Cyberspace is a strategic competitive environment where continuous activity short of use of force has cumulatively threatened international peace and stability. States have sought to both manage and regulate this threatening behavior through the U.N. Group of Government Experts (GGE) and Open-Ended Working Group (OEWG) processes. These processes have resulted in deliberative products proposing peacetime cyber norms and an agreement by U.N. member states that international law applies in the context of cyberspace.
However, the proposed prohibitive norms do not address ongoing threatening behavior, and traditional norms conformance mechanisms are failing. Although all U.N. member states now accept that international law applies, it will likely take years for states to reach agreements on how it applies—a milestone that, if reached, would contribute to establishing new rules of customary international law in the context of cyberspace. Some argue that the slow, steady pace over decades of state interaction and U.N. processes is consistent with how states have historically responded to major disruptive technological change (namely, the “usual way”). But time is not a luxury we can afford in cyberspace, as strategic ground is already shifting; conceding to the “usual way” threatens peace and stability.
Prohibitive cyber norms efforts must identify ongoing state and non-state cyber behaviors that immediately and cumulatively threaten peace and stability. Several prohibitive norms proposed by the Global Commission on the Stability of Cyberspace (GCSC) serve as credible and salient examples because they speak to ongoing destabilizing behaviors. In addition, the international community should adopt a new approach for cultivating conformance to cyber norms that acknowledges and leverages cyberspace’s strategic imperative and incentives for cyber persistence while also minimizing the potential for further instability. Over time, opinio juris emerging from the U.N. processes can converge with this new approach to conformance and set the stage for new, binding rules of customary international law for the cyber context.
GGE and OEWG Proposed Prohibitive Norms: Missing the Mark
The U.N. GGE and OEWG processes have produced deliberative products proposing peacetime cyber norms, but these do not constitute norms in and of themselves. International norms should be considered as such only when they become state practice, not merely aspirations of state practice. Of the 11 proposed norms identified in these products, many are best practices or positive duties, such as protecting one’s own infrastructure and supply chains, as well as responsibly reporting vulnerabilities and sharing remedies. Two are prohibitive norms describing behaviors that states should eschew. For example, one norm proposes that states should not conduct or knowingly support activity to harm the information systems of another state’s emergency response teams and should not use their own teams for malicious international activity, and another holds that states should not conduct or knowingly support information and communications technology (ICT) activity that intentionally damages critical infrastructure.
States are engaging in a range of cyber behaviors that undermine peace and stability, but these proposed prohibitive norms do not address those behaviors. There is no reported instance of states engaging in cyber operations against another state’s cyber emergency response teams or using their teams for malicious purposes. And, although states have targeted critical infrastructure in armed conflict and non-state actors have done so in peacetime, the proposed prohibitive norms are not framed in a manner addressing that context or those actors, respectively.
GCSC Proposed Prohibitive Norms: Credible and Salient
Unlike the U.N. GGE and OEWG products, the GCSC report proposes prohibitive norms addressing ongoing destabilizing behaviors. For example: State and non-state actors must not pursue, support, or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda, or plebiscites; state and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes; and state and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace. These proposed prohibitive norms are more credible than the U.N.’s prohibitive norms because they align with open source reporting of malicious actors’ destabilizing behaviors and are more salient because they comport with state experience; thus, they are more likely to motivate action.
Threats to technical election infrastructure are of considerable strategic concern for the United States. The U.S. Senate Select Committee on Intelligence reports that, throughout 2016, Russia engaged in “an unprecedented level of activity against [the] state election infrastructure” of all 50 U.S. states. The report identifies many failed efforts and a small number of successful exploitations. Russian cyber actors were in a position to delete or change voter data in the Illinois voter database and in a position to modify county data in another state (other reporting suggests this is Arizona). Threats persisted beyond 2016, as numerous actors continued to regularly target election infrastructure for different purposes, including disruption.
Threats to technical election infrastructure are also at the forefront of concerns for several European governments. Many have been subject to influence campaigns attributed to Russian advanced persistent threat (APT) groups. Fearing Russian attempts to disrupt vote counting technology, the Dutch government ordered municipalities and electoral regions to tally all votes manually for the 2017 parliamentary election. Concerns about an “extremely high risk” of cyber disruption led France’s National Cybersecurity Agency to prohibit electronic voting—banned in France since 2012, with an exception for French overseas voters—entirely in the June 2017 legislative elections. Germany’s Interior Ministry shared similar concerns when it reported in September 2021 that a development server for the national census was “affected” by a cyber operation. This server is part of Germany’s Federal Statistical Office’s infrastructure, which also includes servers for elections and other inherently governmental functions.
Botnet threats abound. In October 2016, the Mirai botnet distributed denial of service operations against Dyn—an infrastructure company that offers domain name system services—disrupted internet traffic for most of the U.S. East Coast and served as an early indicator of what is possible through commandeering public ICT resources. At its peak, this botnet comprised 600,000 commercial Internet of Things devices (devices that connect to the internet). On May 23, 2018, Cisco Talos published an alert regarding its discovery of VPNFilter malware on over 500,000 small and home offices routers and storage devices spread across at least 54 countries. The malware was designed to conduct surveillance on its targets and gather intelligence, interfere with internet communications, monitor industrial control systems, and conduct destructive operations.
Finally, recent operations against SolarWinds and Kaseya make evident that supply chain exploitations can cause significant disruption. Malware inserted into SolarWinds’s network management system software, Orion, rapidly spread to customers’ servers when they logged into the company’s software development website. In addition, a malicious actor launched a supply chain ransomware operation by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers.
These proposed prohibitive norms, because they are credible and salient, resonate more strongly than U.N. proposed norms, but absent an effective conformance mechanism, they also are merely aspirational.
Cultivating Conformance: The “Usual Ways” Are Failing
Norm creation on important contentious issues takes significant effort; they do not magically appear. Consider as examples the challenges faced by the women’s suffrage global movement, those pursuing the banning of landmines and cluster munitions, and the initial struggles of the precursor organization to the International Committee of the Red Cross to convince military commanders that protecting the wounded was compatible with their war aims. Norm entrepreneurship plays a critical role in this process. This can entail calling attention to an issue and proposing aspirational norms; states calling for the GGE and OEWG processes and the organizers of the GCSC have played this role. Another goal for entrepreneurs is cultivating conformance. The same actors need not play both roles, although they may.
Martha Finnemore and Duncan Hollis outline three discrete mechanisms for cultivating conformance: persuasion, socialization, and incentives (positive and negative inducements). Finnemore and Hollis define persuasion as causing an actor to do or believe something in the absence of coercion by asking, arguing, or giving reasons. Persuasion describes a cognitive process of information exchange and argumentation to change minds, opinions, and attitudes. The U.N. processes leverage this mechanism to seek voluntary conformance. They also leverage socialization, a mechanism that rests on social relations and the identity ingredient of a norm. An actor wanting to establish or maintain a relationship with another actor or group of actors will conform to a proposed norm, not necessarily because of its content, but because doing so is expected within a valued relationship. Socialization underpins declarations of proposed norms by “like-minded” states: for example, the 2015 G-20 leaders’ communique and the 2017 G-7 declaration on “responsible” behavior. Norm entrepreneurs leveraging this mechanism may also adopt coercive tactics such as naming and shaming to pressure an actor concerned with reputational costs into conformance. While this form of coercion seeks behavioral changes through speech and social relations, the third mechanism for cultivating conformance, incentives—specifically, negative inducements—cultivates conformance through material coercive actions ranging from economic sanctions to threats or uses of military force.
All three mechanisms have a poor track record, in isolation and in combination, for cultivating conformance by malicious state and non-state actors with proposed prohibitive peacetime cyber norms.
Evidence that the persuasion mechanism has failed is bountiful, though not systematically documented. It is clear even to the casual observer that numerous states persistently act in and through cyberspace in ways that do not conform to the GCSC’s, U.N.’s, and other proposed voluntary and nonbinding prohibitive norms. Efforts premised on socialization to sustain a valued relationship have encouraged conformance among like-minded states. Although that population does not include the most egregious malicious cyber actors. Moreover, socialization premised on naming and shaming those actors has not succeeded, either. When discussing the issue of Russian cyber operations seeking to influence the U.S. presidential election, former President Barack Obama stated, “[T]he idea that somehow public shaming is going to be effective, I think doesn’t read the thought process in Russia very well.” Coercive inducements applied most frequently by the U.S., such as indictments and economic sanctions, have also failed to stem the tide of malicious activity.
These mechanisms fail not because they lack sufficient time to produce conformance—that is, the usual way. Rather, they fail because they do not take into account the core characteristics and dominant behaviors of cyberspace. Some may also be counterproductive by encouraging escalation.
A New Approach
A new approach for cultivating conformance accepts that the dominant behavior requiring management, and ultimately regulation, is cyber persistence, which manifests as a threat through the malicious exploitation of cyber vulnerabilities. Cyber norm entrepreneurs seeking peace and stability must acknowledge and work through, rather than marginalize or disregard, cyber persistence. Namely, security-minded, status quo norm entrepreneurs must themselves persist and responsibly leverage exploitation-based activities that preclude, inhibit, or otherwise constrain behaviors inconsistent with proposed prohibitive norms. Such activities could include, for example, exploiting and then closing a vulnerability for the sole purpose of removing malicious malware and denying its reinstallment and revealing publicly indicators and warnings of malicious activity, the techniques, tactics, and procedures associated therewith, and malicious malware itself that was discovered after an opponent’s intrusion or in anticipation of one. This approach to conformance holds promise because it acknowledges and aligns with cyberspace’s structural imperative for achieving security: persisting in seizing and maintaining the initiative to set security conditions in one’s favor by exploiting adversary vulnerabilities and reducing the potential for exploitation of one’s own.
This approach can reinforce credible and salient prohibitive norms proposed through the explicit deliberations of the U.N., the GCSC, and other fora and also adapt more quickly to the rapid emergence of novel behaviors engendered by the dynamism of cyberspace and the ingenuity of malicious actors. Considering the U.N. processes as a valid indicator, it can take states years, if not decades, to first propose such behaviors as prohibitive norms and then deliberate about them through an explicit process. This is time during which unconstrained malicious behaviors threaten peace and stability. It is time better spent tacitly communicating to the malicious source by exposing, disrupting, and contesting threatening behaviors. Persistence supports tacit communication through an “unusually dense interaction” of cyber activities that creates a basic interpretive framework for normative evaluation and conformance cultivation at the speed of relevance.
A cyber persistence-based approach also minimizes potential further instability relative to socialization (naming and shaming) and negative material inducements (economic sanctions). Covert operations scholarship suggests that secrecy dampens risks of instability by reducing potential pressures from domestic or other audiences and by allowing states to manage reputational concerns. Leveraging the “open secrecy” of persistent cyber campaigns is thus not just a more promising approach but also a more prudent one. When considered in this light, overt naming and shaming, which seeks to exert such pressures to achieve conformance, may be counterproductive to stability. Similarly, material coercive inducements, given their coercive character, make the emergence of an escalation dynamic more likely than would responsible, persistent exploitative cyber campaigns.
Operationalizing This New Approach
Cultivating conformance through a cyber persistence-based approach should aim to coordinate campaigns among government agencies with cyber capabilities and authorities and, where possible, with private-sector actors that have legal standing to engage in such behavior. Reported activities by the United States and its private sector offer examples of coordination, and the potential for more.
The U.S. Department of Defense’s defend forward cyber strategy as operationalized by U.S. Cyber Command’s (CYBERCOM) doctrine of persistent engagement embodies the notion of achieving security through responsible, persistent exploitation-based operations, campaigns, and activities. By operating off the Department of Defense Information Network, CYBERCOM seeks to preclude, inhibit, or otherwise constrain malicious cyber activity as close as practical to the threat source. This same doctrine can be leveraged to cultivate conformance with explicitly proposed prohibitive norms and to tacitly communicate a desired prohibition of emergent malicious behavior until a norm is explicitly proposed through a deliberative process. In fact, efforts to achieve security and cultivate norms in and through cyberspace must be deeply intertwined.
For example, to preclude technical disruption and interference in the 2020 U.S. elections, CYBERCOM reportedly engaged in an operation to temporarily disrupt what was then the world’s largest botnet: Trickbot. This provided an immediate security benefit. Had this operation been extended and expanded to a persistent campaign, it could have served as a conformance mechanism for the GCSC’s proposed prohibitive norms that address technical infrastructure essential to elections and the commandeering of public ICT resources for use as botnets.
Persistent campaigning is critical to cultivating conformance, as state and non-state actors can often quickly reconstitute cyber capability after being targeted with an exploitative operation. Two months after the CYBERCOM operation against Trickbot, Trickbot administrators updated communication mechanisms and built a new command-and-control (C2) infrastructure based on a different router to better secure the infrastructure from exploitation. Similarly, after a 2015 combined FBI and U.K. National Crime Agency exploitation-based disruption operation against the Dridex botnet’s C2 servers, security vendors reported that Dridex was back in operation less than 48 hours after the operation, albeit at a far lower capacity.
CYBERCOM has reportedly targeted other malicious botnets, including a coordinated effort with the FBI and an unidentified third country to disrupt the REvil ransomware group in November 2021. The FBI itself recently removed the CyclopsBlink C2 malware associated with a Russian APT-built botnet off of thousands of devices before it was activated toward malicious ends. It also closed the external management ports being exploited to access the C2 malware. While these operations provided immediate security benefits, extending and expanding them into persistent campaigns could cultivate conformance to the proposed botnet prohibitive norm.
These responsible, exploitation-based operations also enable the United States to operationalize some of the positive duties outlined in the GGE and OEWG products, including protecting one’s own infrastructure and supply chains and responsibly reporting vulnerabilities and sharing remedies. These duties are akin to anticipating persistent exploitation by malicious actors. CYBERCOM’s hunt-forward operations enable anticipatory resilience by discovering adversary malware, techniques, tactics, and procedures as well as indicators of compromise and releasing this information through VirusTotal and Cybersecurity and Infrastructure Security Agency (CISA) alerts to inoculate U.S. companies from malicious cyber activity.
Many U.S. private-sector companies have strong corporate incentives to support conformance with proposed prohibitive norms. Some also have the capacity, capability, and legal standing to engage in responsible, exploitation-based activities. The U.S. government should coordinate with these companies to bolster proposed prohibitive norms cultivation campaigns. As a case in point, consider Microsoft, a company that has proposed prohibitive norms through its Digital Geneva Convention policy paper. Its Digital Crimes Unit applies legal and technical solutions to identify, investigate, and disrupt malware-facilitated cybercrime and nation-state-sponsored activity. This helps cultivate conformance by state and non-state actors with the three GCSC proposed prohibitive norms highlighted above. Although no claims of coordination with CYBERCOM have been reported, less than two weeks after CYBERCOM disrupted Trickbot’s operations, Microsoft engaged in operations toward that same end. Microsoft has previously coordinated botnet disruptive operations with the FBI, including the 2013 operations against the Citadel and ZeroAccess botnets and the recent disruption of the Zloader botnet. However, there is no reported Microsoft coordination with CYBERCOM or the FBI specifically with the intent of cultivating conformance with proposed prohibitive norms.
The U.N. GGE and OEWG processes are not an immediate solution to ongoing cyber threats to peace and stability. However, the processes support the continuing effort to create new, binding rules of customary international law for the cyber context. A subset of the GCSC’s proposed prohibitive norms are more credible and salient, but the conformance mechanisms being applied by states and organizations—persuasion, socialization (naming and shaming), and negative inducements (sanctions)—are failing. A new approach to conformance is needed—cyber persistence—which derives from the core characteristics of cyberspace and, where possible, seeks to coordinate the actions of state agencies and private-sector actors based on common desired outcomes. This approach addresses the immediate security need and, in regard to state actions, further establishes state practice, which can converge with the opinio juris being coaxed from member states by the U.N. processes. In so doing, it creates momentum for setting the stage for new, binding rules of customary international law for the cyber context.