Establishing Norms in Cyberspace


  • Co-Founder and Executive Chairman, The Chertoff Group and Secretary, US Department of Homeland Security (2005-2009)

  • In-depth view
  • 14 Jan 2020


Establishing norms for shared global common goods and tackling common challenges has long been a concern in international relations, largely because doing so is in tension with the traditional view of state sovereignty. For example, sustainability concerns and maritime competition challenged the unrestricted freedom of the seas while the rise of nuclear weapons created an urgent security threat that demanded global norms. In each of these cases, collaborative efforts were undertaken to establish regimes and common principles that would ease tension and increase the likelihood of peace.

In today’s geopolitical environment, cyberspace is the latest frontier for conflict among a variety of state and non-state actors. The number and severity of cyber attacks over the last decade have undermined our foundational trust in the internet, even as it has become a cornerstone of both the economy and our society writ large. Just as with the challenges associated with maritime law and nuclear proliferation, advanced collaboration is now required to improve the trust, security and stability of cyberspace.

Fortunately, promising efforts are already underway. For instance, the United Nations General Assembly endorsed the conclusion of the UN Group of Governmental Experts’ (UN GGE) work in 2015, which established a consensus among 20 states to guide norms of responsible behaviour in cyberspace. Since then, we have seen a growing number of international accords building on and broadening this effort.

Among these is French President Emmanuel Macron’s Paris Call for Trust and Security in Cyberspace, unveiled in November 2018 with the support of dozens of countries and major companies. Since this announcement the initiative has been endorsed by 74 nations, over 350 public sector organizations, and more than 600 private sector entities including Microsoft, Google and IBM. Despite the Paris Call’s extensive list of signatories, the United States has yet to endorse it. In my view it is well past time for the United States to embrace and advocate for the development of international norms in cyberspace, reflected by efforts such as the Paris Call. Failure to do so threatens to undermine the inherent value of the internet as we know it.

As Co-Chair of the Global Commission on the Stability of Cyberspace (GCSC), I helped oversee the November 2019 release of the Commission’s report on Advancing Cyberstability. The Commission’s work proceeded under the assumption that international peace and security—traditionally the sole province of states—could not be adequately addressed in the cyber realm without engaging a diverse team of stakeholders. Our report advocated for a set of principles and norms to better ensure the stability of cyberspace—such that everyone can be reasonably confident in their ability to use cyberspace safely and securely, where integrity and availability of services and information is generally assured, change is managed in peace, and tensions are resolved in a non-escalatory manner. In our efforts, the Commission sought to build on the work of the UN GGE, the Paris Call, and others while also considering implementation challenges, technical details to address specific types of cyber attacks, and (perhaps most notably) the responsibilities of non-state actors.

The GCSC report outlines nine foundational norms for behaviour in cyberspace. These include prohibiting both state and non-state actors from engaging in activity that damages the general availability or integrity of the internet; disruption of electoral processes and systems through cyber operations; tampering with products and services in development; and commandeering the general public’s information technology resources for use as botnets. The report further calls on states to create frameworks for vulnerability disclosure decision-making, as well as to enact appropriate measures to ensure basic cyber hygiene principles are met. Relatedly, the proposed norms urge product developers to prioritize security. Finally, the norms establish that non-state actors will refrain from engaging on their own in offensive cyber operations.

While the GCSC addresses issues beyond the Paris Call, there are many commonalities between them, such as their shared emphasis on supporting efforts to strengthen basic cyber hygiene, preventing malicious interference in elections, and prohibiting activity that damages the general availability or integrity of the Internet. Perhaps the most encouraging aspect of the Paris Call is that signatories from private sector organizations have thus far outnumbered nation states. This demonstrates significant progress toward creating the diverse, multi-stakeholder environment advocated for by the GCSC that is vital to building norms for cyberspace.

Importantly, the United States recognizes the scope of the cyber threat, even if the current administration is skeptical of multi-lateral efforts to address it. In April 2019 an announcement from my former agency, the US Department of Homeland Security, formally identified ‘internet routing, access, and connection services’ as a national critical function, effectively defining these services as so vital that disruption to them would ‘have a debilitating effect on security, national economic security [and] national public health or safety.’

Given the importance of such functions to our economy and national security, I believe that the establishment of norms in cyberspace—and US participation in this process—is of critical importance for three key reasons: (1) To maintain the modern economic benefits of the Internet; (2) To address security concerns related to the protection of our nation’s critical infrastructure; and (3) To protect American values by preserving the free flow of reliable, accurate information.

On the first point, the global economy is now unquestionably tied to individuals’ trust in the internet. The United Nations’ 2018 Measuring the Information Society report found that the proportion of the global population using the internet increased from 15.8% in 2005 to 51.2% in 2018. It is widely understood that digital technologies play a leading role in economic development by facilitating the delivery of public goods and services to hard-to-reach communities, encouraging entrepreneurship and education, and contributing to job growth. Furthermore, incentives for technology investment are critically tied to security, as individuals and organizations are reluctant to invest in products whose longevity is called into question. Without broad-based efforts to create a secure cyber environment, fear about the security of information technology systems may prevent their full economic benefits from being realized.

Second, information technology is now foundational to the effective operation of much of our nation’s critical infrastructure. The systems that support electricity, transportation, communications, and other critical national functions are increasingly reliant on the Internet. Geopolitical adversaries conduct offensive cyber operations on these critical systems, driving a cyber arms race that will further threaten our national security and way of life, if left unchecked. As nations continue to shift investments to the development of offensive capabilities, we can expect others to react by doing the same. In this state of ever-escalating global cyber insecurity, it will be increasingly difficult to rationalize and accomplish the creation of norms for cyberspace at the international level. The time is now to engage in norms development, and the United States’ strength, and reliance on the internet, necessitates our involvement. 

Finally, the internet was founded, in part, to facilitate the free flow of reliable, accurate information, a goal that naturally aligns with the United States’ founding values of freedom and democracy. The Internet empowers citizens, giving them the tools and resources to make more informed decisions and even to hold their government accountable, even in an age of disinformation. Efforts must be undertaken to ensure the continuity of these values in cyberspace, by establishing norms and protecting the general reliability of the Internet that facilitates these benefits.

The United States has presumably withheld its endorsement of global cyber norms such as the Paris Call in part so as not to unduly constrain its use of offensive or deterrent cyber capabilities. However, it is vital that we recognize that the aforementioned risks far exceed the potential short-term disadvantages that embracing reasonable cyber norms might pose to our cyber toolbox. This imperative is only increasing as US power in cyberspace is beginning to diminish compared to the increasing capabilities of less responsible state and non-state actors, who have proven their ability to inflict significant damage.

Sceptics may also argue that establishing norms among like-minded Western nations is a fruitless and strategically disadvantageous endeavor, when countries such as Russia, China, Iran and North Korea are those that pose the greatest threat to the network. We must remember that the creation of norms does not guarantee compliance, but rather increases attention among the international community to violators and lays a foundation for a stronger, more enforceable framework to one day emerge. The Barbary pirates defied international norms at sea, but few saw this as an argument for all states to embrace piracy.

Both the Paris Call and the Global Commission on the Stability of Cyberspace’s work present a significant opportunity to cultivate multi-stakeholder engagement in the creation of cyber norms and mark an important step in the development of norms to ensure greater cyberstability. The United States must not allow its short-term concerns to prevent it from engaging in the development of vital international cyber norms that will help protect its economic and national security interests. Indeed, if we are not engaged in building the foundation for these norms, we run the risk of ceding the field to nations pursuing agendas that may be inimical to free speech and open economies. The time is now for our government to engage in these efforts, before trust in the Internet erodes and the proliferation of cyber attacks in peacetime reaches a point of no return.