Alex Grigsby is the assistant director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.
Since 2013, each year has been incrementally better for the United States in its effort to set the ground rules on how states should behave in cyberspace. U.S.-backed norms have received international endorsement at the United Nations, the G7, the G-20, and the Organization for Security and Cooperation in Europe. That successful track record got a slight blemish this June when the UN Group of Governmental Experts failed to agree on a report in which the United States sought explicit detail on how international law applied to cyberspace, particularly the applicability of the law of countermeasures and the inherent right of self-defense.
The reasons for the collapse of the 2016-17 GGE has been covered extensively elsewhere. Since June, two narratives have emerged to explain the absence of consensus. One focuses on the players in the room, whereby participants obtained consensus on about 95 percent of the report and were close to striking a deal had it not been for Cuba’s intransigence at the eleventh hour. The other narrative argues that the collapse was inevitable given the irreconcilable differences in the way in which China, Russia, and the United States view cyberspace as a domain for conflict.
Whatever the cause of the collapse, the United States seems to be shifting course on its norm promotion efforts. In recent months, senior U.S. officials have signaled that they are less interested in creating new norms as they are enforcing those that are already on the books. Washington is looking to work with like-minded states to call out norm violating behavior and impose costs on those who don’t play by the rules. In doing so, the United States could shift its attention away from the UN and the multilateral system and forge ahead with a “coalition of the willing” to promote norm adherence.
The possible shift in the United States’ focus has not prevented the UN from contemplating its future role. In October, UN member states floated ideas on what should happen next in the development of cyber norms. India and Switzerland have suggested the creation of a cyber committee of the General Assembly, largely modelled on the Committee on the Peaceful Uses of Outer Space (COPUOS) set up in 1959. Brazil has suggested that states should consider a new legal framework (at 2:20) that would proscribe offensive first use of cyber operations, deliberately inserting vulnerabilities into IT supply chains, and compromising the “information security” of other states. A number of states have suggested creating an open-ended working group of the General Assembly, a process that would greatly expand the GGE’s membership, but also make the discussion unwieldy and challenging to obtain consensus.
None of these options are particularly appealing. An open-ended working group of the General Assembly would greatly broaden the cyber debate beyond the GGE’s membership, but also make the discussion unmanageable. As I’ve mentioned previously, a COPUOS-like body for cyberspace is unlikely to gain traction with the United States given that COPUOS led to the creation of at least four outer space treaties, something Washington has long resisted for cyberspace. Same goes for Brazil’s proposed legal framework or Russia’s updated information security treaty, which it is allegedly shopping around the UN for support.
As much as the United States will want to create a loose norm-enforcement regime, it is likely to be pulled back into the UN debate, if only to prevent these unpalatable ideas from materializing. There’s a good chance that the United States, Russia, and a select few states will agree to start new GGE talks sometime next fall, pick up where the last one left off and try to keep out as many potential spoilers as possible. The UN GGE process may in fact have something in common with democracy—it’s the worst model, save for all of the others.