UK approach
The United Kingdom is clear that international law applies in cyberspace, as it does
in all other domains of operation, including the UN Charter in its entirety. In his
speech in May 2018, the then UK Attorney General set out the UK’s view on the
applicability of international law in cyberspace. We reaffirm our commitment to a
free, open, peaceful and secure cyberspace.

The foundation for responsible state behaviour in cyberspace is our mutual
commitment to existing international law, including the respect for human rights and
fundamental freedoms, and the application of international humanitarian law to cyber
operations in armed conflict. We reaffirm that the UN Charter applies in its entirety to
state actions in cyberspace, including the prohibition of the use of force (Article 2(4)),
the peaceful settlement of disputes (Article 33), and the inherent right of states to act
in self-defence in response to an armed attack (Article 51). The law of state
responsibility applies to cyber operations in peacetime, including the availability of
the doctrine of countermeasures in response to internationally wrongful acts.

The UK is also clear why the use of ‘cyber security’ rather than ‘information security’
is an important distinction. ‘Cyber security’ denotes efforts aimed at the preservation
of confidentiality, availability and integrity of information in cyberspace, including the
internet and other networks and forms of digital communication. The term
‘information security’ may cause potential confusion as it is used by some countries
and organisations as part of doctrine regarding information itself as a threat against
which additional protection is needed.

It is also important to ensure cyber security efforts are not used to impose
restrictions on freedom of expression beyond those in accordance with the Universal
Declaration of Human Rights and ICCPR; the rights people enjoy offline must also
be protected online.

The UK’s approach to cyber deterrence has four principles. First, we will always seek
to discover which state or non-state actor was behind any malign cyber activity.
Secondly, we will respond. That could include public attribution, in concert with
partners, exposing not only who carried out the action but, so far as possible, how it
was done, thereby helping the cyber security industry to develop protective
measures. Thirdly, we will aim to prosecute those who conduct cybercrime,
demonstrating they are not above the law. And finally, with partners, we will consider
further steps, consistent with international law, to make sure we don’t just manage
current cyber attacks but deter future ones as well.