The UN experts recently agreed to suggest stricter rules of responsible state behavior in cyberspace and the use of information and communications technologies. Both Russia and the U.S. applaud the move, but for different reasons.
In late August, the United Nations Group of Government Experts (UN GGE) released a new report that can be best viewed as a code of conduct defining a new era in cybersecurity policy. The report indicates that the world’s leading cyber powers, including the U.S., Russia, China and the United Kingdom, alongside developing nations, largely agree on a more restrictive regulation of the Internet and cyberspace.
In general, the UN GGE panel, a team of representatives from 20 countries acting voluntarily, decided that information and communications technologies (ICT) should only be used to achieve peaceful goals. For example, ICT could be used to tackle any attempts at cyber crime, including espionage and hacking.
Just a few months ago, in April 2015, the global Conference on Cyberspace gave little cause for optimism to those expecting any sort of unanimous international agreement on norms of state behavior in cyberspace. Despite the clear understanding that the international community does need to search for a common denominator for global peace and security, any mention of a legally binding treaty was mostly frowned upon. The discussions on the nuances of the application of international law in cyberspace revealed a wide array of differences of interpretation.
And four months later, the UN GGE has emerged from their fourth session in the past decade with a vision of the minimum norms to be adopted by states to ensure a more secure digital future. While the resolution outlining the agreed upon measures is clearly a sign of progress and success for the Group at a time of scarce trust and mutual understanding among nations, there are certainly caveats and challenges to these achievements to face and consider in the following months and years.
Rules of the game in cyberspace require a concerted effort by all major international players
The movement towards this settlement started a while ago, and Russia has been putting a lot of effort into lobbying for a commitment to certain rules of the game in cyberspace, including within the UN GGE framework.
The best known endeavors so far to set forth a concrete proposal are the Shanghai Cooperation Organization (SCO) Code of Conduct for information security and the Russian draft UN convention on international information security in 2011. Both take the same focus on ensuring information space stability, sovereign control over national Internet segments, and the demilitarization of cyberspace. These concepts have not found much support from Western nations.
This might have put a stigma on the revised version of the Code submitted in January 2015; however, both contain generally recognized recommendations on technical cooperation as well as the protection of individual rights online. Moreover, the new Code also mentions confidence and capacity building measures.
Bilateral attempts at codification of state relations in cyberspace were made between Russia and the U.S. in 2013 and most recently between Russia and China in 2015. The former ground to a virtual halt after the eruption of the conflict in Ukraine, while the latter is yet to prove its viability.
However, all these documents share the same language and conceptual understanding in certain instances – and these very instances are now reflected in the UN GGE report as the common denominator, the foundation and launch pad for any further consensus.
In particular, the report calls for commitment to peaceful use of information and communications technologies (ICT) and warns against committing cybercrimes. It also warns against inflicting damage on each other’s critical infrastructure and cyber emergency responders, or knowingly allowing third-party illegal cyber activity from their territory. In addition, the Code assumes a duty to assist in the investigation of cyber attacks and cybercrimes launched from a country’s territory.
What makes this agreement a milestone is the fact that it not only shows visible progress on these issues since the previous report was published in June 2013, but it also reveals the goodwill of the participants to flesh out the minimum of measures they do see eye-to-eye on despite a host of conceptual differences.
The increasing amount of illegal activity online and the threat of terrorism with the use of information and communications technologies have made a strong point in favor of fleshing out the principles of maintaining stability. This is especially true when cyber aggression can all too easily lead to a kinetic conflict in the absence of well-defined attribution and verification mechanisms. The Special Representative of the President of Russia on International Cooperation on Information Security, Ambassador at Large Andrey Krutskikh, who represents Russia within the UN GGE, remarked on the shared responsibility for fighting threats in cyberspace in a recent interview with the Kommersant newspaper.
“We all understand that in the sphere of information and communication technology (ICT), threats are common and transnational,” he said. “We can only fight these threats jointly.”
He pointed out, however, that the consensus was far from an easy one. It was the desire to find a palatable decision and wording that helped the Group come up with a final resolution. At the same time, as follows from the above, the differences in threat assessment and differences in ideas of how to respond to those threats, combined with a lack of trust, currently set a limit to the scope of possible agreement.
For instance, the clauses on the commitment not to attack critical infrastructure and to cooperate in dealing with such attacks on another state do not spell out the exact types of these attacks, while the definitions and classifications of critical infrastructure differ from country to country. In fact, it was expected earlier that more specific agreements could emerge for the banking and financial industry or nuclear energy sector, two areas where it is probably the easiest to find a consensus.
The clause on non-compromising ICT products with exploits (“harmful hidden functions”) is hard to meaningfully implement without a viable tool of verification, which is yet to be developed. While signals intelligence is part and parcel of each country’s foreign policy, it’s not clear whether the states that have such a capacity are indeed ready to commit at this time of geopolitical turbulence.
Equally, the commitment to thoroughly investigate cyber attacks before pointing the finger at a culprit runs up against the problem of attribution, which, despite all existing tools and approaches, is still an assumption based on a collection of usually indirect evidence.
All these lead to the essential question of the value of an agreement, which even if binding, is tough to implement. In fact, its voluntary, non-binding nature, while begging the same question of practical use and real commitments, allows for tentative rule setting. This, in turn, seems to be an inevitable and important stage in the process of potentially establishing clear legal norms in the future.
At this stage, the Group is focusing on crystallizing what appear to be “customary norms,” i.e. norms already widely accepted in the respective communities. It is also preparing the ground for “aspirational norms” that are yet to be digested and accepted. These are “the expectations of the international community, to set standards for responsible State behavior and allow the international community to assess the activities and intentions of States.”
“One step at a time” looks like the most feasible strategy here as the agreed upon principles of behavior lay the groundwork for more details. At the same time, they are helping to build a new culture of international interaction in this field and an ecosystem for relations with non-state actors. As Krutskikh argues, the principles do not exist in a vacuum and the new legal context eventually should help national and international counterterrorist and anti-crime activities.
At the same time, one shouldn’t overestimate the restrictive potential of the norms set out in the agreement. Defined in the text as mere moral obligations at present, they don’t have a sufficiently strong deterrence mechanism guaranteeing the implementation to “prevent conflict in the ICT environment.”
The Group admits that, “Their implementation may not immediately be possible, in particular for developing countries, until they acquire adequate capacity.” As such, the Group commits to developing more norms over time. The report will be presented at the 70th UN General Assembly this autumn and the Group intends to continue its work on the development of the norms next year if approved by the General Assembly. Therefore we might be in for a long journey towards a document which is ripe, detailed and balanced enough to become binding. However, the next big cyber conflict would be a good litmus test of the signatories’ commitments and the amount of political leverage behind them.
What Russia and the U.S. get out of the UN GGE agreement
The first media accounts of the Group’s work in both the U.S. and in Russia praised the new code of conduct as a success for their country. This is not just complacency, as it took a long time to reconcile very differing stances, but also a sign that both sides saw their points of view reflected in the final document.
For Russia, it was essential to highlight its principal position that the prevention of the use of ICT for political and military goals should remain a priority ahead of conflict regulation, which indirectly legalizes their mere existence. The emphasis is therefore on their peacetime regulation rather than on the application of the law of military conflict in cyberspace, which, however, was agreed on in principle in the UN GGE 2013 report.
This also fits Russia’s consistent norm-building efforts, through its SCO and BRICS (Brazil, Russia, India, China and South Africa) partners, towards an internationally binding convention under the aegis of the UN on the maintenance of global information security. The Russian negotiator openly admits this aim, with the caveat that it is a long route to take but one worth taking.
Besides, it was important to reiterate the principle of the states’ “refraining in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations” as well as “non-intervention in the internal affairs of other States.”
This clause, echoing the SCO Code of Conduct, is one of the paramount principles of international law application to cyberspace for Russia.
The U.S. sources specifically praised the agreement on not attacking the critical infrastructure of other nations and other nations’ duty to assist in the investigation of cyber attacks and cybercrimes launched from their territories, as well as other confidence and capacity building measures.
All of these reflect the official White House vision of the principles of behavior in cyberspace voiced in particular by U.S. Secretary of State John Kerry in May 2015 in Seoul, apart from one on the obligation not to “conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain,” most probably blocked by China.
Another stumbling block was Article 51 of the UN Charter, which enables a nation to retaliate upon being attacked. Russia didn’t want it singled out in the text of the Group report, as the U.S. suggested, since it already follows from the UN Charter provisions applying to cyberspace.
The entire Group didn’t advance much on spelling out further how “the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction” apply to cyberspace in wartime. This work has previously been attempted in the Tallinn Manual (TM) on the International Law Applicable to Cyber Warfare. Work is also currently being carried out on the Tallinn Manual 2.0, which covers the application of international law to situations below the “armed attack” threshold.
Finally, the sections on confidence and capacity building indicate the intention to make a big step forward in proactive cybersecurity and stability. The former stems from the work done by the Organization for Security and Co-operation in Europe (OSCE) in its 2013 set of draft confidence-building measures (the second set is being developed).
The detail in which it is laid out in the UN GGE report suggests much optimism about the goodwill of the United Nations to engage in mutual disclosure of threats and risks, vulnerability patching, security awareness and bridging the knowledge and skills divides.
However, the actual implementation is yet to be seen. If actively implemented as recommended at the bilateral or regional level, cooperation and development alone would mean a very positive step forward. At the same time, capacity building is very much reliant on the private sector, and the states will have to establish and/or promote an even more dynamic relationship with market leaders to implement the recommendations. For example, an attempt to bring together states and business for capacity building in cyber was made earlier on the sidelines of the GCCS2015 where the Global Forum on Cyber Expertise was launched.
All in all, the UN GGE has achieved a remarkable accomplishment, and managed to do so despite serious mutual trust issues among the 20 participating nations. This renders the presented consensus even more significant. But, as it happens, time will show its true value.