The prospects of developing norms of state behavior in cyberspace have been looking positively bleak recently. The Lazarus Group, which appears to have ties to North Korea, is suspected of being behind the WannaCry ransomware attacks that spread to 150 countries and hobbled the UK’s National Health Service. Russian hackers have been named as the culprits in the hacking of the Democratic National Committee (DNC), and are suspected of being responsible for blackouts in Kiev in 2015 and 2016. This week’s attack, Petya/NotPetyta, first looked like a new version of ransomware, but now seems designed for disruption and destruction. The attack appears to have originated in Ukraine, on the day before a holiday marking the 1996 adoption of that country’s first constitution, so early suspicion is that Moscow is behind the attacks, though this is still highly speculative (Russia itself has also suffered from Petya).
Despite the proliferation of state-backed attacks, for a brief window, there did seem to be some forward movement on cyber norms. This week China and Canada agreed not to conduct cyber espionage for commercial gain against each other. Beijing has now signed similar agreements with the United States, United Kingdom, Australia, and the G-7 and G-20. In 2013, a group of government experts (GGE) at the UN agreed that international law, and especially the UN Charter, applies to state activity cyberspace. In 2015, the same group agreed to four peacetime norms promoted by the United States: states should not interfere with each other’s critical infrastructure; they should not target each other’s computer emergency response teams; they should assist other nations investigating cyberattacks; and they are responsible for actions that originate from their territory.
That process seems to have reached a dead end. Last week, Michelle Markoff, deputy coordinator for cyber issues in the State Department published an explanation of the U.S. position at the end of the 2016-2017 GGE process. Markoff’s frustration is palpable, as she writes the current “report falls short of our mandate and doesn’t meets the standard that the previous GGEs have set for us.” The sticking point is the application of international law. The United States wanted to use the report to begin explaining exactly how international law applies in cyberspace, especially in the areas of the exercise of the inherent right of self-defense and the law of state responsibility, including countermeasures. Other participants argued that it was too early in the development of cyberspace to have such deliberations, and would in themselves be destabilizing. They would be “incompatible with the messages the Group should be sending regarding the peaceful settlement of disputes and conflict prevention.”
Markoff does not call out the obstructionist states by name, but it is safe to assume China and Russia were among them. Beijing has never liked the idea that international law applies to cyberspace, and began walking back the 2013 report almost as soon as the ink was dry. Chinese officials have consistently stressed the UN Charter and the importance of sovereignty without mentioning the rest of international law. During the 2015 meeting of the UN group, China’s representative proposed taking out all references to international law in the upcoming report. In the wake of the DNC hack, Moscow would certainly not support discussions about countermeasures, which might cover U.S. reprisals for hacking and information operations.
The pessimist would argue that this was a fool’s errand from the beginning. But if this is the end of the GGE process, where to next? Within the U.S. government, there has been considerable debate on the best way to develop cyber norms. One side argues that it is best to build norms with U.S. adversaries first to set the ground rules with those most likely to challenge U.S. interests. The other side argues that it is best to build a coalition of norm adherents—“good guys” in the words of the cybersecurity coordinator at the State Department—that would help build cooperative responses and act as a deterrent. With the deadlock of the UN process, White House Homeland Security Advisor Tom Bossert seems to be signalling that the United States is going to put less emphasis norm building with adversaries and spend more time working with the good guys, calling out bad behavior, and, eventually, hopefully, imposing costs for disruptions.
Correction: A previous version of this post associated countermeasures with the law of self-defense. It is in fact associated with the law of state responsibility. Thank you to the lawyers who pointed this out.