A United Nations body has agreed for the first time that there are rules of the road in cyberspace that all nations should respect, even during peacetime, a senior State Department official tells POLITICO.
It’s a breakthrough for U.S. diplomats, who have been pushing these “norms” as an alternative to formal treaties as a way to help tame the lawless frontier of cyberspace.
The next U.N. General Assembly must adopt the norms before they’re binding on nations — an endorsement that’s far from assured.
Still, it’s more likely they will be adopted by other international organizations or individual nations, the State Department official told POLITICO.
The Group of Governmental Experts “has tended to be the beacon, the framework that other states really look to for these types of issues,” the official said.
The norms are included in the consensus document produced by the panel of experts from 20 nations.
That report was sent to U.N. Secretary General Ban Ki-moon after the group completed its work last week and will be officially released in about six weeks after it’s been reviewed and translated, the official said.
Excluded from the consensus document was another U.S. proposal: One that sought to spell out the implications of a 2013 experts’ group agreement that international law generally applies in cyberspace just as it does on land or at sea.
That proposal was rebuffed by a bloc of nations — including Russia, China, Pakistan, Malaysia and Belarus — that argued the move would institutionalize U.S. hegemony in cyberspace, said James Lewis, the experts’ group rapporteur and director of the Center for Strategic and International Studies’ Strategic Technologies Program.
Specifically, the U.S. wanted to include a reference to Article 51 of the U.N. Charter, which authorizes the use of force in self defense against an “armed attack” and would add legitimacy to a military response to a cyberattack that caused death and destruction.
“The Chinese line was ‘we don’t want to say Article 51, because that would militarize cyberspace and that’s a zone of peace,’” Lewis said.
Unspoken, he said, was a concern that “the U.S. will use this to legitimize some kind of counteraction for things like OPM,” a reference to the breach of millions of federal employee records at the Office of Personnel Management that officials have anonymously attributed to China.
As a result of the objections, the experts’ group ultimately agreed to workaround language that endorsed the essence of Article 51 without referencing the document, Lewis said.
“There’s language in there that makes it clear that the right of self defense applies and you have to observe principles of [the Law of Armed Conflict] in doing it,” Lewis said. “Some of this was thinking of ways to say Article 51 without saying it.”
In general, Lewis said, the discussions were dogged by anger from Russia, China and other nations over non-cyber issues, including the U.S. use of drones to hunt terrorists abroad and, to a lesser extent, NSA surveillance.
“People say: ‘[the U.S.] violates national sovereignty; you do what you want; this is contrary to international law and you don’t care. That’s a little hypocritical,’” Lewis said, “but this is the U.N. after all. The Russians and Chinese want to really damage the U.S., to destroy the system of international relations we’ve created and undo a lot of things we’ve done since the Cold War.”
The takeaway, Lewis said, is that the world’s a long way from agreeing on basic principles of cyber sovereignty and those principles may not be written on U.S. terms.
“We’ve assumed that countries have a common understanding of how the world works and this shows that’s increasingly not the case,” he said.
Lewis added that the Russian delegation requested that another GGE be held in 2016.
“The Russians seem to think they have the upper hand and they think they can dominate another GGE and get it to endorse what they want, so that’s a dilemma,” he said. “They’re probably not wrong, but it’s not as easy as they make out.”
As rapporteur, Lewis’ job was to be a neutral arbiter helping the delegates reach consensus.
The State Department official described the document’s international law section as “a very worthwhile step forward from 2013” but also “more ambiguous than we would have liked.”
“Certain countries had always been sensitive about being more specific and that sensitivity continued,” the official added.
The agreement on norms that the U.S. government has successfully lobbied for, however, suggests the U.S. does maintain significant influence in the world of cyber diplomacy, despite anger over larger foreign policy issues, analysts said.
“Even in the face of all the ways these countries can distrust each other, we still have stuff to agree on,” said Jason Healey, a senior fellow and former director at the Atlantic Council’s Cyber Statecraft Initiative. “That, to me, is really the important message out of this. As crappy as the world has been the last two years … that we can still find stuff to agree on is a wonderful bellwether for maybe we’re starting to come to terms and have more agreement on this.”
An interagency group in the U.S. government adopted the three norms as official government policy earlier this year along with a fourth stating the U.S. will not use cyber surveillance to steal information about foreign companies to benefit U.S. firms — something the U.S. has frequently accused the Chinese of doing, including in indictments against five members of the People’s Liberation Army last year.
Secretary of State John Kerry also outlined similar principles during an address in Seoul May 18. That address also prominently criticized North Korea for its 2014 cyberattack against Sony Pictures Entertainment.
The GGE report also includes meaty sections about confidence building measures nations can take in cyberspace, the State Department official said, and on helping developing nations build digital infrastructure and Computer Emergency Response Teams.
“Parts of this were highly contested, but, all in all, [we’re] pleased with most of it,” the official said.
The development of peacetime norms may ultimately be more important than establishing how international law applies during armed conflict, said Catherine Lotrionte, director of Georgetown University’s Institute for Law, Science and Global Security and former assistant general counsel at the CIA.
That’s because the majority of current cyber conflict takes place beneath the level of armed conflict.
Lotrionte urged more specificity on how the norms would apply, for example, by outlining precisely what assistance nations should offer other nations investigating cyberattacks.
When Russia pummeled Estonia with cyberattacks in 2007, she noted, Estonia asked Russia to investigate the attack under an existing mutual legal assistance treaty. Russian officials declined, she said, saying their reading of the MLAT’s wording did not obligate them to assist in that instance.
The adoption of the norms also marks the latest in a string of cyber policy victories by the Obama administration, Healey noted, even as it’s been less successful at warding off cyberattacks from its own networks. In particular, he said, violation of the norms could be used to justify imposing cyber-specific sanctions recently developed by the Treasury Department.
“I’ve been a critic of the White House because I want to see a slugger come in and aim for the fences and the White House has been playing small ball, just a little bit at a time,” Healey said. “But they’ve been getting runs across the plate.”