27. November 2019

This fall in New York, the United Nations held the first session of a new process to develop norms of responsible state behaviour in cyberspace. Since 1998, the UN has been addressing the challenge of defining the “rules of the road” for state activity in cyberspace, under the rubric of “Developments in the field of Information and Communication Technology (ICT) in the context of International Security.”

Such rules are desperately needed as this unique domain is being subjected to a growing assault by state-conducted cyber operations of ever-greater sophistication and magnitude, while remaining under a mantle of secrecy. A key question is whether the underlying great power rivalries that are generating this increase in offensive cyber capabilities will be amenable to diplomatic efforts to prevent conflict in cyberspace.

Diplomacy has lagged well behind the pace of militarization of cyber space in recent years. The US director of national intelligence has estimated that over 30 states now possess offensive cyber capabilities. State-on-state cyber interference, be it for espionage or more damaging military aims, is on the rise, with civilians becoming only so much collateral damage in the process. The costs of this trend will not be limited to degrading international cyber security. The potential of the digital world for advancing the UN’s Sustainable Development Goals could be undermined if the international community is unable to fashion some normative governance framework for state cyber operations.

At the UN, a series of groups of governmental experts (known as GGEs) — each with a restricted membership of about 15-20 UN members — managed to issue consensus reports in 2010, 2013 and 2015, which proposed a set of norms to govern state behaviour in cyber space. In 2018, however, the UN General Assembly was faced with an unprecedented situation in which the usually noncontroversial resolution authorizing these groups became a battling ground between a Russian-led resolution establishing an Open Ended Working Group (OEWG) in which any UN member state can participate and a US-led resolution continuing the traditional approach of a restricted GGE that meets behind closed doors. Ironically, Russia became the champion of the new, more transparent and inclusive process while the US was backfooted in having to advocate continuation of the limited, opaque GGE process. A befuddled General Assembly ended up adopting both resolutions, despite their almost identical mandates and the practical strain two processes place on UN resources and policy coherence.

It seems likely that the OEWG, with its earlier commencement and reporting deadline (fall 2020), is going to eclipse the GGE (not due to report out until 2021). The open nature of the working group, with its possibility for many more states to become involved, will likely raise the profile of state conduct in cyberspace at a time when this unique environment is becoming ever-more militarized.

Who’s at the table?

The initial session of the OEWG, held in September, demonstrated that “openness” is a relative concept at the UN. Some 18 NGOs that had requested accreditation to attend the proceedings were refused. This exclusion was a result of opposition from unnamed member states, presumably because some of these NGOs, like the University of Toronto’s Citizen Lab, had highlighted cyber-enabled abuses of human rights by certain states.

The four civil society organizations that were permitted to attend (because they have pre-existing consultative status with the UN) tried to appeal to the collective interest in preserving cyberspace as a domain for peaceful purposes, as opposed to “war-fighting,” as the US has officially characterized it. The Women’s International League for Peace and Freedom voiced its concernwith “the militarisation of cyber space” and its support of “solutions that move us closer to cyber peace.” ICT4Peace (with which the author is affiliated) called for the operationalization of the norms proposed by the earlier GGEs and in particular the prohibition on targeting critical infrastructure on which the public depends. With reports of rival cyber powers installing malware in each other’s electricity grids, ICT4Peace advocates that the prohibition on cyber operations against critical infrastructure should be respected at all times, and that states should publicly pledge to honour this restraint.

The national statements made and working papers submitted during the week-long inaugural session suggest that existing policy divides among leading cyber powers are persisting in the new context and will make it challenging for the OEWG to fulfil its mandate to further develop “norms, rules and principles of responsible state behaviour in cyberspace.” These policy differences principally revolve around the extent of sovereign control of cyberspace and the degree to which states are willing to accept restraints on their cyber operations abroad.

What about sovereignty?

The issue of sovereign control of cyberspace has been a long-standing point of debate amongst states. States in the West (broadly understood) have tended to advocate the free flow of information via the Internet and minimal controls over the activity of users. States of a more authoritarian character have espoused the concept of “information security” and stressed the right of states to safeguard their “information space.”

Typical of this orientation was the working paper submitted by China that affirmed the right of states “to make ICT-related public policies consistent with national circumstances to manage their own ICT affairs and protect their citizens’ legitimate interests in cyberspace.” ‘Protection’ in this case, the Chinese paper made clear, was from states “using ICTs to interfere in internal affairs of other states and undermine their political, economic and social stability.” In a similar vein, Iran affirmed the primary responsibility of states for maintaining a secure ICT environment and warned against states “with subversive aims [which] attempt to overtly or covertly use cyberspace to intervene in the political, economic and social affairs and systems of other states.” There is no readily available standard by which the international community can judge what type of information would be de-stabilizing, and such decisions will remain the preserve of the sovereign states themselves.

“A sharp uptick in the conduct of offensive cyber operations by states has occurred in recent years.”

The degree to which states are prepared to accept constraints on their foreign cyber operations is another open question. Although the utility of cyberspace for achieving a wide array of benefits for humanity is widely acknowledged, it has not gained the status of a ‘global commons’ reserved for ‘peaceful purposes’ akin to that agreed in multilateral treaties for the Antarctic and outer space. A sharp uptick in the conduct of offensive cyber operations by states, including those which can produce destructive effects as well as those aimed at political and social disruption, has occurred in recent years. This activity has largely been carried out covertly, with only a handful of states offering any transparency as to the policies and doctrine governing such offensive cyber operations. The negative impact of such activity is not lost on the majority of UN member states, which are conscious of the fact that they are both vulnerable to such attacks and lack the means to retaliate if affected by them. At the OEWG, Indonesia on behalf of the Non-aligned Movement — the group of 120 states from the developing world — expressed its concern over “the militarization and weaponization of cyberspace through the development of cyber offensive capabilities in a manner that would turn cyberspace into a theater of military operations.”

Echoing these concerns, China decried that “some states take cyberspace as a new battlefield.” Russia warned that “cyber confrontation is on the rise, and if we fail to find joint efforts [and] effective ways to fight these threats, the global cyberwar will be just down the road.” Iran tried to leverage its status as the initial victim of a state conducted destructive attack (the “Stuxnet” episode targeting its nuclear program) in denouncing “certain states with offensive doctrines [which] violate the prohibition of the use of force against other countries.” Employing a phrase of questionable taste, the Iranian statement referred to the country as being “the first cyber Hiroshima in the world.”

Although the above-mentioned states are suspected of engaging in offensive cyber operations of their own, their criticism of militarization of cyberspace creates presentation problems for those Western states which openly acknowledge that they have developed offensive military cyber capabilities. Statements by states such as the UK, Australia and the Netherlands have affirmed that they possess offensive capabilities while asserting that these are employed only in a manner compatible with their obligations under international law. These states assert that they are prepared to respect the norms of responsible state behaviour that have been generated by the UN process to date.

How cyber operations fit into international law

This issue of what constitutes responsible state behaviour in cyberspace is further complicated by problems with the scope of international law and attribution for cyber operations. While earlier GGEs have affirmed the applicability of international law to cyber activity, the exact nature of that applicability remains in dispute. In a situation of armed conflict, it is generally recognized that international humanitarian law would apply to cyber operations. The International Committee of the Red Cross reaffirmed this in its statement to the OEWG: “There is no question that cyber operations during armed conflicts are regulated by international humanitarian law – IHL – just like any other weapon or means or methods of warfare used by a belligerent in a conflict.” A grey zone exists, however, regarding cyber operations below the threshold of armed conflict, and the right of states to take counter measures against cyber actions directed at them that they view to be hostile.

The legal uncertainty is compounded by the problem of attributing an offensive cyber operation to a specific state. To date, attribution has been at the discretion of individual states with no neutral forum available to judge the merits of the accusation levied by one state against another. The UN Secretary-General has called for the peaceful settlement of cyber conflict and has advocated “fostering a culture of accountability,” but as ICT4Peace pointed out in its statement, in the absence of a mechanism for the impartial attribution of wrongful cyber acts, it is very difficult to hold states to account.

Canada’s role and moving forward

Canada was an active participant in the OEWG, delivering a statement as well as submitting a working paper. It was one of only a few states that criticized the exclusion of the 18 NGOs and called for consideration of gender equality issues in the OEWG’s work in addition to human rights concerns, such as the need to protect human right defenders from being targeted using digital technology.

Canada also stressed the importance of keeping the OEWG focused on the operationalization and implementation of the norms already identified by the previous GGEs rather than diluting its work in the pursuit of further norms. Given the existing tensions amongst the leading cyber powers, it will require sustained leadership by middle powers like Canada (and Australia, which has made an impressive investment in its international cyber diplomacy) to narrow the prevailing policy fractures and promote common understandings.

Putting norms of responsible state behaviour into practice will require not only the efforts of concerned states. The private sector and civil society have a vital stake in ensuring that cyberspace doesn’t become just another battleground. These constituencies are slowly beginning to mobilize their lobbying efforts directed at governments and will need to sustain the pressure. An example of an initiative to preserve a peaceful cyberspace that bridges the public and private sectors is the Paris Call for Trust and Security in Cyberspace launched by France last November. This set of principles for responsible state behaviour in cyberspace has now been endorsed by 74 states, 333 international and civil society organizations and 608 private sector entities. Such a broad-based coalition is a welcome addition to global discussions but it is worrisome that many key states are missing from the list of state supporters (China, Russia, the US, India, Iran, Brazil and South Africa, to name a few). These hold-outs will eventually have to be brought on board if UN-negotiated “norms of responsible state behaviour” are ever to be effective.

The next session of the OEWG in early December is to be devoted to receiving input from the private sector and civil society. Much will depend on how these inputs are fashioned and on the willingness of states to embrace their appeals for responsible behaviour in cyberspace. Whether the current “Wild West” of cyber operations is to give way to “Peace, Order and Good Government” is still very much an open question.

This article by Paul Meyer was first published in Opencanada.org on 18 November 2019.

Paul Meyer is an International Security Fellow, Simon Fraser University, and a Senior Advisor, ICT4Peace Foundation.