International agreement over cyberspace is one of the most challenging issues of the 21st century. It is different compared to regulating other domains such as sea, land, air, and even space.
Cyberspace is a dynamically evolving domain, full of contradictions: on the one hand, it exists beyond national borders; however, every country has different legislations around it. The ubiquitous spread of information technologies has made civilian infrastructure vulnerable; however, governments and the military have very limited ability to ensure security because private IT companies have significant leverage.
Addressing these challenges implies finding the proper balance between government responsibility without hampering the development of civilian infrastructure and consumer demand at both the national and international levels.
It is notable that cybersecurity regulations have appeared to be a controversy in Russia-West relations long before their 2014 deterioration over Ukraine.
Russia has promoted the idea of International Information Security (IIS) since the late 1990s. According to Russian officials, IIS implies that all countries commit to refrain from the military use of information technologies. That idea was relevant in the 1990s and early 2000s, when the international community was exploring the new opportunities of cyberspace. IIS implied establishing government control over the information field and take responsibility for illegal activities. Russia consistently promoted the idea of IIS through the UN. In 2004, Russia established a Group of Government Experts to discuss and exchange opinions around international cyber regulations. The GGE process produced a number of reports, which contained a detailed explanation of different countries’ positions and approaches to cyberspace regulations.
Today, it is interesting to note that cyberspace regulation became a sticking point in Russian-US relations long before their dramatic deterioration in 2014. The United States has never shared the Russian approach towards the issue. The US has developed military cyber capabilities and never wanted to make a commitment that might somehow hinder this particular form of self-defense. Besides, the American economy depends on global demand for IT goods and services (most of which are American). Russia sees this as a way to establish a unipolar world order, led by the US.
Russia’s IIS approach may be explained as opposite to the principle of American net neutrality. The US government, especial under Democratic administrations, has adopted the idea that technology itself is non-political. And the role of the government is to ensure equal opportunities for those who use information technologies. Such approach implies limited government responsibility and encourages individual empowerment.
In 2018, Russia’s suggestion to create the Open-Ended Working Group (OEWG) was supported by the majority of UN members. Washington never promoted an alternative to IIS, however, in 2018, it chose to continue the discussion around global cybersecurity regulations within the GGE framework – a decision which came as a surprise to many countries, including the US. That is how the discussion of cybersecurity regulation was divided into two formats under the auspices of the United Nations. The support of two UN resolutions over OEWG and GGE highlighted the existence of a global digital divide, with the cosponsors of the Russian resolution – mostly Asian, African, and Latin American countries – on the one hand and the American project on the other, which was mostly supported by Europe and Western democracies.
Along with the development of information technologies, the global cybersecurity agenda expanded, too. Many countries have developed military cyber capabilities; however, it became clear that nonmilitary cyberthreats may be even more dangerous. The global demand for social networks and social media content has made internet technologies a priceless political tool. It became possible to influence public opinion and interfere with domestic politics, especially electoral processes. Criminal activity on the internet has also reached unprecedented scale and keeps growing. National infrastructures have become more critical for national security and equally vulnerable to civilian hackers as well as military specialists.
The need for an international agreement on cybersecurity has become more urgent. It is great that both the new GGE and OEWG have finished the first stages of their work with consensus reports. The UN resolution aimed at countering cybercrime is also a significant accomplishment.
Crucially, the reports of the two working groups didn’t force the international community to choose between Russian and American approaches to cybersecurity. It is notable that most of the participants of GGE and OEWG processes also participate in other organizations and contribute to working out the norms of global cybersecurity – such as NATO, OECD, SoC, CSTO, and others. As such, the United Nations and other international organizations may be efficient in developing the norms, related to the issues that states can take responsibility for.
However, different perceptions of the nature of cyberthreats keep clashing. Russia insists on information security, stressing that the problem is mostly related to the content of information rather than the technical vulnerability. The US, in turn, continues to emphasise the cyber nature of the problem, meaning that once the technical safety of communication is ensured, security will also be guaranteed.
The military aspect of the global cybersecurity debate is very important. However, approaching cyberconflict prevention with cyber doomsday devices seems a little misguided. In fact, the single use of a cyber weapon is less likely to inflict damage like a nuclear weapon might. It is instead likely to be used as a tactical tool in conflict along with many other forms of influence and aggression.
Critically, obscure definitions and different national perceptions of the very phenomenon of aggression in cyberspace are a serious obstacle to international negotiations. Thus, the international community needs to work out a mutually acceptable definition of the notions of cyberaggression, national sovereignty in cyberspace, and cyberweapons.
Finally, cooperative efforts should be aimed at preventing conflict escalation in general, not only in cyberspace. The only possible way to do that is through dialogue.