In recent months, the United States has been pushing a new policy of “international cyber stability.” In a speech in Seoul in May, Secretary of State John Kerry explained that this goal requires “broad consensus on where to draw the line between responsible and irresponsible behavior.” To define the line, the United States proposed several norms that states should observe in peacetime, and according to media reports, the UN Group of Governmental Experts (GGE) has adopted several of the norms, which will be included in a forthcoming consensus report. In particular, Politico reports that the agreed-upon norms include “understandings that nations should not intentionally damage each other’s critical infrastructure with cyberattacks; should not target each other’s cyber emergency responders; and should assist other nations investigating cyberattacks and cybercrime launched from their territories.” The exact language of the agreed-upon norms will not be clear until the final report is released in about six weeks.
The GGE includes not just the United States and close allies like the United Kingdom, but also cyber-antagonists China and Russia, along with Brazil and Germany, which have been especially aggrieved by allegations of US spying. Getting agreement among that group on anything—especially anything championed by the United States—is a significant diplomatic victory. However, even with agreement on the norms in general, ambiguity in their application may spark future discord, and significant differences of opinion remain about the role of international law.
In written testimony before a Senate Foreign Relations Subcommittee in May, State Department Cyber Coordinator Christopher Painter set out four norms:
A State should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide services to the public.
A State should not conduct or knowingly support activity intended to prevent national CSIRTs [Computer Security Incident Response Teams] from responding to cyber incidents. A State should also not use CSIRTs to enable online activity that is intended to do harm.
A State should cooperate, in a manner consistent with its domestic law and international obligations, with requests for assistance from other States in investigating cyber crimes, collecting electronic evidence, and mitigating malicious cyber activity emanating from its territory. States must take robust and co-operative action to investigate criminal activity by non-State actors.
A State should not conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors.
The United States apparently proposed the first three norms to the GGE, and it will be interesting to see whether (and if so, how) the norms included in the final GGE report differ from the version the United States proposed.
Even if the text remains the same, however, the devil is in the details and, in this case, in the application. For example, what counts as critical infrastructure? As a domestic matter, the United States has defined critical infrastructure very broadly to include 16 sectors, such as communications, the defense industrial base, financial services, nuclear reactors, and transportation. But some of the sectors are less obvious. The Department of Homeland Security lists as examples of the “commercial facilities sector” professional sports leagues, casinos, campgrounds, and motion picture studios. Many countries might be surprised to discover that the United States considers the Iranian hack of the Las Vegas Sands Corporation and the North Korean hack of Sony Pictures to be attacks on “critical infrastructure.” To avoid creating potentially dangerous confusion over what the norm encompasses, the GGE should agree (if it doesn’t do so in the final report) to a definition of critical infrastructure in the international sphere.
While the GGE countries reached agreement on the norms, it appears that international law did not fare as well. In 2013, the GGE reached consensus on the statement that “[i]nternational law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible [information and communication technology] environment.” (As I discussed in an earlier post, China and Russia have since seemed to back away from the applicability of international law and the UN Charter.)
In a blog post on this year’s GGE, State Department Deputy Cyber Coordinator Michele Markoff noted that the US intended to build on the 2013 consensus about the applicability of international law in this GGE. She explained, however, that “[m]ore robust statements on how international law applies were contested by a few key States, and we did not achieve all of the progress we would have liked in this area.” Politico identifies Russia, China, Pakistan, Malaysia, and Belarus as among the states opposing the US position on international law.
However, Markoff also claims that the GGE “took a step forward in its report by highlighting that the UN Charter applies in its entirety, affirming the applicability of the inherent right to self-defense as recognized in Article 51 of the Charter, and noting the applicability of the law of armed conflict’s fundamental principles of humanity, necessity, proportionality, and distinction.”
Agreement among the GGE members that the law of armed conflict principles apply would be significant, but here again, the exact language of the report will matter. And there will likely remain an open question about whether there is an agreed interpretation of the text. GGE rapporteur Jim Lewis of the Center for Strategic and International Studies described the international law portion of the report as “workaround language.” Whether the workaround language actually works to create consensus in practice may become clear only over time.