The Uncharted Waters of Cyberspace: Applying the Principles of International Maritime Law to the Problem of Cybersecurity
The Internet poses legal challenges similar to those encountered in maintaining order in the use of the world's oceans. UNCLOS, which imposes law and order in the seas, entered into force based on "the notion that all problems of ocean space are closely related and needed to be addressed as a whole."" Similarly, the Internet is shared globally and the consequences of actions taken by an Internet user in one jurisdiction can be borne globally. As a result, the legal challenges posed by cyberaggression are similar in many respects to the problems posed by piracy and other criminal activity on the high seas. UNCLOS specifically addresses piracy by defining conduct that constitutes piracy178 and describing the duties of all nations with respect to combating piracy.179 For example, UNCLOS balances the territorial jurisdiction of nations with the concept of universal jurisdiction. Article 105 provides that "[o]n the high seas, or in any other place outside the jurisdiction of any State, every State may seize a pirate ship or aircraft" and that "[t]he courts of the State which carried out the seizure may decide upon the penalties to be imposed."180 Moreover, if a vessel engaged in piracy is captured in international waters by a nation that does not have criminal law that applies beyond their territorial borders, other nations that do have such criminal law may prosecute the pirates based on universal jurisdiction.181
If members of the international community were able to develop a convention structured after UNCLOS, mandating international cooperation on cybersecurity and applying universal jurisdiction to acts of cyberaggression, the benefits would be palpable. One such benefit would be an opportunity to create a U.N. agency comparable to the International Maritime Organization (IMO) 210 whose purpose would be to ensure the safety and security of the Internet.
The IMO was created pursuant to the adoption of the Convention on the International Maritime Organization,211 which entered into force in 1958. The purpose of the IMO as stated in Article 1(a) of the Convention is to facilitate cooperation among governments in order to ensure that the "highest practicable standards in matters concerning maritime safety" are in place. The IMO also maintains detailed records of all incidents of piracy,213 which supports the IMO's policy recommendations and efforts to develop new law when the need arises.214 One such legal instrument is Resolution A.738(18), which was intended to facilitate States' duties to cooperate in the repression of piracy under Article 100 of UNCLOS.215 Generally, Resolution A.738(18) encouraged intergovernmental cooperation in all aspects of piracy prevention and solidified the IMO's antipiracy strategy. The IMO's "strategy consist[s] of compilation and distribution of periodical statistical reports, piracy seminars and field assessment missions to regions affected by piracy and the preparation of a code of practice for the investigation and prosecution of the crime of piracy."216
An agency similar in function to the IMO dedicated to tracking incidents of cyberaggression and fostering cooperation between member nations would help to consolidate the international effort to monitor and deter cyberaggression. Moreover, such an agency would help to legitimize the international legal regime that created it, and would provide sound policy rooted in empirical evidence.
The recent cyberattacks on Estonia, Georgia, and Iran demonstrate the shortcomings of both international criminal law governing cybercrime and he absence of international law addressing cyberterrorism and cyberwarfare. In a world where internet commerce is increasingly important to the growth of the global economy, nations cannot afford to shape cybersecurity law unilaterally in furtherance of provincial interests at the expense of a concerted international effort to develop uniform cybersecurity law. As the economic futures of nations become ever more intertwined, international consensus on issues like cyberaggression is essential to global security and economic well-being.
Analogizing cyberthreats to the concerns that spawned cooperation in developing international maritime law is a useful starting point for analyzing and developing an international response that is necessary to meaningfully address global cybersecurity. Without an international agreement that defines the spectrum of cyberaggression, provides for some form of universal jurisdiction over perpetrators, and establishes an international organization focused on cybersecurity policy, the threat to international security posed by cyberaggression will continue to grow. To that end, the mere existence of an international cybercrime tribunal would go a long way toward encouraging cooperation on the development of international norms relating to cybercrime, while allowing nations to retain some level of autonomy in the development and enforcement of domestic cybersecurity policy.
Although international maritime law has not established an international tribunal to prosecute acts of piracy, some experts believe that creating such a tribunal would provide a long-term solution to combating piracy.217 Employing an international tribunal with respect to acts of cyberaggression would ensure that offenses are not treated differently across jurisdictional lines. At the very least, the existence of an international tribunal with universal jurisdiction over acts of cyberaggression would deter such acts and provide a venue for prosecution where nations otherwise often refuse to prosecute such acts. As with piracy, it may be difficult to compel nations to prosecute acts of cyberaggression in the absence of an international tribunal, where the concept of universal jurisdiction confers a right but does not impose an obligation to prosecute such crimes.218 It has been suggested that "while every state should retain the right to redress piracy, the United Nations could create an ad hoc tribunal to have the obligationto redress piracy."219 As has been suggested for handling the prosecution of piracy under UNCLOS, an international agreement addressing acts of cyberaggression could allow nations to retain the right to redress cybercrime, while creating an international tribunal that has an obligation to prosecute cybercrime. This type of tribunal would help to preserve national autonomy, while providing nations and private actors with an international forum for redressing their grievances. Since cybercrime, like piracy, has a large impact on private actors who are often the victims of these types of crimes, allowing private actors to pursue justice via access to an international tribunal would encourage nations to bring domestic policies in line with international standards.220 The availability of an international cybercrime tribunal could also lessen nationalistic resistance to international standards by empowering private actors with the ability to seek international redress for economic injury inflicted by acts of cybercrime.