In 2007, cyberwarfare nearly became real warfare when Russia waged a series of Distributed Denial of Service attacks against Estonia.
A DDoS attack makes a website inoperable by overloading its servers with excessive traffic. “The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” Estonia’s Minister of Defense told Wired shortly after the event. “All major commercial banks, telcos, media outlets, and name servers—the phone books of the Internet—felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”
In light of this clear act of aggression, Estonia’s NATO allies considered invoking Article 5 of the NATO treaty, which establishes the organization’s principle of collective defense. According to Article 5, an “armed attack against one or more [NATO members] … shall be considered an attack against them all.” Thus, in the event of an enemy power attacking a NATO member, Article 5 stipulates that all other members of NATO should join in their ally’s defense. Although Estonian online infrastructure suffered real damage from these cyberattacks, Estonia’s NATO allies were unsure if they should invoke Article 5 and take up arms against Russia. It remains unclear whether similar attacks would be considered “armed attacks” should they take place in the future.
The 2007 conflict between Russia and Estonia underscores a major problem with international convention and law: cyberspace is largely a grey area. A majority of the modern world communicates and stores information through the Internet, but there are no official conventions that police how states may or may not use it. This ambiguity should not exist; internationally-accepted norms must be established to define appropriate cyber behavior. Although the United Nations has made some important progress in determining what these norms should look like, the dialogue surrounding norms must appreciate the fact that most cyber threats today are not aimed at infrastructure, but at information.
Russia and The Need for Norms
Harvard Kennedy School professor Joseph S. Nye noted that the term “cyberwar” doesn’t even have a concrete definition. In an op-ed for Project Syndicate, Nye likens strategic studies of the cyber domain to nuclear strategy of the 1950s, in that “analysts are still not clear about the meaning of offense, defense, deterrence, escalation, norms, and arms control.”
The cyberattack on Estonia happened nearly a decade ago, but attacks between state powers have become more frequent in recent years. Today’s cybercrimes have the potential to not only destroy critical infrastructure, but undermine trust and cost governments and companies tremendous sums of money. On the heels of a U.S. presidential election in which Russia has been accused of meddling with America’s democracy, the need to define internationally-accepted cyber behavior is more vital than ever before.
Unless clear norms are set in place, Russia and other countries will continue to test the tolerance of their peers. Eventually, some experts believe this game of tactical trial-and-error may lead to catastrophe.
The Present Landscape
The largest-scale effort toward establishing norms to date has come from the United Nations, which has put together a series of Groups of Governmental Experts to report on the impact of information and communication technology on national security. Published in 2010, 2013, and 2015, the GGE reports contain recommendations for norms, rules, principles, and other measures by which the international community may approach the issue of cybersecurity in a more unified manner. Notably, the group concluded in 2013 that cybersecurity norms should reflect existing international principles and laws.
The United Nations’ work in this area has centered primarily around the military implications of the cyber domain. In a December 2015 event at Harvard’s John F. Kennedy Jr. Forum, Former Secretary of Defense Ash Carter underscored the defensive utility of cybersecurity norms: “Norms won’t necessarily offer that kind of hard protection, but norms do two things: they keep many people, most of the time, from doing something bad, and they provide the rationale that helps everyone else understand what must be done to protect them.”
The 2015 UN GGE report suggested that “states should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure Variations on this theme are at the core of the United Nations’ project to establish norms: states should refrain from inflicting intentional damage upon critical infrastructure. “This is a pretty ambiguous and nebulous concept,” New America cybersecurity policy analyst Rob Morgus told the HPR. “What does it mean to attack? What is critical infrastructure? Are you hacking critical infrastructure if you gain access to a financial institution and you just sit there and you watch, and you’re not doing anything, just collecting data?”
Some degree of focus on the military consequences of cybercrime is undoubtedly important in labeling aggressive actions. Nevertheless, consider how almost every recent cybercrime is called a “cyberattack” by the media. North Korea’s hack into Sony Pictures, China’s theft of American personnel records, and Russia’s attack on Estonian online infrastructure were all dubbed “cyberattacks,” despite their significant differences. The repeated use of this simplistic label has muddied dialogue surrounding this issue by obscuring the unique qualities of different cybercrimes—making it difficult to keep track of what actions warrant retaliation.
In the past, a lack of precision might have worked to the advantage of the norms movement. Since the start of the decade, experts have warned of an impending “Cyber Pearl Harbor” in order to draw attention to the fact that cyberattacks are a legitimate threat. “The focus is no longer on simply trying to get attention,” Tim Maurer, who co-leads the cyber policy initiative at the Carnegie Endowment for International Peace, told the HPR. “We are rather trying to figure out how we can channel that attention into some meaningful output.”
When it comes to establishing norms, Morgus emphasized, “the precision of language is of the utmost importance … Because you’re talking about restricting certain activities and if you get too ambiguous or too narrow you either restrict too much or too little.”
Focusing on Intelligence
Any attempt at establishing norms must consider that most recent encounters between states have not involved damage to critical infrastructure. Today’s cybercrimes usually consist of acts of espionage, or the theft of government and company information. The aforementioned North Korean and Chinese hacks of Sony Pictures and U.S. government personnel records were acts of espionage, as was the recent Russian breach of the Democratic National Committee’s private servers. Although they were offensive, none of these acts would fall under the purview of any of the norms proposed by the United Nations GGE.
As David Fidler of the Council on Foreign Relations wrote, “international law does not prohibit or regulate espionage.” Thus, any of the norms proposed by the UN GGE would not be able to address cyberespionage, despite it being “one of the most important state uses of ICTs that causes international security problems.”
This lack of espionage regulation comes from the fact that cyber intelligence, like traditional intelligence, is not always used to facilitate aggressive acts. Germany and the United States are among the nations which have been caught engaging in cyber espionage against their own allies. As President Obama explained in a December interview with NPR, “Among the big powers, there has been a traditional understanding that everybody is trying to gather intelligence on everybody else. It’s no secret that Russian intelligence officers, or Chinese, or for that matter Israeli or British or other intelligence agencies, their job is to get insight into the workings of other countries that they’re not reading in the newspapers every day.”
Morgus believes cybersecurity norms can enable states to continue operating strategically in the cyber domain while avoiding future conflict. “What I’d like to see,” he says, “is [the United States] focusing on negotiating norms that focus more on stipulating what states should and should not do once they have [intelligence] information.”
The 2016 election illustrated the necessity of these kinds of intelligence norms when Russia leaked unflattering information relating to the Democratic Party and Hillary Clinton’s presidential campaign after hacking into the DNC. While the collection of this data could have been looked upon as a routine intelligence exercise, the release of the data had extraordinary political and geopolitical consequences. Whether or not the leaked information helped elect Donald Trump, as some argue, it certainly worked to the Kremlin’s advantage by undermining public confidence in the American political system. Illustrating the gravity of this hack, the Obama administration imposed heavy sanctions against Russia and expelled 35 Russian intelligence agents from the United States.
To address precisely this sort of intelligence incident, Morgus proposes that states “can conduct espionage to gain information on political parties, but cannot release that information to the public. So, intelligence gathered by the state should be intelligence for the state.”
From Private Sector to Public Policy
Although the verdict is still out on exactly how cyber norms can be used to manage the theft of state secrets, they have shown early promise in preventing the theft of commercial secrets.
In 2015, China President Xi Jinping pledged to work with the United States to curtail the spread of commercial espionage. “Cybertheft of commercial secrets and hacking attacks against government networks are both illegal,” the Xi said in a September 2015 interview with the Wall Street Journal. “Such acts are criminal offenses and should be punished according to law and relevant international conventions.”
Xi’s emphatic opposition to cybercrime initially seemed like lip service—it came on the heels of Obama’s threat to bring sanctions against China in response to China’s breach of millions of U.S. federal employee records. Nevertheless, Chinese economic espionage against the United States has plummeted since the announcement of the 2015 agreement, signaling that it has—at least so far—been successful.
The success of last year’s agreement is compelling evidence that norms can be effective if implemented properly. This is also evidence that cyberespionage norms—both commercial and political—may need to come from individual agreements between states rather than from the United Nations, which governs based on international law. Indeed, China has been a trailblazer in this area, striking deals with Germany and the United Kingdom similar to the one with the United States.
In order for more of these agreements to come about, many states must change their militaristic focus on cybersecurity. Indeed, part of why Russia has been able to get away with so much hostile behavior may be its comprehensive understanding of information security. “[The United States has] looked at cybersecurity very much from a military operations perspective,” Maurer told the HPR. “The Russian doctrine on information security is much more comprehensive and includes that information operations piece.” Maurer sees a silver lining in the DNC hack, insofar as it “has elevated [information security] in terms of awareness among policymakers. I think there is now a greater willingness … to cut a deal with the Russians.”
Whether or not a deal between the United States and Russia is realistic in the near-term, the international community as a whole must reconsider whether the United Nations is the avenue by which norms can be meaningfully established, or if negotiations between individual countries may prove more effective. Whatever the method, precision of language and a focus on information security will be vital to ensuring that cyberspace can be used safely and strategically in the years ahead.
Image Source: Pixabay/bykst