Waiting for International Cyber Norms

Felix Manig
Published in Wonk Bridge, Nov 6, 2017

States must agree on responsible behaviour for their operations in cyberspace.

Servers. Source: Pixabay, Creative Commons

Major intrusions are proliferating but states disagree about appropriate responses

The proliferation of state-sponsored cyber-intrusions over the last decade has led to calls for agreed rules of engagement in cyberspace to help address the uncertainty and potentially catastrophic consequences around warfare in the digital age. While internationally binding legal frameworks exist for conventional warfare, states find themselves in uncharted waters when it comes to battles in cyberspace, with little to no agreement on what sort of intrusion constitutes an “attack” and what countermeasures would be proportionate in response.

As major players in cyberspace, a handful of nation states possess the most resources and professionalism to conduct targeted Computerised Network Attacks against their adversaries for political and economic objectives. Despite several high-profile intrusions into government networks, military facilities, and even critical infrastructure systems over the last few years, the international community has failed to construct an international regime based on treaty commitments for cyber.

Without a consensual definition of what an “attack” is and how states can systematically react to intrusions, responses to the problematic concept of “cyber warfare” now heavily rely on semantics and the political context in which they occur. Furthermore, while attribution capabilities have improved, it still remains a challenge in cybersecurity and digital forensics to definitively name a perpetrator of an “attack”, increasing uncertainty even more. This murky state of affairs has resulted in the current norm of “do whatever you can get away with” — a condition that will prove unacceptable in the long run.

Weaponized Code. Source: Pixabay, Creative Commons

This status has arguably contributed to some of the key nation-sponsored cyber operations of the past years. Only this May, the devastating WannaCry ransomware affected organisations worldwide, and was later attributed to the North Korean-affiliated Lazarus Group. In the United States, an unprecedented investigation is currently underway to identify Russian hacking and influencing efforts to disrupt the 2016 presidential election.

However, it’s not only these usual suspects which can cause havoc in cyberspace. Perhaps the first and most notorious offensive cyber weapon to date was demonstrated by the United States back in 2010 in the form of the Stuxnet virus, a piece of malware which infiltrated the Iranian Natanz nuclear facility and caused its centrifuges to bust. In response, Iranian-backed hackers unleashed a destructive computer virus onto the networks of the world’s most valuable company, oil giant Saudi Aramco, and destroyed over three quarters of the firm’s PCs. And just last month, news broke that United States Cyber Command conducted a Distributed Denial of Service attack against North Korea’s Reconnaissance General Bureau, the nation’s intelligence agency, as part of a military cyber-campaign to pressure the regime over its nuclear weapons program.

The key takeaway here is that networks are targeted daily on a global scale for a multitude of motivations, perpetrated by a multitude of adversaries without clear rules of engagement. With increasing connectivity around the world and the rapid emergence of the Internet of Things, the list of potential targets is ever-growing, making responsible behaviour and regulation in cyberspace more urgent than ever.

United Nations General Assembly, New York. Source: UN Photo/Amanda Voisard

Cyber norm process at the United Nations is stalling

In view of these dangerous developments, the United Nations have now for many years hosted negotiations on questions of cybersecurity in the hope of developing a body of rules and guidelines to limit the conflict potential between states in cyberspace and to incorporate cyber into existing international legal frameworks. While the member states generally agree that a debate on cyber warfare and its effects on the foundations of international security is needed, opinions on global norms and best practices in the digital realm could not differ more greatly.

Back in 1998, the Russian delegation to the UN introduced a draft resolution regarding developments in the field of information and telecommunications in the context of international security, expressing concern about their potential to undermine international peace and stability and calling for the development of international principles to guide state behaviour. Fearing Russian attempts to weaken U.S. cyber capabilities, the Americans met the resolution with scepticism. When the UN General Assembly formally adopted the draft in 2005, the United States was the sole member state to vote against it.

A year before, a UN Group of Governmental Experts (GGE) was mandated to outline the global cybersecurity agenda. In particular, the experts sought to expedite international norms and regulations and to create confidence- and security-building measures between member states in cyberspace. In a first major breakthrough, the GGE in 2013 agreed that international law and the UN Charter are applicable to state activity in cyberspace. The fact that the United States, Russia, and China were able to agree on this report was seen as an important step to address disputes regarding state sovereignty and internet freedom in the digital realm. Two years later, a consensus report outlined four voluntary norms for state conduct in cyberspace, which member states should follow during peace time: states should not interfere with each other’s critical infrastructure, should not target each other’s emergency services, should assist other states in the forensics of cyberattacks, and are responsible for operations originating from within their territory.

While these norms sound promising, they are only of recommendatory nature and thus legally non-binding on member states. Considering the increasing number and sophistication of state-sponsored cyber intrusions, it remains questionable whether the norms will even attract much attention as soft law. Worsening this situation is the current stalling, if not failure, of the GGE process. When the group met for deliberations in 2016/2017, its members disagreed vehemently over how exactly certain international law applies to states’ use of information and communications technology. While the United States pushed for clear and direct statements on how international humanitarian law, the right of self-defense, and the law of state responsibility, including countermeasures, apply to cyber operations, other participants, likely Russia and China, contended it was premature to determine specific language for the guidelines. The deadlock of the GGE process is exemplary of the distrust between major powers not only in cyberspace but also of the mutual blockade on issues of international security at the UN.

Tallinn Manual 2.0 on the applicability of International Law in Cyberspace. Published in February 2017.

How can states find common ground?

The question remains whether and how the different interpretations and interests of states regarding international law in cyberspace can be reconciled and harmonised. Unfortunately, it appears that the last result of the GGE also represents its end for the time being. If a multilateral consensus-based format is not the appropriate setting for cyber norms at the moment, other possibilities still exist. As the development of norms and rules for responsible behaviour of states in cyberspace is a pressing issue, states will continue to seek cyber norm development.

One scenario will see states move more toward bilateral agreements for assurances in cybersecurity. Since 2015, China for example has signed several such agreements with the U.S., Canada, the United Kingdom and Australia, or members of the G-20. Other international organisations or frameworks, such as the European Union or the Organisation for Security and Co-operation in Europe, offer a second path to strengthen norms and form coalitions which could pressure other states through naming and shaming and by unanimously reacting to cyber threats.

Coming to an agreement on responsible state behaviour in cyberspace, in particular regarding offensive capabilities and appropriate responses, is a key national security interest for states. Even though these norms will likely remain unenforceable in the near future, they will be an important step to create stable expectations of how states may or may not react to cyber incidents and set the foundation for future negotiations on more concrete and possibly binding regulations.

Felix Manig: M.A. International Relations at King’s College London.