Hostname: page-component-cd9895bd7-gvvz8 Total loading time: 0 Render date: 2024-12-28T18:38:08.877Z Has data issue: false hasContentIssue false

Global cybersecurity governance: A constitutionalist analysis

Published online by Cambridge University Press:  22 March 2018

INGOLF PERNICE*
Affiliation:
Alexander von Humboldt Institute of Internet and Society, Französische Straße 9, 10117Berlin, Germany

Abstract:

With the progressive digitisation and use, in particular, of the internet of things and artificial intelligence by industries, commerce, financial services, science and education, the public administration, health services as well as individuals, our society and daily life gets more and more dependent on the security of the net: cybersecurity. The new risks are self-made, a threat to almost everybody and new in kind. And they have a global dimension. For the difficulty of attribution of cyber attacks traditional concepts of deterrence and defence are not a solution. Given the new conditions of the ‘digital constellation’ this article aims at exploring instruments and methods of cybersecurity governance in a broad sense, learning from internet governance and taking a constitutional perspective. It is based upon shared responsibility, resilience and citizens’ participation in the making and future application of an inclusive global rule-making system. Multi-stakeholder mechanisms are combined with deliberative processes, standardisation and legislative action. In accordance with the principles of global constitutionalism this new framework of global rule generation would emerge as a common democratic instrument of people to meet common challenges in addition and complementary to action for cybersecurity at the local, regional, national and supranational levels.

Type
Research Article
Copyright
Copyright © Cambridge University Press 2018 

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 For the case of the European Union see Pernice, I, ‘E-Government and E-Democracy: Overcoming Legitimacy Deficits in a Digital Europe in Papadopoulou, L, Pernice, I and Weiler, JHH (eds), Legitimacy Issues of the European Union in the Face of Crisis (Nomos, Baden-Baden, 2017) 287.Google Scholar

2 Pernice, I, ‘Global Constitutionalism and the Internet: Taking People Seriously’ in Hofmann, R and Kadelbach, S (eds), Law Beyond the State: Past and Futures (Reihe des Frankfurter Exzellenzclusters, Campus-Verlag, Frankfurt am Main, 2016) 151.Google Scholar

3 Ibid 176–84.

4 See Solon, O and Hern, A, ‘‘Petya’ Ransomware Attack: What Is It and How Can It Be Stopped?’ The Guardian (29 June 2017) at <https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how>>Google Scholar.

5 Wanka, J, Opening speech at the conference of 14 February 2017 on ‘Selbstbestimmt und sicher in der digitalen Welt at <www.bmbf.de/de/selbstbestimmt-und-sicher-in-der-digitalen-welt-3906.html>>Google Scholar.

7 German Ministry of Defence, Press release of 30 March 2017: ‘Bundesministerin der Verteidigung stellt neues Kommando Cyber- und Informationsraum auf’ at <www.bmvg.de/resource/blob/10780/c868d16eae69008e936b6da227518020/30-03-17-bundesministerin-der-verteidigung-stellt-neues-kommando-cyber-und-informationsraum-auf-data.pdf>>Google Scholar.

8 Wanka (n 5).

9 Regarding the case of China see Goldsmith, J and Wu, T, Who Controls the Internet? Illusions of a Borderless World (OUP, Oxford, 2006) 87–104, 183–4.CrossRefGoogle Scholar See, on the other hand, Mueller, M, Will the Internet Fragment? (Polity Press, Cambridge, 2017) 3641, 60, 96–9.Google Scholar

10 Mueller (n 9) 44–8, explaining this with the ‘network effect’.

11 For the development and elements of self-constitution see Viellechner, L, Transnationalisierung des Rechts (Velbrück, Weilerswist, 2013) 128–43, 257–64Google Scholar. The originally established stewardship of the US government ended 1 October 2016, see ICANN Announcements of this date ‘Stewardship of IANA Functions Transitions to Global Internet Community as Contract with U.S. Government Ends’ at <https://www.icann.org/news/announcement-2016-10-01-en>.

12 Goldsmith and Wu (n 9) 49–63 (‘Why Geography Matters’) and 65–85 (‘How Governments Rule the Net’).

13 Regarding platform responsibility for criminal content on social networks see the 2017 German ‘Netzdurchsetzungsgesetz’ (Act to Improve Enforcement of the Law in Social Networks – BMJV), at <https://www.bmjv.de/SharedDocs/Gesetzgebungsverfahren/Dokumente/NetzDG_engl.pdf?__blob=publicationFile&v=2>.

14 With a warning: Donahoe, E, ‘Don’t Undermine Democratic Values in the Name of Democracy’ at <https://www.the-american-interest.com/2017/12/12/179079/>>Google Scholar. For an initiative of China, Russia and others at the UN to establish an ‘international code of conduct for information security’ see Müller (n 9) 82, and the Letter dated 9 January 2015 (UNGA Doc A/69/723 of 13 January 2015), with an updated version of the draft. The Shanghai Cooperation Organisation continues discussing the initiative, see the SCO website at <http://eng.sectsco.org/news/20170204/209441.html>.

15 This is the proposition of the very deep 2006 analysis of Goldsmith and Wu (n 9) 184.

16 Mueller (n 9) 11, finding the mismatch between global cyberspace and the territorial state ‘nowhere … more evident than in the domain of cybersecurity’.

17 Ibid 71–104, concluding that even ‘alignment is an illusion’ (ibid 103–4).

18 See Stone, J, ‘Theresa May says the internet must now be regulated following London Bridge terror attack’ Independent (4 June 2017) with the explanation: ‘We cannot allow this ideology the safe space it needs to breed – yet that is precisely what the internet, and the big companies that provide internet-based services provide, Ms May said’, at <http://www.independent.co.uk/news/uk/politics/theresa-may-internet-regulated-london-bridge-terror-attack-google-facebook-whatsapp-borough-security-a7771896.html>>Google Scholar.

19 Habermas, J, The Postnational Constellation: Political Essays (Polity Press, Cambridge, 2001).Google Scholar

20 The term was coined by Pernice, I, ‘Risk Management in the Digital Constellation – A Constitutional Perspective’, IDP Conference Barcelona (30 June 2017) HIIG Discussion Paper Series No. 2017-07, at <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3051124> 10–14+10–14>Google Scholar.

21 For explanation of these terms see e.g. Digital Attack Map, ‘What is a DDoS Attack?, at <https://www.digitalattackmap.com/understanding-ddos/>: ‘A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources’; Techtarget, ‘Botnet’ at <http://searchsecurity.techtarget.com/definition/botnet>: ‘The term botnet is derived from the words robot and network. A bot in this case is a device infected by malware, which then becomes part of a network, or net, of infected devices controlled by a single attacker or attack group’.

22 Bannelier, K and Christakis, T, Cyber-Attacks – Prevention-Reactions: The Role of States and Private Actors, Les Cahiers de la Revue Défense Nationale (Paris 2017) 11Google Scholar: ‘the extreme complexity of the problem, marked by the great diversity of the actors involved: potential perpetrators of cyber-attacks (States, ‘‘proxies’’, private actors supported or tolerated by States, terrorists, cybercriminals, companies conducting espionage or wanting to gain a competitive advantage, individual hackers, patriotic hacker groups, etc.); potential victims of attacks (States, administrations and communities, companies, media, individuals, etc.); those involved in these attacks (e.g. the States through which cyber-attacks transit, companies and individuals whose systems are used by the attackers without the knowledge of the owners); and, finally, those to be potentially involved in a response to a cyber-attack (States, private companies acting for their own benefits, private companies undertaking a response on behalf of another company, etc.)’.

23 For a conceptualisation of governance as ‘flexible coordination’ see Hoffmann, J, Katzenbach, C and Gollatz, K, ‛Between Coordination and Regulation: Finding the Governance in Internet Governance’ (2016) New Media & Society, also at <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2836068>Google Scholar 19: ‘Governance, we propose, should be defined as coordinating coordination or reflexive coordination, because it questions and potentially redefines the rules of the game.’

24 For the concept see von Lucke, J, ‘Wie uns die intelligente Vernetzung zum Leitbild ‘‘Verwaltung 4.0’’ und einem smarten Regierungs- und Verwaltungshandeln führt’ Whitepaper (14 September 2015) at <https://www.zu.de/institute/togi/assets/pdf/ZU-150914-SmartGovernment-V1.pdf>>Google Scholar, and id, ‘Deutschland auf dem Weg zum Smart Government – Was Staat und Verwaltung von der vierten industriellen Revolution, von Disruptionen, vom Internet der Dinge und dem Internet der Dienste zu erwarten haben’ in (2016) Verwaltung und Management 171–86. M Flügge et al., ‘Public IoT: Das Internet der Dinge im öffentlichen Raum’ at <http://publica.fraunhofer.de/eprints/urn_nbn_de_0011-n-4047629.pdf>. Djeffal, C, ‘Leitlinien der Verwaltungsnovation und das Internet der Dinge: Vom E-Government Zum Smart Government durch Verfassung, Gesetz, Organisation und Strategie’ (Principles of Renewing Public Administration by the Internet of Things) (13 April 2017) at <https://ssrn.com/abstract=2952494>>Google Scholar.

25 Industry representatives, though, claimed at the international conference titled ‛Construire la paix et la sécurité internationales de la société numérique’ at UNESCO in Paris on 6–7 April 2017 (<https://www.ssi.gouv.fr/uploads/2017/03/jesuisinternet-today_programme_20170404.pdf>) that the capabilities exist to technically retrieve the origin of a cyber-attack, but they would not give any names, for the offender may be their own client (some capability of this kind seems also to be behind the proposal of Microsoft, referred to in n 40 below).

26 Private IT undertakings, however, claim that they are able to attribute cyber-attacks, and offer a public–private partnership. See the account by Bannelier and Christakis (n 22) 57–8, stating, however: ‘this occult and informal “partnership” in attribution is, as it has been pointed out correctly, tenuous and even dangerous’.

27 Interestingly, it is the renowned expert of constitutionalism Häberle who qualifies the ‘spaces of the internet today as a partially law-free “status naturalis” to be developed into a “status culturalis”’ (my translation); see Häberle, P, ‘Stichworte zum heutigen Konstitutionalismus – eine deutsche Sicht’ in Häberle, Vergleichende Verfassungstheorie und Verfassungspraxis. Letzte Schriften und Gespräche (Duncker & Humblot, Berlin, 2016) 15, 25CrossRefGoogle Scholar.

28 I Pernice, ‘European Constitutionalism and the Constitutions of the Member States. Implications for Brexit’ (2017) Coimbra Faculty of Law Bulletin (available as: WHI-paper 01/2017).

29 For the concept borrowing from Jürgen Habermas’ concept of ‘postnational constellation’ see Pernice, I, ‘Risk Management in the Digital Constellation – A Constitutional Perspective’ (2018) IDP: Revista d’Internet, Dret i Política (forthcoming)Google Scholar.

30 Bannelier and Christakis (n 22) 13, 16.

31 For a definition with more details see the Technical Report of the ITU-T Telecommunication Standardisation Sector of ITU, Focus Group on Smart Sustainable Cities (2/2015) 2, at <https://www.itu.int/en/ITU-T/focusgroups/ssc/Pages/default.aspx>.

32 Discussing arguments pro and contra hack-backs: Bannelier and Christakis (n 22) 60–7. With regard to ‘wild’ hack-backs by private parties in particular see ibid 68–71.

33 For recommendations to this effect of the US Department of Homeland Security see <https://ics-cert.us-cert.gov/Recommended-Practices>.

35 A start-up called Deutsche Cyber Sicherheitsorganisation; see <https://dcso.de/>.

36 Finneran Dennedy, M, Fox, J and Finneran, TR, ‘The Privacy Engineer’s Manifesto. Getting from Policy to Code to QA to Value’ (2014) at <https://link.springer.com/book/10.1007%2F978-1-4302-6356-2>Google Scholar.

37 See the blog post of the speech of Brad Smith at <https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.0000pqr5pplgte46q5j12kemuejwn>. For the document see Microsoft, ‘A Digital Geneva Convention to Protect Cyberspace’ at <https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QH>.

38 Microsoft, ‘A Tech Accord to Protect People in Cyberspace at <https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW6iCh>.

39 Microsoft, ‘An Attribution Organisation to Strengthen Trust Online’ at <https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QI>.

40 Ibid.

41 For other instruments: Microsoft, ‘Cybersecurity Policy for the Internet of Things’ 13–17, at <https://mscorpmedia.azureedge.net/mscorpmedia/2017/05/IoT_WhitePaper_5_15_17.pdf>.

42 Online-Durchsuchungen, judgment of 27 February 2008, BVerfGE 120, 274, English translation at <http://www.bverfg.de/e/rs20080227_1bvr037007en.html>.

43 Ibid, paras 262ff.

44 ECJ Judgment of 15 February 2016, case C-161/15 – PPU ECLI:EU:C:2016:84, paras 47–53.

45 ECJ Judgment of 8 April 2014, cases C-293/12 and C-594/12 – Digital Rights Ireland and Others, EU:C:2014:238, para 44.

46 For this interpretation see Leuschner, S, Vom Grundrecht zum Grundsatz. Sicherheit als Schutzgut der europäischen Grundrechtecharta – eine grundrechtsdogmatische Rekonstruktion und ihre Folgen für die Sicherheit im Cyberraum (Mohr Siebeck, Tübingen, 2017).Google Scholar On positive obligations of states arising from the human rights in the ECHR see Krieger, H, ‘Positive Verpflichtungen unter der EMRK: Unentbehrliches Element einer gemeineuropäischen Grundrechtsdogmatik, leeres Versprechen oder Grenze der Justiziabilität?’ in (2014) 74 Zeitschrift für ausländisches öffentliches Recht und Völkerrecht 187–213, also at <http://www.zaoerv.de/74_2014/74_2014_2_a_187_214.pdf>>Google Scholar.

47 For an overview of the German legislation see Djeffal, C, ‘La cybersécurité en Allemagne’ Revue de droit allemande (2017) at <http://www.droit-allemand.org/>Google Scholar. See also Leisterer, H, Internetsicherheit in Europa: Zur Gewährleistung der Netz- und Informationssicherheit durch Informationsverwaltungsrecht (Mohr Siebeck, Tübingen, 2017)Google Scholar.

48 For details, problems and limits see Haase, A, Bekämpfung der Computerkriminalität im Raum der Freiheit, der Sicherheit und des Rechts. Kompetenzen, Harmonisierungen und Kooperationsperspektiven’ (Mohr Siebeck, Tübingen, 2017)Google Scholar.

49 An attempt to counter this is section 13(7) TMG (the law on telemedia –Telemediengesetz – TMG) providing for the duty of the telemedia and, in particular internet providers, to take appropriate measures on cybersecurity in accordance with the best available technologies.

50 See the report on a leaked document preparing for meeting of the EU Ministers of the Interior: ‘Beschlusspapier der Innenministerkonferenz: Plan gegen Spionage im Kühlschrank’ in RP Online (23 May 2017) <http://www.rp-online.de/politik/deutschland/innenminister-planen-it-guetesiegel-fuer-smart-home-geraete-aid-1.6838817>.

51 Bannelier and Christakis (n 22) 10.

52 See section (1) phrase 3 N° 8 of the G10-law (G10 Gesetz). See also section 6 of the Law on the Foreign Intelligence Service (BND-Gesetz), with regard to communications and information from foreign countries. For a critical analysis see Wetzling, T, ‘Germany’s Intelligence Reform: More Surveillance, Modest Restraints and Inefficient Controls’ SNV Policy Brief (June 2017) at <https://www.stiftung-nv.de/sites/default/files/snv_thorsten_wetzling_germanys_foreign_intelligence_reform.pdf>>Google Scholar.

53 Macron, E, ‘Humboldt Speech’ in Berlin on 10 January 2017 (<https://www.rewi.hu-berlin.de/de/lf/oe/whi/FCE/2017/rede-macron>>Google Scholar): ‘We must also create a common intelligence system, overcoming national reluctance, that enables an effective tracking of criminals and terrorists, and, in the longer run, a common police force against organised crime and terrorism. We must face together, without being naive, the actual threats of the virtual world, cyberterrorism as well as any type of cyberattack’.

54 Originally based on a Russian initiative, the UNGA Resolution 53/70 on ‘Developments in the Field of Information and Telecommunications in the Context of International Security’ at <http://undocs.org/A/RES/53/70>. See the latest UNGA Resolution 68/243 of 9 January 2013: Developments in the field of information and telecommunications in the context of international security, <http://www.un.org/ga/search/view_doc.asp?symbol=A/RES/68/243>.

55 See the overview of national reports at <https://www.un.org/disarmament/topics/informationsecurity/>. The latest examples of GGE reports to the UN Secretary General are the Report of 22 July 2015 at <http://undocs.org/A/70/174> and the Report of 19 July 2016 at <http://undocs.org/A/71/172>.

56 See Valeriano, B and Pytlak, A, ‘Cyber Security and the Coming Failure of the UN’s Group of Governmental Experts’ in Foreign Policy & Defense (31 August 2016) at <https://niskanencenter.org/blog/cyber-security-coming-failure-uns-group-governmental-experts/>>Google Scholar.

57 Resolution 64/211. Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures (21 December 2009) at <https://ccdcoe.org/sites/default/files/documents/UN-091221-CultureOfCSandCI.pdf>. Similarly already the UN General Assembly Resolution 58/199 at <http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/58/199>.

58 GA Res 70/237 of 23 December 2015, point 5. For a critical comment see Korzak, E, UN GGE on Cybersecurity: The End of an Era? The Diplomat (31 July 2017) at <https://thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-and-russia-just-made-cyberspace-less-safe/>>Google Scholar.

60 See ITU-T Telecommunication Standardisation Sector of ITU, Focus Group on Smart Sustainable Cities (2/2015), link to pdf file at <https://www.itu.int/en/ITU-T/focusgroups/ssc/Pages/default.aspx>.

62 Para 1(a) reads: ‘Each State Party undertakes to promote the culture of cyber security among all stakeholders, namely, governments, enterprises and the civil society, which develop, own, manage, operationalize and use information systems and networks. The culture of cyber security should lay emphasis on security in the development of information systems and networks, and on the adoption of new ways of thinking and behaving when using information systems as well as during communication or transactions across networks.’ In February 2018 10 of 54 contracting parties have signed the Convention, one ratification so far, see at <https://au.int/sites/default/files/treaties/29560-sl-african_union_convention_on_cyber_security_and_personal_data_protection_1.pdf>.

63 See the text referred to (n 37).

64 See the report of 18 December 2017 by DigitalWatch, ‘High-Level Thematic Session: Shaping our Future Digital Global’ at <https://dig.watch/sessions/high-level-thematic-session-shaping-our-future-digital-global-governance>.

65 See Article 8 of the Convention and the Decisions on non-compliance in Handbook for the Montreal Protocol at <http://www.efcc.eu/media/1079/2016-ods-montreal_protocol-handbook.pdf> 348–473.

66 Article 15 of the Convention on Access to Information, Public Participation in Decision-Making and Access to Justice in Environmental Matters, and the Guide to the Åarhus Convention Compliance Committee, at <http://www.unece.org/fileadmin/DAM/env/pp/compliance/CC_Guidance/Guide_to_the_ACCC_for_CC56_clean.pdf>.

67 Bannelier and Christakis (n 22) 82.

68 See (n 23).

70 One of the best practice forums at IGF 2016, however, was on cybersecurity: see Chair St. Amour at the preparatory 2017 MAG meeting day 3, at <http://www.intgovforum.org/multilingual/content/igf-2017-first-open-consultations-and-mag-meeting-day-3>.

71 See Kummer, M in the preparatory consultations: ‘cybersecurity, as we all know, has really been an issue that has come to the fore’ at: <http://www.intgovforum.org/multilingual/content/igf-2017-first-open-consultations-and-mag-meeting-day-1>>Google Scholar. See also Kummer’s statements at the 2017 MAG meeting day 3 (n 70), where he said that ‘cybersecurity is an issue which is high on the agenda and it was also highlighted in the GA resolution which extended the IGF’s mandate, so it is definitely, I think, an issue that is of interest to the broader community’.

72 See the EU website on New Approach Standardisation in the Internal Market, at <http://www.newapproach.org/>, and J Pelkmans, ‘The New Approach to Technical Harmonization and Standardization’ (1987) 25 Journal of Common Market Studies 249.

73 See section III.

77 Schmitt, MN (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare. Prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence (Cambridge University Press, Cambridge, 2013) at <https://www.peacepalacelibrary.nl/ebooks/files/356296245.pdf>Google Scholar.

78 For some comments on this impressive document see Pernice, I, ‘Vom Völkerrecht des Netzes zur Verfassung des Internets: Privacy und Digitale Sicherheit im Zeichen eines schrittweise Paradigmenwechsels’ in HIIG Discussion Paper Series No. 2017-02CrossRefGoogle Scholar at <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2959257> 14–21.

79 See <http://assets.cambridge.org/97811071/77222/frontmatter/9781107177222_frontmatter.pdf>. According to the advertising of CUP, ‘it addresses such topics as sovereignty, state responsibility, human rights, and the law of air, space, and the sea. Tallinn Manual 2.0 identifies 154 ‘black letter’ rules governing cyber operations and provides extensive commentary on each rule.’ On the same questions see also Bannelier and Christakis (n 22) 49–54.

80 For the theoretical basis and an outline of the processes see Pernice (n 2) and I Pernice, ‘E-Democracy, the Global Citizen, and Multilevel Constitutionalism’ in Prins, C et al. (eds), Digital Democracy in a Globalised World (Edward Elgar, Cheltenham, 2017) 27CrossRefGoogle Scholar.

82 See section 4 (with n 72).

83 Mueller (n 9) 125–51.

84 Ibid 130, 131–7.

85 Ibid 142, 144–5, inspired by Perry Barlow’s Declaration of Independence of Cyberspace (ibid 149).

86 For the concept originally: Pernice, I, ‘Constitutional Law Implications for a State Participating in a Process of Regional Integration. German Constitution and “Multilevel Constitutionalism”’ in Riedel, E (ed), German Reports on Public Law Presented to the XV International Congress on Comparative Law (Nomos, Baden-Baden, 1998) 40Google Scholar.

87 See Pernice, I, ‘The Global Dimension of Multilevel Constitutionalism: A Legal Response to the Challenges of Globalisation’ in Dupuy, PM et al. (eds), Völkerrecht als Wertordnung/Common Values in International Law: Festschrift für/Essays in Honour of Christian Tomuschat (NP Engel, Arlington, VA, 2006) 973.Google Scholar

88 For more details see Pernice (n 80) 37–44.

89 With regard to Article 6 of the European Charter of Fundamental Rights and Article 6 of the ECHR see Leuschner, Vom Grundrecht zum Grundsatz (n 46).