To identify how traditional international legal norms may be usefully managed with a view to creating a common regulation mode for the cyberspace, that would take into account the interface between multiple actors at different regulatory levels and would cover both instances of conflicts caused by the absence of cyberspace sovereignty or by contradictory interests of the States operating in the same cyberspace, and
To determine whether a new multi-pillar, horizontal, open model of cybergovernance may be currently developing, either as a change in paradigm away from the State-centred system or as a nuanced evolution thereof.
The idea of sovereignty, as illustrated by the physical barrier of the border, is particularly challenged in the cyber world. Defined as “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures”, cyberspace is created by people to serve people. Almost invisible by nature, it involves uncontrolled amounts of data in motion, mainly supported by digital platforms and networks, which provide cutting-edge technological services to an increasingly digitalized planet. Effectively by-passing State boundaries, the cyberworld raises new challenges to governance, potentially in direct conflict with State sovereignty, security and human rights enforcement.
Jurisdiction, the traditional link to the sovereign State, does not always work efficiently or even adequately in the cyberspace: in practice, it is essentially an extension of jurisdiction over the relevant infrastructure that hosts the cyberspace in the territory of a State. Cyber-attacks from computers situated in one country against hardware or communication networks situated in another country can also be regarded as an armed attack under international law. On a lower threshold, domestic authorities are called upon to enforce their criminal legal frameworks within the insurmountable limits of their territorial jurisdiction while perpetrators are free to move within the borderless cyberspace. In any case, the international rules of State responsibility govern the establishment of responsibility for cyber operations orchestrated by State officials or the State’s failure to address –with due diligence– violations caused extraterritorially by private actors. The limits of this approach are better illustrated in the current wave of information cyber warfare through the widespread use of ‘fake news’, where information becomes the ultimate counterforce against existing or emerging threats and control of the flow or indeed the quality of information to the adversary is critical to the (cold or even lukewarm) war effort.
Unlike technological standardization, the legal frameworks, purporting to regulate these challenges, differ significantly. Normative solutions remain sparse and sectoral, such as the EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (Michels, 2018); or regional (even with global aspirations) such as the 2001 Council of Europe Convention on Cybercrime (ETS no. 185). Indeed, reliance to the traditional norm-generation process, through multilateral agreements or general State practice giving rise to customary rules, seems eminently deficient as it would be almost impossible to catch-up, contain and eventually regulate the rapid technological developments in the cyberspace. Resort to existing rules seems to be the only possible alternative in this context, imperfect as it may be: the real question, however, is whether it would also be sustainable in the long run.
In fact, the practical aspects of the cyberworld are regulated mostly at the sub-Statal level, as a network of transactions between private individuals with a minimum of interaction with the power of the State. The flow of information, which constitutes the backbone of cyberspace, is considered an expression of the individual freedom guaranteed by the domestic and international safeguards for human rights protection; and seems to be carried out within the legal space created by the existing international framework for human rights protection, respect for intellectual property rights, effective privacy protection for internet users and the ability to deflect both cybercrime and aggressive acts in cyberspace. In terms of governance, however, the system clearly lacks distinct authority structures and transparent decision-making processes. There seems to be an understanding that the whole field must ensure global interoperability, network stability, reliable access, multi-stakeholder governance and cybersecurity due diligence. However, who is going to ensure that these emerging principles are to be respected and implemented remains an open question. Sovereign responses on the international level remain again sparse and unequal in character: a typical example is the sharp contrast between the soft-law enunciation of a general principle to digital privacy, as evidenced in the UN General Assembly resolution 68/167 (2013), and the detailed technical rules of the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). Instead, domestic regulations and guidelines may well have a disproportionate impact on the laissez-faire character of the system, as exemplified in the FCC 2017 rules on net neutrality. In practice, the sovereign States have opted for a distant oversight role over previously existing private enterprise initiatives, operating on the basis of voluntary codes of conduct: thus ICANN, a non-profit private US corporation that oversees global IP address allocation and other internet protocol-related symbols and numbers, is supervised by the Governmental Advisory Committee, consisting of 111 States and a number of international organizations. In essence, the States concerned exercise an atypical government function, stepping in only to uphold international and national human rights standards, including through the human rights review and implementation mechanisms. Is that a blueprint for the future or simply one of the possible governance options available in a brave new world?
The present project attempts to reorient existing international law theory in the pursuit of sustainable governance structures for the next century. It is evident that the risk of failure involved is significant; however, even the affirmation or negation of perceived trends and suggested options in cyber governance during this era of transition would be of benefit to the on-going global sovereignty debate.
The research project was supported by the Hellenic Foundation for Research and Innovation (H.F.R.I.) under the “1st Call for H.F.R.I. Research Projects to support Faculty Members & Researchers and the Procurement of High-Cost research equipment grant” (Project Number: HFRI-FM17-1415).