The stability of global financial, healthcare, and security systems is increasingly at risk from cyber threats. As more critical infrastructure and industrial control systems are connected to the internet, a growing number of state and nonstate actors have developed, purchased, and deployed tools, weapons, and strategies to deter and disrupt cyberspace. The WannaCry, NotPetya, and SolarWinds hacks represent a few examples of recent cyber attacks with significant geopolitical consequences. In addition, the coronavirus pandemic has precipitated new attacks against critical medical organizations (such as ransomware attacks against hospitals).
Businesses and government agencies around the world, including in Georgia, India, Iran, Israel, and the United States, have reportedly been compromised by state-sponsored cyber attacks. Receiving less media attention is civil society, which faces the same persistent threats experienced by states and major corporations, yet lacks the resources needed to defend itself. These trends illustrate that the proliferation of information technologies that facilitate digital attacks is threatening the security and integrity of the internet, as well as internet users’ safety and privacy, which should be of concern to governments worldwide.
UN member states have attempted to devise rules for responsible state behavior in cyberspace to help maintain international peace and security. The most recent initiative, the UN Open Ended Working Group (OEWG) on Information and Communication Technologies (ICTs)—created by a Russia-sponsored resolution—resulted in the adoption of a consensus report in March 2021. Unfortunately, long-standing disagreements between countries on the need for a global, interoperable, and open internet have resulted in a consensus report that largely fails to deliver on the OEWG’s key objectives, namely, to address the root causes of global cyber instability today. Consequently, the international system remains beset by a lack of accountability and inadequate safeguards for civilians and critical infrastructure, leading to unpredictability and harmful outcomes.
A Brief History of Cyber Norms at the UN
The OEWG is not the first attempt by UN member states to create common rules of the road for cyberspace. As far back as 1999, Russia proposed a set of “principles of international information security” to the UN secretary general but it received little support. In 2004, the UN established a Group of Governmental Experts (GGE) to develop norms of responsible state behavior in cyberspace. Six subsequent GGEs have been established thus far, including the GGE in 2019–2021, which was created by a U.S.-sponsored resolution. The most notable development stemming from the GGE process was the adoption of a consensus report in 2013 outlining a set of foundational norms for the governance of cyberspace (or “cyber norms” for short) and reaffirming that international law, state sovereignty, and human rights apply to cyberspace. The GGE’s 2015 report elaborated on the principle of nonintervention in other states’ internal affairs and emphasized that states should protect their own critical infrastructure and should refrain from carrying out cyber attacks that damage critical infrastructure. These developments have served as a basic framework for subsequent cyber norm discussions, including those at the OEWG.
Fundamental Disagreements Among States
Russia’s objectives in creating the OEWG stand in opposition to the views held by the United States and its allies. Russia, like China and its other allies, seeks to revisit existing cyber norms and establish new binding commitments that more closely reflect its interests. Russia also argues that because the OEWG involves all interested UN member states—unlike the GGE, which has fifteen to twenty-five rotating members—it represents a more inclusive process and thus should have the power to substantively change or rewrite existing cyber agreements and norms. The United States and its allies, on the other hand, argue that while the OEWG can help elaborate on agreed-upon norms and international law, establishing new binding obligations falls well beyond its mandate. A third category of “swing states,” composed mostly of developing countries like India, Indonesia, and South Africa, have been largely “non-committal” in the cyber norms debates at the UN First Committee and have not devoted significant diplomatic resources to these negotiations.
Another issue that has created discord among states that are active in the norms debate is the “information sovereignty” concept, advanced primarily by China and Russia. As China defines it, information sovereignty (also known as internet sovereignty or cyber sovereignty) grants each country the right to regulate ICT activities within its territory as it deems necessary. Western liberal democracies charge that this concept provides justification for China’s highly restrictive media environment and its use of censorship or other techniques to control information flows. In the OEWG process, Russia and China continued to push their agenda of achieving greater state or multilateral control over the internet, particularly under the guise of combating the “dissemination of false or distorted news.” Their stance contrasts with the 2018 U.S.-led resolution for the GGE, which stressed the need for an “open, interoperable, reliable and secure information communications technology environment,” a core principle underlying the United States’ and its allies’ engagement with cyber norms processes. This fundamental disagreement—combined with the need to reach an accord among 193 UN member states for a consensus report to be adopted—impeded any real progress on solidifying the rules of the road for cyberspace.
Missing Accountability and International Humanitarian Law
The purpose of the OEWG, as articulated in the resolution that led to its establishment, was to “further develop the rules, norms and principles of responsible behaviour of States,” as outlined by the GGE. However, the OEWG report fails to make concrete additions and eschews key questions. Perhaps the two biggest omissions from the OEWG consensus report are the lack of references to accountability and to international humanitarian law (IHL). The omission of accountability is glaring given the group’s essential role in preserving security and stability in cyberspace both during peacetime and armed conflict. Indeed, the word (or even the concept of) accountability cannot be found anywhere in the report. Arguably, efforts toward ensuring responsible state behavior will have little consequence without mechanisms to hold states accountable for actions in cyberspace that harm international security and stability.
The lack of references to IHL, the legal regime designed to protect civilians during times of armed conflict, is equally troubling. A growing number of states have developed or are developing offensive cyber capabilities—for example, using cyber weapons to incapacitate water, power, or health systems during armed conflict. The potential human costs of cyber warfare make it essential to incorporate IHL into cyber norms discussions. Yet, any reference to IHL is missing from the OEWG consensus report, likely due to objections by China, Cuba, Venezuela, and others who have argued against its applicability to cyberspace. Opposition to the incorporation of IHL by these countries, as articulated by Cuba, had also prevented the adoption of the 2017 GGE consensus report. Cuba, backed by China and Russia, argued that incorporating IHL would normalize the militarization of cyberspace and legitimize cyber wars. Yet, offensive cyber capabilities are already being ramped up and deployed against a variety of targets. As a result, it is imperative to carve out restraints, derived from IHL, to limit collateral damage and mitigate further threats to the integrity of the internet. In sum, the OEWG consensus report breaks little new ground, as it mostly repeats what has already been outlined in previous GGE reports and relegates many of the major issues that could not find consensus to the Chair’s Summary document, which is not subject to approval by member states.
International Policy Consequences
Fragmentation on fundamental issues remains in cyber norms deliberations. China, Russia, and their allies are primarily concerned that the openness principles supported by Western liberal democracies could be used to interfere in their internal matters. In a speech at the 2015 World Internet Conference in Wuzhen, China, for example, Chinese President Xi Jinping spoke out against “internet hegemony” and “foreign interference in [China’s] internal affairs” through the internet. Therefore, China has sought to increase the global acceptance of the internet sovereignty concept. The United States and its allies, on the other hand, contend that cyber sovereignty is a concept that is used as a proxy for authoritarian states to run roughshod over human rights. Further, while China and Russia would like for the OEWG to create an internationally binding framework on ICTs, the United States and its partners maintain that “existing international law, complemented by the voluntary, non-binding norms that reflect consensus among States” is currently sufficient. These fractures are unlikely to heal anytime soon, given the lack of consensus and political will to resolve them.
After two years of deliberations with 200 written submissions and 110 hours of on-the-record statements by UN member states and intergovernmental and nongovernmental organizations, the OEWG process has led to a stalemate. The OEWG and its consensus report have failed to establish greater accountability by states over their actions in cyberspace and to better safeguard the security of civilians and critical infrastructure. International diplomacy in the name of global consensus takes time, but threat actors looking to launch cyber attacks are not holding still.
While states continue to delay establishing rules of the road for cyberspace, the sophistication of threat actors with destructive cyber capabilities has only increased. Mere months after the adoption of the 2015 GGE report, for example, Russia-linked hackers used digital tools to knock out a Ukrainian power grid, causing civilians to lose electricity for almost seven hours. This incident is one of many that demonstrate a dire need for significant progress on cyber norms. As long as negotiations continue in second gear, the trust and confidence that the public places in states to build a secure and resilient cyberspace will only deteriorate further.
Carnegie’s Digital Democracy Network is a global group of leading researchers and experts examining the relationship between technology, politics, democracy, and civil society. The network is dedicated to generating original analysis and enabling cross-regional knowledge-sharing to fill critical research and policy gaps.