Last week at a meeting which spent most of its time focusing on how U.S. cyberspace policy could recover in the wake of the Snowden revelations, the panel was asked whether there was any good news to report. I mentioned, with what I thought was some hedging, the June 2013 report from the third UN Group of Government Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security .
For the first time, the group, which is made up of fifteen member nations including Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, Russia, the UK, and the United States, came to a consensus. The report affirms that "international law, and in particular, the United Nations Charter" applies to cyberspace and that there was a norm of state responsibility—states must meet their international obligations regarding internationally wrongful acts attributable to them. That is, states must do something about cyber attacks that come from within their territory.
In the context of the U.S.-China relationship, this seemed like a step forward. The United States has been maintaining that international law, including the Laws of Armed Conflict, covers the use of information and communication technologies (see, for example, this September 2012 speech by Harold Koh, the former legal adviser to the State Department). China, by contrast, has traditionally argued that conventional law has not kept up with technological changes, that it is too narrow, and that it should be supplemented with new treaties, including perhaps arms control treaties for cyber weapons. The State Department used the consensus on the report to push the line that the Laws of Armed Conflict applied to cyberspace, arguing in a statement that all are parties to the UN Charter, which seeks to prevent all kinds of war; that all subscribe to the Geneva Conventions; and that these norms are particularly important for cyberspace.
At the time, I thought it was good of the State Department to make this argument, but we shouldn’t assume that China agreed with the logic. The GGE report also notes that "State sovereignty and international norms and principles that flow from sovereignty apply to State conduct." It seemed more than likely that China would focus on the sovereignty principles of the UN Charter as much as, if not more than, the norms of conflict.
A recent speech given by Lu Wei of China’s State Internet Information Office suggests that the skepticism was warranted. Speaking to the Second China-South Korea Internet Roundtable on Tuesday, Lu spoke of the need to safeguard network security sovereignty. Sovereignty, in Lu’s conception, was an evolving concept. Just as the 17th century saw the extension of national sovereignty over parts of the sea, and the 20th over airspace, national sovereignty is now being extended to cyberspace. Information services could cross borders, "but cyberspace cannot live without sovereignty." States should proceed from the principles of the UN Charter, and Lu suggested that China and South Korea work together to develop a multilateral framework for the governance of the Internet under the UN.
I still think that the GGE was one of the bright spots in a very difficult year. And I doubt the State Department ever thought the GGE was the ending and not the beginning of the argument. But Lu Wei’s speech is a bracing reminder that the norms of cyberspace remain highly contested.