Andrene Hutchinson | Responsible state behaviour in the cyberspace

Not long ago, at the end of each month, banking halls were inundated with long lines as persons collected their salaries and encashed cheques. Utility companies were usually crowded, as one had to be present at the office with their wallets with cash to pay bills.

Now the lines have moved on the outside of the banks to automated teller machines, and crowds have moved to websites and mobile applications. Wallets are no longer just bulky leather squares, but can be a cell phone application. Recently, motorists being charged by the police for road traffic offences do not have to wait for a ticket to be written, as one is generated and printed in a jiffy by the new digitised traffic ticket management system. The JCF has even established Jamaica’s first smart police station that has replaced the infamous big books with computerised systems and smart devices.

Digital transformation has enabled individuals, institutions and even governments to communicate and engage with each other in a more efficient way. However, cyberspace comes with many risks, as malicious activities abound. Perpetrators, who are not always easily identified, target not just individuals, but also states and their critical infrastructure.

It is against this background that the United Nations has established a framework of responsible state behaviour in cyberspace consisting of four pillars. This framework promotes responsible conduct by states in the use of information and communications technologies (ICTs).

THE FOUR PILLARS

The first pillar deals with the international law which applies to state conduct in the cyberspace. The second pillar focuses on 11 voluntary non-binding norms which set out what states should and should not do in the digital space. The third and fourth pillars focus on strengthening capacity and implementing confidence-building measures. This framework is aimed at promoting peace and stability online, reducing conflict, building trust, ensuring respect for existing legal rules, and facilitating cooperation.

Since 2004, several Groups of Governmental Experts (UN GGEs) on cybersecurity have been convened. The initial aim of the UN GGE was to study developments in information security. In 2015, 11 norms, or principles, were agreed upon, which set clear expectations of states in order to promote an open, secure, stable, accessible and peaceful ICT environment. This was outlined in the 2015 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. Of the 11 norms, eight refer to actions that should be encouraged by states, and the remaining three are actions to be avoided by states.

The first norm promotes interstate cooperation and security. As such, states are expected to “cooperate in developing and applying measures to increase stability and security in the use of ICTs, and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security”.

STOP CRIME AND TERRORISM

Cooperation is not just limited to security, but is also expected in the drive to stop crime and terrorism. The fourth norm encourages states to “consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs, and implement other cooperative measures to address such threats”.

In the case of ICT incidents which must be anticipated, states are expected to “consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment, and the nature and extent of the consequences”.

A state’s responsibility to protect human rights and privacy also extends to the cyberspace. The fifth norm highlights the importance of states considering Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age.

Critical infrastructure of states, such as that of hospitals and, perhaps, smart police stations ought to be secured, and states should take appropriate measures to protect them from ICT threats. States are expected to encourage responsible reporting of ICT vulnerabilities and respond to appropriate requests by another state whose infrastructure has been affected by malicious acts. Additionally, they “should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products”.

In the same vein, states are expected to avoid certain actions, such as allowing their territory to be used for malicious acts and conducting or supporting activity that would harm the critical infrastructure of another state or its cyber incident response teams.

Jamaica has long acknowledged that ICT is imperative for national development, and malicious acts, in the form of cybercrimes, have the potential of impairing national development. Hence, a national cybersecurity strategy has been published and the Cybercrimes Act and Data Protection Act are in place. Additionally, Jamaica cyber incident response team supports the secure operations of the Government of Jamaica information technology resources and provides support to protect these assets from cyberattacks.

Andrene Hutchinson is a crown counsel and member of the Cybercrimes and Digital Forensics Unit at the Office of the Director of Public Prosecutions. Send feeedback to columns@gleanerjm.com.