Edward Snowden may have exposed countless secrets about the way governments are conducting cyber espionage on their own citizens and each other, but even he couldn’t have been aware that as the National Security Agency/Prism scandal broke this past summer, Aaron Shull was quietly figuring out where the legal boundaries of online spying should lie.
In August, Shull was appointed counsel and corporate secretary at the Centre for International Governance Innovation, a Waterloo, Ont.-based think-tank founded by former co-CEO of Research In Motion Jim Balsillie. Besides the more traditional duties expected of an in-house lawyer and corporate secretary, Shull’s appointment has also seen him jump head-first into CIGI’s Global Security Program, contributing research that explores the legality of cyber espionage and the rules of attribution and state responsibility for offensive cyber activities.
In October, for example, Shull travelled to Bali, Indonesia, where he presented a paper on cyber espionage and international law at the Global Internet Governance Academic Network (GigaNet). While the media was filled with headlines about Canada reportedly spying on Brazil and the United States monitoring German Chancellor Angela Merkel’s mobile phone, Shull was making an argument that these activities may be even more legally contentious than most people realize.
“The first question around cyber espionage is, is it illegal? And most people would tell you no,” he says. “All you have to do is look at state practice. Countries spy on each other routinely, and as a consequence of that practice there are no rules prohibiting it.”
You could even go one step further, Shull says, and look at a famous case involving the SS Lotus which was put before the Permanent Court of International Justice in 1927. It was a jurisdictional dispute between the French and Turkish governments involving the collision of two steamships. Though many of the details have been forgotten, it gave rise to the Lotus principle, which says sovereign states may act in any way they wish so long as they do not contravene an explicit prohibition.
Shull has a different take. His paper points to the 1970 Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States in Accordance with the Charter of the United Nations. Better known as the Friendly Relations Declaration, it was used by the International Court of Justice in The Republic of Nicaragua v. The United States of America to prohibit any form of interference with the political, economic, and cultural elements of another state.
“That’s a starting point: We now know that there’s a rule in international law that prohibits foreign interference. Then the question becomes, do international acts of cyber espionage offend that rule?” Shull asks. “And if they do, well then, it should be rightly considered illegal, notwithstanding that states routinely engage in it.”
Unfortunately, the problems don’t end there, Shull says. “The rule itself is amorphous, it’s hard to understand and it doesn’t place clear constraints on state behaviour,” he says. “Now what you’re seeing is countries like the United States and China working in a bilateral form to try and articulate what the rules should be.”
In response, one of Shull’s next tasks is to put together a high-level panel of experts that will hold a series of meetings over the next few months to explore these issues in greater detail. A web site, OurInternet.org, provides a consultative mechanism to other stakeholders and a report with recommendations around Internet government will be tabled before the next World Summit on the Information Society in 2015.
“In my own view, the question is, can we meet all of the competing interests?” Shull asks. “Governance is a series of counterbalancing trade-offs. How do we balance these and put a view forward where the Internet has responsible governance, is stable, encourages innovation, economic growth, free speech, and human rights? This is the challenge. I think it’s one of the challenges of our generation.”
Shull has been able to move so quickly on these issues in part because they build upon research he had already been doing during his studies at Columbia Law School, where he attained his LLM and graduated as a Harlan Fiske Stone scholar. He says he was always interested in the notion of the Internet as a weapon, and pursued research in cyber security and cyber espionage long before Snowden’s revelations came to light.
“I didn’t know when I was focused on those discrete issue areas how complicated this space was, how many interests are involved, and how many actors are involved,” he says. “As I transition into this role, I’m starting to appreciate a greater appreciation, almost by the day, of how complex the policy space is.”
The job has also allowed him to be closer to home and family — he grew up 15 minutes outside of Waterloo — even as other opportunities beckoned, like an acceptance to the University of Cambridge to pursue a PhD in international politics. “I turned that down to take a position here, because of the reputation of CIGI, because of the Internet governance program, and because of the community here,” he says. “It’s a beautiful city that is close to my heart.”
Shull’s role is multifaceted. When he’s not working on research he’s busy facilitating board meetings or providing day-to-day policy advice. He waves off this workload as typical of a busy in-house counsel who needs to manage time effectively, but he takes the notion of practicing law, which he began after being called to the bar in 2009, with great seriousness.
“I think the profession is sometimes the butt of jokes — people tend to have a negative view of lawyers. I never had that,” he says. “I always thought of the law as an esteemed calling, and a noble profession. And the more time I spend in this career, the more I come back to that being the case.”
“The problem is that people committing cyber espionage don’t leave a calling card. They don’t tell you why they’re doing it,” he says. “There’s no clear line between national security and economic interests.”
A government might use the Internet to get information about another country’s nuclear reactor core, for example. Is that because they want to avoid the R&D costs of developing one themselves, or because they want to target that core for military purposes? “Trying to pretend like the rules will clearly differentiate between the two is a misnomer and, I think, a mistake,” Shull says.
Helping to resolve some of these debates gives Shull a particular sense of purpose in his work at CIGI, particularly with the possibility that some governments could wind up creating virtual border crossings to prevent espionage online.
“I would say that the fears are realistic,” he says. “The reason the Internet works so well and that we share in the knowledge is because it’s free and it’s open,” he says. “Balkanizing the Internet or having certain states cut themselves off and their people off is significant. It will change the way that the Internet works.”
Shull is determined that if there are changes, they have to be for the better.