Moving the needle on cyber norms

In an increasingly crowded field of international frameworks for cyber norms, a non-governmental organization is seeking to shape the terms of the debate.

Shutterstock ID 1041857944 By Lagarto Film
 

Cyberattacks like NotPetya and WannaCry can have consequences in the physical world and devastating financial fallout, even if they fall below the traditional definition of war. But U.S. officials, international organizations and independent experts have so far been unable to frame a consensus about where to draw that line.

The nongovernmental Global Commission on Stability in Cyberspace recently wrapped up a series of meetings in Geneva to hash out fundamental principles that states, non-state actors and private industry should follow.

The commission, co-chaired by former Secretary of Homeland Security Michael Chertoff and former Estonian Foreign Minister Marina Kaljurand, has spent the past two-and-a-half years courting public and private stakeholders and developing language around behavior in cyberspace that it hopes will help guide not just governments but also private companies who work in the murky, somewhat norm-less field of offensive cyber operations. It plans to release a report detailing its final recommendations at the end of 2019.

"We say that international law applies to all areas of the digital sphere, but how it applies is a very difficult question," said Fabrizio Hochschild, assistant secretary general at the United Nations, in comments to the commission Jan. 22.

This ambiguity, Hochschild argued, creates a state of "unpeace," between nations: falling short of armed conflict but hardly qualifying as peaceful coexistence.

Last year, the commission settled on six broad principles for state and non-state actors

  • Avoid tampering with products and services if doing so impairs the stability of cyberspace
  • Don't hack connected devices to create botnets
  • Governments should have a clearly communicated Vulnerabilities Equities Process with a default presumption in favor of public disclosure
  • Companies that make products or provide services important to the stability of cyberspace should have effective policies to identify and mitigate bugs and vulnerabilities
  • States should enact baseline regulations around cyber hygiene
  • Non-state actors should never engage in offensive cyber operations against governments.

Chris Painter, a former cyber coordinator for the State Department who attended the Geneva meetings as a GCSC commissioner, told FCW the group was looking to thread the needle between not duplicating work from other frameworks, while also keeping in mind that any end product will need to accord with any future binding international agreements. The commission is not affiliated with any government or international body, and compliance with any agreement that comes out of the process will be voluntary. The Trump administration did not send a representative, although many former senior U.S. officials are involved, including Chertoff and Painter.

"The idea is that these are a number of people in the multi-stakeholder community who can discuss it, but it doesn't have the same effect as states discussing it," Painter said. "We're not states, but we're trying to make recommendations to states."

Bruce McConnell, global vice president at the East West Institute, which supports the Global Commission on the Stability of Cyberspace, told FCW that one of the challenges is finding a way "to show a road map for getting these norms taken seriously."

McConnell told FCW the commission keeps in contact with the White House and other countries to ensure they are no major objections to the principles. They also make sure to periodically touch base with Beijing and Moscow to keep them in the loop and solicit feedback.

The commission faces an increasingly crowded field of competing frameworks. The United Nations has taken multiple cracks at the task, developing consensus reports around cyber norms that established lines in the sand -- like a prohibition on cyberattacks against critical infrastructure -- that have since garnered broad agreement among world powers in theory if not always in practice. The UN is now split between two dueling working groups led by Russia and the United States.

The Paris Call for Trust and Security in Cyberspace, unveiled last year by the French government, garnered widespread support from governments, private industry and charities, but thus far the Trump administration has not joined. Nor have countries like China, Russia, Iran and North Korea, who are widely recognized as the prime actors when it comes to global offensive cyber operations.

As long as the organization views its mission as complimentary, McConnell said he believes the lack of consensus on the international stage actually works in the GCSC's favor. If there's no digital Geneva Convention in place, the commission's work can clarify and inform one in the future.

"As the UN [working groups] show, it's tough sometimes to make progress through official channels. Issues about things like privacy, encryption, trade issues -- all these other factors influence the debate," McConnell said. "And I think it's a very confusing environment. More frameworks could make it even more confusing. … Nobody has the right answer yet and I think it's good to have a lot of different discussions."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.