The stumbling process toward the formulation of norms of state conduct in cyberspace in the United Nations Group of Governmental Experts (GGE) on “Developments in the Field of Information and Telecommunications in the Context of International Security” seems to have hit another bump in the road. Setting out the U.S. position at the end of the GGE’s most recent iteration, State Department official Michele Markoff stated that, while the task of the GGE was to explore potential consensus on the application of international law in cyberspace, including the law of armed conflict, state responsibility and humanitarian law, “I am coming to the unfortunate conclusion that those who are unwilling to affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions.” Moreover, Markoff indicated that “repeated assertions on the part of some participants that a discussion of certain bodies of international law, including the jus ad bellum, international humanitarian law, and the law of State responsibility, would be incompatible with the messages the Group should be sending regarding the peaceful settlement of disputes and conflict prevention” present a false dichotomy.
While Markoff does not explicitly name the nations to which she refers, they are highly likely to include Russia and China. Both countries have taken a skeptical position concerning the application of international law in cyberspace, and sponsored a proposed Code of Conduct in the United Nations General Assembly as an alternative. China in particular proposes a conception of state relations in cyberspace based on a strong assertion of State sovereignty, excluding other elements of international law, and an expanded role for the United Nations and its specialized bodies.
Yet while this diplomatic process is stalling, the number and intensity of (potentially state-sponsored) cyber-attacks continue to escalate, with the recent WannaCry and Petya attacks as only the latest in a troubling series of incidents. Some norms of conduct do seem to be called for if this trend is to be bucked. That, in turn, requires us to explore how a norm could be successfully generated and implemented.
Perhaps the most important point is that, however much one might like to “formulate” a norm in a diplomatic process, norms tend to be formed and reproduced through social practice, not through rhetoric. In other words, for a norm to be validly espoused, it needs to be broadly exercised by those it covers. How does one engender such espousal? The reasons why individuals and organizations conform to social norms are complex. They certainly include simple cost-benefit analyses, which may be backed up by formal sanctioning mechanisms. Yet they also include indoctrination, socialization and habituation: much softer devices to inculcate and perpetuate norms in communities. Essential for that purpose is that both the community and the norm are considered legitimate by the norm-taker.
This is where trouble already starts brewing: basic mutual trust about means and purposes already seems to be lacking among the major players of the GGE. This is not merely the case concerning specific issues affecting cyber policy, but concerning basic positioning in the geo-strategic landscape. Russia, the successor of a once-superpower, has seen the expansion of NATO and the EU as encroachment into its erstwhile sphere of influence. China has developed a keen sensitivity for the fact that regime change in Beijing has been quasi-stated policy in Washington, and followed U.S. interventions elsewhere in the world with close interest. For the U.S., the mere fact that neither Russia nor China subscribes to the idea of a U.S.-led rules-based international order as Washington perceives it suffices to consign them to the political dustbin.
The manifestation of distrust in the overall relationship directly informs perceptions about cyber-related affairs. China and Russia, both acutely aware of their comparative weakness against the might of the U.S. military, see cyber tools as an asymmetric and low-cost means of neutralizing some of those capabilities and becoming more competitive elsewhere. They therefore see U.S. norm-creation efforts as an attempt to curtail their space for action where it has the most potential for effect. Moreover, they see it as a hypocritical attempt, pointing to the Stuxnet attack on an Iranian nuclear facility, the Snowden revelations and the recent cache of NSA cyber tools leaked by the Shadow Brokers hacking collective as evidence that the U.S. has little desire to abide by the norms it claims to promote. In other words, norms require forbearance of potential capabilities, as well as credible means to establish trust about everyone’s abiding by that norm.
This level of distrust has led to a pernicious circle, in which constructive measures become suspect: either a counterpart is further obfuscating its true and cynical purpose when it claims to be constructive, or suspicions are confirmed when another attack takes place or another trove of information is leaked. This is furthermore exacerbated by the fact that hawkish, nationalist voices seem to have become ever more successful in bending the ear of their governments, while pro-engagement voices have become sidelined. Because that too bears remembering: governments themselves are internally conflicted about how to act in cyberspace. The U.S. government both funds TOR and seeks to crack it. The Chinese government both seeks to promote the global success of its national ICT champions, and to erect ever higher walls along the borders of what it perceives to be its own cyber territory. If states can’t come to a coherent position on cyber affairs domestically, what chances for success are there for a body such as the GGE, seeking to lay the groundwork for a comprehensive agreement?
With the GGE now on ice, the initiative in this realm will likely shift to more fragmentary, bilateral or regional initiatives. Since China concluded an agreement with the United States that included clauses opposing economic cyber espionage, it has signed similar accords with the UK, Germany and Canada. A similar consensus was reached at the G20 in 2015. Equally, the private sector may have an important role to play. Microsoft and Huawei jointly published a buyer’s guide for secure tech products, as they both are concerned about expanding regulation and protectionism by each other’s government. For the moment, these initiatives are embryonic. They lack enforcement mechanisms (although that could unkindly be said of most of international law), and economic espionage is something rather different than matters of national security. For the moment, therefore, it is likely that things will get worse before they get better, particularly as ever more actors develop the capabilities to engage in cyber-related attacks. That said, it also must be remembered that, for all the hype, cyber has been, and remains, more a nuisance than a life-and-death threat. The risk of cyber conflict cannot be seen separately from the broader probability of armed conflict between major states. And while cyber activities do exacerbate the risk of unintended escalation, few bellicose intentions can be discerned among major actors.