A British intelligence agency warned this week that cyberattacks threatening the United Kingdom’s security doubled in a year, and similar challenges face every nation with digital infrastructure, leading policymakers to pursue the development of new norms of behavior in cyberspace. What has already been achieved in the area, and what obstacles stand in the way of further progress?
As the target of much cyber activity, the United States has faced significant pressure to take the lead on the issue. Last week, five Congress members issued a bipartisan call for Washington to spearhead the formation of comprehensive international principles, which followed a House bill calling for a plan of action incorporating “bilateral and multilateral” activities.
On the bilateral level, the US and China already concluded an agreement on economic cyberespionage in September, though it remains to be seen whether this will have any concrete effect. US officials have been cautious in their opinions, and policy experts have also taken a wait-and-see approach. Nonetheless, it remains significant that there is now a framework in place between the world’s two biggest economies for dealing with the challenge.
Ensuring the political will on both sides to effectively implement the deal will now be crucial. In this regard, China’s President Xi Jinping may experience domestic political pressure to tread softly. As one analyst pointed out, members of China’s People’s Liberation Army (PLA) have been known to “moonlight” in hacking US companies. If that source of extra income is threatened, the PLA may act to undermine or circumvent the agreement.
These potential impediments aside, China concluded a second such agreement with the UK in October, with terms that are essentially the same as those reached with the US. Together, these developments offer evidence, at least rhetorically, that major nations are starting to define and shape the contours of acceptable practice and conduct in cyberspace.
The emergence of international norms in this domain is significant. Many have compared the current state of affairs to “the Wild West,” with substantial potential for unforeseen consequences and associated harm to innocent third parties. On the other hand, the task of specifying and building fundamental rules that can be agreed upon by the global community is much easier said than done.
For one thing, national governments may be loath to limit their own freedom of action, unless presented with a clear and convincing case that doing so will be in their best interests. That calculus is further complicated by the multitude of actors with possible influence and impact. Many sub-state and non-state groups and individuals possess significant cyber capabilities, which national governments must factor into their strategies.
Iran is a good example of the task facing policymakers. Having been on the receiving end of the Stuxnet worm—thought to have been developed by the US to slow Tehran’s progress towards a nuclear weapon—it proceeded to invest heavily in both offensive and defensive cyber capabilities. Iranian “cyberweapons” have already targeted the navy, banks, and a casino in the US, and the largest oil producer in Saudi Arabia.
During talks leading up to the recent nuclear deal, Iran-based cyberattacks on US targets were reported to have been scaled back. Whether the actual deal being in place will continue to moderate Iran’s cyber behavior, or allow it to double down on its activity, is now the question. Some argue that Tehran’s successful diplomatic foray may see it curb the use of cyberattacks as an instrument of statecraft. Some contend it may simply redirect its efforts and resources into cyberespionage. The latest indicators are not promising, with the Wall Street Journal reporting the US had recently detected a “flurry” of Iranian hacking.
Despite these inherent difficulties, multiple efforts are already underway to develop larger, multilateral regimes that would apply to actions in cyberspace and their intersection with the physical world. The Tallinn Manual, along with its scheduled follow-up Tallinn 2.0, is one such example. The work of a group of independent global experts contracted by the NATO Cooperative Cyber Defence Centre of Excellence, it explores how existing international legislation applies to cyber warfare. Upon its 2013 release, the project’s director noted that there was “plenty of law that applies to cyberspace.”
The Tallinn Manual is the first wide-ranging effort of its nature. Though non-binding, it has become a key document for legal scholars and government officials. Tallinn 2.0, which is expected to arrive in the latter half of 2016, will reflect input and feedback from an even broader range of sources, including governments and external academics.
A group of national governmental experts working under United Nations auspices is also exploring cyberspace norms and principles, as well as confidence- and capacity-building measures. Among other things, the group’s latest report addresses the protection of critical infrastructure against “malicious” information and communication technology (ICT) threats. Noting that timely assistance has not always been forthcoming, it recommends that states respond to appropriate requests by others whose critical infrastructure is threatened.
The UN group’s report also calls for a baseline criterion for justifiably and publicly characterizing cyber activity as state-sponsored: “the indication that an ICT activity was launched or otherwise originates from a State’s territory…may be insufficient.” As one commentator observes, the report contains some small but genuinely important steps.
Cybersecurity provisions were also contained in the Trans-Pacific Partnership (TPP) trade deal recently agreed between 12 Pacific Rim countries. Its authors claim these are the first-ever commitments made in a free trade agreement for cooperation on responding to cyber threats. Specifically, the TPP encourages “cooperation on policies regarding personal information protection, online consumer protection, cybersecurity threats and cybersecurity capacity.”
Nonetheless, TPP critics contend that the pact, which encourages “the free flow of data between borders,” may hinder privacy, and thus be counterproductive. The manner in which the TPP was negotiated is also a concern, with many arguing that key stakeholders did not have a seat at the table.
As with agreements of any nature, the challenge of effectively implementing international cyber regimes will be more difficult if attempts are made to introduce legally binding clauses, rather than to merely encourage cooperation or compliance. Reconciling the often divergent views of states by other means may also be impracticable at particular moments or in certain circumstances. The development of norms is therefore proceeding in incremental fashion, even if the associated challenges are manifold and complex. Still, there does seem to be a growing desire for at least a roadmap, with basic signposts established in important quarters. The question is, can its development keep pace with that of new threats to cybersecurity?
Sharon L. Cardash is Associate Director of the George Washington University Center for Cyber and Homeland Security, Washington, DC.