The report of the Working Group (WG) on the use of mercenaries as a means of violating human rights and impeding the exercise of the rights of peoples to self-determination was finalized on July 15, 2021 and made publicly available following the General Assembly meeting in September 2021. It calls for urgent attention from States and other relevant stakeholders to prevent further harms and human rights violations based on malicious cyber operations conducted by cyber proxies. In its 2020 report on the evolving forms, trends and manifestations of mercenaries, the WG identified ‘cybermercenaries’ as a contemporary category of actors engaged in mercenary-related activities.
The 2021 report is a thematic study that closely examines the provision of military and security products and services in cyberspace by mercenaries, mercenary-related actors and private military and security companies, and the impact of their actions on human rights. The report reflects on the evolution of the provision of services and activities by these actors, assesses the impacts their activities may have on human rights and examines issues around regulating the provision of cyber capabilities.
The existence of commercially available tools for the disruption of, interference with, degradation or destruction of computer systems or networks and the exfiltration of information is a threat to the safety and stability of cyberspace. Those tools are used to target vulnerable populations such as, but not limited to, human rights defenders, journalists, and dissidents with the aim of causing harm. An escalation of the production and use of these technologies represents a threat to cyberpeace more generally.
The use of mercenaries poses a particular challenge to accountability in cyberspace as it complicates determination of responsibility for an attack, allows for deniability and reduces adherence to agreed responsibilities, making cyberspace even more insecure.
When a state actor carries out an operation to deliberately disrupt, interfere with, degrade or destroy computer systems or networks and cause harm, a prospect and expectation of regulation and accountability exists. State actors are bound by their commitments under international and domestic law and should aspire to conduct themselves based on the established norms of responsible behavior in cyberspace. As the report highlights, “recruiting private actors to provide military and security services in cyberspace does not relieve States of their obligations under international law.” Yet private operations that are run on behalf of state actors in a self-regulated market provide a stress test to states’ will and capacity to monitor and enforce their obligations to respect, protect and fulfil human rights; some deliberately choose to use mercenaries in an attempt to escape accountability.
The CyberPeace Institute commends the Working Group for adopting a broad approach with regard to definitions that apply adequately to cyberspace. Understanding the difficulty of meeting the definition of “mercenary” under the existing international legal framework, the CyberPeace Institute welcomes the report’s focus on actions, activities and actors that impact human rights during conflict and in peacetime. Any cyber operation conducted by an intermediary to deliberately disrupt, interfere with, degrade or destroy computer systems or networks and cause harm should come under scrutiny.
The CyberPeace Institute endorses the explicit identification of groups at risk, which include human rights defenders, migrants, opposition leaders and journalists, and lesbian, gay, bisexual, transgender, intersex and gender non-conforming persons within the context of gender-based violence. We concur on the differentiated and disproportionate impact of mercenary activities on women, children and other groups, as well as the potential of cyber activities to undermine the right to self-determination and commit human rights abuses. While there is a sophisticated targeting process accompanying the deployment of cyber capabilities, the CyberPeace Institute highlights that we can all become victims if such activities lack oversight.
Acknowledging the geostrategic interests that dominate cyberspace, the report takes a first step towards disentangling the complex relations between State actors, non-State actors and private entities. It provides a framework for distinguishing between two types of companies acting as proxies: (1) large technology platforms supporting governments to access information and run surveillance programmes; and (2) smaller companies providing tailored services and specific capabilities for conducting malicious operations.
The WG recognizes that accurate attribution of responsibility to the perpetrators and their clients is a key challenge in this field: it becomes increasingly complex to determine who is responsible when intermediaries are involved, especially as they may move across borders and escape regulatory control and accountability mechanisms. The CyberPeace Institute calls upon both States and non-State actors to attribute cyberattacks as a first step to achieving accountability. Attribution can and should be done at the technical, legal, and political level in order to supply all of the information necessary to provide evidence and create a methodology for public awareness and effective judicial recourse.
The CyberPeace Institute seconds the recommendation for States to “investigate, prosecute and sanction alleged violations of international humanitarian law and human rights abuses by mercenaries, mercenary-related actors and private military and security companies and provide effective remedies to victims” and stands ready to assist in bringing forward the concerns from those who encounter these issues on the ground.
- Cybermercenary activities happen under the purview of States, which triggers due diligence obligations. States also have direct responsibilities to support victims and provide effective remedies when their rights have been violated. We encourage the working group to further explore the avenues for remedy and reparation available to victims.
- The CyberPeace Institute calls for the distinction between offensive and defensive services to be made clearer in the contracts signed by governments and providers, for safeguards and control to be added at the procurement level, and for this information to be made publicly available. Both States and non-State actors should be obliged to at least identify what they consider to be defensive services and effective safeguards, in order for other actors – including nonprofits – to better analyse their impact on society. Transparency is key to assessing individual actions, activities and actors for potential violations of human rights.
- We recommend moving beyond a voluntary reporting commitment to work towards an operational framework that can be used by States to commit to and implement transparency with regard to the contracting of military support services.
- To strengthen accountability, the report needs more clarity over the legal status of military and security services provided in cyberspace in order to determine the potential and actual impact upon human security, dignity, and equity. The obscurity of the cyber capabilities market makes it impossible to track their deployment in practice and eludes attempts to introduce oversight mechanisms, which are needed in order to regulate the use of cyber capabilities themselves. The CyberPeace Institute supports the creation of a binding regulatory framework that can complement the existing legal and voluntary mechanisms as discussed by the Open-ended intergovernmental working group mandated to elaborate the content of an international regulatory framework on the regulation, monitoring and oversight of the activities of private military and security companies.
The call to States to initiate dialogue on new and evolving forms of mercenaries and the risks they pose, including in cyberspace, resonates with the core interest of the CyberPeace Institute in contributing civil society perspectives to address and counter the harm posed by cyber proxies to individuals, communities, and society as a whole. The CyberPeace Institute stands ready to facilitate and contribute to this necessary dialogue.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.