Print Читать на русском
Rate this article
(votes: 13, rating: 5)
 (13 votes)
Share this article
Ilona Stadnik

Doctoral Scholar, School of International Relations, Saint Petersburg State University, Fulbright visiting researcher in Georgia Institute of Technology, RIAC Expert

The domain of international politics has historically been shaped by state actors, especially in the security field. The tradition of political realism has firmly established the privileged position of states not only in the conduct of international politics but also in the establishment of international law. Even with the emergence of influential transnational actors from private sector and civil society and their recognition as full-fledged participants in international relations by the latest neo-theories of IR, they were still not seen as actors capable of formulating and consolidating norms of international law for any of the fields.

The emergence of new information technologies that have posed challenges to the security of states has brought some new actors to the table for talks on cyber norms and responsible behavior in cyberspace.

Thus, today most of the powerful states are evading the development and signing of any legally binding agreements on cyber norms, as it will impose legal responsibility for the violation of obligations. In the “vacuum of power", non-state actors are actively involved in the game and try to benefit from the current uncertain situation in cyberspace.

These new actors — business and technical community - are getting powerful, as they produce content, soft and hardware, own and operate critical Internet infrastructure. Lack of cyber capacities for proper incident response and investigation forced the emergence of computer emergency response teams and computer security incident response teams (CERTs/CSIRTs). They can be national, as well as sectoral, or serve the needs of specific government agencies. Recent Internet Governance Forum in 2017 mentioned the phenomenon of CERT diplomacy, since productive cooperation to respond to cyber incidents requires a high level of trust and sustained personal contacts between members of different CERTs due to the cross-border nature of cyber threats. States may be suspicious of each other for various political reasons, while technology actors are more willing to cooperate on security issues.

Private companies are also interested to actively participate in the formation of norms for cyberspace as they and their clients suffer from cyberattacks in the first place. There is a need for a global code of conduct to protect common cyberspace. Microsoft was first to come out in 2014 with the proposal of the Digital Geneva Convention containing six basic principles of international cybersecurity applicable during the peacetime and actively continues to promote its project today. Since then, non-state sector accelerated its efforts. Over the past year the following initiatives have been presented: Cybersecurity Tech Accord, Siemens Charter of trust, Nornikel Charter of information security for critical industrial facilities, — protection of the "public core" of the Internet and ensuring the security of the infrastructure used for elections and referendums.

The latest regulatory initiatives on cybersecurity have been announced by giants in the IT industry, and the first supporters of such projects are large businesses — 62 companies have signed the Tech Accord and among them Facebook, CISCO, Dell, Microsoft, Nokia, Panasonic, Telefonica, and others. Siemens Charter has 11 supporters, including Airbus, IBM and T-Mobile. In the next few years we are likely to witness a "cascade of cyber norms" proposed by non-state actors, as well as their gradual internalization.

To conclude, the current state of affairs can be described as an intermediate phase in cybersecurity diplomacy: states have made considerable efforts to develop international cyber law, but it was proved impossible to agree on legally binding rules. The most likely scenario for now is that states will closely follow the initiatives of non-state actors and eventually include the most appropriate norms into intergovernmental discussions. At the moment, groups of like-minded states are diametrically opposed in their vision of cybersecurity and are not ready to give up their relative freedom of action in cyberspace for the sake of universal security and stability. In the absence of common rules of conduct, businesses are left to follow their own defined standards and rules of cybersecurity to reduce the costs of cyberattacks to a certain extent

The domain of international politics has historically been shaped by state actors, especially in the security field. The tradition of political realism has firmly established the privileged position of states not only in the conduct of international politics but also in the establishment of international law. Even with the emergence of influential transnational actors from private sector and civil society and their recognition as full-fledged participants in international relations by the latest neo-theories of IR, they were still not seen as actors capable of formulating and consolidating norms of international law for any of the fields.

Today most of the powerful states are evading the development and signing of any legally binding agreements on cyber norms, as it will impose legal responsibility for the violation of obligations.

The emergence of new information technologies that have posed challenges to the security of states has brought some new actors to the table for talks on cyber norms and responsible behavior in cyberspace.

Over the past twenty years, states have made many attempts to reach a compromise on the regulation of information and communication technologies (ICTs). It is noteworthy that ICTs were initially considered in terms of new opportunities and innovations for the development of the country's capacity and economy, while only a small handful of countries drew attention to the potential risks of misuse of ICTs for military purposes to violate international peace and security. [1]Today, however, risks have become a harsh reality — states not only use technology for intelligence and military superiority, but also commit illegal acts, the assessment of which is ambiguous from the point of the application of international law, since the mechanism for such cases has not yet been developed. Nevertheless, states don’t stand away from threatening with the use force in response to cyberattacks. While the problems of reliable technical attribution of cyberattacks have not been solved, we observe cases of political attribution of incidents. The UK National Cyber Security Center released a report in early October that provides information on the political attribution of a number of cyberattacks, including on WADA and the US Democratic National Committee in 2016, as well as the OPCW in 2018, with formulations that with a "high confidence" and "almost certainly" these attacks are related to the activities of the GRU. International support for such accusations in the form of indictment brought by the US against seven GRU officers only aggravates the situation for international security. Accusations based solely on circumstantial evidence and political attribution of incidents, followed by sanctions, set a dangerous precedent for the world politics.

As one may know, regulation of whatever subject on the international level is not a plain task. Besides, the case of cyberspace generally stands out from the existing practice. Although researchers often compare cyberspace to other domains and draw parallels with legal regimes for outer space, the high seas or the Antarctic, these approaches often lead to nowhere, as the cross-border nature of cyberspace becomes a stumbling block. [2] However, it is not only the technical characteristics of cyberspace that present challenges for its future regulation. There are also legal and political issues.

Firstly, there are different discourses of understanding cybersecurity: the interpretation of what is actually “secure” in cyberspace/information space is different among “Eastern” and “Western” countries. There is also a considerable variation in the perception of threats emanating from cyberspace. Such inconsistencies hamper state dialogue on rules and norms of responsible behavior. Secondly, we are witnessing a “crisis of international cyber law”. After five rounds of work by the UN group of governmental experts (GGE), we can see the reluctance of the group's member-states to develop customary international law applicable to cyberspace. The process of recognizing that existing international law is applicable to it took almost ten years after the first meeting of the group in 2003. In 2015 states made a significant progress building upon the reached consensus and expanded the list of voluntary norms and rules of conduct in cyberspace. Unfortunately, the last convocation of the working group in 2017 ended ineffectually and left the continuation of the process at a risk of a standstill. However, Russia is planning the next convening of the GGE in 2019 (despite the failure of the fifth group to complete the work with the consensus report) and hopes to enlist the support of the countries of the so-called group of 77: "Today, the number of people wishing to join has reached 68 countries, who are trying to enlist the support from the Russian side, as the organizers of this process at the UN site". In 2017, the GGE failed, among other reasons, because of the position of the US and its supporters, who said that the GGE format has exhausted itself. Of course, the main fault line between the two camps was the divergence of views on the applicability of international humanitarian law to cyberspace, as it would "legitimize the scenario of war and military actions in the context of ICT".

Other reasons for the states’ inability to agree on the regulation of cyberspace at the state level also deserve attention. It appears that states have adopted a wait-and-see tactic with respect to any normative novelties. In addition, the articulation of any cyber norm automatically imposes relative restrictions on the actions of states in cyberspace: they must recognize the existence of specific cyber capabilities in order to limit them to maintain stability in cyberspace. Previously, none of the great powers was going to recognize the presence of offensive means at their disposal that allow them to conduct espionage, intrude into critical infrastructure networks, or influence the results of elections in other countries. However, the US violated this" tradition" in the spring of 2018 by publishing the new "Command Vision for US Cyber Command”, proclaiming the course to the so-called offensive cyberdefense: "We will pursue attackers across networks and systems to render most malicious cyber and cyber-enabled activity inconsequential while achieving greater freedom of maneuver to counter and contest dangerous adversary activity before it impairs our national power". However, until there is no quantifiable subject of talks in regard to cyber weapons, it is unlikely that states will adopt ideas from the practice of strategic arms limitation treaties, at least in the near future.

It should not be forgotten that cyberspace, despite the arguments above, is not a "lawless territory". On the contrary, it resembles a patchwork of bilateral agreements on cybersecurity, as well as regional systems of collective cybersecurity: for NATO, the CSTO and the SCO, for example. In addition, there is a growing number of national and regional regulations covering cybercrime, data protection and localization. All of these mechanisms are applicable to a limited range of activities in cyberspace, but they should not be neglected, as they provide a framework for member states and therefore define a common view on cybersecurity issues.

Nevertheless, the idea of a comprehensive global treaty on cyberspace, similar to the Antarctic Treaty, seems increasingly unviable. First, the process of its harmonization will take too long, and law-making is always lagging behind technological developments. Secondly, states should conciliate their positions on the key issues of cybersecurity; otherwise, there is no progress to be expected. The last ten years was devoted to the discussion of what is acceptable in cyberspace: different countries have promoted their projects with the support of the expert and international community. It is worth mentioning several well-known initiatives: International Code of Conduct in the field of information security promoted by the SCO countries; the Russian proposal of the Convention on International Information Security; OSCE Confidence Building Measures to reduce the risk of conflicts as a result of the use of ICT; G7 Declaration on Responsible States Behavior in Cyberspace; Global Conference on Cyberspace was launched in London in 2011 to discuss cybersecurity issues at a high level. Despite the fact that all these parallel processes tried to fill the lack of trust between states, they contained competing discourses and distracted states from the real cooperation. Eventually, we can witness a tacit consensus that it would be better to agree on a set of general rules and norms that would be non-binding but acceptable to all.

But with the general rules and norms everything is not so simple, too. Finnemore and Hollis (two prominent theorists of constructivism) pointed out that in the quest for harmonization of norms, all participants had forgotten that the "cultivation of cybernorms" was about process, not about the end result in a coherent text. [3] In addition, the norm itself is a very tricky construct, as not all its adherents have a full understanding of its relationship with the law as such. In addition, the meaning of the norms, although they may be enshrined in the instrument, may change over time, as those who use them constantly interpret the norms in accordance with the current context.

Thus, today most of the powerful states are evading the development and signing of any legally binding agreements on cyber norms, as it will impose legal responsibility for the violation of obligations. In the “vacuum of power", non-state actors are actively involved in the game and try to benefit from the current uncertain situation in cyberspace.

These new actors – business and technical community - are getting powerful, as they produce content, soft and hardware, own and operate critical Internet infrastructure. Lack of cyber capacities for proper incident response and investigation forced the emergence of computer emergency response teams and computer security incident response teams (CERTs/CSIRTs). They can be national, as well as sectoral, or serve the needs of specific government agencies. Recent Internet Governance Forum in 2017 mentioned the phenomenon of CERT diplomacy, since productive cooperation to respond to cyber incidents requires a high level of trust and sustained personal contacts between members of different CERTs due to the cross-border nature of cyber threats. States may be suspicious of each other for various political reasons, while technology actors are more willing to cooperate on security issues.

Private companies are also interested to actively participate in the formation of norms for cyberspace as they and their clients suffer from cyberattacks in the first place. There is a need for a global code of conduct to protect common cyberspace. Microsoft was first to come out in 2014 with the proposal of the Digital Geneva Convention containing six basic principles of international cybersecurity applicable during the peacetime and actively continues to promote its project today. Since then, non-state sector accelerated its efforts. Over the past year the following initiatives have been presented: Cybersecurity Tech Accord, Siemens Charter of Trust, Nornikel Charter of information security for critical industrial facilities, as well as two norms proposed by the Global Commission on Cyber Stability (GCCS) — protection of the "public core" of the Internet and ensuring the security of the infrastructure used for elections and referendums.

To compare these initiatives, we use the norm concept described by Martha Finnemore and Duncan Hollis. [4] Any norm consists of four components: identity — denotes the group to which the norm applies; behavior — specific actions required by the norm from the group; propriety — the basis on which the norms mark the behavior as appropriate; and collective expectations — the general idea of the group members about the appropriate behavior.

Each initiative refers to a variety of identities. The Tech Accord appeals to the technology industry and encourages the development of services and products that protects users from cyberattacks, while discourage states on helping to launch attacks. Microsoft is calling on states to refrain from carrying out attacks on critical infrastructures, limit the cyber arms race, and reduce offensive operations in cyberspace. Siemens requires action from both states and businesses - its proposal looks like organizational cybersecurity policy: there is a requirement to create relevant ministries and appoint heads of information security (CISO); to include courses on information protection and cybersecurity in the school and university curriculum. Nornickel and GCCS propose rules applicable to all stakeholders. The Nornickel Charter condemns the use of ICT for the purpose of unfair competition and damage to industrial facilities, and "welcomes the efforts of the international community to give the basic information and communication infrastructures that form the basis of the global network the status of a demilitarized zone free from violent confrontation of political actors". Here we can see a reference to the norm aimed at protecting the «public core» of the Internet, proposed the GCCS: "state and non-state actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace". The GCCS also proposes to refrain from cyber operations aimed at undermining the technical infrastructure necessary for elections, referendums or plebiscites.

The overall idea of the all these initiatives is to reduce the level of cyberattacks in a variety of ways: to stop the abuse of networks, software and devices for malicious activities; to improve mechanisms for investigating cyber incidents; and to promote a culture of cybersecurity. Interestingly, each initiative appeals to its own basis of propriety. Tech Accord members use corporate ethics and customer relationships as the basis for internalizing norms. Siemens Charter signatories refer to the concept of trust in the digital future: "People and organizations need to trust that their digital technologies are safe and secure; otherwise they won't embrace the digital transformation — that's why we sign the Charter." The Nornickel Charter has the same ideas, although it also refers to UN General Assembly resolutions on “Developments in the field of information and telecommunications in the context of international security”, adopted annually from 1998 up to the present day. Microsoft directly relies on existing international law, as well as the norms formulated by the GCCS. The latter, incidentally, offers a new base for propriety: stable functioning of the "public core" of the Internet as an important component of cyberspace. It is difficult to determine collective expectations of norms, as the above-mentioned initiatives are only proposals; we will be able to obtain sufficient data for analysis only if the actors voluntarily follow the proposed norms for some period of time. Norm-setting is not a finite process. The interpretation stage of norms is one of the most important in the process of "cultivation", so the collective expectations of norms are also forming over time.

In the next few years we are likely to witness a "cascade of cyber norms" proposed by non-state actors, as well as their gradual internalization.

The form in which the norm is expressed is also important for its internalization. These initiatives show that business usually presents proposals on cyber norms in the form of public commitments. This is an interesting turning point for further research in the field of cyber norms consolidation. For a public commitment to be an effective tool the company must inform the public in a timely manner about its progress in achieving the announced goals. Only Tech Accord members said they would publicly report on their progress. The intention was confirmed at the CyFy conference in India in October 2018. Interestingly, cyber security is sometimes considered from the angle of the public good dilemma, "in which individual group members have to decide on whether or not to contribute to a certain public good". Lockhorst, van Dijk, and Staats found that public commitments help structurally change the behavior of people with different levels of trust. [5] Those with a low level of trust are willing to contribute if they know that the public good is likely to be provided, especially if key players have already committed to contribute. With regard to our topic, the idea can work in a similar way: the latest regulatory initiatives on cybersecurity have been announced by giants in the IT industry, and the first supporters of such projects are large businesses — 62 companies have signed the Tech Accord and among them Facebook, CISCO, Dell, Microsoft, Nokia, Panasonic, Telefonica, and others. Siemens Charter has 11 supporters, including Airbus, IBM and T-Mobile. In the next few years we are likely to witness a "cascade of cyber norms" proposed by non-state actors, as well as their gradual internalization.

To conclude, the current state of affairs can be described as an intermediate phase in cybersecurity diplomacy: states have made considerable efforts to develop international cyber law, but it was proved impossible to agree on legally binding rules. The most likely scenario for now is that states will closely follow the initiatives of non-state actors and eventually include the most appropriate norms into intergovernmental discussions. At the moment, groups of like-minded states are diametrically opposed in their vision of cybersecurity and are not ready to give up their relative freedom of action in cyberspace for the sake of universal security and stability. In the absence of common rules of conduct, businesses are left to follow their own defined standards and rules of cybersecurity to reduce the costs of cyberattacks to a certain extent.



The Cybersecurity Tech Accord

Siemens Charter of Trust

Nornickel Charter of information security for

critical industrial facilities

Microsoft Digital Geneva Convention

Global Commission on Cyber Stability

Identity

Tech industry

States and industry

All actors

States

All actors

Behavior

— Protect all our users and customers from cyberattacks.

— Design, develop, and deliver products and services that prioritize security.

— Oppose cyberattacks on innocent citizens and enterprises.

— Not to help governments launch cyberattacks.

— Help to empower users, customers and developers.

— Partner with each other and with like-minded groups to enhance cybersecurity - establish formal and informal partnerships with industry, civil society, and security researchers.

— Information sharing and civilian efforts to identify, prevent, detect, respond to, and recover from cyberattacks.

— Designate specific ministries and CISOs.

— Establish risk-based rules that ensure adequate protection across all IoT layers with clearly defined and mandatory requirements.

— Adopt the highest appropriate level of security and data protection.

— Combine know-how and deepen a joint understanding between firms and policymakers of cybersecurity requirements and rules.

— Include dedicated cybersecurity courses in school/uni/professional curricula.

— Establish mandatory independent third-party certifications.

— Multilateral collaborations in regulation and standardization to set a level playing field matching the global reach of WTO; inclusion of rules for cybersecurity into (FTAs).

— Drive joint initiatives including all relevant stakeholders in order to implement the above principles.

— Condemn the use of ICT for the purpose of unfair competition and damage to industrial facilities.

— Condemn the development and integration of hidden vulnerabilities in information and communication systems.

— Condemn the activities aimed at the hidden accumulation of information about vulnerabilities.

— Welcome the efforts of States and the international community to establish an effective system and transparent procedures to combat cyber crimes.

— Welcome the efforts of the international community to give the basic information and communication infrastructures, which form the basis of the global network, the status of a demilitarized zone, free from the military confrontation of political actors.

— Welcome the participation of large industrial business in the management of processes to ensure the stability, reliability and security of global information and communication infrastructures.

— Support the creation of industry, national and international centers and distributed systems for detection, prevention and assistance in eliminating the consequences of network attacks.

— Support activities aimed at forming a culture of information security.

— Refrain from attacking critical infrastructures and cloud-based services.

— Refrain from hacking personal accounts or private data held by journalists and private citizens involved in electoral processes.

— Refrain from using ICT to steal the intellectual property.

— Refrain from inserting or requiring “backdoors” in mass-market commercial technology products.

— Agree to a clear policy for reporting of vulnerabilities.

— States should also ensure that they maintain control of their weapons in a secure environment. + restrain development.

— Agree to limit proliferation of cyber weapons. Governments should not distribute, or permit others to distribute, cyber weapons and should use intelligence, law enforcement, and financial sanctions tools against those who do.

— Limit engagement in cyber offensive operations.

— Assist private sector efforts to detect, contain, respond, and recover in the face of cyberattacks. Intervening in private sector response and recovery would be akin to attacking medical personnel at military hospitals.

— Protect the Public Core of the Internet: Without prejudice to their rights and obligations, state and non-state actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.”

— Protect the electoral infrastructure: State and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.”

Propriety

Corporate ethics.

“People and organizations need to trust that their digital technologies are safe and secure; otherwise they won't embrace the digital transformation”.

Refers to the UN GA resolutions on ICT in the context of international security.

International law.

Secure Public core of Internet as a basis

Reference to the UN Charter (non-interference in elections).

The form of norms

Public Commitment.

Public Commitment.

Resembles a UN resolution

Code of ethics, joining which corporations declare their intention to follow the principles of fair play in their actions in the cyber”.

Convention

(proposal).

Expert recommendation.

Collective expectations

TBD

TBD

TBD

TBD

TBD


1. Russia sponsored the first UN resolution on “Developments in the field of information and telecommunications in the context of international security” in 1998. (A/53/576)

2. Eichensehr, K. (2015) the Cyber-Law of Nations. The Georgetown Law Journal, Vol 103: 317-380

3. Finnemore, M., & Hollis, D. B. (2016). Constructing norms for global cybersecurity. American Journal of International Law, 110(3), 425–479. P.438

4. Finnemore, M., & Hollis, D. B. (2016). Constructing norms for global cybersecurity. American Journal of International Law, 110(3), 425–479. P.438

5. Lokhorst, A., van Dijk, E., & Staats, H. (2009). Public commitment making as a structural solution in social dilemmas. Journal of Environmental Psychology, 29, 400–406.


Rate this article
(votes: 13, rating: 5)
 (13 votes)
Share this article

Poll conducted

  1. In your opinion, what are the US long-term goals for Russia?
    U.S. wants to establish partnership relations with Russia on condition that it meets the U.S. requirements  
     33 (31%)
    U.S. wants to deter Russia’s military and political activity  
     30 (28%)
    U.S. wants to dissolve Russia  
     24 (22%)
    U.S. wants to establish alliance relations with Russia under the US conditions to rival China  
     21 (19%)
 
For business
For researchers
For students