Moving the needle on cyber norms

Cyberattacks like NotPetya and WannaCry can have consequences in the physical world and devastating financial fallout, even if they fall below the traditional definition of war. But U.S. officials, international organizations and independent experts have so far been unable to frame a consensus about where to draw that line.

The nongovernmental Global Commission on Stability in Cyberspace recently wrapped up a series of meetings in Geneva to hash out fundamental principles that states, non-state actors and private industry should follow.

The commission, co-chaired by former Secretary of Homeland Security Michael Chertoff and former Estonian Foreign Minister Marina Kaljurand, has spent the past two-and-a-half years courting public and private stakeholders and developing language around behavior in cyberspace that it hopes will help guide not just governments but also private companies who work in the murky, somewhat norm-less field of offensive cyber operations. It plans to release a report detailing its final recommendations at the end of 2019.

"We say that international law applies to all areas of the digital sphere, but how it applies is a very difficult question," said Fabrizio Hochschild, assistant secretary general at the United Nations, in comments to the commission Jan. 22.

This ambiguity, Hochschild argued, creates a state of "unpeace," between nations: falling short of armed conflict but hardly qualifying as peaceful coexistence.

Last year, the commission settled on six broad principles for state and non-state actors

• Avoid tampering with products and services if doing so impairs the stability of cyberspace
• Don't hack connected devices to create botnets
• Governments should have a clearly communicated Vulnerabilities Equities Process with a default presumption in favor of public disclosure
• Companies that make products or provide services important to the stability of cyberspace should have effective policies to identify and mitigate bugs and vulnerabilities
• States should enact baseline regulations around cyber hygiene
• Non-state actors should never engage in offensive cyber operations against governments.

Chris Painter, a former cyber coordinator for the State Department who attended the Geneva meetings as a GCSC commissioner, told FCW the group was looking to thread the needle between not duplicating work from other frameworks, while also keeping in mind that any end product will need to accord with any future binding international agreements. The commission is not affiliated with any government or international body, and compliance with any agreement that comes out of the process will be voluntary. The Trump administration did not send a representative, although many former senior U.S. officials are involved, including Chertoff and Painter.

"The idea is that these are a number of people in the multi-stakeholder community who can discuss it, but it doesn't have the same effect as states discussing it," Painter said. "We're not states, but we're trying to make recommendations to states."

Bruce McConnell, global vice president at the East West Institute, which supports the Global Commission on the Stability of Cyberspace, told FCW that one of the challenges is finding a way "to show a road map for getting these norms taken seriously."

McConnell told FCW the commission keeps in contact with the White House and other countries to ensure they are no major objections to the principles. They also make sure to periodically touch base with Beijing and Moscow to keep them in the loop and solicit feedback.

The commission faces an increasingly crowded field of competing frameworks. The United Nations has taken multiple cracks at the task, developing consensus reports around cyber norms that established lines in the sand -- like a prohibition on cyberattacks against critical infrastructure -- that have since garnered broad agreement among world powers in theory if not always in practice. The UN is now split between two dueling working groups led by Russia and the United States.

The Paris Call for Trust and Security in Cyberspace, unveiled last year by the French government, garnered widespread support from governments, private industry and charities, but thus far the Trump administration has not joined. Nor have countries like China, Russia, Iran and North Korea, who are widely recognized as the prime actors when it comes to global offensive cyber operations.

As long as the organization views its mission as complimentary, McConnell said he believes the lack of consensus on the international stage actually works in the GCSC's favor. If there's no digital Geneva Convention in place, the commission's work can clarify and inform one in the future.

"As the UN [working groups] show, it's tough sometimes to make progress through official channels. Issues about things like privacy, encryption, trade issues -- all these other factors influence the debate," McConnell said. "And I think it's a very confusing environment. More frameworks could make it even more confusing. … Nobody has the right answer yet and I think it's good to have a lot of different discussions."