Cyberspace is a realm in dire need of global norms. Despite the growing number and staggering impact of cyberattacks — across both private and public sectors — cyberspace remains largely ungoverned. Most cyberattacks, like the technology they ride on, cut across borders, rendering national laws and regulations inadequate. The threat is transnational — rules and frameworks must be as well.
As striking as the need for global norms are the challenges in developing them. Global norms will have to bridge ideologies and sectors, as well as to contend with states’ sharply divergent interests and visions of the internet. The most formidable cyber powers aren’t incentivized to yield to global governance frameworks that would have them fetter their own operations. And while some nations recognize the need for global cooperation on cyber governance and security, others have adopted an approach rooted in sovereignty and state control.
Meanwhile, states aren’t the only, or even most important, players in the cybersecurity field. Much of the infrastructure and expertise of cyberspace lies in the hands of private companies. Norms will need their buy-in.
In the face of these challenges, major world powers have yet to agree upon a viable, global agreement on cyber. But nonprofit, multilateral and private sector actors have made progress developing frameworks for navigating cyberspace. Any global, comprehensive effort to develop norms should build on these existing initiatives, capitalizing on their strengths and heeding their shortcomings.
Since 2004, the United Nations has periodically convened meetings to develop cyber norms. The meetings from 2012 to 2015 yielded some important but measured steps forward, with the working group arriving at a consensus that international law does apply to cyberspace — a conclusion that China and Russia publicly signed onto.
However, in the years since, discord among member states has stalled progress and led to equivocal, vague statements and resolutions. The UN itself has not established any norms. It has instead recommended that states do so. It has also failed to draw conclusions on precisely how international law applies to states’ operations in cyberspace. Most recently, during the 2018 General Assembly, the UN approved two separate and divergent resolutions to form further cyber working groups — one tabled by Russia and backed by the likes of China and Cuba, and the other tabled by the United States.
Taking a two-pronged approach risks splintering cyber discussions into groups of like-minded nations and negating the core value of UN resolutions — a truly universal consensus from a globally recognized authority.
The Tallinn Manual is the product of a NATO-led effort to develop an authoritative view on how international law applies to states’ use of cyber force. The manual is intended to serve as a guidebook for governments, providing detailed analysis of when and how laws — including those covering use of force and peacetime espionage — apply to cyber conflict. It pays particular attention to the question of when it is legitimate for a state to retaliate in response to a cyberattack, using either cyber or traditional military means.
The manual finds that, in some cases, a state may be legally entitled to take countermeasures in response to an illegal cyberattack. But the countermeasure must be levied against a state, not a private actor, and the initial attack must be attributed to the state itself, and not another entity acting on its behalf.
Unlike many international collaborations on cyber, the Tallinn Manual is both thorough and specific. As a guidebook without signatories committing to its conclusions, the authors did not need to equivocate and dilute content to win diverse buy-in. However, the manual is heavily security-focused and addresses government challenges. It does not deal with several contentious but important issues of concern for companies, such as intellectual property and trade law.
GCSC Norm Package
Two think tanks — the EastWest Institute and The Hague Center for Strategic Studies — created the Global Commission on the Stability of Cyberspace (GCSC) with the goal of “supporting policy and norms coherence” on security in cyberspace. The Norm Package, published in 2018, is the product of consultations with governments, companies, civil society and various branches of the UN. The GCSC norms are comprehensive, covering areas of concern across sectors, with both state and non-state actors encouraged to implement the norms.
Some of the norms are quite straightforward. For instance, they call for commitments to reduce significant cyber vulnerabilities and avoid tampering with online products and services. More complex (and of particular interest for the private sector) is a norm calling for states to “enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene” — a sound concept, but the devil will lie in the details.
The document leaves important questions unanswered. For instance, should states develop voluntary frameworks, along the lines of the US NIST Cybersecurity Framework, or create binding regulations with enforcement mechanisms? Many thorny issues will get punted to states, whose approaches are likely to diverge. So while the norm is a strong start, it doesn’t go far enough in supplying a detailed, thorough foundation on which globally harmonized regulations can be built.
Budapest Convention on Cybercrime
The Budapest Convention on Cybercrime, drawn up by the Council of Europe in 2001, is the first international, legally binding treaty to address cybercrime. It aims to harmonize national laws on cybercrime and establish an efficient regime for international cooperation in cybercrime investigations.
Its signatories — over 60 in total — extend beyond Europe to include the United States, Canada, Japan and others. But global inclusivity has proven a challenge. Russia opposes the convention on the grounds that it violates state sovereignty by allowing signatories to access data housed in other jurisdictions during cybercrime investigations. It has instead proposed a UN global treaty that would not allow for cross-border access to data without a license from national security agencies.
Other large nations, like India and Brazil, have also declined to sign on. They protest not being included in the drafting process, reflecting the ongoing tension between rich and middle-income nations in developing international agreements.
The Paris Call for Trust and Security in Cyberspace is an attempt to solve the challenge of norms fragmentation and the proliferation of sector-specific, and even industry-specific, initiatives. It is the most ambitious state effort to engage all major actors in cyberspace, across various sectors, and create a broad, overarching umbrella agreement that assimilates existing agreements and norms. It has been largely successful on these counts, with over 50 nations and hundreds of private companies, universities and nonprofits endorsing the Paris Call.
However, some of the world’s greatest cyber powers — the US, Iran, Russia, China and Israel — opted out. And the content of the call is more a series of high-level aims than specific norms or rules for signatories to adhere to.
Microsoft Cybersecurity Tech Accord
Given that many, if not most, of any country’s attack surfaces are in private hands, it is unsurprising that some companies have championed collaborative efforts to strengthen security, and none more so than Microsoft. Brad Smith, Microsoft’s president, has called for a “Digital Geneva Convention” that would commit governments to following norms for protecting civilians online.
In the meantime, Microsoft has led cybersecurity efforts among private actors, corralling fellow tech companies to develop the Cybersecurity Tech Accord. Signatories commit to core principles, including pledging to protect users and customers around the globe from cyberattacks, such as by delivering products and services that prioritize security and privacy, and agreeing not to help any governments launch cyberattacks against innocent civilians or companies.
Nearly 100 companies have signed on since Microsoft launched the accord in 2018. But several major players, like Google and Amazon, have held off, not wanting to preclude the possibility of future government contracts that might run afoul of the accord’s stance against assisting state cyberattacks.
Many of these efforts are high-level and ambiguous. Some are more symbolic than substantial. And the efforts that do offer robust guidance and specific norms tend to represent only subsets of actors (like the Budapest Convention or Microsoft Tech Accord) or serve as resources, not sign-on agreements (like the Tallinn Manual).
Nevertheless, cumulatively, these frameworks begin to lend structure and “rules of the road” to cyberspace. Broader, cross-sector global norms that move the world closer to a common standard should build upon these initiatives. Greater proliferation of disparate norms will not make the internet safer. Weaving together the best elements of an existing foundation can.
[Sabina Frizell is a global public policy manager at Visa, Inc., focused on technology policy in emerging markets. Views are the author’s own and do not reflect Visa enterprise views.]
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.