In June 2021, the 25-member United Nations (UN) “Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security” (GGE) produced a report, building on its previous meetings to get the international community on the same page with respect to cyber attacks.  Typically, final reports are only produced when the members have reached consensus.  Notably, where previous GGEs succeeded, the 2016-2017 GGE did not produce such a report, with disagreements over key issues such as self-defense and the right to take countermeasures in response to cyber attacks.  The latest report is noteworthy, particularly coming on the heels of some of the most prominent cyber attacks suspected of being executed by the very governments represented in the GGE, as well as the Open-Ended Working Group that addresses the same issues but is open to all UN members.

According to one analysis of the report by a leading expert in these matters who received an advanced copy, the most important development was the agreement that international humanitarian law 9IHL) applied to cyber operations during armed conflict.  As such, the regulations of cyber weapons would be consistent with any other weapon used in any other domain, regardless of if the domain was natural (sea, air, land, space) or manmade (cyberspace). This principle could not be agreed upon during the 2016-2017 GGE.  Such an acknowledgement lays the necessary foundation from which other contentious issues can be framed and discussed.

The question of state sovereignty in cyberspace remained at a standstill, though more governments supported the position that sovereignty was a rule than a nonbinding principle.  This was interesting given that any State cyber offensive against another represented at least theoretically an infringement on state sovereignty.  As it often does when it comes to legal wrangling, definitions matter and are the obstacles to obtaining universal agreement.  Just what is the criteria that constitutes an infringement on state sovereignty in cyberspace will likely not be easily agreed upon, and one that will be hotly discussed and is the crux of what is acceptable state cyber behavior against another state.  This is important given a state’s right to execute countermeasures in response to such infringements against its sovereignty.  While there was consensus on a states rights to perform countermeasures under the parameters set forth under international law, states assisting one another in conducting them collaboratively or on another state’s behalf remained controversial.

Other noteworthy agreements in the GGE report included acknowledgment that all cyber-related disputes should be handled responsibly so as not to threaten international peace and security, and states affirming not to use proxies to commit cyber malfeasance, as well as ensuring that such individuals and/or groups are not operating within their borders.

The fact that the GGE was able to put out a report is a positive sign that there is more appetite for coming together to address the problems of state activity in cyberspace. But when diverse stakeholders try to hammer out rules of the road for the global community, it’s best to be cautiously optimistic at best.  The quest for international consensus for state norms of behavior in cyberspace is ongoing an arduous, a Sisyphean task that often finds itself back at the bottom of a long hill with a heavy load to push.  States have frequently said the right things, leaders made the right speeches, and governments affirming and reaffirming commitments to not hack each other’s critical infrastructure in peacetime or shelter cyber criminals who conduct attacks on other countries.  These type of agreements have been made in the past with the G20 doing so in 2015, and individual countries making such deals with counterparts (e.g., U.S.–China. in 2015, China-Russia in 2015).  And yet despite such “agreements,” suspected state-executed, state-condoned, or state-affiliated cyber activity not only perseveres, based on the past 18 months, has only increased in severity.

The mandate of the Sixth GGE bears particular note, as the group’s objective was “to study… possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behavior of States…”  The key word is “cooperative” as the interconnected complexity of cyber space requires just that if any hope of reducing the volume of threats that operate within.  It’s a pragmatic approach demanding all states – adversaries and allies alike – to find enough common ground for the common good.  Coordination must come from all parties, not just allies and friendlies.

Enter the U.S.-Russia meeting in Switzerland, the first test between the Biden Administration and Putin when they discuss cyber attacks, among other things.  The U.S. government has publicly identified Moscow as being the perpetrator behind the notorious SolarWinds supply chain attack, and Russian cyber criminals to be behind the Colonial Pipeline and JBS ransomware attacks.  The last two are notable in that they represent civilian critical industries which are relied up on for fuel and foot, respectively.  The U.S. public felt the sting of these attacks, which caused gas and meat prices to spike.  In an interview prior to their meeting, Putin expressed interest in establishing a cyber crime extradition agreement with the United States, signaling a willingness to meet the U.S. half-way.  Most believe that Moscow maintains some level of control over its cyber crime gangs and allows them to operate as long as they don’t target Russia or any former Soviet country.  Biden subsequently has backtracked on any possible agreement.

A former U.S. cyber official has said that “norms have moral force,” the implication being that by promising something there is an expectation that it will be observed and upheld.  One must wonder if Biden’s walk-back prior to his meeting with Putin may have been rooted in knowing the U.S. did not want to commit, thereby limiting its ability to operate in cyberspace.  However, governments not honoring their agreements is not uncommon, especially in the cyber domain.  Ultimately state actors take orders and direction from the state.  If a government feels that executing cyber offensives is in its national security interests, then it will do so, regardless of what agreement they have made and with whom.  

Ultimately, the question must be asked: does the world want a reduction of cyber malfeasance or not?  If the answer is yes, then governments must compel the cyber powers to step up and lead by example, and to find mutual areas for collaboration.  Crime is the logical area because it is pervasive and impacts all countries. Any headway to break up criminal forums and gangs via collaborative measures will gradually instill confidence. What’s learned in the process can feed directly into GGE efforts and start to bring clarity to those problem areas where consensus remains elusive. Otherwise, efforts like the GGE are destined to dwell in academic thought-exercise limbo, doomed to repeat the same acts over and over again like that Greek king suffering eternal punishment.

 

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast