Cyberspace is not a no man’s land. There are rules of international law in place, as well as sanctions and counter-measures incurred by those who violate them. Cyberspace is now recognised as the “fifth domain” where state sovereignty is exercised; so much so that NATO also applies Article 5 of its treaty, the clause of collective defence in the face of aggression by a third state, to the cyber world.
Enforcing rules and good manners in a world still dominated by anarchy is not easy, but putting them in writing is the first key step. Italy did so by publishing for the first time the “Italian position on the applicability of international law in the cyberspace,” a document born of the coordinated efforts of the Foreign Ministry, the presidency of the Council of Ministers (especially the Department for Information and Security) and the Ministry of Defence.
The first novelty: Italy refers back to the UN Charter as the relevant document. In fact, the country is responding to the body’s suggestions, including the final report of the Open-Ended Working Group of the UN General Assembly’s First Commission and the latest report of the Group of Governmental Experts that’s about to land in the Assembly.
Essentially, the Italian strategy says that “cyber wrongful acts from one State to another” constitute improper use of force. These are no mere details: just as is the case with NATO, the Italian government recognises aggression by a foreign State in cyberspace as an attack on its sovereignty.
Thus, in the case of an online attack, Italy reserves the right to “defend itself” and to impose “countermeasures” that “do not involve the threat or use of force,” such as sanctions, in response to “cyber operations that constitute an international wrongful act below the threshold of an armed attack.”
There are well-defined limits. A cyberattack is comparable to an armed attack only “when its scale and effects are comparable to those of a conventional use of force, resulting in physical damage of property, human injury or loss of life,” as well as “significant physical damage of property, human injury and loss of life, or disruption in the functioning of critical infrastructure.”
It is no coincidence that Italian intelligence contributed to the drafting of the document. Especially now that it has outsourced the task of cyber-resilience to the new National Cybersecurity Agency, it must deal with “cyber operations,” including counter-measures (offensive ones among them) to an external attack.
How can one attribute a hacker attack to a given State with certainty? This is a long-standing worry for insiders and the reason why direct accusations are scarce. The best-known one in recent times was levelled by the US government against the Kremlin for interfering in the 2016 presidential elections through the GRU secret services. However, it is not easy to clear the field of doubts: attribution is a “complex matter,” reads the Italian document, and remains a “national sovereign prerogative.”
On the one hand, the document “reaffirms the commitment to multilateralism of a country, Italy, that has an important international legal projection,” according to Ambassador Laura Carpini, head of the Policy and Cyberspace Security Unit at the Foreign Ministry. On the other hand, she told Decode39, “it also confirms the rejection of the use of force as codified in the UN Charter and the right to defend one’s sovereignty.”
It should be noted “how Italy rightly declares that it attaches central importance to the application of the principle of sovereignty in cyberspace, including its ancillary rules, as well as the principle of non-intervention in the internal affairs of a State,” said Stefano Mele, partner and Head of Cybersecurity of the Studio Gianni & Origoni legal firm.
This amounts to “a clear positioning on the very topical issues of influence activities by foreign States” aimed, for instance, at “undermining the ability of a State to safeguard public health during a pandemic or to manipulate the democratic process of electoral voting.” These activities include the lack of control (which is often not accidental) of cybercriminal organisations operating in their own State to the detriment of foreign countries.
The government’s stance on the principle of “due diligence” – that is, the obligation of each State not to allow its territory to be used for acts contrary to the law of other States – is “a clear signal to those governments that continue, even if only through their ‘unintentional’ inaction, to allow well-known criminal organisations to continue to fuel their business through vast cyberattack campaigns,” added Mr Mele.
Finally, the document also touches on human rights – a politically heated and key issue in the competition between the United States and China, including within the cybersphere. In fact, the government states that “each State is bound to protect human rights both on-line and off-line,” including “freedom of opinion and expression, the right to access to information, and the right to privacy.”
This amounts to applying International Humanitarian Law to the cyber domain. “Dedicating an entire paragraph to rights is a deliberate and not obvious choice,” commented Ambassador Carpini. “Italy reiterates its opposition to the use of armed conflicts as a solution to international disputes and replicates in the cyberspace the protections and limits that have been identified, not without difficulty, over the centuries.”