Cybersecurity and Deterrence

Private-Sector Initiatives for Cyber Norms: A Summary

By Garrett Hinck
Monday, June 25, 2018, 7:00 AM

The U.N. panel charged with developing rules to govern cyberspace (formally the Group of Governmental Experts, or GGE) failed to produce a consensus report last June at the close of its 2016-17 session. After three previous groups had successfully agreed on guidance for the U.N. General Assembly on related topics—the application of international law in cyberspace, norms and confidence-building measures among them—last year’s GGE deadlocked over differences on international law during its final round of deliberations.

The good news is that where the Group of Experts failed, others are trying to fill the gap. Since last summer, proposals for new norms of responsible behavior in cyberspace have sprung from many corners. States continue to make bilateral agreements; China has been particularly active in this practice. But, as Tim Maurer has noted, the proposals best suited to shape global governance have come from corporations and civil society groups, not states.

This post summarizes where the last GGE report on norms left off and what these new proposals add to the debate over cyber norms.

Norms at the U.N. GGE

The Group of Governmental Experts was the U.N. working group intended to address emerging threats in cyberspace and craft rules governing states’ use of information technologies. Each group works over a two-year period—the first of five began in 2004. The fourth GGE, which worked from 2014-15, was composed of one expert from each of 20 countries, including every permanent member of the U.N. Security Council; other significant states such as Japan, South Korea and Brazil participated as well. The General Assembly charged the group with reporting on:

existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence building measures, the issues of the use of information and communications technologies [ICTs] in conflicts and how international law applies to the use of information and communications technologies by States …

The 2016-2017 group had a similar mandate. To send a report to the General Assembly floor, each group had to reach consensus—so its conclusions were usually broad and uncontroversial.

The GGE’s 2015 report was the first to explicitly detail a set of proposed norms for state behavior in cyberspace. The NATO cyber defense center summarized them as:

Limiting norms:

  1. states should not knowingly allow their territory to be used for internationally wrongful acts using [information and communications technologies, or ICT];
  2. states should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure;
  3. states should take steps to ensure supply chain security, and should seek to prevent the proliferation of malicious ICT and the use of harmful hidden functions;
  4. states should not conduct or knowingly support activity to harm the information systems of another state’s emergency response teams (CERTs/CSIRTs) and should not use their own teams for malicious international activity;
  5. states should respect the UN resolutions that are linked to human rights on the internet and to the right to privacy in the digital age.

Good practices and positive duties:

  1. states should cooperate to increase stability and security in the use of ICTs and to prevent harmful practices;
  2. states should consider all relevant information in case of ICT incidents;
  3. states should consider how best to cooperate to exchange information, to assist each other, and to prosecute terrorist and criminal use of ICTs;
  4. states should take appropriate measures to protect their critical infrastructure;
  5. states should respond to appropriate requests for assistance by other states whose critical infrastructure is subject to malicious ICT acts;
  6. states should encourage responsible reporting of ICT vulnerabilities and should share remedies to these.

The 2015 report made significant progress toward describing specific norms of state conduct. Alex Grigsby hailed it as progress for U.S. efforts to establish norms on critical infrastructure protection. But as Elaine Korzak pointed out in Lawfare, these norms were voluntary, nonbinding statements of principles, limiting their impact.

Progress made in the 2015 round came to a halt with the 2016-2017 group. According to the U.S. delegate, Michele Markoff, “[T]he reluctance of a few participants to seriously engage on the mandate on international legal issues has prevented the Group from reaching consensus on a report.” The panel apparently divided over the applicability of international humanitarian law and the right of self-defense in cyberspace.

Earlier this year, Tim Maurer and Kathryn Taylor outlined three possible avenues for the development of cyber norms. First, the process could continue at the United Nations, either through another GGE or a new committee in the General Assembly. Second, states could take up “tailored initiatives” to create specific norms on an issue-by-issue basis, modeled on the 2015 U.S.-China cyber-espionage agreement. Third, states could sign on to a broad agreement built on Microsoft’s proposal for a “Digital Geneva Convention.”

Microsoft’s initiative is the most prominent of the private-sector proposals for cyber norms in the wake of the U.N. group’s failure. Its scope significantly broadened the conversation, which led to a number of other proposals from different organizations for cyber norms.

The ‘Digital Geneva Convention’ and Cybersecurity Tech Accord

Microsoft President and Chief Legal Officer Brad Smith proposed a three-part plan for governments to “implement international rules to protect the civilian use of the internet” in his keynote address at the RSA conference in early 2017. Smith called for the United States and Russia to “hammer out” a bilateral agreement to “ban the nation-state hacking of all the civilian aspects of our economic and political infrastructures.” Then he proposed a “Digital Geneva Convention,” or multilateral accord, “to protect civilians on the internet in times of peace.”

According to a Microsoft policy paper, this treaty would commit states to:

  • Refrain from attacking critical infrastructure, including systems critical to the safety of civilians and vital to the global economy.
  • Refrain from hacking the data of journalists and “private citizens involved in electoral processes.”
  • Refrain from stealing intellectual property and trade secrets.
  • Refrain from mandating or installing backdoors in commercial tech products.
  • Adopt a common policy on vulnerabilities equities for mass-market products.
  • Limit and control the development of cyber weapons.
  • Agree to cease the proliferation of cyber weapons and to penalize those that proliferate.
  • Refrain from using offensive cyber weapons to cause “mass damage” to civilian infrastructure.
  • Assist efforts to respond to cyberattacks, including Computer Emergency Response Teams (CERTs), and refrain from inhibiting those efforts.

Smith also suggested that the proposed convention include provisions on an international organization for the investigation and attribution of cyberattacks, akin to the International Atomic Energy Agency’s role in monitoring counterproliferation.

Further, Smith argued for tech companies to cooperate on preventing and responding to cyberattacks. That vision came closer to fruition in April when 34 tech companies—including Microsoft, Facebook and FireEye—signed the Cybersecurity Tech Accord.

The accord has four core principles:

1. Protect all users and customers from cyberattacks, regardless of nationality.

2. Oppose attacks on civilians and businesses—including commitments to:

   a) Protect against the exploitation of tech products through vulnerabilities;

   b) Promise not to help states attack civilians.

3. Strengthen cybersecurity protection by:

   a) Providing users and customers with tools to detect cyberthreats.

   b) Supporting capacity-building efforts to advance security.

4. Work together and with others to enhance cybersecurity by:

   a) Developing partnerships to improve technical collaboration on vulnerability disclosure and threat sharing.

   b) Encouraging global information-sharing efforts.

Dan Efrony, the former top legal official for the Israel Defense Forces, called the tech accord a “limited success,” noting that while no country had endorsed the accord, no state had expressed opposition either. (Efrony gave a warmer endorsement to Smith’s proposal to establish an international cyber-attribution agency.)

Others are skeptical of the accord’s reach: as Bruce Schneier noted, tech giants Google, Amazon and Apple have thus far not signed on to the agreement.

While Smith’s efforts have generated headlines and gained support from some major tech firms over the past year, no state has officially endorsed his proposals. It remains to be seen whether Smith can bridge the gap between the corporate and geopolitical worlds.

The Global Commission on the Stability of Cyberspace

The Global Commission on the Stability of Cyberspace (GCSC) is a group of experts brought together by two think tanks, the Hague Centre for Strategic Studies and the EastWest Institute. The commission receives funding from Microsoft; the Internet Society; and the governments of France, the Netherlands, Singapore and Estonia. Its members include prominent former officials and academics such as former homeland security secretary Michael Chertoff, “father of the internet” Vint Cerf and political scientist Joseph Nye. In the past year, the commission has put forth two notable proposals on cyber norms.

First, in November the commission called for a norm that state and non-state actors should safeguard the “public core of the Internet.” It defined the public core as including elements such as internet routing, the domain-name system, certificates and trust authorities, and communications cables. These services are critical to the internet’s function—and the group cited past instances in which they were compromised, such as the 2011 DigiNotar incident, in which an attacker breached the Dutch certificate authority DigiNotar and issued fraudulent certificates, including for Google domains, that were then used to intercept the Gmail traffic of users in Iran.

Already, this proposal has gained traction. Marietje Schaake, a Dutch member of the European Parliament who is a commissioner of the group, submitted an amendment to a resolution on EU cyber defense endorsing the proposed norm. The amendment was included in the committee’s approved draft text, which has been sent to the floor of the European Parliament for a vote.

Second, in May, the Global Commission on the Stability of Cyberspace proposed that “State and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.” In its explanatory text, the commission described the proposal as an extension of the existing norm of non-interference in the affairs of other states, suggesting it has a “principle of legal, and thus, binding character” because Article 2(4) of the U.N. Charter prohibits the use of force against other states. Given public concern about cyber interference in elections around the world, the commission hopes the norm will encourage multilateral cooperation to address that concern.

In announcing its proposed norm for electoral non-interference, the commission noted that it is working on additional norms, including:

  • Barring the insertion of vulnerabilities into essential cyberspace products and services;
  • Advocating that governments actively consider disclosing software and hardware vulnerabilities to vendors; and
  • Further defining the elements of the public core of the Internet.

Siemens’ Charter of Trust

At this year’s Munich Security Conference, leading European companies—including Airbus, Allianz and Siemens—announced that they had signed a “Charter of Trust” outlining 10 guiding principles to enhance confidence in technology. The principles are:

1. Ownership: Governments and businesses should designate specific departments and officers as responsible for IT and cybersecurity.

2. Supply-chain protection: Companies and governments should establish baseline security standards for Internet of Things devices involved in supply chains.

3. Security by default: Security should be incorporated at all stages of product development.

4. User-centricity: Companies should meet the security needs of users.

5. Innovation: Encourage collaboration between government and private-sector actors to adapt cybersecurity practices.

6. Education: Schools should implement cybersecurity courses.

7. Critical infrastructure certifications: Companies and possibly governments should issue third-party certificates for critical infrastructure systems.

8. Transparency: Companies should participate in an industrial cybersecurity network to share information on threats.

9. Regulatory framework: Companies and governments should promote cybersecurity rules and standards through multilateral collaboration and include cybersecurity provisions in trade agreements. 

10. Joint initiatives: Companies should work with governments and other stakeholders to implement these principles.

The Carnegie Endowment’s Norm Against Manipulating Financial Data

While both the Microsoft and Siemens initiatives aim to establish a comprehensive set of principles for international cyber norms, the GCSC focused on specific issues. The Carnegie Endowment for International Peace, a D.C.-based think tank, proposed a similarly targeted norm in a 2017 white paper that argued that states should agree to not compromise the integrity of financial institutions’ data or algorithms.

The report’s authors—Tim Maurer, Ariel Levite and George Perkovich—proposed that the G20 adopt the following language:

A State must not conduct or knowingly support any activity that intentionally manipulates the integrity of financial institutions’ data and algorithms wherever they are stored or when in transit.

To the extent permitted by law, a State must respond promptly to appropriate requests by another State to mitigate activities manipulating the integrity of financial institutions’ data and algorithms when such activities are passing through or emanating from its territory or perpetrated by its citizens.

The authors argued that adoption would affirm existing state practice of refraining from harm to the global financial system, build confidence for addressing non-state actors that target financial institutions and complement other efforts to create cyber norms. Maurer and legal scholar Michael Schmitt made the case that, despite the legal ambiguity surrounding cyber operations against data integrity, such a norm will be vital to protecting the financial system.

Concluding Observations

The international community does not lack for ideas about norms to govern behavior in cyberspace. The proposals outlined above range from sweeping agreements that would rewrite how governments and businesses act in the cyber domain to narrow proposals on specific issues for smaller sets of states or firms.

Each of these proposals builds on the norms reflected in the 2015 GGE report in different ways. Microsoft’s Digital Geneva Convention seeks to make its principles binding through a treaty. The GCSC applies the U.N. norms to internet infrastructure and electoral systems. The Siemens Charter of Trust calls on companies to complement governmental efforts to stabilize cyberspace. And Carnegie’s financial stability norm applies the GGE principles to financial systems.

Importantly, these ideas come from the private sector—businesses and civil society groups. Absent a reconstituted U.N. working group or another state-led initiative on cyber norms, private-sector proposals will be the only options on the table. So far, none of the ideas detailed above has gained official endorsement from any state, and whether companies and civil society can persuade states to accept their proposed norms remains unclear. What is clear is that the future of cyber norms may well rest on these efforts.