The following post is the latest installment of our Monday Reflections feature in which a different Just Security editor takes an in-depth look at the big stories from the previous week and/or a look ahead to key developments on the horizon.
In mid-January, the members of the Shanghai Cooperation Organization (SCO)—China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan—sent a revised draft International Code of Conduct for Information Security to the U.N. Secretary-General. The new document updates an initial draft that China, Russia, Tajikistan, and Uzbekistan circulated in September 2011. The United States, among others, rejected the 2011 version because it seemed to deny the applicability of existing international law to cyberspace, advocated increased government control over the Internet, and legitimized limitations on freedom of expression. Although the revised draft now discusses the right to “seek, receive and impart” information (see par. 7), in other major respects, it doubles down on the 2011 positions. The draft even seems to walk back from a 2013 concession by some of the SCO states that existing international law applies to cyberspace.
Despite its intransigence on major areas of disagreement, the latest draft does include a promising new provision on “develop[ing] confidence-building measures aimed at increasing predictability and reducing the likelihood of misunderstanding and the risk of conflict.” This provision, while desirable in the abstract, won’t make the rest of the Code any more palatable to the United States and others that opposed the initial draft. Its inclusion, however, may signal that China, in particular, is ready to re-engage in bilateral discussions with the United States on cybersecurity issues nearly a year after terminating the countries’ working group in retaliation for U.S. indictments against Chinese officials for hacking U.S. companies.
In their letter to the U.N. Secretary-General transmitting the 2015 draft, the SCO states suggested that they revised the Code in response to comments received on the 2011 version. Chinese diplomats quoted by Xinhua characterized the revised Code as “more comprehensive and balanced” and as having taken into account “reasonable suggestions from the international community.” The Russian Foreign Ministry similarly noted that the revised draft is “based on the new realities and proposals submitted by the states concerned.”
Despite the revisions, the SCO members’ core vision for state control of cyber governance remains largely unchanged. Both the 2011 and 2015 versions (in par. g and par. 8, respectively) seek to establish “multilateral, transparent and democratic” Internet governance, rejecting the current multistakeholder model of governance that includes not just states but civil society, technical experts, and other interested parties. Both also highlight states’ “rights and responsibilities” to protect their “information space” (par. e in the 2011 version, and par. 6 in the 2015 version).
The new draft does concede a somewhat increased role relative to the state for the private sector and civil society. Whereas the old draft declared that states would “lead all elements of society, including its information and communication private sectors, to understand their roles and responsibilities with regard to information security” (par. h), the new draft declares that states must “cooperate fully with other interested parties in encouraging a deeper understanding by all elements in society, including the private sector and civil-society institutions, of their responsibility to ensure information security” (par. 9).
However, this apparent elevation of “other interested parties” comes after and is separate from the new Code’s provision on Internet governance in paragraph 8, which focuses solely on states: “All States must play the same role in, and carry equal responsibility for, international governance of the Internet, its security, continuity and stability of operation, and its development . . . .”
This provision echoes a controversial resolution adopted at the 2012 World Conference on International Telecommunications (WCIT). WCIT was convened to revise the International Telecommunication Regulations, a treaty administered by a U.N. body—the International Telecommunications Union (ITU)—that sets standards for “global interconnection and interoperability” in telecommunications, like telephone calls. In advance of the conference, Vladimir Putin announced Russia’s desire to “‘establish international control over the Internet’” under the auspices of the ITU. Although Russian proposals for ITU control of the Internet were kept out of the final text of the treaty, a version of the proposal was adopted in an accompanying resolution, which declares that “all governments should have an equal role and responsibility for international Internet governance and for ensuring the stability, security and continuity of the existing Internet and it future development” (Res. 3, par. E). As I noted in a prior post, the United States and other key countries, including France, Germany, and the United Kingdom, refused to sign the revised treaty, citing the Internet governance resolution and its incompatibility with the multistakeholder model of Internet governance.
The invocation of the controversial WCIT language in the revised Code makes clear that the SCO member states’ views on Internet governance have not shifted and are not intended as any accommodation to the advocates of the multistakeholder governance model.
The revised draft Code also has two potentially troubling omissions.
First, it makes no mention of agreement reached in a 2013 U.N. report that existing international law applies to cyberspace. The United States has repeatedly asserted that existing international laws, including laws on the use of force, apply to cyberspace (see, for example, here and here). Prior to the June 2013 U.N. report, China had not agreed with that proposition, and with the proposal of the 2011 draft Code, China appeared to suggest that new law was needed because existing law did not apply.
In June 2013, however, the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE)—a group that includes China and Russia—reached consensus that “[i]nternational law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible [information and communication technology] environment” (par. 19).
The revised Code cites the GGE Report, but does not reference the agreement that existing international law, particularly the U.N. Charter, applies. Instead the draft Code cites only an earlier paragraph of the GGE Report on “norms derived from existing international law” and the possible development of additional norms “over time” (par. 16). Maybe the lack of citation to the international law paragraph is simply an oversight; the draft Code does at least cite the GGE report. But China’s reluctance over the course of years to agree to the applicability of existing international law combined with the re-proposal of the Code, which would itself be new international law if adopted, suggest that the lack of reference to the international law paragraph may be best understood as a sign that China continues to resist applying existing international law to cyberspace.
Second, the revised Code entirely omits a provision regarding proliferation of weapons. The 2011 Code would have required states “[n]ot to . . . proliferate information weapons or related technologies” (par. b). This provision is simply missing from the new draft, and the motivation for the omission is unclear. On the one hand, the United States criticized the proliferation provision in the 2011 draft on the ground that it “ignores the fact that this technology is a quintessential dual-use technology.” Perhaps the SCO countries omitted the provision in response to this critique. On the other hand, given the recent attention to zero-day vulnerabilities, including acknowledgements that the U.S. government does not always disclose vulnerabilities of which it is aware, the provision may have been omitted in recognition of the fact that cyber powers stockpile and use vulnerabilities that might be conceptualized as “information weapons or related technologies.”
One provision of the revised Code that should appeal to the United States—if it can be pursued without acceptance of the rest of the Code—is a new paragraph (par. 10) pursuant to which states would:
develop confidence-building measures aimed at increasing predictability and reducing the likelihood of misunderstanding and the risk of conflict. Such measures will include, inter alia, voluntary exchange of information regarding national strategies and organizational structures for ensuring a State’s information security, the publication of white papers and exchanges of best practice, wherever practical and advisable . . . .
This provision may suggest a willingness on China’s part to resume dialogue with the United States on cybersecurity issues. The countries established a bilateral working group on cybersecurity in 2013, but after the United States indicted five Chinese military officials for hacking U.S. companies, China suspended its participation in May 2014. As Adam Segal of the Council on Foreign Relations has noted, the suspension of the working group “is bad for both sides,” which have a “shared interest in confidence building in the areas of cyber conflict and in preventing third party attacks on critical infrastructure.”
If the confidence-building provision of the revised Code can jumpstart renewed dialogue, it would be a significant silver-lining to a proposal that otherwise seems likely to do more to highlight disagreement than to build agreement on international cyber governance.