“It’s high time to have a serious discussion about the international legal framework in which cyberwars take place,” UN Secretary General António Guterres said during his opening remarks at the Munich Security Conference earlier this month. It was the first time the head of the UN had made such explicit remarks on creating cyber norms. And he repeated them a few days later, in a speech at the University of Lisbon, urging world leaders to agree on global rules applying to cyberspace.
But his comments aren’t out of the blue. Last year witnessed the most disruptive cyber incidents to date. New kinds of exploits targeted governments, industries, and organizations across the world, from the international spread of WannaCry and Petya/NotPetya ransomware to dozens of large data breaches, including those that hit Equifax and Deloitte. Meanwhile, efforts by the international community to advance more robust rules of the road collapsed. In June, the UN Group of Governmental Experts (UN GGE) – a working group of experts from 25 countries, including the U.S., Russia, and China, which was created by the UN to study emerging threats in information security – failed to come to a consensus in its efforts to advance norms for responsible state behavior in cyberspace.
It’s not all bad news though. Much progress has in fact been made over the past decade in various global and regional fora. The Cyber Norms Index, produced by the Carnegie Endowment for International Peace, depicts a promising pattern of bilateral and multilateral activity that has resulted in commitments and declarations that outline shared interests, concerns, and goals in the cyber domain. These remain primarily aspirational for now, but international diplomacy tends to move at the speed of decades rather than years. In this context, this is arguably remarkable progress. An open question is how and where to further advance these efforts. Here is a summary of three options, which are not necessarily mutually exclusive.
Continuation of the UN GGE Process
Despite recent setbacks, all hope has not been lost in the UN GGE process, though each of the potential next steps comes with trade-offs. Last year’s GGE breakdown has raised the question how the process could continue in the future. Some states have been discussing that the GGE’s work should transition to an open-ended working group, which would convene a much larger group of states, thereby increasing its legitimacy but also likely exacerbating existing obstacles to consensus. Alternatively, the GGE’s work could be transferred to an entirely new cyber committee of the General Assembly, much like the UN Committee on the Peaceful Uses of Outer Space, which has guided the adoption of a series of treaties and principles to govern the exploration and use of space. Others have floated the idea to move parts of the discussion into other committees of the UN General Assembly, for example, its 6th Committee focusing on the legal questions. The differences between the options may seem benign from the outside but could significantly shape the outcome of the diplomatic negotiations depending on who gets to sit at the table, what will be discussed, and whether discussions are bundled together or separated.
Another scenario is that states agree to embark on a new round of GGE talks. This effort would pick up where the 2017 GGE left off in its work toward cyber norms, but would also revive the same questions that plagued previous discussions, namely how best to apply international law. Finally, diplomats might find a new hybrid format that would satisfy the various expectations among member states. Ultimately, the challenge of overcoming past divisions within the GGE may prove less daunting than that of realizing more ambitious and far-reaching proposals such as Microsoft’s Digital Geneva Convention.
A Digital Geneva Convention
The most ambitious proposal at present is Microsoft’s idea for a Digital Geneva Convention. Originally announced in early 2017, the company doubled down on its push for the plan last month when its president, Brad Smith, outlined it at the World Economic Forum in Davos, Switzerland. Microsoft’s recommendations involve three components covering governments, industry, and non-governmental organizations. The Digital Geneva Convention would ask nation-states to refrain from launching cyberattacks targeting the private sector, critical infrastructure, or intellectual property. It would call on the tech sector to agree on shared principles and behaviors such as conducting “100 percent defense and zero percent offense” and operating as a “neutral Digital Switzerland,” ensuring protection for all customers regardless of country. It would also create an independent non-governmental organization that would investigate and publicly attribute cyberattacks to specific states. While significantly different in substance, Microsoft’s proposal is similar in its level of ambition to the international code of conduct for information security, a proposed set of rules backed by Russia and China that would enshrine their vision for state sovereignty and information control in cyberspace. Realizing such broad achievements would require significant global agreement and participation across the public and private sectors, something that has thus far proved impossible in the cyber domain where states continue to disagree even about the meaning of cybersecurity and information security respectively.
More Tailored Initiatives
A third approach to further advance cyber norms would follow the thinking behind the 2015 agreement between the U.S. and China regarding the cyber-enabled theft of intellectual property. It remains the most effective commitment to date, with multiple reports that it has contributed to a decrease in malicious activity between the two countries. White House Homeland Security Adviser Tom Bossert has stated that the American approach to cyber norms under the Trump administration will shift from multilateral to bilateral engagement. This reflects a practical judgment that addressing specific relationships or aspects of cybersecurity will be more fruitful than pursuing a grand bargain approach for norms. This sort of narrowly tailored deal-making shows a separate path of more specific commitments that also provides greater opportunities to engage industry. A more narrowly defined approach is the logic behind the Carnegie Endowment’s proposal for an agreement at the G20 focusing on cybersecurity and financial stability. By zooming in on a more narrowly defined area of common interest, such a proposal effectively avoids having to reconcile states’ competing philosophies concerning the overall governance of cyberspace, allowing otherwise-opponents to arrive at specific consensus.
Which Path Will Be Taken?
At this crucial point for global cyber norms, how individual states choose to engage will greatly impact the future of the collective endeavor. The White House is currently working to produce a new cybersecurity strategy, which will shed light on which of these three options—or mix thereof—the Trump administration will pursue, and, as a result, on what will be possible on the international stage. Much remains to be seen about the specific path that cyber norms-building efforts will take, but international engagement on this issue—including the recent discussions in Munich—are clearly a necessity. This makes the 2017 UN GGE’s truncation more of a temporary pit stop than long-term abandonment for a norms-based international order in cyberspace.