International collaboration on cybersecurity is possible. Here’s how it can be done.
Developing global norms in cybersecurity
A decision to adhere to a norm reflects three related factors: a state’s decision on the norm’s utility for its own interests, based on the state’s assessment of the likelihood that others will observe it; the value the state places on appearance in the international community; and how well the norm comports with the state’s own values. The dynamics of fragmentation in the international system limit the scope for global norms development.
A Western approach to cybersecurity norms would emphasize constraints on attack and the use of force, defining malicious behavior as states’ use of cyber techniques for force or coercion, and reiterate commitments to human rights and the existing Internet governance structure. The non-Western alternative places emphasis on the political effect of information and the belief that content is used against states to destabilize their regimes. This explains the long-standing Russian assertion that “information is a weapon.” The non-Western alternative is accompanied by a desire for a greater recognition of sovereign rights in cyberspace and a greater role for sovereign states in Internet governance.
Western and non-Western views, while often diametrically opposed, do not preclude all possibility for agreement.
Norms for sovereignty and the use of force by states in cyberspace offer the most promising field for agreement among disparate and competing groups of countries. These two issues are compelling as they directly affect the survival of the state. Sovereignty and warfare are, in some ways, facets of the same issue: the state’s ability to remain as an independent actor. Fears about potential diminution of state independence, combined with concerns over what is perceived to be a new and powerful form of attack, have a destabilizing effect on international relations.
Nations share a concern over the possibility of cyber attacks that could damage their political independence, drawing on the experience of the 2007 actions against Estonia. They also share concerns over cyber attacks’ ability to damage critical infrastructures, as shown by the Stuxnet and Aramco attacks. In these shared concerns, there is ground for agreement. While the nature of offensive cyber operations is poorly understood, it should be possible to build on the progress made by previous GGEs to define general principles for stability and security.
An informal tally of national experts suggests that there are areas where agreement is unlikely — Internet governance and human rights, particularly involving freedom of expression and access to information. Previous GGEs simply took governance off the table as an issue and papered over the difficulties with rights through the frequent invocation of the Universal Declaration of Human Rights and other instruments.
Cyber “terrorism” is also an area where agreement is unlikely. Since there has been no terrorist use of cyber attack and since no terrorist groups possess these capabilities, the discussion of norms on cyber terrorism becomes a debate over online content and of extraterritorial rules to restrict speech. Similarly, some nations would like to extend the Wassenaar Arrangement restrictions on exports of surveillance technologies, but given the difficulties of defining technologies of concern, it will be difficult to achieve meaningful agreement to restrict acquisitions or transfers.
Such disagreements are not necessarily fatal to agreement. The most salient example is the UN charter itself, which in Article 2.4 forbids member states from using force against another state, without the approval of the Security Council, and in Article 51, recognizes their inherent right to use force for self-defense without Security Council approval. Underneath this apparent dissonance in the charter is a more complicated discussion of aggression versus defense, but the occasional ambiguity in an agreed text is essential for successful diplomatic negotiation.
Next Steps for Negotiations
Differing national views on the use of force, control of content, governance, and international crime shape the space for agreement on cybersecurity norms and create the landscape for negotiation. There is no consensus among nations on these topics, which creates a challenging environment for continued, meaningful progress on cybersecurity norms. However, parsing different substantive aspects of the GGE’s work, combined with developing a less ad hoc negotiating process, suggest a path forward.
A broad agenda for cybersecurity negotiations that attempts to address the full range of issues, including crime, intellectual property protection, espionage, and military action, may have seemed appropriate in the early days of negotiating but is now impractical. A mature negotiating process would have a different structure than the GGE, with baskets of issues, working groups, and a plenary body. This approach would require a greater investment of time and resources than countries, despite the salience of the cybersecurity issue, are prepared to make. If we discount the constant iteration of banal generalities, cybersecurity norms remain a tertiary issue for the international community.
The disjointed nature of the global discussion reflects a larger problem with the term “cybersecurity,” which means different things to different communities, who define the problem and any solution in varying ways (usually through the prism of their own experience and expertise), and often assert that they naturally should lead. Dissonance can be reduced by defining the objective of international negotiation: to reach agreement on state responsibilities for peace and security in cyberspace, including states’ responsibility for the actions of their citizens, companies, or others subject to their laws, and a commitment to ensure that actions in cyberspace do not contravene their international commitments.
The nexus for negotiation lies at the intersection of political rights, sovereignty, and use of force, and the primary purpose for cybersecurity norms is to limit the risk of conflict.
Norms can also be used to reaffirm commitments to a free and open Internet, but these issues are contentious and perhaps tertiary, and if it is possible to reach agreement on measures to improve security and stability using commitment from states to renounce certain behaviors without compromising fundamental freedoms, this may be the best outcome now possible. A formal approach to negotiation focused on security would not address all issues or assuage all communities, but it would be the approach most likely to succeed in reducing risk.
James Andrew Lewis is a senior vice president at the Center for Strategic and International Studies in Washington, D.C.
This report is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2017 by the Center for Strategic and International Studies. All rights reserved.