Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.
A little over two weeks ago, Xinhua, China’s state-run news site, reported that China and Russia, along with their Shanghai Cooperation Organization partners Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan, had jointly submitted an update of their International Code of Conduct on Information Security to the UN Secretary General. The text of the updated code has now been posted to the UN website and is available here.
China, Russia, Tajikistan and Uzbekistan first circulated an International Code of Conduct on Information Security for the consideration of UN member states in 2011. China and Russia framed the promotion of the code as their contribution to the then nascent debate on the promotion of norms for state behavior in cyberspace. Many Western countries, including the United States, largely dismissed the code, arguing that it was an attempt by the four countries to justify greater state control the Internet’s governance structures and online content.
Overall, the new text seems to simply update the 2011 code to take into account developments that have occurred since then. The new code references the 2012-2013 report of the group of governmental experts (GGE) on developments in the field of information and telecommunications in the context of international security and the UN Human Rights Council’s Internet freedom resolution. Not surprisingly, Moscow and Beijing have altered or selectively quoted the text to promote their longstanding positions on cyber issues, such as the need for new international law for cyberspace and the concept of "cyber sovereignty." For example, the code references a line in paragraph sixteen of the GGE report that says that “additional norms could be developed over time” without mentioning the same GGE report stresses that “international law, and in particular the Charter, is applicable and essential” to promoting peace and security in cyberspace. The same thing happens in article seven of the code, which begins by referring to the Human Rights Council’s affirmation that “the same rights people have offline must also be protected online,” but then concludes on how those rights may be restricted to protect national security, public order, health or morals.
Other modifications in the updated code seem to soften China and Russia’s stance on states taking a leadership role on Internet governance issues. For example, the update eliminates language which argued that states had to "lead all elements of society, including its information and communication partnerships with the private sector, to understand their roles and responsibilities with regards to information security." Instead, the code now asserts that "all states must play the same role in, and carry equal responsibility for, international governance of the Internet, its security, continuity and stability of operation" and that "states must cooperate fully with other interested parties [...], including private sector and civil society institutions, of their responsibility to ensure information security." The change is probably more a shift in style and presentation, than one in substance.
It’s unlikely that the Russians and Chinese updated the code to make it more palatable to Western countries. There are no changes that could be deemed an olive branch, such as an affirmation of the applicability of existing international law, to get the United States and its allies to the bargaining table. In fact, the United States may interpret it as a step backwards since it came out of the 2012-2013 GGE meeting trumpeting China and Russia’s agreement that the UN Charter and international law apply in cyberspace. It much more likely that the amendments are designed to appeal to developing and middle-income countries that recognize the power of an open Internet for economic development but fear its cybersecurity risks and disruptive power. China and Russia’s message, which failed to gain traction in 2011, may be more attractive to these middle-ground countries in light of the Snowden revelations and the likely delay of the Internet Assigned Numbers Authority transition process.
There are no indications yet as to what the code’s sponsors intend to do with the updated document. Right now, the code exists only as a letter to the UN secretary general distributed to all UN member states. In essence, it’s a food-for-thought document that its sponsors will use to engage other UN members on cyber issues. It is entirely possible that they could introduce the code as a General Assembly resolution in September 2015, or even as an outcome of the anticipated tenth year anniversary of the World Summit on Information Society high-level event scheduled for December 2015. If they do, we will have a better sense of how attractive the newly updated code is to the rest of the world.