Unsurprisingly, the fifth UN Group of Governmental Experts (GGE) ran into difficulties that proved fatal. Previous GGEs operated in a more favorable international climate. The substance of the GGE’s work peaked with its 2013 Report and by the end of the 2015 session, it was clear that the GGE format for negotiating faced difficult and perhaps insurmountable issues. Chief among these issues is the application of international law to cyber operations.
While the Chair held the 2017 GGE open at the conclusion of the fourth round of talks and circulated a revised text in July, agreement was not possible. Disputes over three subjects blocked consensus: the application of international law, agreement on Article 51 of the UN Charter (the inherent right to self-defense), and “countermeasures.” The connecting strand among the three is that Russia and China fear that endorsing self-defense, countermeasures, and international law would be used by the U.S. to justify retaliation for malicious actions in cyberspace. Privately, Chinese officials also say that since they are not yet on a par with the U.S. in cyber capabilities, they are reluctant to commit to how law should be applied.
It’s worth noting that the 2015 GGE also almost failed because of intense disagreement over the treatment of international law. A reference to international law first appeared in the 2013 report and its seminal language on how the UN Charter, sovereignty, and international law applied to cyberspace. Western democracies want language that is more explicit and precise in defining how international law is applied. This was a dilemma for three reasons.
First, the GGE does not need to re-endorse things already agreed to elsewhere and in more binding form. Second, there is no international agreement on how international law should be applied, perhaps reflecting a lack of practical experience with cyber conflict. One thing that the U.S., Russia, and China can agree on is that they do not like the Tallinn Manual (although it is much favored by smaller countries). Third, precision is the enemy of agreement in international negotiations – these are not business contracts and while smaller countries called for greater precision and a more logical order in the text of the GGE report, this failed to recognize that there was logic to earlier texts – the logic of negotiation. A desire for a detailed agreement on the application of international law doomed the 2017 negotiations.
Nor did the GGE need to re-endorse Article 51 and the inherent right of self-defense. While it is comic that Russia and China call for a greater role of the UN while at the same time objecting to the Charter, these objections are frivolous. Article 51 applies unless Russia and China abrogate their agreement, something neither will do, and the U.S. does not need agreement in the GGE to apply it.
The 2015 GGE came close to including language on countermeasures but failed, in part because it ran out of time. Countermeasures are retaliatory acts that do not involve the use of force that an injured state can take against its attackers. They encompass a wide range of actions, including sanctions or indictments. One dilemma for reaching agreement on countermeasures is that the 2001 “Final Articles on the Responsibility of States for Internationally Wrongful Acts” while agreed to in the International Law Commission, remains (in the complicated UN process) a draft.
The roots of Russian and Chinese opposition are found in the 1990s intervention in Serbia and the 2003 invasion of Iraq, where the U.S. used what they regard as force unsanctioned by the international community. The Chinese in particular view international law as a tool used by the U.S. to advance its interests rather than an impartial system of rules. Counter-arguments that the U.S. was justified in these actions or that their position is hypocritical are unpersuasive to Beijing. Similar concerns explain the opposition to Article 51 – a Chinese negotiator remarked in 2015 that the U.S. does whatever it wants and then calls it self-defense. Russia and China prefer an older view of sovereignty where a State’s rights are preeminent. They seek to expel the U.S. from what they regard as their spheres of influence, and they fear U.S. intervention, a fear shared by other nonwestern nations.
Nor can the discussion of norms make much more progress. The norms laid out in 2013 and amplified in 2015 embed cyber activities in the existing framework of international relations. This runs contrary to the current academic pursuit of developing a norm for every letter of the alphabet, but as a former GGE chair stated, “we don’t need any more norms.” It will be hard to expand the 2013 and 2015 norms without more experience in cyber actions to inform state practice, and currently no state is ready to make concessions that would constrain their own activities.
GGE discussions are at an impasse. The likeminded insist on including a discussion of how international law applies to cyberspace. Russia and China will not concur. The GGE faces other problems. As cybersecurity has become a more prominent issue, many nations want to participate in the discussion and say they are uncomfortable with a small group negotiating in secret, and to conclude that this is only a dispute between Russia and China versus the likeminded would be wrong – the Non-Aligned Movement is finding its voice on cybersecurity.
This impasse does not mean that there will not be another GGE. While there are alternatives, it remains the easiest course to ensure continued multilateral talks. There is a need for global discussion, which most nations would prefer to be under the auspices of the UN (the most likely alternative, “London Process” created by the UK in 2011 cannot produce commitments from states). The Russians will propose something (even if the U.S. does not), perhaps an open-ended working group in the UN’s First Committee (Peace and Security) in which all nations can participate. There may be other vehicles for discussion, and the form of future discussions will remain in flux at least until the fall meeting of the UN General Assembly.
For the U.S., however, a two-part approach makes more sense. We need to engage other countries multilaterally in the UN and continue bilateral discussions (formal and informal) with opponents and partners, but these must be reinforced by something new, a group of likeminded countries, perhaps initially involving only a dozen countries, who agree on norms but, more importantly, also agree to impose consequences for failing to observe the norms established in the 2013 and 2015 GGEs norms.
Creating a likeminded group faces a number of issues. These include finding the right institutional framework, developing a shared understanding on attribution, and agreeing on appropriate consequences. None of these issues are insurmountable, but they require diplomatic nimbleness and sustained senior level engagement by the U.S. if there is to be progress. Creating a likeminded group will involve a complex effort that most nations believe will require U.S. leadership.
An ad hoc arrangement will be too weak to sustain unity of purpose when it comes to consequences. A likeminded group will need a light institutional framework, perhaps using the “Chair and Secretariat” model found in other cooperative like-minded regimes, rotated annually among the members, accompanied by a regular meeting and a network for consultation and information exchange.
Attribution of the source of a norms violation is a major issue. Few countries can match the U.S.’s ability to identify the source of an attack. The disparity in attribution capabilities creates problem for cooperation (some member countries won’t take U.S. assertions on faith and the U.S. and UK won’t want to share sources and method as attribution often involves intelligence activities (one reason why calls for an IAEA-like body for attribution are nonsensical). Norms must be linked to consequences for violation if they are to have effect, but there will rarely be perfect evidence.
A like-minded structure will need to consider the degree to which consensus among members is required for imposing consequences. Smaller nations may wish to avoid being dragged into a contest with powerful opponents; larger nations will want to preserve the ability to act. Flexible processes for the imposition of penalties could help manage this problem.
Defining the relationship with non-members and with significant organizations like the European Commission and NATO will be important for winning support of an initiative with potential members. A likeminded group will be greeted with suspicion and complaint (this has been true for all nonproliferation regimes initiated outside the UN) and would need a process of engagement for important countries like Brazil and India that keeps them informed without giving them an opportunity to obstruct. The goal should be to build first with a small number of likeminded nations, and then open it for others to join. Some point to the Proliferation Security Initiative, which began with only twelve members, as a precedent.
This is only a very cursory discussion of a complex topic, but the failure of the last GGE means we cannot avoid deciding what comes next. The three successful GGEs created a useful framework for the norms discussion but the time to rely on the GGE has passed. The U.S. and its allies need to take action to replace it.
