It is not easy for a great power like the United States to admit to having been taken to the cleaners by a rival state, but that is what Washington was obliged to do in mid-December. The Department of Homeland Security announced that the U.S. had been the victim of a massive cyber espionage operation that posed “a grave risk” to the government. Offensive cyber operations like this one have been escalating in recent years, and to date the United Nations, despite twenty years of discussing cyberthreats to international peace and security, has not been able to agree on effective measures to counter them.
For some six months, a wide array of U.S. government agencies as well as numerous non-governmental entities had been penetrated by a sophisticated “supply chain” attack that used compromised software upgrades (an unknown number of Canadian entities were also affected). SolarWinds, the manufacturer of the infected software, indicated that 18,000 of its customers had downloaded the upgrade onto their systems. No one may ever know the full extent of the information extracted, or whether the intruders succeeded in creating “back doors” that would grant them ongoing access.
Cyber security teams will now have to undertake the Herculean task of expelling the intruders from the infected systems. There will always be the lingering doubt as to whether they have succeeded completely in doing so – the psychological equivalent of planting a “mole” in a rival intelligence service. If this all seems like something out of a spy novel – it is. We are dealing with a real-life incident of espionage, one which, given its superior “tradecraft,” has been attributed to the Russian foreign intelligence service, the SVR (a successor to the KGB).
While the previous president has sought to downplay the episode and has even falsely attributed it to China rather than Russia, President Joe Biden has responded with vigour and rather belligerent language. He has vowed to impose “substantial costs” on those responsible and stated: “A good defense isn’t enough. We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place.” This sounds good, but who determines what is a “significant” attack, and for that matter, what actions are we to understand as constituting a “cyberattack”?
The unfortunate reality is that cyberspace is basically a lawless realm. The prospects for any restraints on state cyber operations emerging from discussions at the United Nations are not bright. These discussions have made slow, if steady, progress over two decades. But for the many stakeholders who wish to preserve cyberspace for peaceful purposes, an agreement on concrete measures of international co-operation is now overdue.
Part of the problem in dealing with cyberthreats is that a blanket term – “cyberattack” – has been used to describe them, even though they vary enormously in scope. In order to guide relevant policy, it is useful to distinguish between the three forms of “offensive cyber operations.” They are computer network exploitation, computer network attack and information operations.
Computer network exploitation is a contemporary form of espionage that involves penetrating a foreign computer network and extracting information from it, preferably without the operator of the network knowing about it. The current Russian operation belongs to this category, as does the 2015 Chinese hacking operation that penetrated the U.S. Office of Personnel Management and stole 21 million personal records. The ancient practice of espionage has never been subject to international control, and there is scant prospect that it will be now.
Information operations are cyber-enhanced missions of “propaganda” or “psychological operations” that aim to influence public opinion in a foreign state in a manner that advances the interests of the state behind the operation. Given that one man’s “propaganda” is another’s “freedom of expression,” it is unlikely that a common understanding of which information operations constitute a threat to international peace and security can ever be reached.
Computer network attack can be viewed as a military-type operation that seeks to disrupt, damage or destroy a foreign computer system or the data stored on it. Computer network attack is arguably the most dangerous type of offensive cyber operation, although it is also the one most amenable to curtailment via international co-operation. Although cyberspace is a unique, human-created environment on which global society has become increasingly dependent for its well-being, recent years have witnessed a sharp increase in its “militarization,” with some 30 states estimated to possess offensive cyber capabilities.
Unlike other forms of military operations, states have been extremely secretive about their use of offensive cyber operations and to date have only publicly acknowledged them with respect to non-state targets (such as the Islamic State). State-conducted cyber operations have also caused massive, detrimental impacts on “innocent bystanders,” as was the case with the state-originated NotPetya (Russia) and WannaCry (North Korea) cyber operations.
It is the threat of wide-ranging computer network attack operations that has prompted the diplomatic efforts made to date in the United Nations to respond. Since 1998, the UN General Assembly has been discussing “norms of responsible state behaviour in cyberspace.” In 2015, an expert group report enumerated 11 voluntary norms that should govern state behaviour. Prominent among these norms is the non-targeting by cyber means of critical infrastructure on which the public depends.
The 2015 norms represent a good basis for elaborating co-operative security measures, but the revival of “great power rivalry” has led to a bifurcation of the UN process on cyber security, with both the launch of a further expert group and the creation of a new Open-Ended Working Group. The Open-Ended Working Group is considering a draft report before its final meeting in March.
Recently a group of states have proposed a “Programme of Action” outcome, which would have a political rather than legal status, but would enable the existing 11 norms to be codified and provided with institutional support to promote their implementation. Specifically, the proposal would create a permanent forum at the UN with annual meetings, secretariat support and periodic review conferences.
Importantly, it would once more consolidate UN work into a single, inclusive body rather than stumble on with parallel processes. After decades of UN consideration, many states and non-governmental stakeholders are eager to have in place a set of agreed “norms of responsible state behaviour” complemented by an institutionalized process to monitor implementation.
Several non-governmental stakeholders have been active in generating proposals for the Open-Ended Working Group’s consideration. As “accountability” has been a concept largely absent from the intergovernmental discussions, ICT4Peace (an NGO I am affiliated with) has proposed a “Cyber Peer Review” mechanism that would provide for a state-led process for scrutinizing state behaviour. It would also allow for inputs from concerned non-governmental entities.
Canada has been among the more active states in the work of the UN’s Open-Ended Working Group, having submitted well-received proposals to provide practical guidance as to how states can operationalize the existing norms, as well as highlighting the gendered impact of malicious cyber activity. It is also one of the 47 states sponsoring the “Programme of Action” proposal.
This year could prove decisive as to whether damaging state-run cyber operations continue to escalate or if a modicum of restraint can be applied via international agreement. After two decades of UN deliberations on the cyber threat to international security, it is time for concrete results. The “netizens” of the world deserve no less.