Christopher Painter has been on the vanguard of U.S. and international cyber issues for over twenty-five years and serves as a current Commissioner on the Global Commission for the Stability of Cyberspace. He is also a Perry Fellow at the Center for International Security and Cooperation at Stanford University.
Painter created the Office of the Coordinator for Cyber Issues at the Department of State and will be moderating a discussion on global cyber norms next week at the International Cyber Conference on Engagement in Washington D.C., produced by Dr. Catherine Lotrionte and The Atlantic Council.
(The event is free for government employees and students. We’re also pleased to share that Cipher Brief readers receive a 50% discount by using code TIK50 when registering.)
The Cipher Brief caught up with Painter ahead of the conference to talk about the progress, or lack of it, in the development of international cyber norms, how important they are, and what the latest thinking is on just how they would be enforced.
The Cipher Brief: Let's chat a little bit about where we are today on the issue of norms.
Painter: Achieving stability in cyberspace requires a framework that includes international law, norms and confidence building measures. One important area of agreement has been that international law applies in cyberspace, which most people now agree to, although how it applies in cyberspace is still unclear. Even with international law applying, there is still a lack of clarity when cyber activity falls below the threshold of armed conflict. An important part of international law that kicks in when you're in wartime. Despite all the rhetoric that's been on the headlines, we're not really in a cyber war. We're seeing lots of very bad things happen, but they are at a lower threshold where some of the rules are unclear. So, the question is, what are the norms, or rules of the road, for this activity? What are the understandings of what states should agree to do or not do? It's imperative that it shouldn't be the wild, wild west, and that there have to be some rules.
There's been an important effort underway in the UN and an effort by other stakeholders as well, including the Global Commission for Stability of Cyberspace, to try to articulate what those voluntary rules of the road are, and there's been good progress. Among other things, there is agreement even between countries with very different views, like Russia and China and the U.S., on some basics like countries shouldn't attack the critical infrastructure of another country in peacetime. Countries shouldn't attack the computer emergency response teams – which are like the hospital or the ambulances in peacetime. In another context, the G20 agreed that countries should not steal the intellectual property of another country to benefit their commercial sector. Agreement is important, but that doesn’t mean states always comply with what they agree, as we’ve seen in the last few years.
There was a lot of progress made on norms between 2013 and 2017, particularly in the UN. There was also a lot of progress on cyber Confidence Building Measures in the OSCE and other venues that help de-escalate potential cyber conflicts. The ICCE conference, which I’ve been a part of every year, has been an important venue to discuss and mark progress on these issues as Catherine’s asked me to talk with many of my international counterparts at the conference about progress on the cyber stability framework. Some of the progress we were seeing reached a stalemate back in 2017 when we couldn't get agreement on some critical issues in the UN and couldn’t make progress on how international law should apply. We talked about that at the ICCE conference as well.
But the norms process is continuing. We need to get more countries to sign up to them and to understand them. There needs to be more than just a small, select group of countries that are committed. The problem is, though, and I think this is what the conference panel will address this year, is how do we get these norms implemented and how do we make sure there are consequences for states that transgress them? With no accountability or enforcement, norms and rules of the road are just words on paper.
What we've seen, particularly over the last year and a half, is a lot of really bad acts by states in cyberspace. Clearly the election interference in the U.S. that was started by Russia is a huge one. WannaCry that was attributed to North Korea and NotPetya that was attributed by Russia were also very destructive. We’ve done a better job of calling out this activity but not such a great job of imposing meaningful costs on bad state actors.
We need to start thinking about how we will hold countries accountable and how will we achieve deterrence in cyberspace. How will we impose costs that ensure that there are consequences for these bad acts that might help us collectively achieve in the future?
It's good to have public attribution of these acts. It builds public confidence. It gets people to understand why something is an issue, but you still need to marry that up with something that's really going to change behavior, and that's something that I know a lot of countries that will be on the panel have ideas about. The US is promoting a cyber deterrence strategy with partners. The EU has a cyber toolkit that they can use to help impose sanctions and take other measures, so countries are moving in that direction.
It still is not going to be easy because that kind of collective action is going to take a while. You have to build alliances and confidence and be able to share information, but I think it's critical that we be able to do it as soon as possible.
There are a range of tools available when trying to impose costs on a bad actor. Sanctions are one possibility; cyber operations are another and you can bring diplomatic pressure or take law enforcement actions. You’re not going to use kinetic measures unless you really are in a war. But we also need to think creatively about new tools.
We also need to consider how can countries join collectively in like-minded groups to respond to bad actors and enforce norms. You’re not going to have a treaty in this space any time soon, so we need to make sure that we have accountability and consequences for these bad actors that will hopefully lead us to a more stable cyberspace in the long term.
There is a lot for states to discuss, but also a lot that other stakeholders can contribute to this debate.
The Cipher Brief: You mentioned that the conversation on norms reached a bit of a stalemate in 2017, but the development of new technologies and the numbers of attacks and the capabilities of adversaries are not slowing down to wait, so how important is it for more countries to come together and tackle this issue and not let it take so long to come up with this standard set of norms and a way to enforce them?
Painter: We're seeing not just advancements in capabilities, you're absolutely right about that, but we’re also seeing the willingness of some countries to use them. What happens when there are no consequences for bad actors? That has the exact opposite effect of norms. It creates a norm of inaction, basically reinforcing that there are no real costs to launching cyber attacks. It also serves as a message to other countries who may be considering malicious cyber actions that maybe they should do this, too. There is great urgency in changing this dynamic.
Part of that goes beyond norms. We’ve got to, as countries, start thinking about cyber not just as this bright, shiny object, but as something that is a core issue of our national security and our economic security. We've come a long way from where we were 10 years ago but still have a long way to go.
Consider the poisoning that happened in Salisbury, in the UK. Prime Minister Theresa May was able to reach a conclusion about who did it within four days. She gathered a coalition of other countries within a week and a half, and imposed consequences on Russia in a short time, partly because at the leadership level, British authorities understood those physical world issues. Cyber issues are still seen as separate boutique issues. I think we really need to get, at the leader level, the understanding this is a core issue that needs to be part of our national security and part of our everyday response. We're getting there, but we're not there yet.