As nations continue accusing each other of being behind cyber attacks and manipulating social media, another international meeting is taking place this week trying to get some sort of agreement on what countries and technology firms shouldn’t do on the Internet.
The two-day meeting in Geneva of the Global Commission on the Security of Cyberspace, hosted by a United Nations agency, is the fifth public hearing run by the commission, which is trying to create momentum behind a set of norms defining unacceptable online behavior.
However, an expert warns this is an uphill fight.
“It’s going to be a process,” said Eric Jardine, assistant professor of political science at Virginia Tech and fellow at the Centre for International Governance Innovation, a Waterloo, Ont.-based think tank. “It’s not going to come from the top, in my view. It’s restrictions [on activity] that emerge through practice and small negotiations.
“There’s going to have to be self-restraint first: Governments, for example, are going to have to recognize that targeting the companies of another country is bad for their own businesses — there could be reciprocal retaliation — and stop doing it. Once that starts to happen, then you can start talking about the emergence of a norm with teeth.”
“Norm building is a very incremental process, and it can lead to stability over time. The problem is the rest of the ecosystem moves at a way faster pace.”
A think tank of prominent people from around the world (but with no Canadian representative), the commission hopes to develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace.
After holding public hearings Tuesday, today commission members will hold their first meeting of 2019 to discuss a definition for cyber stability. In addition, they’ll try to stitch together “a way forward for the international peace and security architecture in cyberspace.”
One of its achievements so far was the creation last fall of the so-called Singapore norms package, six points of what might be called rules of the road.
- “Non-state actors [businesses] should not engage in offensive cyber operations and state actors should prevent and respond to such activities if they occur.”
- “State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace;”
- “State and non-state actors should not commandeer others’ ICT resources for use as botnets or for similar purposes;”
- “States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure;”
- “Developers and producers of products and services on which the stability of cyberspace depends should prioritize security and stability, take reasonable steps to ensure that their products or services are free from significant vulnerabilities, take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process;”
- “States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.”
The commission isn’t the only body trying to rein in countries and businesses that think they have the right to conduct offensive activities on the Internet. There’s a UN Group of Government Experts on IT that meets regularly; the Global Commission on Internet Governance (GCIC), which is part of the Waterloo Centre for International Governance; the Internet and Jurisdiction Policy Network, which last year held a conference in Ottawa and meets next in Berlin in June; and the Internet Governance Forum. After calling for a ‘Digital Geneva Convention,’ Microsoft launched a Digital Peace Now online petition. Meanwhile, at last summer’s G7 meeting in Quebec, countries issued a declaration on fighting online threats to democracy.
However, in 2017, for the first time, the UN Group failed to reach unanimity on the applicability of law in cyberspace (see Related Articles above).
In his welcome Tuesday to the hearings, Jon Fanzun, Switzerland’s special envoy for cyber foreign and security policy, said it will be a challenge to bring together the different initiatives, but encouraged those interested to “work towards our common goal of an open, free and secure cyberspace.”
The sensitivity to the possibility of things getting out of hand comes amid a number of international incidents:
- Two crippling attacks on Ukraine’s power grid, believed by many to have been launched by Russia;
- Detailed accusations by U.S. prosecutors against Russia for allegedly trying to interfere through social media with the 2016 federal election;
- Allegations that Chinese technology companies can’t be trusted because a recent law allows the government to force companies to work with its intelligence agency.
At the end of last year in its first publicly-issued national cyber threat assessment, Canada’s Communications Security Establishment (CSE) said state-sponsored actors will “very likely” try to manipulate Canadians’ opinions through social media in this federal election year.
“State-sponsored cyber threat actors will continue to conduct cyber espionage against Canadian businesses and critical infrastructure to advance their national strategic objectives,” the report added.
While many nations agree cyber norms are in their best interest, Jardine said, some may not want to give up their advantage — particularly small countries who see cyber power as an equalizer to the military power of larger countries.
So while Jardine believes the number of publicly-reported data breaches has leveled off, he has no doubt 2019 will see an increase in new threats like attempts to meddle in elections — unless there is a threat of retaliation.
He noted the tough attitude of the Obama administration in the U.S. in 2015, which issued indictments, threatened economic retaliation and ultimately got an agreement with China to limit commercial intellectual property theft.
But, Jardine added, threats have to be tailored and backed by evidence: “You can’t run around threatening everyone.”
Meanwhile, groups continue to try to form an international consensus.
“I think it’s worthwhile they continue,” said Jardine, “to point to potential no-go areas, to try to stabilize some of what we’re seeing in cyberspace. But the challenge is that ‘norms’ have two definitions: What you should do, and what does happen. What we’re seeing is a really big disjunction — the norms are toward less offensive behaviour, no hoarding of zero-day vulnerabilities, non-state actors and governments should refrain from targeting businesses. The trouble is that’s the opposite of what we see” is really going on.