UK Government sets out position for applying international law in cyberspace

Speaking at Chatham House, an independent policy institute based in London, Attorney General Suella Braverman recently set out the UK government’s position on applying international law to cyberspace.

During the speech, Braverman acknowledged that our reliance on cyber has “created huge challenges”  and that “events over the past 10 years, in particular, have demonstrated the vulnerability of critical sectors to disruptive State cyber activity.”

Braverman mentioned the ongoing conflict in Ukraine, claiming Russia has shown a “callous disregard for established international rules.” However, when setting out how the government considers international law applies in cyberspace, she gave particular focus to rules applicable in peacetime, specifically relating to non-intervention.

According to Braverman, the UK’s position is that the rule on non-intervention provides a clearly established basis in international law for assessing the legality of State conduct in cyberspace during peacetime.

She went on to say that a core element of the non-intervention rule is that the offending behaviour must be coercive. “In essence, an intervention in the affairs of another State will be unlawful if it is forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty,” said Braverman.

Braverman then went on to outline various response options for states that fell victim to a cyberattack, which included economic sanctions, restrictions on freedom of movement, exclusion from international groupings, and wider diplomatic measures.

The Attorney General then clarified that this means when states like Russia or China carry out irresponsible or hostile cyber activity, the UK and its allies can take action, whether or not the activity was itself unlawful.

Oliver Pinson-Roxburgh, CEO of Defense.com, commented on the speech: “This speech is an important line in the sand on appropriate security standards in cyberspace. We live in an era of evolving and unprecedented threats, with threat actors able to deploy automated attack methods to operate at pace and at scale.

“Facing a sprawling threat landscape, where individual actors out for financial gain are mixed in with the geopolitical disruption favoured by nation-state actors, businesses need this sort of clarity from the government to help them monitor and respond to threats when they occur.

“It was welcome to hear the Attorney General highlight the responsibility of both the public and private sector to maintain cyber resilience. Businesses cannot entirely rely on the briefings and intelligence provided by the NCSC. Hostile actors will look for vulnerabilities across any organisation – large or small.

“There are quick and easy steps businesses can take to build up an end-to-end approach to cybersecurity, from password best practices for staff right the way through to the latest in vulnerability scanning and monitoring technology. As legislation for cyberspace evolves, businesses can look to outsourced cybersecurity experts to help them make sense of the latest directives and understand how to remain compliant.”