The Oxford Process on International Law Protections in Cyberspace

What is it?

The Oxford Process on International Law Protections in Cyberspace is an initiative of the Oxford Institute for Ethics, Law and Armed Conflict (ELAC) at the Blavatnik School of Government that was set in motion in May 2020 in partnership with Microsoft. At the core of this initiative lies a collaborative effort between international legal experts from across the globe aimed at the identification and clarification of rules of international law applicable to cyber operations across a variety of contexts. The Oxford Statements on International Law Protections, which have been a major input of the Process in 2020, articulate short lists of consensus protections that apply under existing international law to cyber operations targeting a range of protected objects. Going beyond the generally accepted view that international law applies in cyberspace, the Process analyses how it applies to specific sectors and objects. The Statements articulate both prohibited and prescribed state behaviour in cyberspace, without necessarily spelling out their specific legal basis under international law.

Outcomes

To date, the Process has yielded five Statements:

The latest Statement identifies international obligations applicable to ransomware operations, such as the principles of sovereignty and non-intervention, the Corfu Channel principle, requiring states not to allow their territory to be used for acts contrary to the rights of other states, positive and negative human rights duties and international humanitarian law. It also proposes steps that states may take to discharge these duties in the ransomware context, such as prohibiting ransomware by law, taking feasible steps to stop such operations, mitigating their effects, investigating and punishing those responsible, as well as preventing and suppressing ransom payments to the extent possible.

The fourth Statement lays out both positive and negative obligations of States in respect of ‘information operations and activities’, including disinformation, misinformation, hate speech, and other speech acts that cause physical or non-physical harm to individuals, States, and private entities. With over 110 signatories, the Statement clarifies how States must behave domestically and internationally in the digital information environment pursuant to key principles and rules of international law, such as sovereignty, non-intervention, international human rights law and international humanitarian law. 

The third Statement clarifies how international rules, principles and norms apply to prevent and constrain cyber operations that have adverse consequences for electoral processes, including elections, plebiscites and referenda. It received overwhelming support, with over 160 experts in international law becoming signatories.

The second Statement clarified the extent to which international law protects the development, testing, manufacture, and distribution of a COVID-19 vaccine, and was signed by over 100 international lawyers. It was cited by the Acting Assistant Secretary-General for the UN Office for the Coordination of Humanitarian Affairs during the August 2020 Security Council Arria-formula meeting ‘Cyber Attacks Against Critical Infrastructure’.

The first Statement examined the obligations of states to refrain from cyber operations affecting the healthcare sector and to protect it from a range of online harms. It was signed by over 130 international lawyers and cited by the representative of the Dominican Republic as a model of how international law applies in cyberspace during the May 2020 UN Security Council Arria-Formula meeting.

Aims & Methodology

Unlike previous initiatives that have sought to identify the rules of international law applicable to cyber operations, the Oxford Process takes a contextual approach. Instead of elaborating on the applicable international legal rules in abstracto, it examines the law as it applies to specific objects of protection, such as the healthcare sector and electoral processes. In choosing these specific objects of protection, the team behind the Oxford Process is driven by some of the most pressing needs facing the international community. In 2020, these needs were multifaceted, and they continue to evolve. The healthcare sector, which largely shouldered the burden of the COVID-19 pandemic, was under attack in 2020 with a steady stream of cyber operations against hospitals, pharmaceutical companies, as well as the World Health Organisation. As soon as COVID-19 vaccine development initiatives began, vaccine research, manufacture and distribution facilities became a new target of cyber operations. Cyberattacks have ranged from attempts to steal vaccine and clinical trial data to supply chain disruptions, seriously endangering the worldwide immunisation efforts. Beyond the healthcare context, the Oxford Process focused on the protection of electoral processes. Election insecurity strikes at the core of democracy, and reports of election interference through digital means have now become a pervasive feature of political discourse across jurisdictions.

In May, a two-day virtual workshop at the University of Oxford, co-sponsored by ELAC, Microsoft and the Government of Japan, examined the intersection between cyber operations and COVID-19. During that workshop, it became clear that, while differences may exist regarding how the participants reach certain conclusions on the scope of international law protection, there is widespread agreement on the coverage of that protection. This realisation is what led to the first Oxford Statement, which elaborated these points of consensus on the protection of the healthcare sector. The Oxford Statement on safeguarding vaccine research and the Oxford Statement on foreign electoral interference followed the same process and were published in the aftermath of workshops organised by ELAC.

The discussions generated during these workshops lie at the core of the success of the Oxford Process and the three Statements. With a group of recognised experts from diverse regional and disciplinary backgrounds, each state obligation outlined in the Statements has been subjected to careful review. These workshops greatly benefited from the input of computer scientists, engineers, cryptographers, government advisors and representatives of the private sector. The interdisciplinary focus brought by these experts was of great assistance in discerning the types of harm engendered by cyber operations, the measures currently in place to prevent, mitigate and redress such harm, as well as further measures that would be necessary to ensure effective protection. The Process is an ongoing dialogue between academia, states and the industry, which will continue to generate a research-led debate among those stakeholders.

Global crises create unique opportunities for agreement about the interpretation and application of international law protections, and the crises faced in 2020 opened rare windows of opportunity for clarifying the protective scope of the law. Through the Oxford Statements, it was made clear that international law is neither silent nor powerless in the face of such crises, and that international lawyers have an important role to play in clarifying and disseminating the legal rules that protect us all from harm.

All Oxford Statements remain open for signature by international law scholars. International lawyers who wish to append their name to the statement should send an email to oxfordcyberstatement@gmail.com.