The prevailing analogy for the cyber domain, specifically conflict therein, is that of the Wild West. Over the last decade, the world has witnessed the dizzying expansion of cyber conflict. Malicious actors’ recognition that weaponizing cyberspace provides asymmetric benefits over traditional, kinetic domains has only been assisted by the ballooning of digital products and services that introduce additional cyber vulnerabilities. Despite the multilateral diplomatic work on norms in cyberspace dating back to 2004, we seem no closer to a secure and stable internet.
Against this backdrop, the March 2021 adoption of the Russian-led Open Ended Working Group (OEWG) report by all 193 UN nations is remarkable. The report reaffirmed all 11 norms set forth by the previous 2015 Group of Governmental Experts (GGE). Despite the progress made during the OEWG, specifically to bring in more perspectives from external experts, progress is still left to individual states that must now implement those norms, should they choose to. Russia’s explicit advancement of the OEWG, while simultaneously carrying out the SolarWinds cyberattack, only adds to the perception that states can act in bad faith to utilize UN negotiations to change perceptions without changing their actions. What happens now, given that all member nations agreed, at least on paper, to the principles of responsible state behavior in cyberspace? Where do we go from here to hold states accountable to this voluntary, non-binding agreement?
To answer these questions, it may be useful to revisit the concept of norms in the first place. Tracing the general lines of thinking among the major blocs uncovers limitations of the OEWG and GGE processes, even against the backdrop of geopolitical conflict and a theoretical shared goal of stability and security in cyberspace.
In the late 1990s, during the internet revolution, most Americans cheered the dawn of rapid, interconnected communications. Russia took the opposite view, fearing the internet and other information and communications technologies (ICTs) as a further threat to its post-Soviet sovereignty and security. Moscow looked to the UN as a forum for arms control discussions on cyberspace; the US, however, thought existing international law should apply to conflict in cyberspace, arguing for the adoption of norms, based on existing international law, for responsible state behavior.
Beginning in 2004, the United Nations established the GGE process to study responsible state behavior in cyberspace within the context of international security, a process open only to a select group of members. While the GGE process produced some consensus reports and even concluded that international law does apply in cyberspace, activity throughout the mid-2010s underscored deficiencies in the process: a handful of nations conferring behind closed doors were unable to prevent federal and state government entities and the private sector from being pummeled by cyberattacks that did not reach the threshold of cyberwar or declared cyber conflict.
By 2017, the world had dealt with WannaCry, CrashOverride, NotPetya, the Equifax hack, and the 2016 election interference — not to mention the ransomware attacks against small entities and innumerable instances of intellectual property theft — all cyberattacks that caused businesses to lose billions of dollars and sensitive information. At the same time, as the UN GGE collapsed over disagreements between member states, Russia proposed expanding the discussion of cyber rules to all member countries and external organizations through the OEWG, effectively enabling Russia to sidestep the previous GGE consensus reports that recommended that international law apply to cyberspace. Despite US objections to the proposal, support for the OEWG grew because of its inclusion of more outside experts from different countries and sectors, which represented an important development.
Even so, the GGE and OEWG processes present a number of challenges for the creation and adoption of norms, particularly within the UN system. The first, of course, is that the norms are non-binding, providing states a parachute should they decide to put their interests ahead of international agreements. Relatedly, such norms do not explicitly address espionage, a practice that most agree will not be barred, especially in cyberspace, but which comes very close to cyberattack. While the norms do say that states “should not knowingly target critical infrastructure” and should seek to prevent “the use of harmful hidden functions,” they are broad enough to allow for loopholes. The SolarWinds operation, at its most basic level, was (at this point in our understanding) one that targeted a software company to gain information on its customers in the public and private sectors. Its alleged perpetrators deny the operation; in fact, Russia denies having any offensive cyber capabilities, which makes it difficult — if not impossible — to have a constructive dialogue on responsible state behavior in cyberspace.
Norms also seem to contemplate state activity and its security impacts on state entities, not on businesses or other private sector organizations and the grave economic and societal damage they suffer, underscoring the challenge of mapping norms neatly onto the threat landscape. Recognizing these challenges and limitations of norms is an important first step.
The next step is to offer a potential way forward. An international body or partnership is needed to hold countries accountable while incentivizing compliance. A smaller grouping of countries could agree to a declaration that not only sets a higher bar for responsible state behavior in cyberspace, but also addresses the need for cybersecurity principles and the protection of an open, interoperable, and reliable internet. Similar to the Open Government Partnership, countries that endorse the declaration could detail national action plans for satisfying the principles. Capacity building and technical assistance could be provided to member nations through a pooled financial instrument like the Three Seas Initiative Investment Fund, which supports infrastructure investments for European countries located between the Black, Baltic, and Adriatic seas. Unfortunately, existing bodies will not suffice: the OECD does not have enough representation from the global south, geopolitical battling at the UN would dilute the initiative’s initial momentum and efficacy, and neither is necessarily the correct forum in which to establish a pooled investment fund.
Instead, the Biden Administration should seize the opportunity afforded by the forthcoming Summit for Democracies and partner with like-minded nations to move past norms and into action. What better way to demonstrate that democracies can work for their citizens than by meaningfully impacting state behavior in cyberspace, decreasing harms caused by cyberattacks, and ensuring the internet remains open to all?