Can the Law Restrain Nations in Cyberspace?

The top U.S. cyber diplomat will no longer have the direct ear of Secretary of State Rex Tillerson. The impending closure of the U.S. State Department’s Office of the Coordinator for Cyber Issues, established under President Barack Obama in 2011, has left some in dismay on how cybersecurity plays into the Trump Administration’s “America First” foreign policy. The task of conducting U.S. cyber diplomacy abroad is rumored to now fall under the State Department’s Bureau of Economic and Business Affairs.

The news came in quick succession after the failure of the 5^th United Nations Group of Governmental Experts (GGE) discussions on “developments in the field of information and telecommunications in the context of international security” to reach consensus on the applicability of international law to actions taken in cyberspace. While past GGE negotiations have proved relatively successful – largely because they focused on establishing fluid norms, rather than strict legal frameworks – the collapsed platform, taken alongside the regelation of America’s cyber diplomacy to the background, could suggest a U.S. withdrawal from the conversation on state use of cyber capabilities. This comes at a time when militaries around the world have been tasked with undertaking offensive cyber missions.

Why did the most recent GGE negotiations fail when past discussion found success?

The discussions were initially prompted by Russia, when Moscow submitted an agenda to the First Committee of the UN General Assembly in 1998, calling upon member states to “promote at multilateral levels the consideration of existing and potential threats in the field of information security” – using the term “information security” as opposed to “cybersecurity” to convey focus on the control, rather than free flow, of information.

The first GGE, established in 2004, failed to produce consensus over disagreements over whether the free flow of information across borders was a national security concern. The second 15-member discussions in 2009, following disruptive Russian cyber operations in Estonia and Georgia, did little but urge dialogue on norms for state use of cyber capabilities, particularly for the protection of critical infrastructure – with little definition of what the term actually entails.

Then, in 2013, following the demonstration of the physical damage a cyber attack could cause by the Stuxnet worm’s sabotage of an Iranian nuclear facility in Natanz, the GGE hit a landmark, agreeing that “international law, in particular, the UN Charter, is applicable to the cyber-sphere.”

A year later, the 4^th GGE was established, expanding their membership to 20 countries ranging from the P5 powers to emerging digital players like Brazil, Colombia, Egypt, Kenya, Malaysia, India, and Pakistan. The group produced language indicating that state sovereignty applies to conduct and jurisdiction within a state’s borders, state cybersecurity efforts must go hand-in-hand with respect for human rights and fundamental freedoms, and states must not use proxies to commit wrongful acts and must ensure that their territories are not used by non-state actors for unlawful cyber operations.

But while the growth in membership of the 5^th and seemingly final GGE up to 25 countries was intended to add credibility to the discussions – so it did not appear that the larger countries were merely determining the fate of conduct in cyberspace without the input of up-and-coming powers – it also complicated the matter further. Once members delved into the details of international law, particularly issues of self-defense under Article 51 of the UN Charter, the law of countermeasures in response to actions below the threshold of the use of force, and international humanitarian law – to include requirements of necessity, distinction, and proportionality – certain countries, led by Russia and China, began to back away from consensus.

Think of the recent NotPetya worm targeting Ukrainian tax software that propagated, encrypting data around the world as it moved from network to network, or the 2015 disruptive cyber attack on the Ukrainian power grid, which caused a six-hour blackout, affecting civilian businesses and utilities in the dead of winter. These cyber attacks did not adequately differentiate between civilian and legitimate targets, and the definitions of what is proportional and distinct in cyberspace has been blurred.

In a similar vein, should the U.S. respond in proportion to the cyber capabilities Russia used against the Democratic National Committee or to the ripple effects of interfering in the 2016 presidential elections? As emerging countries seek to develop their own cyber capabilities, they don’t want to be held to a strict legal framework that could put them at a disadvantage when experimenting – minor mistakes could lead to serious repercussions. Take, for example, the WannaCry ransomware attack that some believe could have been accidentally deployed by North Korean actors, spreading beyond their control.

What’s more, emerging players began arguing that discussions to apply the law of armed conflict to cyberspace were urging the militarization of the virtual domain when the purpose of the GGE was to build cooperative measures for peace and conflict prevention, not mechanisms of escalation. Michele Markoff, the Deputy Coordinator for Cyber Issues at the State Department who was involved in the GGE process, rebuffed this argument in her letter of explanation for the U.S. position at the conclusion of the negotiations.

“A report that discusses the peaceful settlement of disputes and related concepts but omits a discussion of the lawful options States have to respond to malicious cyber activity they face would not only fail to deter States from potentially destabilizing activity, but also fail to send a stabilizing message to the broader community of States that their responses to such malicious cyber activity are constrained by international law,” she wrote.

Instead of legal arguments against the application of international law to cyberspace, it is much more likely that member states were covering for their own national interests. Cyber capabilities are an asymmetric advantage for smaller countries, such as, for example, Pakistan engaging in operations against India; Pakistan is less vulnerable to any cyber operations conducted in response. If suddenly India could legally conduct proportional responses in self-defense outside of cyberspace, then Pakistan would no longer enjoys the asymmetric advantage cyberspace provides them over their conventionally superior adversary.

“As a political position, it is understandable that weak states would object to the use of countermeasures in the context of cyber operations since they would rarely be able to induce strong states to comply with their international obligations by violating their own obligations in response,” says Catherine Lotrionte, a Distinguished Fellow at the Atlantic Council. “These positions, while politically reasonable and arguably potentially politically necessary, are not legal positions.”

What’s more, “the GGE does not need to re-endorse things already agreed to elsewhere and in more binding form,” argues James Lewis, a Senior Vice President and Program Director at the Center for Strategic and International Studies. “Article 51 [of the UN Charter] applies unless Russia and China abrogate their agreement, something neither will do, and the U.S. does not need agreement in the GGE to apply it.”

International negotiations are often based on vague statements applicable over time. But the desire to lock down the legal framework of conflict in cyberspace through the GGE vehicle – merely meant to give credence to international norms – may have ended the process entirely. As Arun Mohan Sukumar, the head of the Cyber Initiative at the Observer Research Foundation in New Delhi, wrote in Lawfare, “both sides missed the forest for the trees.”

International law applies whether countries find it politically convenient or not, and whether in cyberspace or not. So, the U.S. must find a way past the diplomatic standoff at the GGE. While future GGE discussions remain possible, there are other avenues of negotiating international norms for acceptable state behavior in cyberspace.

At the Aspen Security Forum last month, Thomas Bossert, the Assistant to the President for Homeland Security and Counterterrorism, told the audience that he would “like to move forward in a bilateral way, keeping the United States in a position of being able to enter into those agreements first with preconditions.” Bossert gave the example of the recent bilateral cyber agreement between the U.S. and Israel as a model for moving forward. Ultimately, he said, “we will end up, hopefully, with a multilateral group of likeminded people that have all come together with us in a willing bilateral fashion.”

Lewis believes the U.S. must continue to pursue multilateral discussions at UN while complimenting it with formal and informal bilateral discussion with opponents and partners. But similar to how the U.S. pact with China to end economic cyber espionage broadened to the G-20 countries, these bilateral agreements “must be reinforced by something new, a group of likeminded countries, perhaps initially involving only a dozen countries, who agree on norms but, more importantly, also agree to impose consequences for failing to observe the norms established in the 2013 and 2015 GGEs norms,” argues Lewis.

Over time, norms over acceptable behavior and perhaps even international law governing activity in cyberspace will take shape. But until then, Lewis and Lotrionte both believe the Trump Administration needs to reiterate America’s diplomatic commitment to shaping discussions surrounding what is and is not acceptable behavior in cyberspace.

“The three successful GGEs created a useful framework for the norms discussion but the time to rely on the GGE has passed,” says Lewis. “The U.S. and its allies need to take action to replace it.”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.