To the west, Russia’s Vladimir Putin would appear an unlikely proponent of cyber diplomacy. His appeals to former US president Trump to embrace joint cybersecurity responsibilities, and agree to ‘non-intervention into electoral processes’ were scorned. But since 1998, Russia has spearheaded cyber diplomacy initiatives through the UN, including a recent effort that unexpectedly saw members agree to a report advocating peace and security in cyberspace.
Although not radical in its contents, nor legally binding, the UN’s Open-Ended Working Group (OEWG) pushed the boat by persuading UN members to commit to an international agreement on cybersecurity. Since it started, the process has involved around 150 countries and has produced almost 200 written submissions and more than 110 hours’ worth of statements.
“I’ve been talking to a lot of diplomats recently, and at the beginning of the process, there were very few people that believed that this was going to actually happen,” says André Barrinha, senior lecturer in international relations at the University of Bath, UK.
With the arrival of Covid-19, and all the discussions moving online, “the feeling was that this was going to be even more difficult, because those corridor conversations, those compromises that are established over a glass of wine – you couldn’t have any of that because people were just stranded in their respective countries”.
The fact that an agreement was reached is therefore surprising. However, it will not reduce the incidence of state-sponsored cyberattacks, Barrinha says flatly.
The UN cybersecurity agenda
The global cybersecurity agenda has historically been driven by the UN’s cybersecurity Group of Governmental Experts (GGE) process, which convened only a small group of countries. But in September 2018, the UN General Assembly signed off on the creation of two parallel processes: the US-backed sixth edition of the GGE and the Russia-proposed OEWG, open to all UN member states. There were 109 votes in favour of Russia’s OEWG proposal, signifying widespread international interest in discussing and shaping the norms for cyberspace.
One of the main achievements of the OEWG process was the reaffirmation of the recommendations of the GGE, but among a much broader range of countries. “The fact that this was achieved can be seen as a success in itself, even if it doesn’t really advance the agenda significantly,” says Barrinha.
The report recommends a continued focus on emerging threats, international law, capacity building, and creating a regular forum to discuss such issues within the UN. Ratification of the 2015 GGE agreements marks a substantive step in establishing a set of norms to help countries navigate cyberspace. Discussions about protecting medical and other critical infrastructure from attacks also took place in the OEWG for the first time.
“Capacity building is a key thing, and the fact that the UN OEWG has recognised that it is central to international cooperation in the cyber domain – that has been a big move,” says Andrea Calderaro, director of the Centre for Internet and Global Politics at Cardiff University. He explains that most countries in the Global South are connected in terms of ICT networks, which means they are exposed to the same risks. “Because of that, in addition to connectivity capacity, [countries] need to develop the capacity to use the connectivity safely.”
Data is transferred between countries constantly, meaning that a national approach to infrastructure would be counter-productive. Calderaro points out that if the UK locates data centres in Iceland, it needs to ensure that Iceland has a good cybersecurity capacity too. “Because of that, capacity building is clearly becoming a crucial pillar of any cyber cooperation in the cyber domain. The internet is a transnational infrastructure, in order to protect the internet we need to take a transnational approach.”
The agreement was especially unexpected given the fractiousness of early meetings. A major bone of contention was whether a new set of norms should be created to deal with the complexities of cyberspace, or whether existing norms were sufficient to govern this realm.
One bloc of countries – including Russia, Syria, Cuba, Egypt and Iran, with some support from China – advocated for the former; the US, UK and other western liberal democracies argued that the voluntary, non-binding norms agreed to by all states in the UN General Assembly in 2015 are enough.
There is a perception in Russia, and not just in Russia, that the current norms and practices that govern how cyberspace is used are very much shaped by the West.
André Barrinha, University of Bath
“I think there is a perception in Russia, and not just in Russia, that the current norms and practices that govern how cyberspace is used are very much shaped by the West, and so there needs to be an agreement that takes into consideration the different views that these countries have,” says Barrinha. “This is the point that Russia and China make very often – the idea that we need an international treaty and that currently cyberspace is a bit like the Wild West, where there is no set of specific rules.”
The UK and US, on the other hand, tend to say an international treaty is unnecessary because international law already applies to cyberspace. “The sceptics would probably say there’s also an interest, particularly from the United States, of keeping some leeway, in the sense of allowing the United States to engage in cyber-operations without necessarily being accused of breaching international law,” says Barrinha.
Another point of contention was the militarisation of cyberspace. States including Iran, Russia, Cuba, and China called for a flat ban on military cyber operations and offensive cyber capabilities – again, something resisted by the US and its allies.
In cyberattacks, attribution can be extremely difficult, even in cases where geolocalisation is possible. “This means that even if we know that an attacker came from Russia, it’s going to be very difficult for us to identify that there was a state sponsor that’s coming from Russia,” says Calderaro. Attributing a cyberattack to a certain country’s government is a geopolitically fraught act in itself.
In the West, cyberattacks attributed to the likes of Russia and China, such as the Solar Winds and Microsoft Exchange attacks, attract the most coverage. However, the US and its allies, including the UK and Israel, wield some of the most advanced offensive cyber capabilities in the world.
In 2019, the US openly placed malware inside Russia’s electric grid as “a warning to President Vladimir V. Putin and a demonstration of how the Trump administration is using new authorities to deploy cybertools more aggressively”, according to the New York Times.
NSA whistleblower Edward Snowden revealed that the US hacked into Chinese mobile phone companies, and spied on Tsinghua University, one of China’s biggest research hubs and home to major backbone network, the China Education and Research Network. It even infiltrated servers in the headquarters of Chinese telecoms company Huawei, and planned to exploit its technology so when the company sold equipment to other countries, the NSA would be able to conduct surveillance and offensive cyber-operations on their computer networks.
The US also offered “winking acknowledgement” of its involvement in the devastating Stuxnet attack on Iran’s nuclear facility in Natanz in 2010, which is thought to have destroyed more than 1,000 nuclear centrifuges. The Wannacry and NotPetya attacks, while attributed to a hacking collective and Russia respectively, were carried out using zero-day exploits hoarded by the NSA that were published in the Snowden leaks.
This all goes some way in explaining why, despite being regularly accused of perpetrating cyberattacks themselves, countries such as Iran are eager to introduce stronger rules in cyberspace.
Meanwhile, a non-aligned group of countries, including Indonesia, India and South Africa, supported neither the Western view nor that espoused by the likes of Russia, China and Iran. “You are now seeing progressively a group of states that do not identify with this clash between the West and Russia and China,” says Barrinha. “They don’t identify with this, they don’t think that the issues discussed between those actors are those that necessarily interest them, or are particularly important for their own economic development. They would much prefer to focus on other issues – namely, capacity building.”
At the beginning of the process, the non-aligned group released a statement that emphasised state sovereignty in cyberspace and non-interference in other states’ affairs. European states, on the other hand, released a statement stressing the importance of an open, free, and secure cyberspace.
In the end, and despite pleas from Russia and some others, a majority of countries decided that a new framework for cyberspace is not needed, opting instead to clarify how international law applies in cyberspace. Some suggestions centred on protecting the ‘public core’ of the internet, such as election infrastructure, from attacks.
Concessions were made. The US and other western democracies accepted the removal of references to international humanitarian law and less of an emphasis on human rights. At China’s demand, the final report included support for responsible reporting of vulnerabilities by states, and the encouragement to secure the integrity of supply chains for ICT products.
However, some were not appeased by the final outcome. Iran opted to “disassociate” from it – an unusual UN practice that could provide grounds for saying its behaviour is not bound by the report. At the beginning of the process, Iran’s delegation derided the pre-existing norms as “not consensual anymore,” and proposed a new set of norms predicated on perceived threats to the country’s sovereignty. It was strongly in favour of introducing a binding treaty, something which was rejected by a majority of countries.
Overall, though, the process was considered a success. Because of this, the GGE, set to conclude in May, is likely to be the last one. A French-Egyptian proposal for a Programme of Action, supported by the US will commence, and another OEWG will get underway between 2022-2025. But it remains to be seen whether this will really shift the dial on cyber offensives in the coming years.