Robert Morgus is a policy analyst and Dan Ward a cybersecurity fellow for New America’s Cybersecurity Initiative. They’re also the authors of the informative (and entertaining) Professor Cy Burr’s Graphic Guide to International Cyber Norms. They agreed to sit down with Cyber Editor-in-Chief Michael Lenart to discuss their graphic guide as well as the major issues associated with developing international cyber norms.
Q: As you do in the International Cyber Norms graphic guide, let’s start with the basics: What do we mean when we talk about “international cyber norms,” and how are they developed?
Dan: Norms are the informal, unofficial standards of behavior that guide the way people and nations interact. They get formed in several different ways – sometimes they emerge organically, other times they are developed strategically and deliberately. There’s a whole adoption process that we outline in the comic.
Robert: Dan is spot on. In this case, norm is short for normative behavior. In the most basic sense, a norm is a description of existing behavior. However, in the international cybersecurity context we’ve seen the emergence of two different types of norms: actual norms—which are a description of actual behavior—and aspirational norms—which describe ideal behavior.
Q: Along with norms, the graphic guide identifies coercion and treaties as the other means by which states can limit destructive behavior. What is the relationship among norms, coercion, and treaties – especially in a cyber context?
Dan: They all intersect and overlap a bit. For example, using treaties instead of coercion (or vice versa) can be a norm. The types of coercion or retaliation a country chooses to engage in are largely determined by norms.
Q: Did treaties and/or coercion contribute to the development of the Obama-Xi pact, i.e., China’s acceptance of a norm against industrial espionage? Or is there a better real-world example of the linkage among norms, treaties, and coercion?
Robert: Coercion and international law (treaties) most certainly played a role in the development of the Obama-Xi pact. People close to the indictments of five People’s Liberation Army hackers in the Western District of Pennsylvania would suggest to you that those indictments, a form of coercion, were more or less responsible for bringing Xi to the table. The legal side of this particular case study is complicated. There are international institutions like the World Trade Organization and various trade pacts (like the Trans-Pacific Partnership and Transatlantic Trade and Investment Partnership) that could provide the victim of economic espionage with a legal platform to seek some form of remuneration. However, there is no universal international law that directly addresses the issue of economic espionage.
Q: With regard to how one defines “cybersecurity,” you discuss major philosophical differences between two camps, roughly divided between western liberal democracies in one camp and Russia, China, and various other non-western states in the other. Can you describe these philosophical differences about cybersecurity and, broadly speaking, the political efforts each camp has undertaken to advance their particular perspective?
Robert: For the last decade, the diplomatic policy of much of the west has been to treat cybersecurity and information security as two separate issues. This means that when the US engages other camps on cybersecurity norms, the discourse has been limited to discussions on norms for engagement around attacks on physical infrastructure and what the US calls computer network operations. However, in other parts of the world, like Russia and China, cybersecurity and information security are deeply interwoven. Thus, a codification of national sovereignty over a given state’s cyberspace—which refers to information and communications technology (ICT) infrastructure, but not the content on it—has been met with a call for national sovereignty over information space—a thinly veiled attempt to allow states to control the internet and communications content that flows over their ICT infrastructure. The U.S. and rest of the west have been hesitant to engage on these topics as part of their diplomatic strategy. However, given the attention paid to the alleged Russian information operation around the U.S. election, it may be time for the west to reconsider this staunch separation.
Q: In two of Robert’s recent articles, he refers to statements by NSA and Cyber Command Chief Admiral Mike Rogers about a "series of ongoing conversations" the U.S. is having with other states on developing cyber norms. What can you tell us about these conversations?
Robert: Admiral Rogers is right to point to ongoing conversations the U.S. is having with other states. We engage at the multilateral and bilateral level with the likes of our partners in Europe, as well as some nations that are seen as more adversarial in this space like Russia and China. However, in part due to disagreement over the content of these conversations, they have stalled. One of the forums that has been instrumental in illuminating areas of agreement has been the United Nations Group of Governmental Experts (GGE) in the Disarmament Committee. However, at the end of last year’s meeting in August, the representative to the GGE from Russia is said to have stated that he thought all the agreement that could be reached on the topic has been, and some states have backtracked a bit on commitments made during past meetings.
Q: In the graphic guide, “Professor Cy Burr” briefly introduces Chris Painter, the State Department’s Coordinator for Cyber Issues and a major player in the U.S.’s work on cyber norms. Do you have any recommendations for how the Defense Department can improve its collaboration with State and/or other federal agencies to advance the development of international cyber norms?
Dan: Norms are generally informal and unofficial, which means cooperation is the key to getting a norm adopted. That’s why I think the various federal agencies have to make collaboration on this issue a priority. No single agency has complete jurisdiction over cyberspace, no agency has complete autonomy, and norms are almost never adopted just because one stakeholder wants it to be. Precisely because cyberspace is a shared domain, precisely because we all have interests and priorities and opinions about what norms should be adopted, it is crucial that we talk and collaborate, both at the senior leadership level and the lower levels.
Q: Since a norm is essentially an agreement among stakeholders who must share at least a basic level of trust, how large a role can norms play in the interactions of states like the U.S. and Russia (or China), whose relations often lack that basic element of trust?
Dan: Norms present us with an opportunity to develop a virtuous cycle (as opposed to a vicious cycle), because while norms require a certain amount of trust, they also help foster trust. So if we can get the ball rolling a little, with a few basic, easily-agreed upon norms, they can serve as building blocks to greater levels of trust and cooperation.
Robert: Dan is right, of course, but at the same time, breaching a norm can cause increased tension and further disintegration of trust. In the case of cybersecurity norms, this is a particularly realistic concern because, while many norms have been clearly articulated in writing, some are simply assumed and sometimes not necessarily assumed universally. This can lead to confusion should one state violate the perceived norm of another and also give potential norm defectors cover to plead ignorance.
Q: Can you give an example or two of the type of basic, easily agreed upon norm that could get the ball rolling, like you mention above?
Dan: The best place to start is with norms already in place in other areas of international activity, such as the law of armed conflict (LoAC). Nation-states already have general agreements on things such as distinguishing between civilian and military targets, ensuring proportionality of response, and avoiding unnecessary suffering. So while we don’t have universal agreement that current international agreements and laws of war translate in full to cyberspace activities, there are certainly pieces and components of existing agreements we can use as these initial building blocks.
Robert: I’m not so sure there is a ton of low hanging fruit here, and I’ll break a bit from Dan in my answer. For the last decade, the U.S. has focused their strategy on negotiating or translating norms mostly from the armed conflict space, like LoAC. Over the last year I’ve become increasingly skeptical that this is the right approach to negotiating international cybersecurity norms. When I look at the vast majority of state cyber operations, I do not see military operations that should therefore be governed by the laws of armed conflict. Instead, I see intelligence operations that are far more akin to traditional espionage practices. From my perspective, it is important for those developing our norms strategy to understand and tease out what this means with regard to what sorts of existing norms we should be pushing for application in cybersecurity and where the key pressure points are for the development of new norms.
Q: This is admittedly a complex question that doesn’t lend itself to simple answers, but roughly speaking, how would you assess the international community’s current progress on developing and implementing a set of workable cyber norms?
Dan: As we explain in the comic, we’re very much in the early stages of this activity, largely because we are still in the early stages of learning to live in cyberspace. We’re still exploring. We are still figuring out what questions to ask and how to find answers, so it’ll be a while before we have a robust, shared set of cyber norms. The other thing to understand is that norms are not static. They tend to emerge and evolve over time, so I don’t think we should expect to ever have a set of norms as a complete, finished product. Norms are always a work in progress.
Robert: Absolutely. I would also say that we’re still in the exploratory phase wherein the international community wrestles with what should be the content for norms (recall the cybersecurity vs. information security debate). Recent events could push this stage to a culmination as western countries are pushed to acknowledge the relevance of information security.
On behalf of Cyber and the Military Cyber Professionals Association, I’d like to thank Mr. Morgus and Mr. Ward for taking time out of their busy schedules to share their valuable knowledge and insights with us. Integrating an understanding of cyber norms with traditional military cyber competencies can lead to a more thoughtful, strategic, and ultimately more beneficial application of cyber capabilities and capacities.
I strongly encourage all readers to review the graphic guide that prompted this interview.
-M. Lenart, Editor-in-Chief
Photo credit: TR Service Learning Academy