A Canadian expert on nation-state cyberattacks is among those eagerly looking forward to the release of a closed-door United Nations committee report on guidance for adhering to norms of behaviour by nations in cyberspace.
The guidance might limit the ability of countries to launch cyberattacks, and more importantly, help the less technically advanced countries to defend against them.
Josh Gold, a visiting fellow at the Canadian International Council who closely follows U.N. cybersecurity governance processes, told IT World Canada on Tuesday that little has been said publicly beyond the fact that on May 28, the committee, known as the Group of Governmental Experts on stability on IT and telecommunications security (the GGE), reached consensus after two years of talks.
But judging by the few remarks of diplomats, the report “appears to be a positive step forward in the global effort to further develop meaningful and practical ‘rules of the road’ for governing how countries are allowed to behave in cyberspace.”
He noted in an email that in March, the U.N.’s Open-Ended Working Group (OEWG) – which includes all U.N. countries – achieved consensus in a separate report which highlighted the need to clarify further how countries can actually implement the 11 norms for responsible behaviour in cyberspace. While non-binding, Gold added, “their legitimacy was only solidified” with the re-affirmation of the norms.
“Given that this kind of agreement [by the GGE] comes at a time when geopolitical tensions are still relatively heightened (e.g., with Russia and China), the fact that the GGE succeeded may show that issues of peace and security in cyberspace are very important to all kinds of countries, and may indicate that the behavioural norms which have been agreed to thus far are universally desirable,” Gold wrote.
His reference to Russia and China relates to allegations that Russia was behind the attack on SolarWinds’ Orion network monitoring platform. A group based in China is reportedly behind the exploitation of vulnerabilities in the on-premise versions of Microsoft Exchange Server.
Russia targeting 11 vulnerabilities
The non-binding norms of behaviour were agreed to by a GGE session in 2015. Since then, it has been struggling to put meat on the bones. Notably, the GGE failed to reach consensus in 2017.
But during a recent GGE session on May 28, several countries finally announced a consensus and a path forward for developing guidelines.
According to one American expert, it could be weeks until the final document is released. And even then, it isn’t clear whether this will lower the use of cyberattacks by nation-states on critical infrastructure, including software companies.
But hints in the wording of statements by some countries are seen as encouraging.
One of those statements came from Michele Markoff, acting coordinator of the Office of the Coordinator for Cyber Issues for the U.S. State Department.
“We have achieved a substantial new body of guidance on the 11 norms to which all UN member states have committed to adhere,” Markoff said. “States will no longer be left asking questions about what it means to implement each of those norms that have gained so much attention. We have provided detailed explanations about the intent of each norm as well as what it would mean to implement or adhere to it. The international community has been asking for such guidance since the 2015 report. With our current text, we have answered those calls.
“We should all be proud of this report. It is a product of all of our hard work. In our final sessions, much of our energy was devoted to resolving controversial issues, and we have largely succeeded at that. But this entire document is truly remarkable.”
In a series of tweets, the U.S. State Department said the consensus report answers calls for detailed explanations about the intent of each of the 11 norms of responsible state behaviour and outlines what it would mean to implement or adhere to them.
The department also noted that the report offers guidance to states that fall victim to a cyber incident, helping them think through issues ranging from requests for assistance to attribution.
UPDATE: A few days after this story was published an advance copy of the final release was avaiable. Asked to comment on this document, Christian Leuprecht, a Queen’s University professor and senior fellow in security and defence at the Macdonald Laurier Institute, noted that one norm is that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs, they have the discretion to act or not act. “What exactly that obligation means is pretty nebulous,” he said.
He also noted that Iran and North Korea aren’t part of the GGE that signed this agreement.”it’s going to take years for these norms to take root,” he said.
The GGE is, as its name suggests, a committee of experts from a small group of U.N. countries. There have been six groups since 2004. The current version, which includes representatives from 25 countries, began meeting in 2019.
Although Canada has been a member of some GGE sessions, it is not a current one. A spokesperson for Global Affairs said Canada hadn’t seen a copy of what was agreed to and can’t comment.
The 11 norms are:
(a) States should co-operate in developing and applying measures to increase stability and security in the use of information and communications technologies (ICTs) and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security.
(b) In dealing with an incident, states should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences.
(c) States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.
(d) States should consider how best to co-operate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other co-operative measures to address such threats. States may need to consider whether new measures need to be developed in this respect.
(e) States should respect Human Rights Council resolutions on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression.
(f) A state should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.
(g) States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions; (h) states should respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another state emanating from their territory, taking into account due regard for sovereignty.
(i) States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions.
(j) States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure.
(k) States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams (CERTs) or cybersecurity incident response teams) of another state. A state should not use authorized emergency response teams to engage in malicious international activity.
Who cares about a ‘norm of behaviour’ if it isn’t an enforceable law? Lots of people
Josh Gold admitted that scholars of norms show they can take some time to be adopted or internalized by countries. So focusing on how countries can align with and adopt specific norms “could be quite helpful.”
For example, he said that crafting domestic legislation can help prevent cyberspace’s misuse within a given country’s territory or provide guidance on how countries can protect their critical infrastructure. It can lead to countries working together in response to cybersecurity incidents.
As a component of this, he wrote, the recent GGE report apparently provides practical guidance for states that are victims of cybersecurity incidents, including practical requests for assistance and guidance related to the attribution of cybersecurity incidents to specific actors.
If that’s the case, Gold said, “practical guidance from a U.N, report is welcome and probably quite valuable.”