International Norms in Cyberspace

CAMBRIDGE – Last month, the Netherlands hosted the Global Conference on Cyberspace 2015, which brought together nearly 2,000 government officials, academics, industry representatives, and others. I chaired a panel on cyber peace and security that included a Microsoft vice president and two foreign ministers. This “multi-stakeholder” conference was the latest in a series of efforts to establish rules of the road to avoid cyber conflict.

The capacity to use the Internet to inflict damage is now well established. Many observers believe the American and Israeli governments were behind an earlier attack that destroyed centrifuges at an Iranian nuclear facility. Some say an Iranian government attack destroyed thousands of Saudi Aramco computers. Russia is blamed for denial-of-service attacks on Estonia and Georgia. And just last December, US President Barack Obama attributed an attack on Sony Pictures to the North Korean government.

Until recently, cyber security was largely the domain of a small community of computer experts. When the Internet was created in the 1970s, its members formed a virtual village; everyone knew one another, and together they designed an open system, paying little attention to security.

Then, in the early 1990s, the World Wide Web emerged, growing from a few million users then to more than three billion today. In little more than a generation, the Internet has become the substrate of the global economy and governance worldwide. Several billion more human users will be added in the next decade, as will tens of billions of devices, ranging from thermostats to industrial control systems (the “Internet of Things”).

All of this burgeoning interdependence implies vulnerabilities that governments and non-governmental actors can exploit. At the same time, we are only beginning to come to terms with the national-security implications of this. Strategic studies of the cyber domain resemble nuclear strategy in the 1950s: analysts are still not clear about the meaning of offense, defense, deterrence, escalation, norms, and arms control.

The term “cyber war” is used very loosely for a wide range of behaviors, ranging from simple probes, website defacement, and denial of service to espionage and destruction. In this, it reflects dictionary definitions of “war,” which include any organized effort to “stop or defeat something that is viewed as dangerous or bad” (for example, “war on drugs”).

A more useful definition of cyber war is any hostile action in cyberspace that amplifies or is equivalent in effect to major physical violence. Determining whether an action meets that criterion is a decision that only a country’s political leaders can make.

There are four major categories of cyber threats to national security, each with a different time horizon and (in principle) different solutions: cyber war and economic espionage, which are largely associated with states, and cyber crime and cyber terrorism, which are mostly associated with non-state actors. The highest costs currently stem from espionage and crime, but the other two may become greater threats over the next decade than they are today. Moreover, as alliances and tactics evolve, the categories may increasingly overlap.

During the Cold War, ideological competition limited US-Soviet cooperation, but both sides’ awareness of nuclear destructiveness led them to develop a crude code of conduct to avoid military confrontation. These basic rules of prudence included no direct fighting, no first use of nuclear weapons, and crisis communication, such as the Moscow-Washington hotline and the Accidents Measures and Incidents at Sea agreements.

The first formal arms-control agreement was the 1963 Limited Test Ban Treaty, which can be considered mainly an environmental treaty. The second major agreement was the 1968 Nuclear Non-Proliferation Treaty, which aimed at limiting the spread of nuclear weapons. The US and the Soviet Union perceived both agreements as positive-sum games, because they involved nature or third parties.

Similarly, the most promising areas for early international cooperation on securing cyberspace are problems posed by third parties such as criminals and terrorists. Russia and China have sought a treaty for broad United Nations oversight of the Internet. Though their vision of “information security” could legitimize authoritarian governments’ censorship, and is therefore unacceptable to democratic governments, it may be possible to identify and target behaviors that are illegal everywhere. Limiting all intrusions would be impossible, but one could start with cyber crime and cyber terrorism. Major states would have an interest in limiting damage by agreeing to cooperate on forensics and controls.

Of course, historical analogies are imperfect. Obviously, cyber technology is very different from nuclear technology, particularly because non-governmental actors can exploit it much more easily.

Nonetheless, some institutions, both formal and informal, already govern the basic functioning of the Internet. The US wisely plans to strengthen the non-governmental Internet Corporation for Assigned Names and Numbers (ICANN) by having it supervise the Internet “address book.” There is also the Council of Europe’s 2001 Convention on Cybercrime, with Interpol and Europol facilitating cooperation among national police forces. And a UN Group of Government Experts has been analyzing how international law relates to cyber security.

It is likely to take longer to conclude agreements on contentious issues such as cyber intrusions for purposes like espionage and preparing the battlefield. Nonetheless, the inability to envisage an overall cyber arms-control agreement need not prevent progress on some issues now. International norms tend to develop slowly. It took two decades in the case of nuclear technology. The most important message of the recent Dutch conference was that massive cyber vulnerability is now nearing that point.