cross-border transfers of information. Second, the chapter balances liberalization with protection of other interests and values. It requires parties to adopt laws for electronic transactions, online consumer protection, and personal information protection. The chapter provides exceptions to liberalization obligations for measures implementing legitimate public policy objectives. Third, the chapter addresses e-commerce’s intersections with other cyber policy concerns. It requires parties to regulate spam e-mail, recognizes the benefits of consumer access to the Internet for e-commerce (net neutrality), and acknowledges cybersecurity’s importance. Fourth, disputes are subject to the TPP’s state-to-state and investor-state dispute settlement (ISDS) procedures. These provisions generate different legal effects. Some provisions create binding obligations, such as the mandate for non-discriminatory treatment of digital products. Other provisions are binding but less demanding, including those stating that parties “shall endeavour” to undertake specific actions. Still other provisions establish no binding obligations, such as those where parties simply recognize issues or agree they should or may behave in certain ways. Determining the meaning of binding obligations, and exceptions thereto, requires applying the complex jurisprudence on trade and investment treaties. The deeper analysis goes into the law, the harder it becomes to make sweeping statements about the chapter’s potential political and strategic importance. Controversies with trade and investment treaties often arise when liberalization obligations (e.g., market access) purportedly clash with public interest regulations (e.g., on health). 
Opponents of the e-commerce chapter argue the obligation on cross-border transfers of information could override privacy laws and permit corporations to challenge such laws under ISDS. For either of these things to happen would require challenges to privacy regulations to navigate numerous legal requirements and tests frequently interpreted and applied in ways not hostile to public interest regulation. In addition, challenges would unfold against the chapter’s requirement that each party adopt privacy laws that should be informed by principles developed by international bodies, which could include UN human rights treaties and mechanisms. A corporation challenging privacy laws under ISDS could not base its claim on the e-commerce chapter’s obligations on cross-border transfers of information. Instead, it would have to argue, for example, that privacy laws violated non-discrimination duties, failed to provide the minimum standard of treatment required by customary international law, or constituted an illegal expropriation—none of which seem likely given how privacy laws function. The investment chapter also provides that non-discriminatory regulations protecting legitimate public welfare objectives, which would include privacy, are not expropriations, except in rare circumstances. The treaty text, informed by the web of existing jurisprudence, does not ensure the e-commerce chapter will always operate with trade and investment objectives in political harmony with public interest regulations. Nor do the legal complexities assure that the e-commerce chapter will deliver the promised strategic benefits for the United States. But, with the text now in hand, the political viability and strategic consequences of “the most ambitious trade policy ever designed for the Internet and electronic commerce” have become pressing legal responsibilities of the digital age.
  • China
    A U.S. Naval Signal in the South China Sea
    A U.S. destroyer’s recent operation demonstrates how the United States is protecting its interests in the South China Sea, says Capt. Sean Liedman, CFR’s Navy fellow.
  • Sub-Saharan Africa
    Ruling Party Wants South Africa to Leave the International Criminal Court
    The African National Congress (ANC) wants South Africa to withdraw from the International Criminal Court (ICC). Obed Bapela, a deputy minister in the presidency, said that the ICC “has lost its way.” According to the media, the Minister for International Relations (foreign minister) Maite Nkoana-Mashabane indicated that the process would be orderly and not hasty. South Africa will place the issue of its withdrawal on the agenda for November’s Assembly of States Parties meeting attended by all ICC members and it would table it at the January African Union (AU) summit, she said. The ANC will bring the issue to parliament for debate. The ANC government of President Jacob Zuma is no doubt smarting from the domestic and international criticism that followed its failure to arrest Sudanese President Omar al-Bashir when he was in Johannesburg for an AU heads of state summit. Bashir is under ICC indictment for war crimes and crimes against humanity. The South African High Court has ruled that the government acted unconstitutionally when it failed to arrest Bashir, and the ICC has asked for an explanation. Other factors are likely at play in the ANC decision. There is resentment that the United States, among others, supports the ICC but does not accept its jurisdiction. Bapela referred to a handful of powerful countries which refused to be ICC members, yet they still had the power to refer matters to the court. He went on, “They would rather put their own interests first than the world’s interest.” There is also within the ANC an “Africanist” trend which seeks to align South Africa more with other African states. Many of these states object to the ICC as essentially employing a “double standard” by which Africans are prosecuted but others are not. While not unchallenged within the party, the “Africanists” appear to be growing in strength. 
Some of their spokesmen are highly critical of the United States as being “unilateralist” with little respect for African sensitivities. South Africa under Nelson Mandela was one of the founding supporters of the ICC. The Court continues to have strong support in South Africa among the opposition parties in parliament and among civil society. South Africa’s court system is strong and independent. Despite the ANC’s large majority in parliament, it is by no means certain that South Africa’s departure from the ICC will occur.
  • Human Rights
    The Proposed Snowden Treaty: More of the Same Rather than Really Radical
    When I first saw “the Snowden treaty” in a tweet, I thought it was from The Onion. Wrong, and inexcusable for a guy who published The Snowden Reader. In September, Snowden and his supporters announced they are working on a new treaty to address problems his disclosures and experiences as a whistleblower exposed. Far from satire, the proposal is serious, and the proposers earnest. However, taking this effort seriously proves disappointing because what is proposed seems insufficiently radical for the problems advocates of a Snowden treaty identify. The proposal’s formal title is “International Treaty on the Right to Privacy, Protection against Mass Surveillance, and Protection of Whistleblowers.” The idea came from David Miranda, the partner of Glenn Greenwald, the journalist who helped Snowden. Previously, the UN Special Rapporteur for the Right to Privacy, Joseph Cannataci, identified a potential need for a “Geneva Convention-style” agreement in the wake of Snowden’s revelations. Miranda is working with privacy advocates and lawyers to produce a treaty text Miranda promises will be “a bulletproof document.” The text has not been released yet, but it has been shared with Snowden, “a handful of sympathetic governments,” and Pope Francis. According to a summary, the treaty will reaffirm privacy as a fundamental right, outlaw mass surveillance, and protect whistleblowers. To achieve these goals, the treaty will contain obligations (e.g., no mass surveillance) and mechanisms (e.g., oversight) to monitor and improve compliance. Advocates claim the treaty responds to “real demand” from “the global public,” but they acknowledge adoption will be hard, with many people dismissing it as wildly idealistic. Yes, it is unlikely a U.S. president would negotiate and the Senate consent to a Snowden Treaty. But glib punditry won’t faze the effort. More telling are problems with the proposal on its own terms. 
Snowden argued that the mass surveillance he disclosed violated international law on privacy in the Universal Declaration of Human Rights and human rights treaties. Similar assertions appear concerning the Snowden treaty. So, if existing treaties and other international documents already recognize privacy is a fundamental right and outlaw mass surveillance, why the need for a new treaty that does the same thing? The existing treaties don’t work? So, the answer is to choose the same strategy, a treaty, to protect the same right? How would a Snowden treaty fare any better? Why would states, which—according to Snowden’s supporters—don’t abide by existing treaties, now decide to respect one that enshrines privacy as a fundamental right and outlaws mass surveillance? How will the same legal strategy to protect the same right yield different results with the same states? These questions can’t be dismissed by claiming the Snowden treaty will be different because, based on what is available, nothing different is proposed. The goal is a treaty negotiated, agreed, ratified, and implemented by states, just like existing treaties. The proposed treaty will re-affirm privacy as a fundamental right, so it is doing nothing new with this right, even in terms of mass surveillance in the digital age. These questions might have answers if the Snowden treaty innovates with the right to privacy rather than simply reaffirming existing international law. Changing the right would mean existing treaties are not sufficient and a new agreement would have a clear rationale. The proposal states the treaty will contain stronger whistleblower protections than international law presently recognizes—a change treaty law could, in theory, advance. But, tweaking the right to privacy to address what Snowden disclosed would suggest his disclosures did not, as claimed, reveal clear violations of international law. Perhaps innovations will appear in compliance and implementation mechanisms. 
The proposal promises the treaty will require states to establish independent supervision of surveillance activities and periodically review these activities. Any country can, right now, adopt such measures without a Snowden treaty. But, according to Snowden, “around the world governments are aggressively pressing for more power, more authority, more surveillance rather than less.” How do we get innovative, robust compliance and implementation procedures from governments not interested in them? This predictable problem explains why oversight mechanisms in human rights treaties are notoriously weak. Put another way, states can riddle bulletproof documents with holes because they, not privacy advocates, write treaty rules. Oddly, the Snowden-treaty movement wants us to traipse, once again, into this cul-de-sac. Most surprisingly, the Snowden treaty seems very un-Snowden. For many, the power of Snowden’s rallying cry for privacy in the digital age comes from his challenge to established rules and processes and the impact this defiance has had. This example calls for more than believing states will, this time, adopt an effective treaty. So, for @Snowden: Why a treaty? Why not something more radical, like a Snowden Charter—an accord among civil society, consumers, and technology companies to confront governments and confound mass surveillance through, among other things, continuing to expand encryption in our digital lives?
  • Sub-Saharan Africa
    The International Criminal Court and Africa’s Cultural Heritage
    In 2012 radical, jihadist Islamist groups overran northern Mali with Tuareg allies. Before they were defeated by French and Malian troops in 2013, the al-Qaeda-linked rebels governed the territories they controlled according to what they represented as the principles of Salafist Islam. One prominent group was Ansar Dine, which continues to be active in northern Mali. While the group occupied Timbuktu, its governance resembled that of the self-proclaimed Islamic State in Syria and Iraq. One of the similarities was the destruction of ancient monuments associated with other religions or varieties of Islam. The Islamic State’s destruction of ancient monuments in Palmyra, Syria, and Mosul, Iraq, is notorious. So, too, has been Islamic State looting and selling of ancient artifacts. Similarly, Ansar Dine radicals destroyed ancient tombs of local Muslim saints and a number of mosques in Mali. They also destroyed (or sold) ancient manuscripts. Individuals involved in such looting and destruction may be held personally accountable. The International Criminal Court (ICC) has determined that the destruction of cultural heritage is a war crime. On September 18, 2015, the ICC issued a warrant for the arrest of Ahmad al-Mahdi al-Faqi, charging him with ordering the destruction of ten buildings of cultural, historical, and religious importance in Timbuktu between June 30, 2012 and July 10, 2012. The Niger authorities arrested al-Faqi and delivered him to the custody of the ICC on September 26. His first hearing was today. ICC prosecutors say that as a member of the radical group Ansar Dine, he played an active role when it occupied Timbuktu. Al-Faqi, a Malian, fled to Niger when the French and Malians drove Ansar Dine out of Timbuktu. The ICC’s chief prosecutor is Fatou Bensouda, herself an African. A citizen of The Gambia, she received her legal training in Nigeria. 
In a September 28 statement from the ICC, Bensouda said, “intentional attacks against historic monuments and buildings dedicated to religion are grave crimes.” She is quoted by the Financial Times as saying that the destruction was “a callous assault on the dignity and identity of entire populations, and their religious and historical roots.” Mali and Niger are parties to the Rome Statute of the ICC. In 2013, Mali asked the court to investigate possible war crimes associated with the radical occupation of the north. That investigation resulted in the indictment of al-Faqi. Niger as a signatory of the Rome Statute was legally obligated to apprehend al-Faqi if it could and hand him over to the custody of the ICC. It did so. Al-Faqi’s arrest and trial are a welcome step forward in holding accountable those who destroy cultural heritage. However, with respect to the Islamic State, neither Syria nor Iraq is a party to the Rome Statute, which limits any ICC role if and when the Islamic State is destroyed.
  • Cybersecurity
    U.S.-China Cyber Deal Takes Norm Against Economic Espionage Global
    For years, the United States has argued that economic espionage by governments is wrong and should stop. The U.S. government became more vocal about this position as the Internet provided means for governments to engage in economic espionage on an unprecedented scale. But, among allies and adversaries, the United States made no headway on its international norm—until last Friday, when the White House announced the U.S. and Chinese governments agreed not to engage in or support economic espionage and to cooperate in implementing this commitment. As CFR’s Rob Knake and others have said, this gobsmacking development is important, particularly as a breakthrough in Sino-American cyber relations. Even thoughtful skepticism underscores the need to come to grips with its implications. Appropriately, attention has focused on the deal’s impact on the U.S.-China relationship, but it also has significance because it gives the U.S.-supported norm against economic espionage global potential it never had before. To grasp this change, recall the difficulties the United States had as evidence of economic cyber espionage by China mounted during the Obama administration. The Mandiant report released in February 2013 on Chinese economic cyber espionage galvanized concerns previously expressed by executive branch and congressional officials and led quickly to a new strategy on the theft of U.S. trade secrets. However, U.S. efforts to advance an international norm against economic espionage did not produce much, if any, support from other countries. At this time, the normative case against economic espionage confronted the problem that neither binding international law nor “soft law” contained indications that states recognized this norm. International law contained no serious restrictions on espionage and did not distinguish between traditional and economic espionage. 
This problem led to attempts to find footholds in other areas of international law, such as the principle of non-intervention and World Trade Organization agreements, but these efforts—whatever the merits of their legal analyses—did not change state practice. Part of the new U.S. strategy on protecting trade secrets included advancing the norm against economic espionage in U.S. diplomacy, including in negotiations for trade agreements. Snowden’s disclosures, which started in June 2013, damaged this project. The disclosures tarnished U.S. credibility, revealed U.S. intelligence collection against foreign companies and commercial sectors to inform diplomatic and trade negotiations, and gave China ammunition against U.S. complaints about its cyber behavior. The U.S. effort to distinguish between permitted and prohibited types of espionage became more difficult, even while the U.S. government and private cybersecurity companies believed Chinese economic cyber espionage continued unabated, if not actually intensified. Continued U.S. attempts to emphasize its norm, such as through indicting Chinese military personnel in May 2014, failed to gain international traction. This background illuminates why the agreement on economic espionage announced last week is politically surprising and normatively important. Initial reactions often focused on why China seemed to accept the U.S. position despite not previously recognizing the validity of the U.S. stance on economic espionage. Experts frequently commented on the potential impact of the U.S. decision to impose sanctions on Chinese companies that benefit from economic espionage. The release of more information and further analysis might reveal a more complex explanation. But what happened is as important as why it happened. Now, the United States is no longer the lone normative voice in the economic espionage wilderness. 
The leaders of the world’s two biggest political and economic powers have agreed to act together against economic espionage. The agreement is not binding international law, but it opens space for advancing the norm against economic espionage globally that the United States, even before Snowden, did not create on its own. This development gives the United States leverage in raising the norm against economic espionage in other diplomatic contexts, including trade negotiations, regional and bilateral cooperation on cybersecurity, and further UN talks about norms of state behavior in cyberspace. This leverage gives the United States an opportunity to push more credibly for countries to accept this norm and anchor it in international law, which potentially creates a rare moment in which international legal restrictions on espionage are even conceivable. Yes, the deal might be, or prove to be, less than what its text contains. Although not a legal document, the agreement might well be “lawyered” by both sides to suit their interests, raising questions whether the two governments are reading the same words. The implementation mechanisms might prove ineffective, or be used tactically in Sino-American disputes about other issues. Great power politics often prove the graveyard for international norms. But, for the moment, the agreement ensures that what happens next on economic espionage will unfold in a different normative context, and that is a remarkable result of cyber statesmanship by Presidents Obama and Xi.
  • International Law
    Bad News: Cyber Norms Probably Won’t Constrain Cyber Conflict
    Brian M. Mazanec is an adjunct professor at George Mason University. His book, The Evolution of Cyber War: International Norms for Emerging-Technology Weapons, will be published by Potomac Books next month. The U.S. government has put the promotion of its cyber norms at the forefront of its cyber diplomacy with the hopes that it will constrain pervasive cyberattacks. Past experience with norm promotion efforts provides insight on whether the United States is likely to be successful. Unfortunately, the future is bleak. As a general rule, states develop norms to promote their interests and a norm will only spread if other states perceive it to be in their interest to abide by it. Historical examples of this are plentiful. In the late 19th century, Russia pursued constraining norms against the possession and use of chemical and biological weapons as well as strategic bombing at the First Hague Conference. Russia had failed to master these new weapons and wanted to constrain potential adversaries. Britain, on the other hand, opposed a norm restricting strategic bombing because it saw bombing as a tool to offset the relatively small size of its ground forces. As a result, the conference agreed to prohibit the “discharge of projectiles and explosives from balloons or by other new analogous methods” for a temporary period of five years while prohibiting chemical and biological weapons indefinitely. These bans lasted until the powers of the day determined it was not in their self-interest to maintain them. Britain and Germany both used chemical weapons in World War I and strategic bombing was used throughout World War II by all parties. The requirement that states perceive a norm to be in their self-interest means that norms containing offensive cyber activity are unlikely to work. Unlike other forms of weaponry, cyber weapons are stealthy, making it difficult for planners to determine whether cyber weapons will be useful in the future. 
Furthermore, some states rely more on cyberspace than others, making states that are less dependent on the Internet less vulnerable to an attack. These relatively immune states will struggle to determine if constraining norms are in their interest as many states did with strategic bombing and will want to keep their options open. Chinese, Russian, and U.S. cyber activities appear to indicate that these states believe they have more to gain from embracing cyberattack capabilities than constraining norms: China has been unconstrained in its cyber espionage, as demonstrated by the recent OPM breach, but it is also preparing to use cyber weapons to cause economic harm, damage critical infrastructure, and influence armed conflict. The U.S. Department of Defense has pointed out that China is “looking at ways to use cyber for offensive operations” and Beijing appears to be developing and fielding advanced capabilities in cyberspace with strategic objectives in mind. Russia’s early cyberattacks on Estonia, Georgia, and Ukraine indicate that it is largely unconstrained by restrictive cyber norms. Although Russia has diplomatically advocated for a ban on cyber weapons and an International Code of Conduct for Information Security, its efforts are analogous to the Soviet Union’s early advocacy for a prohibition on nuclear weapons while simultaneously pursuing such weapons or its support for a ban on biological weapons while simultaneously developing them in secret. Russian military doctrine proclaims that any future war will involve the “early implementation of measures of information warfare to achieve political objectives.” The United States is significantly expanding its cyberattack capabilities at U.S. Cyber Command and engages in offensive cyber operations. 
However, unlike Russian attacks, the United States appears to avoid targeting nonmilitary assets, yet this restraint is likely negated by its perceived general “militarization” of cyberspace by adversaries such as China. The United States has articulated few limits on cyberattacks. For example, the International Strategy for Cyberspace states that the United States reserves “the right to use all necessary means” consistent with the application of international law to defend itself and its allies and partners. There are other reasons beyond self-interest that make containing cyber norms less likely to emerge. For example, unlike when the United States was briefly the only nuclear power after World War II and was able to establish a precedent of restraint in post-World War conflicts, it is too late to have a state establish a precedent through restraint or establish a prohibition on cyberattacks. While policymakers are fixated on the development of constraining rules of the road for cyberspace, history shows that U.S. efforts to promote norms to constrain offensive cyber activities are unlikely to succeed.
  • International Law
    The 2015 GGE Report: Breaking New Ground, Ever So Slowly
    Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations. As Politico noted in June, the United Nations Group of Governmental Experts on Information Security (GGE) agreed to a consensus document laying out its recommendations to guide state activity in cyberspace. Politico called the document a "breakthrough" because it enshrines a series of norms that the U.S. government has been promoting. At the time the article was published, it was hard to determine whether the champagne-popping was necessary given that the report wasn’t made public. Late last month, the UN released the text of the 2015 GGE report. As with many UN reports, this one is filled with recycled language from previous reports and General Assembly resolutions. The sections that speak to the threats in cyberspace, the need for confidence building measures, and the importance of capacity building are largely pilfered from the 2013 report and don’t really convey anything new. However, there are some exceptions. The U.S. was successful in getting its preferred norms with respect to critical infrastructure--States should respond to requests for assistance, and refrain from cyber activity that intentionally damages or impairs critical infrastructure or computer emergency response teams--adopted by the group. On the surface, getting everyone to agree to not attack critical infrastructure is great. But it’s hard to see what additional clarification this new norm provides. Each state classifies critical infrastructure differently--the United States has sixteen sectors, Japan has thirteen, Canada has ten, Germany has nine--and many of these sectors are defined so broadly that any disruptive or destructive cyber incident is likely to affect some form of critical infrastructure. For example, the North Korea incident against Sony was probably an attack against critical infrastructure, given that the U.S. 
Department of Homeland Security classifies motion picture studios as part of its commercial facilities sector. Moreover, as David recently pointed out, there’s already a norm against disruptive or destructive cyber activities. It’s called Article 2(4) of the United Nations Charter, which prohibits the threat or use of force. Despite the lack of new insight on the protection of critical infrastructure, the GGE report breaks new ground in three important areas. First, the report explicitly references the possible applicability of the international legal principles of humanity, necessity, proportionality, and distinction, though the wording of the text makes it unclear whether the group reached consensus on whether they actually apply to state activity in cyberspace or merely noted their existence. The U.S. seems to interpret it as endorsing the applicability of these principles to cyberspace, but the Chinese in particular have avoided doing so in the past. At the 2012-2013 GGE, the Chinese blocked any attempt to reference humanitarian law principles in that group’s report on the basis that endorsing their applicability would legitimize armed conflict in cyberspace. If the 2014-2015 group endorsed necessity, proportionality, and distinction, it would represent a considerable shift in China’s position. Second, the report notes that states should substantiate public accusations of state-sponsored cyber activity, and that "the indication that an ICT activity was launched or otherwise originates from a State’s territory ... may be insufficient in itself to attribute the activity to that state." The text was inserted at the last minute at Russia’s request, and it’s unclear why. 
China, not Russia, is generally the most vocal about the need for evidence when publicly attributing malicious cyber activity, regularly asserting that accusations without proof are "irresponsible and unscientific." In any case, Russia may be trying to promote a norm against public attribution without strong evidence. The United States has signalled that it is willing to name and shame states that engage in destructive activity (e.g. North Korea), steal intellectual property for commercial gain (e.g. the five PLA indictees), and to establish deterrence. In the future, the United States may need to provide more concrete evidence than the "trust us" approach it’s used in the past. Third, the report recommends that states "should respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts." This recommendation may seem banal, but it’s pretty significant. Many states have established national computer emergency response teams (CERTs) to act as focal points to coordinate national and international responses to cyber incidents. Oftentimes, one national CERT’s request for assistance from another can go unanswered for days, allowing malicious traffic that could be terminated to go unabated. In the case of the 24/7 point-of-contact network established by the G8 to combat cybercrime, many of the national points of contact don’t even pick up the phone. Creating an expectation that requests for assistance will be answered may actually pressure some into responding. With any luck (and prayers from Duncan Hollis), the expectation could even turn into an obligation to provide assistance, much like the duty to render assistance under the law of the sea. Are these developments a breakthrough? Not really. Like any diplomatic endeavor, each side will be able to claim that it won. The United States and its allies will trumpet it as a win for their preferred norms. 
Russia, and to a lesser extent China, will be able to claim that the norms in the report are a step towards the establishment of new international law, as Russian GGE expert Andrey Krutskikh did three weeks ago. Nevertheless, there are some nuggets in the GGE report that represent small but genuinely important steps that clarify what states should and shouldn’t do in cyberspace. Correction: This post was updated to reflect the fact that Russia, not China, inserted language in the GGE report that a state should substantiate accusations of state-sponsored cyber activity.
  • China
    Sudan’s President Omar al-Bashir in China
    Omar al-Bashir is in China to observe a huge military parade commemorating the end of World War II. He is under indictment for war crimes by the International Criminal Court, which has issued warrants for his arrest. Parties to the Treaty of Rome, which established the Court, are obligated to arrest Bashir. That nearly happened earlier in the year when the Sudanese president went to South Africa for a summit of African Union heads of state. However, China is not a party to the Treaty of Rome. According to Reuters, when a Chinese foreign ministry spokeswoman was asked about the “irony” of inviting a chief of state indicted for war crimes when so many were committed during World War II, she replied that was “overthinking.” She went on to say: “The people of Africa, including Sudan, made an important contribution in the victory in the World Anti-Fascist War. China’s invitation to President Bashir to the commemoration activities is reasonable and fair. While he is in China we will give him the treatment he should get.” According to the media, the Chinese government has been associating the victory parade with atrocities carried out by the Japanese in China during World War II. Western representation at the parade, which will feature 12,000 troops marching through Beijing, will be low-level. Chinese president Xi Jinping welcomed Bashir as an “old friend.” Indeed, Khartoum and Beijing have long been close. China is Sudan’s largest trading partner and source of foreign investment. Sudan’s oil production has largely been in Chinese hands, and Sudan imports a wide range of goods from China. Historically, China has pursued a “non-interference” policy with respect to Sudan, including Khartoum’s human rights abuses. However, more recently China has been playing a positive role in the search for a solution in South Sudan and supplies some 700 peacekeepers to guard the oil fields. It has significantly cut back its arms sales to Khartoum.
  • International Law
    New Cyber Brief: Developing a Proportionate Response to a Cyber Incident
    The Digital and Cyberspace Policy Program has launched its third Cyber Brief. This one is authored by Tobias Feakin, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute. The brief, entitled Developing a Proportionate Response to a Cyber Incident, proposes a framework that policymakers can use to respond to disruptive or destructive state-sponsored cyber activity. While the framework is deliberately simplified, it can help policymakers in the United States and elsewhere devise responses that are proportionate, legal, timely and discriminatory. To develop proportionate responses, Tobias recommends that policymakers first consult their domestic private sector, particularly critical infrastructure operators, who can advise governments on the types of cyber incidents that would affect their operations and that could require a response. Furthermore, policymakers must be keenly aware of the costs associated with each response, as they will have an impact on a country’s diplomatic relations, reputation, and military and intelligence operations. You can find the full brief here.
  • International Organizations
    Sexual Abuse by Peacekeepers: Time for Real Action
    Coauthored with Eleanor Powell, intern in the International Institutions and Global Governance program at the Council on Foreign Relations. United Nations peacekeeping efforts have long had a dark side: a history of sexual exploitation and abuse against civilians by UN personnel. While the UN has paid lip service to stopping such sexual violence, a recent internal review reveals the still-alarming scope of these crimes—and the failure of the international community to hold perpetrators to account. After years of inaction and broken promises, however, several factors are aligning today in promising ways that prime the political environment for progress. But the important question is how far this progress will go. Sexual violence by peacekeepers is by now disturbingly familiar. Reports of such crimes date back at least to the 1990s, in UN missions in Mozambique, Bosnia, Guinea, Liberia, and Sierra Leone. Abuses ran the gamut from sex trafficking to prostitution in exchange for money, food, or medical supplies. After repeated outcries, the UN condemned these abuses as reprehensible in a 2003 special bulletin from the secretary-general and established a “zero tolerance” policy in 2005. In fact, business as usual continues. Experts offer various explanations for these recurrent abuses, ranging from power differentials between peacekeepers and impoverished civilians to lack of training and education on UN policies within troop-contributing countries. But one common thread runs through all these cases of abuse: peacekeeping personnel enjoy a staggering level of impunity, thanks to the structure of the UN peacekeeping system. Generally speaking, rich states contribute funds for peacekeeping, and poorer states contribute troops. UN peacekeeping missions are at their historic high deployment, with 106,000 military and police units (compared to 34,000 in 2000) and 19,000 civilian staff in sixteen operations under UN command around the world. 
Moreover, contemporary missions last almost three times longer than their predecessors, and the UN also provides logistical support to more than 20,000 African Union (AU) personnel. The high demand for UN peacekeepers means that the United Nations Department of Peacekeeping Operations (UNDPKO) is constantly scrambling not just for funds, but for personnel to fill peacekeeping slots. Current UN policies go extra lengths to encourage troop-contributing countries to keep sending personnel—with disastrous consequences for oversight and accountability. Currently, agreements among UNDPKO, troop-contributing countries, and host countries assign jurisdiction for investigating any alleged abuse solely to the troop-contributing country. Any disciplinary action by the sending state, moreover, remains purely voluntary. These policies are meant to send two clear messages: the sovereignty of troop-contributing countries will be protected, and the UN is in the business of promoting continued troop donations rather than turning them away. Inevitably, given the UN’s desire not to step on anyone’s toes, internal UN reform efforts to date have done little to stop sexual abuse by peacekeepers. A UN Office of International Oversight Services report from May 2015 recorded 480 allegations of abuse between 2008 and 2013. (Given the underreporting of such crimes, the number of victims is likely far higher). While no UN mission was immune, the report singled out as egregious four missions in Haiti, the Democratic Republic of Congo, Liberia, and Sudan/South Sudan. Moreover, the report suggested a disturbing trend: in 36 percent of cases, the alleged victims were minors. 
This report, along with the recent leaked allegations against French troops in the Central African Republic and another round of allegations of abuses committed by AU peacekeeping contingents from Chad and Equatorial Guinea, suggests that little has been done to curb sexual abuse in such operations a quarter of a century after it was first reported. At long last, however, real action may be on the horizon. In June, UN Secretary-General Ban Ki-moon announced the creation of an External Independent Review Panel, co-chaired by Marie Deschamps (Canada), Hassan Jallow (Gambia), and Yasmin Sooka (South Africa), to examine the UN’s handling of allegations of sexual exploitation and abuse. This marks the first time the UN has commissioned such a review. The panel will publicly release its findings within ten weeks, to be subsequently used “in any manner the Secretary-General considers to be in the interests of the United Nations.” Meanwhile, President Obama plans to hold a summit on peacekeeping during the UN General Assembly’s high-level week in late September. Beyond urging states to fill gaps in existing missions and plan future operations, the president can use this platform to highlight the glaring problem of sexual abuse in UN missions. Finally, in October, the United Nations is scheduled to undertake a high-level review of Security Council Resolution 1325 (2000), which calls upon UN peace missions to be more gender sensitive and end impunity for gender-based crimes. In parallel with these multilateral efforts, some troop-contributing states are beginning to combat impunity on their own, by taking allegations against their nationals seriously, and publicly detailing their disciplinary actions. India recently made headlines for punishing several members of its contingent for sexual abuses in the DRC, and France announced it would take legal action against its soldiers accused of raping children in the Central African Republic in 2014. 
Another promising development is the growing activism of civil society actors. Until recently, the advocacy community focused its energies on the broader category of sexual violence in conflict, which has sometimes distracted attention from the particular problem of abuse by peacekeepers. That has changed. In May, Code Blue became the first advocacy campaign focused specifically on sexual exploitation committed by peacekeeping personnel. The group has leaked internal UN reports, placing new pressure on the UN, troop-contributing states, and major funders of peace operations—including the United States. More recently, in July, the UN’s deputy high commissioner for human rights, Flavia Pansieri, stepped down after Code Blue’s leaked reports revealed that she had failed to act after being informed of allegations against French soldiers in the Central African Republic. This unprecedented confluence of factors—including high-level attention from the UN, national governments, the media, and advocacy groups—suggests that real reform could be in the offing. But it is by no means guaranteed. This attention provides a window of opportunity for action against sexual violence by peacekeepers, but that window will not stay open long, as interest inevitably shifts to other international crises and scandals. Moreover, this brief window of opportunity may not be open to all possible reforms. True progress on this issue would entail greater transparency and cooperation from troop-contributing countries, a consistent process for handling allegations and determining sentences, and some form of UN enforcement capability to deal with states that refuse to comply. But with little being done to combat the UN’s problem of high troop demand and low supply, peacekeeping missions are unlikely to see these major reforms any time soon. 
The danger is that UN member states and the UN itself will continue to take cosmetic steps, such as a nonbinding General Assembly resolution that condemns sexual violence by peacekeepers and directs troop contributors and mission commanders to take steps, including improved predeployment training and mission monitoring, to curtail such abuse. Another risk is that the UN will hail the report as a watershed moment, only to let recommendations get lost in bureaucratic limbo. While promoting norms is important, accountability and consequences matter even more. The UN needs to establish some mechanism to hold UN troops and civilian personnel to account for sexual crimes committed during peace operations, so that they cannot be shielded behind national sovereignty. True change will require three ingredients: greater transparency, generous funding, and high-level political pressure. First, the UN must improve its mechanisms for victims to report abuse and mandate new reporting requirements for troop-contributing countries. Missions must detail and publicly disclose the number of victims and perpetrators, broken down by nationality, and the disciplinary action taken as a result of substantiated allegations. Greater transparency would expose the scope of the problem and help civil society groups hold troop-contributing countries accountable by naming and shaming governments that give their soldiers a pass when it comes to committing sexual violence. Second, wealthy donor nations should provide legal, technical, and other assistance to help well-intentioned governments that are willing to hold their troops accountable but lack financial and other capacities to do so. Finally, the United States must lead on this agenda. 
President Obama should use the UN special session on peace operations this September to spotlight the problem of sexual abuse by peacekeepers, and his administration should keep the pressure on in ensuing months to ensure that the UN’s fine words translate into action.
  • Cybersecurity
    Cyberspace’s Other Attribution Problem
    Benjamin Brake is an international affairs fellow at the Council on Foreign Relations and a foreign affairs analyst in the Bureau of Intelligence and Research at the U.S. Department of State. The views expressed in this article are those of the author and do not necessarily represent those of the Department of State or the U.S. government. Claims that technical experts have solved attribution ignore legal challenges that could slow or limit how states might lawfully respond to a major cyberattack. First, a country hit with a major cyberattack would face the novel challenge of persuading allies that the scale and effects of a cyberattack were grave enough to trigger a right to self-defense under the UN Charter. No simple task, given that the UN rules were drawn up seven decades ago by countries seeking to end the scourge of traditional, kinetic warfare. Jurists still debate how self-defense applies in cyberspace and U.S. officials admit building a consensus could be a challenge. If a victim state does corral a consensus that the right to use force in self-defense has been triggered, a second legal question could compound the attribution challenge even further. Can the actions of a hacker be attributed to a nation-state as a matter of law? Answering this question presents a major legal hurdle if the attack is launched by an ostensibly non-state hacker with murky ties to an adversary government—a growing trend already seen in cyberattacks linked to Russia and Iran. Legal precedents born out of traditional conflicts and proxy wars suggest the evidentiary burden to attribute the actions of non-state hackers to a state will be substantial. And experiences from recent incidents offer a discouraging preview. It took less than 24 hours for a prominent cybersecurity expert to cast doubt on claims by unnamed U.S. officials that China was behind the breach of OPM’s networks. 
Official accounts of Pyongyang’s role in the Sony attack played out similarly, with news outlets featuring competing expert accounts of responsibility—a line-up of suspects that included North Koreans, Russians, hacktivists, cyber criminals, and disgruntled employees.
    Old Law in New Battles
    In 2013, some of the world’s major cyber powers reached a consensus that law applies in cyberspace, including principles of the law of state responsibility. Attributing conduct to a nation-state under this body of customary international law, however, requires extensive evidence of state control over a hacker—a significant ask of intelligence agencies already burdened with looking out for and mitigating the cyberattacks themselves. Under the law of state responsibility, a state is accountable for the actions of individuals acting under its “effective control.” Legal scholars debate what “effective control” looks like in practice, but the International Court of Justice has ruled that violations of the law of armed conflict by private individuals can be attributed to a state only if it could be shown the state “directed or enforced” an operation. In a landmark 1986 case, evidence the United States financed, organized, trained, supplied, and equipped the Nicaraguan contras, as well as aided in the selection of targets and planning of contra operations, was not enough to show the United States exercised effective control over the contras. Contra war crimes, it followed, could not be attributed to the United States. Extending the Nicaragua precedent to cyberspace, a victim of a cyberattack would likely have to prove more than an adversary supplied a cyber weapon to a non-state actor. A victim would instead have to show the state ordered or had “effective control” over all aspects of the cyberattack. 
Without such evidence, a victim’s lawful response options may be limited to actions against the non-state actors—cold comfort for a nation reeling from a cyberattack perpetrated by hackers financed, organized, trained, supplied, and equipped by a nation-state adversary. The victim state can of course decide for itself whether it has met the burden of proof in its attribution and unilaterally unleash an armed response—attribution, it has been said, is what states make of it—but a desire for international legitimacy could require meeting international law’s significant evidentiary burden before acting in self-defense.
    Sovereign Impunity
    Together, clearing these two legal thresholds will pose a significant challenge for countries seeking to respond to cyberattacks. Only after both are cleared is a victim endowed with a right to use force in self-defense against an attacker’s armed forces or other military objectives. This double burden could leave a victim state choosing between two bad outcomes: responding with force in a manner deemed illegitimate in the eyes of the international community; or responding with “non-forcible countermeasures” (criminal sanctions or diplomatic measures such as a demarche). Either outcome would lend support to the growing sense of cyberspace as a lawless frontier. Expert contributors to the Tallinn Manual, an influential treatise on how international law applies to cyber warfare, are attempting to develop a consensus around how the law of state responsibility applies to the use of proxies in cyber operations. But until a shared understanding of state responsibility in cyberspace emerges, governments must themselves push for and enforce—as publicly as possible to ensure their behavior sets responsible precedents—a standard that punishes the use of proxies for cyberattacks and holds countries accountable for the consequences of those attacks. 
Public attributions, declassification of relevant intelligence, and the responsible use of countermeasures will do far more than tribunals and legal scholars can to shape how we deal with attribution and responsibility in cyberspace.
  • Cybersecurity
    Cyber Norm Development and the Protection of Critical Infrastructure
    In cybersecurity, protecting critical infrastructure has long been important. In the early days of this policy area, the Clinton administration identified the need to protect critical infrastructure from cyberattacks. The Obama administration’s Framework for Improving Critical Infrastructure Cybersecurity highlights the importance of protecting critical infrastructure from cyber threats. Other governments exhibit similar concerns. Recently, Germany passed legislation mandating critical infrastructure operators improve their cybersecurity. Internationally, the United States has advocated a non-binding or “soft law” norm that countries should not damage critical infrastructure in other nations, and the UN Governmental Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) apparently accepted this idea during its 2015 session. Given national and international activity on critical infrastructure protection, is this area producing new norms for cyberspace? As Henry Farrell observed in his CFR Cyber Brief on promoting norms in cyberspace, “U.S. policymakers argue that the United States and others need to build norms to mitigate cybersecurity problems.” Addressing cyber threats to U.S. critical infrastructure, Admiral Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, asserted, “We have got to develop a set of norms or principles in this space.” Such emphasis on developing norms suggests that norms do not exist. However, cyberattacks by state or non-state actors against critical infrastructure are illegal under international law. In short, we have lots of norms, rather than a shortage of them. In terms of criminal activities against critical infrastructure, the Council of Europe’s Convention on Cybercrime provides substantive and procedural rules that support states parties’ responses to such activities. 
The International Convention for the Suppression of Terrorist Bombings applies to attacks against infrastructure facilities through weapons or devices that can cause death, serious bodily injury, or substantial property damage, which can encompass cyberattacks by terrorist groups. A cyberattack by a state that damages critical infrastructure in another state would violate the international legal principle of non-intervention and, if sufficiently bad, might violate international law’s prohibition on the use of force. If binding international law prohibits states from damaging critical infrastructure in other countries, what does a non-binding norm against the same activity contribute to norm development in cyberspace? The GGE agreed in 2013 that the UN Charter, including its principles on non-intervention and the use of force, applies in cyberspace, so the norm on not attacking critical infrastructure could be a cyber-specific application of these general rules. But, if so, this corollary should be binding under international law. Norm development usually does not move from binding rules to voluntary guidelines. Another way to interpret the non-binding norm is that the rules against intervention and the use of force are not effective in cyberspace, which requires building consensus around a cyber specific norm. But, it’s not clear why a non-binding norm will be more effective than two of the most fundamental rules of international law. Less commented upon is the possible emergence of a norm requiring national and international action to defend critical infrastructure against cyberattacks. Countries can improve national critical infrastructure cybersecurity without needing international norms. However, as cyber threats to critical infrastructure have grown more serious, states have started to use international law to address these threats. 
This activity highlights international interest in strengthening cybersecurity in national critical infrastructure and reveals the need for more cooperation. This potential norm arises from states using international law to advance critical infrastructure protection in two ways. First, countries increasingly use multilateral, regional, and bilateral processes to address critical infrastructure cybersecurity, including activities in, for example, the International Atomic Energy Agency, International Civil Aviation Organization, NATO, the EU, and ASEAN. Generally, these efforts involve non-binding efforts to strengthen national cyber defenses for critical infrastructure, improve information sharing on cyber threats, and facilitate assistance to other countries. Second, some countries use international law directly. An EU directive on critical infrastructure requires operators to protect themselves against cyber threats. The African Union Convention on Cyber Security and Personal Data Protection mandates that states parties take action to protect critical infrastructure in their jurisdiction. Such international activities perhaps indicate the development of a “soft law” norm that includes “cyber due diligence” obligations on countries with respect to national critical infrastructure and responsibilities to cooperate with other nations in strengthening cybersecurity for critical infrastructure. Such a norm could have other implications, including, for example, how countries deal with “zero day” vulnerabilities of concern for critical infrastructure operations. State behavior is not yet sufficient to claim that this norm is anything more than incipient, but perhaps this aspect of protecting critical infrastructure deserves more attention as efforts on developing norms for cyberspace continue.
  • Europe and Eurasia
    The Policy Implications of Hacking the Hacking Team
    The irony of Hacking Team—an Italian company that sells surveillance software—being hacked (or as Wired put it, “disemboweled”) is delicious, especially given Hacking Team’s denials it sold to governments with notorious human rights records. Hacking Team still insists it broke no laws and has behaved ethically. Whether Hacking Team survives remains to be seen, but this episode’s importance extends beyond one company. What the hack revealed touches on important policy issues.
    Cyber Surveillance Tools and Sanction Regimes
    The disclosed materials indicate Hacking Team sold its wares to the Sudanese government and a state-owned Russian company that produces military radar. Marietje Schaake, member of the European Parliament, argues that the sale to Sudan violates sanctions imposed by the UN Security Council—sanctions implemented through EU law. Schaake also states that the sale to the Russian company appears to violate EU sanctions imposed in response to Russian activities in Ukraine. Whether Hacking Team violated these sanctions I leave for others to decide, but the accusations suggest that future sanction regimes should explicitly cover the type of surveillance tools Hacking Team sold. In March 2015 correspondence, the UN Panel of Experts involved in monitoring the Sudan sanctions stated that Hacking Team’s software “may potentially” fall within the prohibited categories of “military equipment” or “assistance” related to prohibited items. This less-than-definitive phrasing invites questions about the interpretation of the UN sanctions. Such questions can be avoided in the future by including surveillance software within the scope of prohibitions imposed by UN sanctions.
    Wassenaar Arrangement Rules on Intrusion Software
    The Hacking Team disclosures focus new attention on rules adopted in December 2013 that subjected intrusion software to the Wassenaar Arrangement, an export-control regime for dual-use technologies involving forty-one countries. 
As Kim Zetter noted, this change sought “to restrict the sale and distribution of computer surveillance tools to oppressive regimes,” though some argue it could chill cybersecurity research. Experts identified Hacking Team products as falling within these new rules. However, revelations that Hacking Team’s customers included countries with poor human rights records reinforce why the Wassenaar regime included intrusion software. The episode gives momentum to the Wassenaar approach of regulating cyber surveillance companies. While the momentum does not resolve the security research community’s concerns, the incident strengthens the position of governments and human rights groups interested in more regulation in this area.
    The Future of Lawful Hacking
    Hacking Team’s clients include not only repressive governments but also government agencies in democracies, including EU members and the United States, which connects the disclosures with controversies about “lawful hacking.” In June 2015, Senator Charles Grassley, Chair of the Senate Judiciary Committee, wrote to FBI Director James Comey seeking information about the FBI’s use of spyware, the legal justification that authorizes deployment of such software, and whether the FBI has purchased spyware from, among others, the Hacking Team. The disclosure that the FBI has been a Hacking Team customer will intensify scrutiny of its use of hacking in criminal investigations. The same might occur in other countries where government agencies are listed as Hacking Team clients, such as Australia, Chile and Mexico. This trajectory will increase tensions building between government interest in exploiting digital technologies for law enforcement and advocates for privacy and other civil liberties.
    International Human Rights in the Digital Age
    The nature of Hacking Team’s products and the global scale of its sales make the leaked information important for international human rights. 
Concerns about the threat government surveillance poses to the use of digital technologies existed prior to the Hacking Team disclosures. But, like the Snowden leaks, these disclosures will heighten worries that governments are engaging in surveillance that violates human rights. In response to the disclosures, the UN Special Rapporteur on the Right to Freedom of Opinion and Expression tweeted that the documents revealed the depth and extent of digital attacks on civil society and underscored the importance of encryption and anonymity. The disclosures will also be important to the work of the newly appointed UN Special Rapporteur on the Right to Privacy.
    Making It Too Easy for Authoritarian Regimes
    Hacking Team might go out of business, but its demise would not affect how authoritarian governments behave. Much like Snowden’s leaks, the Hacking Team contretemps reinforces their perceptions of the hypocrisy of democracies. They can easily point out double standards: multiple U.S. government agencies are clients of a company that sells to a Sudanese regime accused of genocide, even after the Hacking Team has been credibly accused of doing business with Sudan and other repressive governments? And it takes another spectacular criminal act to expose gaps between rhetoric about Internet freedom and the reality of governmental and private-sector behavior? Authoritarian governments do not need the travails of democracies to harness digital technologies for repression, but the democratic world’s struggles with these disruptive technologies are giving cyber repression too much space to metastasize.
  • Sub-Saharan Africa
    South African Democracy and the International Criminal Court
    For this outsider, the parliamentary and judicial response to the Zuma administration’s failure to detain Sudanese President Omar al-Bashir and turn him over to the International Criminal Court (ICC) provides a window into the state of South African democracy. To me, it is clear that the Zuma government broke both South African and international law not only by failing to hold al-Bashir, though specifically ordered to do so by the South African judiciary, but also by facilitating his clandestine departure. South African law is relevant because the South African government at the time incorporated the ICC treaty into its own legal system. Neither the judiciary nor the parliament is taking the Zuma administration’s violation of the law quietly. The Pretoria High Court has “invited” the National Director of Public Prosecutions to look into how South Africa violated a court order to hold al-Bashir. Judge President Dunstan Mlambo said, “A democratic state based on the rule of law cannot exist or function if the government ignores its constitutional obligations.” The parliamentary debate was raucous. The official opposition, the Democratic Alliance (DA), stated that the Zuma government was in contempt of both the South African court and the ICC. A DA parliamentarian, Steven Mokgalapa, said, “The African National Congress (ANC) government, led by Zuma has committed a crime of assisting a wanted man to run from the law.” Congress of the People (COP) leader Mosiuoa Lekota is quoted by the media as saying, “You lied to us. You said you will uphold the constitution, uphold the law and be an example. You have misled the people of our country and now we are ashamed before the nations of the world.” (“Terror” Lekota – his nickname comes from soccer – is a Robben Island veteran and was once an ANC stalwart; a former Minister of Defense, he broke with the ANC when it removed Thabo Mbeki from the party leadership.) 
The ANC defense boils down to the propositions that heads of state are immune from the ICC. (The Rome Statute specifically says that heads of state are subject to ICC jurisdiction.) Further, that al-Bashir was attending an African Union summit, rather than making an official visit to South Africa. However, some ANC leaders are roundly attacking the ICC and calling for South Africa to withdraw. In what is likely to be a swipe at the United States, ANC Secretary General Gwede Mantashe said on local radio that the ICC “is a tool in the hands of the powerful to destroy the weak and it is a court that is focusing on Africa, Eastern Europe, and the Middle East.” He said South Africa should consider leaving the ICC: “If I was in government, I would give notice, get out of that, it was not what was envisioned.” Justice and Constitutional Development Deputy Minister John Jeffrey is quoted as saying that the ICC “has diverted from its mandate and allowed itself to be influenced by powerful non-member states. We signed up for a court that was going to hold human beings accountable for their war crimes – regardless of where they were from. We perceive it as tending to act as a proxy instrument for those states who see no need to subject themselves to its discipline, to persecute African leaders, and effect regime change on the continent.” The al-Bashir episode provides a muddled picture of South African democracy. The government appears to have acted illegally. The judiciary and the legislature have reacted vociferously. But, nobody seems to expect that anything will happen.