Cyber-space is no man’s land. There are rules of international law to be respected, sanctions and counter-measures that those who violate them incur. It is now recognized as a “fifth domain” where state sovereignty is exercised, so much so that NATO also applies article 5 of its treaty, the clause of collective defense in the face of aggression by a third state, to the cyber world.
Of course, applying rules and good manners in a world still dominated by anarchy is not easy. Putting them in black and white is a first, important step. Italy did so by publishing for the first time the “Italian position on the applicability of international law to the cyber space”. A document born after the unanimous effort of the Farnesina, the presidency of the Council of Ministers, in particular the Dis (Department for Information and Security), and the Ministry of Defense. Objective: to draw up an Italian road map for the governance of cyberspace.
The first news: Italy brings it back under the hat of the UN charter. And in fact the document of the Italian government responds to some recommendations of the UN. Starting from the final report of the Open Ended Working Group of the First Commission of the UN General Assembly which in two years, between 2019 and 2021, discussed international law and information technologies, and from the latest report of the Gge (Group of governmental experts) which is about to land in the Assembly.
But what the Italian strategy essentially says
That “a cyber operation of one state against another state” constitutes “the use of force”. These are not details: just as in the case of NATO, the Italian government recognizes an aggression by a foreign state in cyberspace as an attack on its sovereignty. Hence the necessary consequence: in the case of an online “armed attack” by another State, Italy has the right to “self-defense”. And it has the right to impose “countermeasures” that “do not involve the threat or use of force”, for example sanctions, in response to “cyber operations that constitute a hostile international act that does not exceed the limit of an armed attack”.
There are obviously well-defined limits in the strategy. A cyber attack is comparable to an armed attack only when “the scale and effects are comparable to those of conventional armed attacks, with significant damage to property, and the injury or loss of life, as well as the destruction of critical infrastructure “. It is no coincidence that intelligence also worked on the drafting of the document. That, even more so now that it has “contracted out” the task of “cyber-resilience” to the new National Cybersecurity Agency (Acn), it must deal with “cyber operations”, including counter-measures (yes, offensive) to a external attack.
Yes, but how to ascribe a hacker attack to a state with certainty
It is an ancient worry for insiders. The direct accusations can be counted on the fingers of one hand, the best known in recent times and the one made by the US government in the Kremlin for interference in the 2016 presidential elections through the secret services of the GRU. However, it is not easy to clear the field of doubts: the attribution “is a complex affair”, we read in the Italian document, and remains “a national prerogative”.
The document “reaffirms on the one hand the commitment to multilateralism of a country, Italy which has an important international legal projection – explains Ambassador Laura Carpini to Formiche.net, United Head for the policies and security of the cyber space of the Farnesina – on the other hand confirms the refusal of the use of force codified in the Charter of the United Nations and the right to defend one’s sovereignty ”.
It should be noted “how Italy rightly declares that it attaches central importance to the application of the principle of sovereignty in cyberspace, including its ancillary rules, as well as the principle of non-intervention in the internal affairs of a state”, says Stefano Apples, partner and Head of Cybersecurity of Studio Gianni & Origoni – A clear signal of positioning on the very topical issues of influence activities by foreign states aimed, for example, at undermining the ability of a state to safeguard public health during a pandemic or to manipulate the democratic process of electoral voting “.
These activities include the lack of control, often not accidental, of cyber criminal organizations that operate in their own state to the detriment of foreign countries. The government’s stance on the principle of “due diligence”, ie the obligation of each State not to allow its territory to be used for acts contrary to the law of other States, is “a clear signal to those governments that they continue, even if only through their “unconscious” inaction, to allow more than well-known criminal organizations to continue to fuel their business through vast cyber attack campaigns ”, adds Mele.
But Italy also has its say on human rights. A politically hot and central passage in the competition between the United States and China also in the cyber field. In fact, the document declares that “every state is obliged to protect human rights both online and offline”, and among these “freedom of opinion and expression, the right to access information, the right to privacy”. That is, it applies International Humanitarian Law to the cyber domain. “Dedicating an entire paragraph to rights is a deliberate and not obvious choice”, comments Ambassador Carpini. “Italy reiterates its opposition to the use of armed conflicts as a solution to international disputes and replicates in the cyber space the protections and limits identified, not without difficulty, over the centuries”.
