On January 29, 2024, the African Union Peace and Security Council (PSC) unanimously adopted Communiqué 1196 (2024) pursuant to which it adopted the Common African Position on the Application of International Law to the Use of Information and Communication Technologies in the Cyberspace. The Common African Position (CAP) and all four Communiqués that the PSC adopted on this topic can be found here.
The CAP consists of eleven sections. In addition to a preamble and a conclusion, which include important statements of law and policy, it includes sections on the following concepts, rules, or fields of international law: sovereignty, due diligence, non-intervention, the peaceful settlement of disputes, the prohibition on the threat or use of force, international humanitarian law, international human rights law, and the attribution of conduct to states. In addition, the CAP includes a section on capacity-building, which was proposed by Algeria. This section is not framed in terms of rights and obligations under international law, but is a policy statement on international cooperation and technical assistance in the area of cybersecurity.
With the exception of the section on capacity-building, each section of the CAP begins with a restatement of the rules that constitute the doctrinal foundation of the field of international law covered in that particular section followed by a brief discussion on how these rules apply in cyberspace. Section II on sovereignty, for instance, begins by noting that “sovereignty is an attribute of States” and affirming that “[t]he obligation to respect the territorial sovereignty of States is a primary rule that is firmly established in international law.” This is followed by several paragraphs that apply this rule to cyberspace. For example, the CAP states: “[t]he African Union affirms that international law, as it applies to the use of ICTs in cyberspace, does not permit a State to exercise enforcement authority on the territory of a foreign State in response to unlawful cyber activities,” and in the following paragraph it states: “[t]he African Union affirms that by virtue of territorial sovereignty, any unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State is unlawful.” Similarly, Section VI starts by underscoring that “[t]he prohibition on the threat or use of force is a rule of jus cogens and a fundamental and cardinal rule of general international law that is also a cornerstone of the U.N. Charter,” and that “[t]he prohibition on the use of force admits only two exceptions: the use of force in self-defense if an armed attack occurs, and the use of force that is authorized by the UN Security Council acting under Chapter VII of the UN Charter.” This is followed by applications of these rules in cyberspace: “a cyber operation that destroys, inflicts damage, or permanently disables critical infrastructure or civilian objects within a State, may be considered as amounting to a use of force under international law. Similarly, a cyber operation that targets a military asset by destroying, damaging, or deactivating a missile defense system, could constitute a violation of the prohibition on the use of force.”
Given its depth and breadth, there is much to say about the legal reasoning and policy rationale underlying the positions expressed in the CAP. As an instrument that was negotiated and adopted by 55 AU member states, the CAP is a rich source of evidence of opinio juris on a broad range of rules and concepts of international law. In this blogpost, however, I will share some thoughts on the process through which the CAP was developed. This is because, first, the AU’s experience could serve as a blueprint for other regional organizations that might consider formulating similar statements. And second, the way in which the CAP was articulated provides a unique – and hopefully replicable – example of a non-western international organization that successfully brought together a large number of states and a diverse set of experts with different but complimentary professional backgrounds for the explicit purpose of contributing to and shaping international law.
The CAP is the outcome of a multi-stage, multistakeholder process. Naturally, the process was open to all AU member states. Institutionally, it was co-led by two AU organs: the PSC and the AU Commission on International Law. Officials from the relevant departments within the AU Commission, including the Office of the Deputy Chairperson, the Political Affairs and Peace and Security Secretariat, the Office of the Legal Counsel, and the Department of Infrastructure and Energy, also contributed to the process. Other AU bodies that cover policy-areas that relate to cyberspace also participated. In particular, given that the lawfulness of espionage is a contentious question in debates on the application of international law in cyberspace, experts from the Committee of Intelligence and Security Service of Africa (CISSA) were present throughout the process. Furthermore, to broaden participation in the drafting of the CAP and to ensure that it enjoyed greater legitimacy as an expression of African views on international law and cyberspace, several leading African jurists were invited to join the process. These were: Dire Tladi, Makane Mbengue, Erika de Wet, Mamadou Hébié, and Martha Bradley.
The development of the CAP proceeded in two stages. Stage one focused on capacity-building. State representatives and my counterparts who previously served as Special Rapporteurs on this topic in other regional organizations have often noted that capacity constraints are a major obstacle facing states that have attempted to articulate national positions on the application of international law in cyberspace. That is why most national statements on this topic have been issued by western states. Governments of non-western states often have far fewer lawyers and operational experts who can dedicate the necessary time and energy to engage with the complex legal and policy questions posed by the unique nature of cyberspace and cyberoperations. Therefore, our first step was to organize a three-part capacity-building program for African diplomats, experts, and government lawyers. This program, which was funded by and co-organized with Global Affairs Canada, was attended by over 200 participants.
Part one of this capacity-building program was held online in March 2023; part two was held in Addis Ababa in June 2023 for delegates based at the AU headquarters, experts and lawyers from foreign ministries and other government agencies, and officials from the AU Commission; and part three was held in New York in July 2023 for delegates of African states at the UN General Assembly’s First and Sixth Committees. The trainings in this capacity-building program were delivered by Cyber Law International, involving leading scholars in the field, including Michael Schmitt, Liis Vihul, Dapo Akande, and Marko Milanovic. As readers know, Schmitt, Vihul, and Milanovic are the editors of the hugely influential Tallinn Manual, and Akande is a co-founder of the Oxford Process on International Law Protections in Cyberspace. To ensure that the African participants in these training also heard African voices, Professors Mbengue, Hébié, Bradley, and (now) Judge Tladi were also invited to provide critical commentary, questions, and responses to the positions espoused by the Cyber Law International trainers.
Stage two of the process of developing the CAP was the actual drafting of the text. I submitted the first version of the CAP to the AU Commission on International Law in May 2023. The Commission unanimously adopted it on first reading. I then shared this version with Professors Mbengue, Tladi, de Wet, Hébié, and Bradley who provided excellent feedback. Moreover, because the PSC in its first Communiqué on this topic (also available here) instructed me to consult with other stakeholders, I shared this draft with colleagues from international and regional organizations, especially the OAS and the ICRC, and African and non-African legal scholars and technical specialists in the field, who also provided valuable input.
On the basis of this feedback, I prepared a second version of the CAP that was formally circulated to AU member states on June 26, 2023. Moreover, on the final day of the capacity-building trainings that were held in Addis Ababa and New York we held closed-door briefings for the representatives of AU member states on these early drafts of the CAP. Then, on August 24, 2023, the PSC adopted communiqué 1171 (also available here) that welcomed the draft CAP and decided to establish an expert-level working group to review this draft and prepare it for submission to the PSC. This working group consisted of: (1) the PSC Committee of Experts, which are diplomats serving with the missions of the AU member states currently on the PSC; (2) all other AU member states, which ensured that the process was not limited to PSC members; (3) members of the AU Commission on International Law; (4) the relevant departments of the AU Commission; and (5) the African jurists who were involved in the process. As stated in PSC communiqué 1171, the working group was composed in this way to “ensure inclusivity and ownership of the process by all Member States.” The PSC instructed the working group to submit the final version of the CAP to the PSC by December 2023, so that it could be forwarded to the Assembly of the Union.
With financial assistance from the German and UK governments, the expert-level working group met in Tunisia from November 29 – December 1, 2023. During this meeting, the member states achieved consensus on almost the entire document. However, a small number of paragraphs was still outstanding. Therefore, an additional meeting was held on January 9, 2024, during which the remaining paragraphs were discussed, agreed, and adopted. The PSC then met on January 29, and unanimously adopted Communiqué 1196 that formally adopted the CAP and submitted it to the Assembly of the Union.
Looking back, I think that a unique feature of this process was the collaborative and collegial spirit in which it was conducted. This was a process in which the collective expertise and resources of Africa were leveraged. This was especially evident during the meetings of the expert-level working group. The delegations of member states included diplomats, lawyers, military and intelligence officers, engineers from ICT ministries, cybersecurity and operational experts, and academics. Naturally, not every state had experts from all of those fields. However, these experts, while expressing the views of their governments, also offered their political, legal, or technical expertise, which enriched the conversation and advanced the process. For example, when the section on sovereignty was considered, cybersecurity experts from Morocco, which was especially active throughout the process, explained to the diplomats and lawyers the various types of intrusive cyberoperations that could be conducted against African states. Similarly, when due diligence and attribution were discussed, the representatives of Cameroon and Tanzania, who were digital forensics and cybersecurity experts, explained the difference between legal and technical attribution, and highlighted the challenges that could face African states in upholding the obligation of due diligence. This led to an added emphasis in the CAP on the importance of international cooperation to enable states to exercise due diligence and combat malicious or hostile cyberoperations.
Similarly, the active engagement of Judge Tladi and Professors Mbengue, de Wet, Hébié, and Bradley, and the members of the AU Commission of International Law, clarified the complex doctrinal discussions that were ongoing and streamlined the drafting process. The presence of operational experts, especially intelligence officers and the representatives of CISSA, meant that the security dimension of these policy and legal issues was covered. Also, diplomatic experts, some of whom like Ambassador Amr Al-Jowaily, the strategic advisor to Deputy Chairperson of the AU Commission, who represented Egypt in the UN General Assembly First Committee, provided institutional memory on the discussions on cybersecurity at the UN, which reassured the lawyers, academics, and operational officers that the CAP was consistent with the policy interests of African states. In short, the participation of this diverse group of government representatives and other African experts facilitated the negotiations, added to the legitimacy of the process, and created a sense of collective ownership of the CAP.
In conclusion, I should note that I am not oblivious to the reality that the adoption of the CAP reflects the general alignment of political interests between the AU member states on this topic. African states are not the principal targets of hostile cyberoperations nor are they at the forefront of operators that engage in conduct of this nature. However, from a policy perspective, given their young populations and growing economies, African states have an interest in keeping cyberspace open, peaceful, secure, and stable. African states also recognize the importance of protecting their populations and infrastructure against foreign cyberoperations that could infringe on their rights and interests or that might be routed through networks on their territory. From a legal perspective, Africa also has a keen interest in protecting the integrity of the international legal order and preserving the inviolability of the bedrock principles of international law, especially the respect for territorial sovereignty, non-intervention, non-use of force, the peaceful settlement of disputes, and upholding the rules of international humanitarian and human rights law. These considerations facilitated the adoption of the CAP. However, in addition, the manner by which the AU developed and adopted the CAP, especially the engagement of multiple stakeholders and experts, greatly facilitated the negotiating process and contributed to enhancing its legitimacy.
The Common African Position on the Application of International Law in Cyberspace: Reflections on a Collaborative Lawmaking Process
Written by Mohamed HelalOn January 29, 2024, the African Union Peace and Security Council (PSC) unanimously adopted Communiqué 1196 (2024) pursuant to which it adopted the Common African Position on the Application of International Law to the Use of Information and Communication Technologies in the Cyberspace. The Common African Position (CAP) and all four Communiqués that the PSC adopted on this topic can be found here.
The CAP consists of eleven sections. In addition to a preamble and a conclusion, which include important statements of law and policy, it includes sections on the following concepts, rules, or fields of international law: sovereignty, due diligence, non-intervention, the peaceful settlement of disputes, the prohibition on the threat or use of force, international humanitarian law, international human rights law, and the attribution of conduct to states. In addition, the CAP includes a section on capacity-building, which was proposed by Algeria. This section is not framed in terms of rights and obligations under international law, but is a policy statement on international cooperation and technical assistance in the area of cybersecurity.
With the exception of the section on capacity-building, each section of the CAP begins with a restatement of the rules that constitute the doctrinal foundation of the field of international law covered in that particular section followed by a brief discussion on how these rules apply in cyberspace. Section II on sovereignty, for instance, begins by noting that “sovereignty is an attribute of States” and affirming that “[t]he obligation to respect the territorial sovereignty of States is a primary rule that is firmly established in international law.” This is followed by several paragraphs that apply this rule to cyberspace. For example, the CAP states: “[t]he African Union affirms that international law, as it applies to the use of ICTs in cyberspace, does not permit a State to exercise enforcement authority on the territory of a foreign State in response to unlawful cyber activities,” and in the following paragraph it states: “[t]he African Union affirms that by virtue of territorial sovereignty, any unauthorized access by a State into the ICT infrastructure located on the territory of a foreign State is unlawful.” Similarly, Section VI starts by underscoring that “[t]he prohibition on the threat or use of force is a rule of jus cogens and a fundamental and cardinal rule of general international law that is also a cornerstone of the U.N. Charter,” and that “[t]he prohibition on the use of force admits only two exceptions: the use of force in self-defense if an armed attack occurs, and the use of force that is authorized by the UN Security Council acting under Chapter VII of the UN Charter.” This is followed by applications of these rules in cyberspace: “a cyber operation that destroys, inflicts damage, or permanently disables critical infrastructure or civilian objects within a State, may be considered as amounting to a use of force under international law. Similarly, a cyber operation that targets a military asset by destroying, damaging, or deactivating a missile defense system, could constitute a violation of the prohibition on the use of force.”
Given its depth and breadth, there is much to say about the legal reasoning and policy rationale underlying the positions expressed in the CAP. As an instrument that was negotiated and adopted by 55 AU member states, the CAP is a rich source of evidence of opinio juris on a broad range of rules and concepts of international law. In this blogpost, however, I will share some thoughts on the process through which the CAP was developed. This is because, first, the AU’s experience could serve as a blueprint for other regional organizations that might consider formulating similar statements. And second, the way in which the CAP was articulated provides a unique – and hopefully replicable – example of a non-western international organization that successfully brought together a large number of states and a diverse set of experts with different but complimentary professional backgrounds for the explicit purpose of contributing to and shaping international law.
The CAP is the outcome of a multi-stage, multistakeholder process. Naturally, the process was open to all AU member states. Institutionally, it was co-led by two AU organs: the PSC and the AU Commission on International Law. Officials from the relevant departments within the AU Commission, including the Office of the Deputy Chairperson, the Political Affairs and Peace and Security Secretariat, the Office of the Legal Counsel, and the Department of Infrastructure and Energy, also contributed to the process. Other AU bodies that cover policy-areas that relate to cyberspace also participated. In particular, given that the lawfulness of espionage is a contentious question in debates on the application of international law in cyberspace, experts from the Committee of Intelligence and Security Service of Africa (CISSA) were present throughout the process. Furthermore, to broaden participation in the drafting of the CAP and to ensure that it enjoyed greater legitimacy as an expression of African views on international law and cyberspace, several leading African jurists were invited to join the process. These were: Dire Tladi, Makane Mbengue, Erika de Wet, Mamadou Hébié, and Martha Bradley.
The development of the CAP proceeded in two stages. Stage one focused on capacity-building. State representatives and my counterparts who previously served as Special Rapporteurs on this topic in other regional organizations have often noted that capacity constraints are a major obstacle facing states that have attempted to articulate national positions on the application of international law in cyberspace. That is why most national statements on this topic have been issued by western states. Governments of non-western states often have far fewer lawyers and operational experts who can dedicate the necessary time and energy to engage with the complex legal and policy questions posed by the unique nature of cyberspace and cyberoperations. Therefore, our first step was to organize a three-part capacity-building program for African diplomats, experts, and government lawyers. This program, which was funded by and co-organized with Global Affairs Canada, was attended by over 200 participants.
Part one of this capacity-building program was held online in March 2023; part two was held in Addis Ababa in June 2023 for delegates based at the AU headquarters, experts and lawyers from foreign ministries and other government agencies, and officials from the AU Commission; and part three was held in New York in July 2023 for delegates of African states at the UN General Assembly’s First and Sixth Committees. The trainings in this capacity-building program were delivered by Cyber Law International, involving leading scholars in the field, including Michael Schmitt, Liis Vihul, Dapo Akande, and Marko Milanovic. As readers know, Schmitt, Vihul, and Milanovic are the editors of the hugely influential Tallinn Manual, and Akande is a co-founder of the Oxford Process on International Law Protections in Cyberspace. To ensure that the African participants in these training also heard African voices, Professors Mbengue, Hébié, Bradley, and (now) Judge Tladi were also invited to provide critical commentary, questions, and responses to the positions espoused by the Cyber Law International trainers.
Stage two of the process of developing the CAP was the actual drafting of the text. I submitted the first version of the CAP to the AU Commission on International Law in May 2023. The Commission unanimously adopted it on first reading. I then shared this version with Professors Mbengue, Tladi, de Wet, Hébié, and Bradley who provided excellent feedback. Moreover, because the PSC in its first Communiqué on this topic (also available here) instructed me to consult with other stakeholders, I shared this draft with colleagues from international and regional organizations, especially the OAS and the ICRC, and African and non-African legal scholars and technical specialists in the field, who also provided valuable input.
On the basis of this feedback, I prepared a second version of the CAP that was formally circulated to AU member states on June 26, 2023. Moreover, on the final day of the capacity-building trainings that were held in Addis Ababa and New York we held closed-door briefings for the representatives of AU member states on these early drafts of the CAP. Then, on August 24, 2023, the PSC adopted communiqué 1171 (also available here) that welcomed the draft CAP and decided to establish an expert-level working group to review this draft and prepare it for submission to the PSC. This working group consisted of: (1) the PSC Committee of Experts, which are diplomats serving with the missions of the AU member states currently on the PSC; (2) all other AU member states, which ensured that the process was not limited to PSC members; (3) members of the AU Commission on International Law; (4) the relevant departments of the AU Commission; and (5) the African jurists who were involved in the process. As stated in PSC communiqué 1171, the working group was composed in this way to “ensure inclusivity and ownership of the process by all Member States.” The PSC instructed the working group to submit the final version of the CAP to the PSC by December 2023, so that it could be forwarded to the Assembly of the Union.
With financial assistance from the German and UK governments, the expert-level working group met in Tunisia from November 29 – December 1, 2023. During this meeting, the member states achieved consensus on almost the entire document. However, a small number of paragraphs was still outstanding. Therefore, an additional meeting was held on January 9, 2024, during which the remaining paragraphs were discussed, agreed, and adopted. The PSC then met on January 29, and unanimously adopted Communiqué 1196 that formally adopted the CAP and submitted it to the Assembly of the Union.
Looking back, I think that a unique feature of this process was the collaborative and collegial spirit in which it was conducted. This was a process in which the collective expertise and resources of Africa were leveraged. This was especially evident during the meetings of the expert-level working group. The delegations of member states included diplomats, lawyers, military and intelligence officers, engineers from ICT ministries, cybersecurity and operational experts, and academics. Naturally, not every state had experts from all of those fields. However, these experts, while expressing the views of their governments, also offered their political, legal, or technical expertise, which enriched the conversation and advanced the process. For example, when the section on sovereignty was considered, cybersecurity experts from Morocco, which was especially active throughout the process, explained to the diplomats and lawyers the various types of intrusive cyberoperations that could be conducted against African states. Similarly, when due diligence and attribution were discussed, the representatives of Cameroon and Tanzania, who were digital forensics and cybersecurity experts, explained the difference between legal and technical attribution, and highlighted the challenges that could face African states in upholding the obligation of due diligence. This led to an added emphasis in the CAP on the importance of international cooperation to enable states to exercise due diligence and combat malicious or hostile cyberoperations.
Similarly, the active engagement of Judge Tladi and Professors Mbengue, de Wet, Hébié, and Bradley, and the members of the AU Commission of International Law, clarified the complex doctrinal discussions that were ongoing and streamlined the drafting process. The presence of operational experts, especially intelligence officers and the representatives of CISSA, meant that the security dimension of these policy and legal issues was covered. Also, diplomatic experts, some of whom like Ambassador Amr Al-Jowaily, the strategic advisor to Deputy Chairperson of the AU Commission, who represented Egypt in the UN General Assembly First Committee, provided institutional memory on the discussions on cybersecurity at the UN, which reassured the lawyers, academics, and operational officers that the CAP was consistent with the policy interests of African states. In short, the participation of this diverse group of government representatives and other African experts facilitated the negotiations, added to the legitimacy of the process, and created a sense of collective ownership of the CAP.
In conclusion, I should note that I am not oblivious to the reality that the adoption of the CAP reflects the general alignment of political interests between the AU member states on this topic. African states are not the principal targets of hostile cyberoperations nor are they at the forefront of operators that engage in conduct of this nature. However, from a policy perspective, given their young populations and growing economies, African states have an interest in keeping cyberspace open, peaceful, secure, and stable. African states also recognize the importance of protecting their populations and infrastructure against foreign cyberoperations that could infringe on their rights and interests or that might be routed through networks on their territory. From a legal perspective, Africa also has a keen interest in protecting the integrity of the international legal order and preserving the inviolability of the bedrock principles of international law, especially the respect for territorial sovereignty, non-intervention, non-use of force, the peaceful settlement of disputes, and upholding the rules of international humanitarian and human rights law. These considerations facilitated the adoption of the CAP. However, in addition, the manner by which the AU developed and adopted the CAP, especially the engagement of multiple stakeholders and experts, greatly facilitated the negotiating process and contributed to enhancing its legitimacy.
Share this:
Related
Categories
Tags
Leave a Comment
Comments for this post are closed
Comments