Report from the 2018 ECSL Practitioners' Forum - Cyber Issues in Space: Legal Tools

Prof. Marchisio briefly welcomed the participants, introduced ECSL and the Practitioners’ Forum. His introductory words were followed by the Director General of the European Space Agency, Prof. Dr. J.D. Wörner, who addressed the main paradigm shifts resulting from what he dubbed ‘Space 4.0’, including the ongoing digitalization and commercialization of space activities and space-based services. He noted a new race in space in Europe was gradually evolving, not only as between the member states but also with the European Union and ESA as further players. In this context, the increasing issues of cyber interference represented another layer of complexity in efforts to maintain a coherent space environment for beneficial and legitimate, as well as properly regulated activities.

Prof. Von der Dunk further introduced the topic of the Forum, by warning in particular for the use of phrases such as ‘cyber war’, ‘cyber force’ and ‘cyber attack’, as such terms already carry longstanding international legal connotations and understandings which might not necessarily be appropriate in the context of addressing cyber issues in space. He also pointed at the need to apply international law concepts such as ‘customary international law’ and ‘treaty interpretation’ in the correct manner, citing the apparent endorsement by a reputable space law institute of the claims of Asgardia to be the first space nation as a particular example of terminological pollution giving rise to legally incorrect analyses and conclusions.

The morning session, “Laying out the Land: Cyber Issues and International Law”, was introduced by its chair, Dr. K. Nyman-Metcalf, Chair of ESA International Relations Committee. She warned that new topics of international law and relations such as outer space and cyber space still have to be embedded in certain legal structures like sovereignty, jurisdiction and general international law principles, and that it would be counterproductive to assume one could start legal discussions as if from a blank slate.

The first speaker then was Dr. S. Zatti of the ESA Security Office, who spoke on “Cyber Security and the ESA Perspective: Incidents and Challenges”. He pointed out that ‘New Space’ almost by definition results in new cyber threats, especially as for Europe in the context of Galileo and Copernicus, and outlined some details of ESA’s general approach to such threats, focusing on redundancy, situational awareness, encryption and adequate personnel screening and monitoring. Cyber security, however, also had become a matter of competitiveness for the European industry; care should be taken that buying cheap components such as ‘open source technology’, which is often the basis of ‘New Space’ activities, should not go at the expense of cyber safety and security.

He was followed as a speaker by Mrs. J. Tapio, of the University of Helsinki and of Bird & Bird, who addressed “Cyber Issues in the Commercial Sector”. Her focus was on the interaction between regulation and contracts, especially when it came to legal responsibility and liability for non-availability of data or services in critical (commercial) use cases. Because of the complications resulting from compound chains of communications, as well as the increasing use of machine-to-machine interfaces and artificial intelligence, following the contractual chain would help to determining where along the chain responsibility and liability should lie, for instance as evidenced by extended data security clauses in contracts relevant contracts.

The next speaker was Mr. P. O’Keeffe, of NATO’s Centre of Excellence for Operations in Confined and Shallow Waters, who spoke on “Cyber Security in Space - Global Challenges and Operational Responses”. He clarified how cyber worked as an enabling technology in all four ‘classical’ domains of military operations, while at the same time straddling all four – land, sea, air and outer space. This also crucially made for complexities in applying a single, coherent strategy and approach to the issues arising. He pointed out that the more important cyber security was in a given context, the better (and more expensive) the technology deployed to protect it, by which token the human factor became the weakest link of the chain. Education, dedication and awareness consequently played a major role in mitigating cyber security risks.

The last speaker before lunch, Mrs. A. Jamieson, who worked with iDefense at Accenture on helping governments and other organizations counteract cyber breaches and threats, addressed “Behaviour and Motivation of Cyber-attack Groups and Security Strategies”. She explained how, generally, four motivation groupings were discerned in analyzing and countering cyber security threats: politically motivated, financially motivated, ideologically motivated, and those seeking notoriety – and how determining motivation helps to understand what the attackers are after and how, consequently, to best defend against them. She warned however that attribution continued to be a major problem – and that, with 20 billion devices expected to be connected to the Internet by 2020, for any cyber system an effort to break in is not a question of ‘if’ but of ‘when’.

The afternoon session was chaired by Prof. Dr. A. Kerrest de Rozavel, Vice-Chairman of the Board of ECSL, and was entitled “Towards the Future: How to Address Cyber Threats to Space Activities?”.

The first speaker, Mr. Siim Alatalu of NATO’s Cooperative Cyber Defence Centre of Excellence, addressed “Cyber Security and NATO’s Approach to Cyber Threats”. He explained how cyber threats came to fall within the remit of NATO’s core task, and the escalation ladder of general threats from pacta sunt servanda via internationally wrongful acts and the use of force to armed attack, where the dividing line between where NATO would become involved was between internationally wrongful acts and the use of force. Where exactly that dividing line was to be drawn in the context of cyber threats or interference, would have to be decided on a case by case basis. For instance, in the case of a hacked satellite the question of whether loss of life would result from the hack would likely be decisive.

The next speaker was Prof. Dr. Marco Roscini of the University of Westminster, who analyzed “Cyber Operations and the Use of Force in International Law”. He also addressed the escalation ladder, where he made the crucial distinction between cyber interference aimed at causing damage and that merely constituting intrusion into a system. Also, he pointed out that while currently there might be little justification for considering a cyber ‘attack’ to equate with the ‘use of force’ or even an ‘armed attack’ as per the UN Charter and the law on the use of force, in the future such a conclusion might well come to shift. Finally, he warned against making new law too soon – ‘haste makes waste’; where it may not be possible to understand all ramifications it would be preferable to apply existing rules which would be sufficiently flexible for the time being.

The third speaker was Prof. Dr. Georgios Kyriakopoulos, National and Kapodistrian University of Athens, who spoke on “The Cyber Terrorist Threat in Outer Space: Some Responses Provided by International Law”. He also warned for using terms imprecisely, although he pointed out that in the case of ‘terrorism’ the absence of a general single definition did not prevent it from being adequately addressed by specific treaties in specific contexts – such as aviation and maritime. This might provide a pointer for handling cyber issues in space as well. He then briefed the audience on the two academic fora so far addressing those, the IISL Working Group on Cyber which was making an inventory of the issue, and the MILAMOS project.

The last speaker, Prof. Jack Beard of the University of Nebraska College of Law, Space, Cyber & Telecommunications Law Program, further addressed these issues as he spoke on “International Law Applicable to Military Activities in Outer Space, Cyber Operations and the Shortcomings of the Tallinn Manual.” He emphasized the need to carefully apply international law to a wide spectrum of information operations which may affect space activities and to avoid analysis that begins by labeling diverse uses of information as “cyber weapons.” As the speaker further noted, the approach to, and inconsistent use of, normal concepts in international law such as ‘manuals’, ‘customary international law’, ‘state practice’, use of force’ and ‘(armed) attack’ gave rise to continuing confusion. The most dangerous result thereof would be that the barriers to the use of force in outer space would be considerably lowered: if cyber interference would be so easily equated to the use of force (which no state so far had ever claimed, negating any claim to state practice and/or opinio iuris in this respect) responses which would consist of more classical uses of force might suddenly become legitimate or even lawful.

To conclude, Prof. Von der Dunk then offered some final remarks. He noted, inter alia, the importance in the cyber security-domain of addressing the escalation ladder and trying to arrive at common thresholds for when, for instance, something might turn into a ‘use of force’ and/or trigger certain legitimate reactions; whereas the main area of focus of legal development in the civil cyber domain might well lie in elaborating and spelling out in detail the legal responsibilities and liabilities for breaches of data security to be allocated to various partners in a contractual context. The role of education was highlighted in creating a level of cyber security awareness which, both in the security and in the civil domain, should go some way in preventing threats from emerging alternatively tackling them appropriately, but there was no doubt that with the enormous and ongoing increase of Internet-connected devices the problem would only become larger for the foreseeable future.

Frans G. von der Dunk

 
PS. We will unfortunately not be sharing the PowerPoint presentations from the Practitioners' Forum.