Max Planck Encyclopedia of International Procedural Law [MPEiPro]

Cybersecurity in International Courts and Tribunals

Claire Morel de Westgaver

From: Oxford Public International Law (http://opil.ouplaw.com). (c) Oxford University Press, 2023. All Rights Reserved. Date: 16 September 2024

Subject(s):
Internet — Security assistance — Case management — International courts and tribunals, procedure

Published under the direction of Hélène Ruiz Fabri, with the support of the Department of International Law and Dispute Resolution, under the auspices of the Max Planck Institute Luxembourg for Procedural Law.

A.  Introduction

1  In 2017, State Parties to the 1998 Rome Statute of the International Criminal Court (‘Rome Statute’) agreed to activate the jurisdiction of the International Criminal Court (ICC) over the crime of aggression (Coalition for the International Criminal Court, 2021). Given that Article 8bis Rome Statute is broadly drafted, some have argued that it could conceivably encompass cyber-attacks that have taken place between nations (Scheffer, 2017, 84). As international courts and tribunals have engaged with claims relating to cyber aggression in all its forms, there has been a shift towards a more cybersecurity-conscious manner of resolving international disputes.

2  As a form of international dispute resolution praised for its flexibility, it may be surprising that arbitration has not adapted more swiftly to cyber risks to ensure information security (see for example Pastore, 2016). Ironically, flexibility and party autonomy considerations appear to be at the heart of certain stakeholders’ reluctance to adopt systemic measures to alleviate risks associated with hacking activity.

3  Moreover, whilst practitioners have overwhelmingly cited access to confidential information and the related consequences as the two factors most relevant to the development of cybersecurity strategies in international arbitration, there are myriad attendant issues that can be just as impactful. These have, to date, received relatively little consideration (Bryan Cave Leighton Paisner LLP, 2019). This entry is not intended to address potential ramifications of a data breach in the context of the arbitration but rather aims better to understand the cybersecurity landscape when it comes to types of attacks and ways in which the level of security may be raised.

4  Courts and tribunals such as the International Court of Justice (ICJ), the World Trade Organization Panels and Appellate Body (Panel: Dispute Settlement System of the World Trade Organization (WTO); Appellate Body: Dispute Settlement System of the World Trade Organization (WTO)), and the ICC have received less commentary in comparison to their arbitral counterparts. One may wonder whether the reason is the nature of these bodies or a better application of procedural rules. In examining this issue, this entry will first consider some common examples of cyber-attacks, the impact of the Covid-19 pandemic, and the procedural requirements set out by numerous institutions including whether these are sufficiently broad to address cybersecurity adequately. Finally, this entry will consider ways in which the arbitral world may build upon these points in order to remain a flexible, popular, and secure means of alternative dispute resolution.

B.  Types of Attacks

5  Before we consider attempts to address the issue of cybersecurity, we must first examine what the term ‘cyber-attack’ encompasses in the context of international proceedings conducted by international tribunals and courts. The most common forms of cyber-attack are interception of communication, phishing, malware, waterhole, and distributed denial of service.

1.  Interception of Communication

6  One type of attack is the interception of communication by unlawful or lawful means by an interested party or a third party through actions such as unauthorized file viewing or reading emails. Such interception may occur during proceedings or in parallel with settlement or negotiation discussions.

7  Allegations that an opponent intercepted communications during proceedings have been made in the context of both investment and commercial arbitrations. In the International Centre for Settlement of Investment Disputes (ICSID) case of Libananco v Turkey this took the form of electronic surveillance. Turkey admitted to intercepting Libananco’s correspondence with its counsel and third parties, albeit as part of a separate criminal investigation (Libananco Holdings v Turkey, 2011). More recently, a party alleged that an opposing party intercepted emails from key executives, counsel, and witnesses during arbitral proceedings as part of the unsuccessful challenge of the three members of the arbitral tribunal (Sanderson, 2021).

2.  Phishing

8  One of the most effective means by which attackers can gain access to critical information is also one of the simplest (National Cyber Security Centre, 2018). Phishing attacks normally take the form of seemingly authentic communications from reputable sources that request the user to log in to their account to see the relevant information. This allows attackers to access private accounts and other sensitive information (National Cyber Security Centre, 2018).

9  Recent high-profile instances of phishing attacks focussing on courts and tribunals include emails that were circulated purporting to be from a court service which, once opened, could provide attackers with access to personal and confidential information (HM Courts & Tribunals Service, 2020). Scam emails designed for phishing led to the United Kingdom (‘UK’) Supreme Court issuing an announcement in 2017 to alert users of the court of these attempts (Supreme Court, 2017).

3.  Malware

10  A malware attack generally involves the inadvertent installation of malicious software following the use of a dangerous link or email attachment (Cisco, 2021). Once the malware has been installed it can be used for several different purposes such as ransomware, which is the restriction of access to documents unless payment of large sums is received, or spyware, which involves the undetected monitoring of data transmitted over networks (Cisco, 2021). Spyware may also play a part in the facilitation of other forms of cyber-attacks including ‘man-in-the-middle’ attacks in which an attacker may be secretly acting as an intermediary between parties and filtering/distorting communications and critical information.

11  One recent example of such a threat occurred in May 2020 when courts in the United States (‘US’) state of Texas were faced with system outages and disruption that left civil and criminal courts without a functioning case management system or internet (Bubenik, 2020). The impact of the attack was so severe that the court was forced to issue judgments via Twitter as opposed to traditional channels. In spite of this disruption, little to no sensitive or personal information was compromised. Nonetheless, it illustrates the extent of damage that could result from such an attack not only in relation to the cost of any potential ransom but also the logistical issues that follow and, crucially, the damage wrought against the institution’s credibility.

4.  Waterhole

12  Waterhole attacks involve attackers identifying sites that are frequented by users within a targeted group (National Cyber Security Centre, 2019). Once a site has been identified and compromised, attackers deliver and install malware to the site’s users often without their knowledge and via means such as seemingly innocuous file downloads in order to gain access to and exploit vital information (National Cyber Security Centre, 2019).

13  An example of such an attack in the context of arbitration was against the Permanent Court of Arbitration (PCA) which occurred in July 2015 during hearings between China and the Philippines concerning the South China Sea dispute (Peterson, 2015; South China Sea Arbitration (Philippines v China)). In this instance, attackers were able to gain access to the PCA’s website and engineer the page devoted to the dispute in such a way as to infect visiting users with malware (Peterson, 2015).

5.  Distributed Denial of Service

14  Unlike the aforementioned examples, the primary objective of Distributed Denial of Service (‘DDoS’) attacks is not to obtain confidential information but rather to cause disruption to servers or sites (Kaspersky, 2021). This is achieved by overwhelming servers, services, or networks with an increase in internet traffic, leaving the target unable to function (Kaspersky, 2021).

15  Such attacks pose a threat given the level of disruption and attendant cost that can result from them. One recent instance of such an attack saw the European Court of Human Rights (ECtHR) come under a sustained cyber-attack for several hours in an attempt to disrupt internal systems (White, 2020). The incident occurred shortly following a ruling by the court in respect of the release of a Turkish opposition politician (White, 2020).

6.  Covid-19 Pandemic and Ensuing Cybersecurity Risks

16  Unfortunately, cyber-attackers have attempted further to capitalize on the sharp rise in remote hearings due to Covid-19 pandemic restrictions. This year (2022), organizations are likely to fall victim to a cyber-attack every eleven seconds (Lozano and Masumy, 2020). It has also been reported that the Federal Bureau of Investigation (‘FBI’) has seen a 400% increase in daily cybersecurity complaints since the start of the Covid-19 pandemic (MonsterCloud, 2020). Furthermore, a recent International Criminal Police Organization (‘INTERPOL’; Interpol) assessment of the impact of Covid-19 revealed that there has been a major shift from attacks against individuals and small businesses to major corporations, governments, and critical infrastructure. From January to April 2020, alone, there were reportedly some 907,000 spam messages, 737 malware-related incidents, and 48,000 malicious URLs all pertaining to Covid-19 (INTERPOL, 2020).

17  Since the onset of the pandemic, preying on practitioners’ fear and unfamiliarity with Covid-19 has continued. Phishing and malware attempts are increasingly relying on ‘coronavirus-themed lures’ in order to entice clicks (Microsoft, 2020). Even where attackers have been unable to gain access to critical information, they have caused disruption in several ways that have cost both a great deal of money and time, such as through gaining access to unsecured videoconferences (Zegers, 2020). There is also evidence to suggest that the legal services industry has seen unparalleled levels of ransomware attacks during the pandemic (Hart, 2021). Late 2020 saw the US courts suffer a significant cyberattack from the SolarWinds hacker group, compromising highly sensitive non-public documents (Greig, 2021). A separate cyberattack on the South African Department of Justice in September 2021 collapsed court systems across the country and led to delays and a backlog of cases (Makhafola, 2021). Furthermore, the International Court of Arbitration of the International Chamber of Commerce (‘International Chamber of Commerce ICA’) rejected a challenge during the pandemic from two parties in arbitration proceedings that an opposing party intercepted emails from key executives, counsel, and witnesses during the merits phase of an arbitration (Sanderson, 2021). The International Chamber of Commerce ICA rejected the challenge on the basis that the parties ought to have made requests in relation to these allegations before bringing a challenge (Sanderson, 2021).

C.  Cybersecurity Measures in International Courts and Tribunals

18  Although there have been international efforts to protect individuals’ digital information, this has largely been through the prism of legislation such as the UK and European Union (‘EU’) General Data Protection Regulation (‘GDPR’). In respect of international courts and tribunals, however, there has been relatively little development, with institutions preferring to react flexibly through their general powers of case management. As we shall see, whilst there have been some transnational efforts to harmonize rules relating to cyber-issues, they have often leaned towards addressing the crimes themselves rather than the means by which to protect against them. Moreover, courts and tribunals such as the ICJ, WTO Panels and Appellate Body, and the ICC have come under relatively little scrutiny with respect to their ability to protect sufficiently against cyber-attacks.

1.  Harmonization of Cybersecurity Measures

19  The first international treaty that sought to address issues of cybercrime was the Council of Europe’s Budapest Convention on Cybercrime (‘Budapest Convention’), which was opened for signature on 23 November 2001, entered into force on 1 July 2004, and was supplemented by the Additional Protocol to the Convention on Cybercrime, which was opened for signature on 28 January 2003 and entered into force on 1 March 2006. The Budapest Convention seeks to harmonize rules relating to cybercrime including providing substantive law elements of offences as well as providing for increased domestic procedural law powers swiftly to investigate and prosecute such offences. In particular, the Budapest Convention deals with cybercrimes that include illegal interception, data and system interference, misuse of devices, forgery, fraud, and various intellectual property rights.

20  Whilst the Budapest Convention largely deals with issues of criminal prosecution rather than cybersecurity, several provisions laid the groundwork for substantive and uniform changes to cybersecurity measures. Article 18 Budapest Convention, for example, deals with issues of production orders. It provides that each signatory to the Budapest Convention shall adopt appropriate measures to empower its authorities to order, inter alia, service providers to provide information including types of communication services used by the signatory’s subscribers as well as traffic data, information pertaining to subscribers more generally, and information pertaining to the nature of subscribers’ communication equipment. In addition, Article 19, which pertains to the search and seizure of stored computer data, requires signatories to adopt measures that empower them to make and retain copies of relevant data and maintain its integrity.

21  These measures along with increased risks have given rise to an international legislative attempt to recognize the importance not only of combatting cybercrimes but also of the need for systems that properly allow for the maintenance of digital information in a manner that does not further weaken those systems’ integrity and confidentiality. That the purpose of the Budapest Convention was to combat cybercrime, therefore, does not detract from its importance in recognizing the means of digital storage itself as a method requiring greater scrutiny and, ultimately, protection. At present, the Convention is the only binding international instrument on this issue (Council of Europe, 2021).

22  Notably, there have been other efforts to build a convention that is fit for combatting cybercrime. On 29 July 2021 the Russian Federation submitted a draft Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes to the United Nations (‘UN’). The draft convention proposes to expand the list of internationally designated cybercrimes from nine to as many as twenty-three cybercrimes. The draft convention has been considered by the Ad Hoc Committee tasked with developing a UN treaty on cybercrime in its first session from 28 February to 11 March 2022.

2.  International Court of Justice, World Trade Organization Panels, and International Criminal Court

23  The global measures employed to ensure cybersecurity are often broadly framed around general duties to protect confidential information rather than being distinct international instruments that address the procedural issues presented by cyber threats. These global measures are typically formulated by international institutions.

24  Chapter III Statute of the International Court of Justice (1945) (‘ICJ Statute’) pertains to the procedure of matters before the Court and concerns elements including the language of hearings and notice requirements. Article 43 (3), in particular, provides that ‘communications [pleadings etc] shall be made through the Registrar’. Whilst the procedural element of the ICJ Statute is silent as to procedure protecting confidential information, the separate Rules of Court (1978) note at Article 24 that the Registrars undertake a specific declaration relating to the performance of their duties ‘in all loyalty, discretion and good conscience’, as does every member of the Court (Art 20 ICJ Statute), and staff-member of the Registry (Art 25 ICJ Rules of Court).

25  By contrast, the Understanding on Rules and Procedures Governing the Settlement of Disputes (1994) (‘DSU’), which sets out the relevant procedure when a dispute is brought pursuant to the provisions of the WTO Agreements, has ostensibly clearly defined confidentiality obligations (Confidentiality of Proceedings). Article 14 and Appendix 3 (3) DSU set out that both the deliberations of the WTO Panel and the documents submitted to it shall be kept confidential. Furthermore, ‘members shall treat as confidential information submitted by another Member to the Panel which that Member has designated as confidential’ (Art 14 (3) DSU). Similarly, Annex II Working Procedures for Appellate Review (2010) of WTO disputes states that ‘each covered person shall at all times maintain the confidentiality of dispute settlement deliberations and proceedings together with any information identified by a party as confidential’. Such clearly delineated terms are welcome. Yet these provisions fail to elaborate on the extent of the confidentiality required. This leaves some uncertainty as to the correct means by which information should be stored and communicated. Instead, Article 12 DSU provides generally that WTO Panel procedures should provide ‘sufficient flexibility’ and those procedures deferring to Appendix 3 may be adopted unless decided otherwise by the WTO Panel after consultation with the parties.

26  Finally, the Rome Statute makes extensive reference to the duty of confidentiality for various parties. Article 45 Rome Statute, for example, requires judges to undertake a solemn oath. Rule 5 ICC Rules of Procedure and Evidence (2002) further elaborates that this oath includes respecting ‘the confidentiality of investigations and prosecutions and the secrecy of deliberations’. Similar confidentiality obligations exist for prosecutors who may ‘take necessary measures, or request that necessary measures be taken, to ensure the confidentiality of information’ (Art 54 (3) (f) Rome Statute). Article 64 Rome Statute provides the Trial Chamber with the power to ‘provide for the protection of confidential information’. Again, this broad drafting appears to afford parties greater procedural flexibility at the cost of the certainty that would flow from more strictly defined rules.

27  Altogether, attempts to address cybersecurity issues by reference to general duties of protecting confidential information leave room for uncertainty. In particular, these rules lack explicit references as to the specific cyber threats against which these protections are designed to guard.

28  Provisions to ensure cybersecurity through confidentiality obligations are also ineffective due to the cloak of immunity which protects judges and arbitrators in international courts and tribunals in relation to the performance of their duties during proceedings. This therefore weakens the strength of the aforementioned confidentiality obligations. Article 19 ICJ Statute, for example, provides that ‘the members of the Court, when engaged on the business of the Court, shall enjoy diplomatic privilege and immunities’ and Article 48 Rome Statute similarly affords broad immunity to judges even after the expiry of their time in office.

29  All of the aforementioned institutions have clear political mandates, and their formation is enshrined in various international agreements. One reason for a comparative lack of scrutiny in respect of their cybersecurity shortcomings may be that such political mandates come with additional pressure for these institutions to be seen to be preserving and addressing issues of confidentiality and, relatedly, cybersecurity. If one party becomes the subject of a serious cyber-attack because of one of the above institutions’ shortcomings, the damage is not only done to the judge in question but the institution overall and this may then lead to doubts being cast upon its mandate. As explained in the following sections, the practice of international arbitration, which is void of such a mandate, has similarly struggled to give effect and meaning to procedural measures pertaining to cybersecurity.

3.  Current Attempts to Address Cybersecurity Concerns in International Commercial Arbitration

30  Whilst the arbitral world has been slow to adopt any singular standard with respect to cybersecurity, in recent years there have been attempts to address these issues through a series of initiatives. One such initiative is the Protocol on Cybersecurity in International Arbitration, 2020 (‘Cybersecurity Protocol’) of the International Council for Commercial Arbitration (‘ICCA’), the New York City Bar (‘NYC Bar’), and the International Institute for Conflict Prevention & Resolution (‘CPR’).

31  The Cybersecurity Protocol seeks to increase awareness about information security risk within the arbitration community. It sets out several principles, including recommended frameworks to guide parties (Principle 1), guidance on ensuring that third parties are aware of all security measures (Principle 3), and guidance on raising information security issues at the earliest possible instance with all parties (Principle 10).

32  A common theme running through this protocol, however, is that of the importance of party autonomy and the reasonableness of the measures that are to be adopted in respect of information security. Whilst party autonomy is certainly of the utmost importance in international arbitration, the reticence of organizations to apply a singular systemic set of rules speaks to the issues that arbitral tribunals have regularly faced in respect of the implementation of cybersecurity measures. Indeed, such measures have been criticized as exemplifying a ‘too little, too late’ approach which fails to address important emerging concerns within the area such as the increase in remote hearings and the related cyber-risks that these present (Respondek and Lim, 2020).

33  Furthermore, the ICCA and the International Bar Association (IBA) have formed a Joint Task Force on Data Protection to create a Roadmap to Data Protection in International Arbitration (‘Roadmap’). The Roadmap sets out practical advice on adhering to data protection best practice in relation to international arbitral proceedings. The newest revisions to the Roadmap were scheduled to be published in September 2021 as part of the ICCA 2021 Congress. Nonetheless, the Public Consultation Draft (2020) notes how the Cybersecurity Protocol stresses the fact that ‘there is no one-size-fits-all solution to information security’ in respect of arbitral proceedings and that the standards will vary depending upon the circumstance. Like the Cybersecurity Protocol, the Roadmap offers helpful guidance and suggestions as to potential ways to deal with issues of data protection and information security. However, it does not offer any systemic solutions to the problem of cybersecurity in international arbitration.

34  In recent years, a few arbitral institutions have updated their rules to include provisions addressing issues of data privacy and information security. By way of example, the new Article 30A 2020 Arbitration Rules of the London Court of International Arbitration (LCIA) provides that the tribunal must consider adopting measures to ‘protect the physical and electronic information shared in the arbitration’. This provision further contemplates the possibility for both the LCIA and the tribunal to issue directions addressing information security and data protection issues, with such measures being binding on the parties, and (in the case of directions issued by the LCIA) also binding on members of the tribunal.

35  Separately, institutions including the International Chamber of Commerce ICA and the Singapore International Arbitration Centre (SIAC) have published rules that provide guidelines on how parties should conduct remote hearings or use information technology in arbitral proceedings (International Chamber of Commerce, 2020; SIAC, 2020). These notes provide assistance with identifying risks and potential considerations. In respect of applicable systemic rules, however, they are also silent, preferring to focus on giving parties the choice of various measures that they may wish to consider adopting.

36  The International Chamber of Commerce Commission Report on Information Technology in International Arbitration sets out numerous issues that may arise through the use of technology such as incompatibility of files, the use of data-rooms, and data security (International Chamber of Commerce, 2017). However, the report is not intended to provide a uniform application of cybersecurity measures. Instead, it points to potential solutions and defers to the International Chamber of Commerce Rules themselves, which require the parties to work together with the tribunal in resolving these issues and apply appropriate procedural frameworks.

37  In the same vein, SIAC’s Taking Your Arbitration Remote guide, which raises issues of confidentiality and cybersecurity including specific problems that may arise, notes that ‘[p]arties and the Tribunal should use best efforts to ensure security in the sharing or exchange’ of various forms of documentation (SIAC, 2020, 3). Whilst the implications of such a ‘best efforts’ injunction are likely to vary from one case to another, in reality most practitioners and arbitrators do not have the technical ability to assess risks or identify suitable measures.

38  Over the past few years, numerous platforms have also been developed to assist with the resolution of disputes remotely. One such example, which has been underexplored for some time, is the EU’s use of online dispute resolution platforms in respect of consumer disputes, which was established by Council Regulation No 524/2013 (Online Dispute Resolution (ODR)). Lozano and Masumy (2020) note that common features of online platforms include the use of multi-factor authentication, encryption, and proper data breach management.

39  Whilst online dispute resolution platforms remain underutilized in international arbitration, the Covid-19 pandemic has given developers and providers the opportunity to highlight their cybersecurity credentials. Some institutions had successfully launched their own platforms well before the pandemic struck. The Arbitration Institute of the Stockholm Chamber of Commerce (‘SCC’) is a notable example. The SCC Platform introduced in September 2019 provides a secure site for participants to aid in the case management process. The platform is a purpose-built and secure cloud-based storage system on which participants file, search, and exchange all their case materials in the arbitration such as procedural orders, submissions, and exhibits (SCC, 2019). Other institutions that may have been unsure about the need to offer such services may now decide to offer these following the increase in virtual hearings and other enhanced cyber risks stemming from the remote working environment. Arbitral institutions make these dispute resolution platforms available to parties and arbitrators involved in arbitrations conducted under their auspices either on a mandatory or opt-out basis. For example, the Russian Arbitration Centre (‘RAC’) at the Russian Institute of Modern Arbitration (‘RIMA’) offers a digital case management system whereby users can start and monitor the progress of their arbitrations (RIMA, 2021). The system expressly mentions that the confidentiality of all information provided is guaranteed, and Article 6 RIMA Arbitration Rules (2019) provides parties with the option to use the system for electronic filings (Lange and Samodelkina, 2019). The use of online platforms across the entire caseload of leading institutions will likely increase cybersecurity in international arbitration proceedings significantly. This development is a step in the right direction and should be welcomed by the international arbitration community.

4.  The Tribunal or the Parties: Who is Responsible?

40  As can be seen from the Roadmap and updated institutional rules and guides, parties are very much responsible for the sufficient imposition of cybersecurity measures and the justification for doing so has been party autonomy. As an arbitral tribunal will normally have the decision-making power in relation to aspects of procedure, one must query who may be at fault for a lapse in such protections. Indeed, whilst there is an undoubted appeal to the procedural flexibility of arbitral proceedings, there appears to be a misunderstanding in respect of the relationship between cybersecurity and procedure.

41  As noted above, international tribunals near universally benefit from immunity in respect of their actions in the function of their role. The position in respect of arbitration, however, is less clear. Section 29 English Arbitration Act, 1996, for example, provides that ‘an arbitrator is not liable for anything done or omitted in the discharge or purported discharge of his functions as arbitrator unless the act or omission is shown to have been in bad faith’. One may wonder whether assessing cybersecurity risks and the adoption of suitable information security measures fall within the scope of arbitrators’ functions within the meaning of Section 29—not least given their lack of training and expertise in this area. In this regard, a provision akin to Article 30A LCIA Arbitration Rules may be seen as a confirmation that arbitrators’ immunity acting under the relevant rules extends to information security measures. However, whether arbitrators’ immunity extends to situations where a breach of security is caused by negligence on the part of an arbitrator is unclear.

42  As noted above, perhaps the ease with which international courts (in comparison to arbitral tribunals) have dealt with imprecise cybersecurity measures involves the notion of public policy concerns and related mandates. International institutions such as the ICJ, WTO, and the ICC are inherently political and are the products of public international law conventions. Through these conventions, member states agree among other things to afford specific immunities to these institutions and their staff, including judges. On the other hand, arbitrators’ and arbitral institutions’ powers and immunities derive from a contract—ie an agreement to arbitrate—as well as the relevant institutions’ policies and rules, and national laws.

5.  Investor-State Arbitration

43  Tribunals established for the purposes of investor-state dispute settlement might be said to occupy the middle-ground between these two contrasting points. Whilst institutions such as ICSID have a political mandate, for example, central to their ethos is the notion of party autonomy and the ‘essentially flexible character’ of proceedings (ICSID, 1965, 42). In practice, however, a balance appears to exist between affording parties the flexibility they so require with the need for greater accountability on the part of the institution itself—be it in its administrative processes or elsewhere.

44  ICSID note on their website, for example, that they ‘benefit from the World Bank’s world-class information technology security’ (ICSID, 2020a). Whilst this is undoubtedly true, it also speaks to the above—ie that ICSID’s cybersecurity concerns and procedures potentially share the same public policy considerations as the aforementioned international courts and tribunals such as the ICJ, WTO, and ICC as well as the various limbs of the EU.

45  Article 19 Convention on the Settlement of Investment Disputes between States and Nationals of Other States (1965) (‘ICSID Convention’) notes that ‘to enable the Centre to fulfil its functions, it shall enjoy in the territories of each Contracting State the immunities and privileges set forth in this Section’. Articles 20 to 24 then proceed to set out the various immunities afforded to the Centre and its arbitrators which protect them in their role. Article 21 (a) provides that arbitrators ‘shall enjoy immunity from legal process with respect to acts performed by them in the exercise of their functions’. It is unclear whether arbitrators’ immunity under this provision broadens the potential political ramifications and possible impacts on the integrity of the Centre itself, which could result from a tribunal’s insufficient cybersecurity measures or negligent practice that might cause or contribute to an information security breach.

46  In the non-ICSID context, Article 7 (3) UN Commission on International Trade Law (‘UNCITRAL’) Rules on Transparency in Treaty-based Investor-State Arbitration (2014) appears, in theory, to place the onus on tribunals. This provision provides that ‘the arbitral tribunal, after consultation with the disputing parties, shall make arrangements to prevent any confidential or protected information from being made available to the public’. It further sets out various means by which this can be achieved, including the imposition of time limits with respect to arguments as to whether information should be determined confidential or not, as well as ‘procedures for the prompt designation and redaction’ of relevant confidential documents.

47  In October 2016, ICSID launched its fourth rule amendment process and invited comments from ICSID member states, with the same invitation being extended to the public in January 2017 (ICSID, 2021). In February 2020, the ICSID Secretariat published its fourth Working Paper on Proposed Amendments to the Rules (ICSID, 2020c), which sets out the proposed changes to the Rules as well as the reasoning behind these proposed changes and the relevant considerations that went into them.

48  As part of this process, ICSID member states provided a number of suggested amendments to the rules. Among these suggestions were comments from Argentina, China, Israel, and Turkey noting various concerns with respect to confidential information. These concerns included the risk to confidentiality posed by the addition of third-party funders (ICSID, 2020b, 16–17), the need for the protection of information pertaining to national security (ICSID, 2020b, 26), and arbitrators’ commitment to maintaining confidentiality (ICSID, 2020b, 21).

49  Notably missing from these suggestions and amendments, however, is a reference to cyber-attacks and their potential effect on arbitration proceedings. One may find a partial reason for this in the most recent commentary for the proposed amendments, which states that in respect of document production information security matters are ‘for the parties and the Tribunal to discuss at the first session and determine in light of the specific circumstances of the case’ (ICSID, 2020c, 309). Apart from the mandatory use of its online platform, which significantly alleviates cybersecurity risks, it would therefore appear that ICSID, despite sharing the political mandate of other international courts, is determined to refrain from imposing strict procedural obligations.

D.  Conclusion

50  As advancements in technology continue to facilitate the ease with which international disputes may be administered and resolved, these issues are likely to be further amplified. Whilst no systemic or uniform cybersecurity procedure has yet been developed or adopted, we must recognize the significant progress that has been made in recent years, especially by commercial arbitration institutions and stakeholders. The introduction of institutional ad-hoc measures addressing cybersecurity by various arbitration institutions, and thought leadership by various arbitration users that has raised greater awareness of cybersecurity risks, reflect the development of cybersecurity protection in international dispute resolution mechanisms. Although it will fall to each of these bodies to develop its own approach towards cybersecurity, one would expect international courts such as the ICJ, ICC, and WTO to follow the same movement and work towards policies that will safeguard the confidentiality and security of their dispute resolution processes.

E.  Acknowledgements

51  The author is immensely grateful to Kevin Cheung, Jonathan Cowe, Afolarin Shasore, and Jonathan Trinick for their assistance with this article.


Cited Bibliography

Cited Documents