Ready to Respond to the Cyber Norms Debate
In 2017 cyber norms hit their stride in the public policy lexicon with practitioners climbing out of the woodworks to lay stake in the space and ultimately mourn at the ‘collapse’ of that year’s UN Group of Governmental Experts (UNGGE). While the conversation around norms may seem like just another sideshow in policy cyber-fication, they represent an important piece in the wider policy ecosystem and whether welcome or not, incident response teams have been pulled to the center of discussions around norms and confidence building measures. In fact, two years earlier, the UNGGE endorsed a norm explicitly identifying ‘authorized [computer] emergency response teams’ as off-limits to state driven attacks. With 2018 set to be a bellwether year in the norms debate, it is important that the CERT community enter the discussions well-informed and ready to navigate what is truly a maze of acronyms and pitfalls.
So what are norms anyways?
In the simplest terms norms are the ‘collective expectations about proper behavior for a given identity.’ The concept is rooted in anthropology and sociology and includes anything from holding doors open for others to if you should remove your shoes when entering a house.
The incident response community has formalized and informal norms of its own. The dynamics that surround trusted information-sharing networks are largely governed by norms around roles and responsibilities rather than explicit legal agreements, particularly the expectations surrounding the sharing, use, and dissemination of sensitive information. The expected use and treatment of voluntary standards such as TLP or STIX/TAXII can also fall under this umbrella.
For policymakers this wave of cyber norms, for the time being at least, largely refers to the space of state-to-state relations. While exploration of cyber norms often gets mired in debates around codified international legal regimes and treaties, norms refer more broadly to collective expectations of responsible state actors. So for these purposes we can stick with Ian Manners' short but sweet definition of norms as ‘what passes as ‘normal’ in world politics.’
Who defines what is normal?
Norm creation can be a rather complex space, but for cyber norms there are some standout avenues that have come to the fore:
UNGGE: The United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, or the UNGGE for short, has been crowned the be-all-end-all of cyber norms and its recent fall from grace has catalyzed interest in the concept. However, being housed in the First Committee of the UN General Assembly (Disarmament and International Security), the scope of the effort has in fact been relatively narrow, focused specifically on state activities within the frame of promoting peace and stability.
Proposed in 1998, these particular UNGGEs have been established five times since 2004, with incredible success on several occasions. The 2013 report stipulated that international law applies in cyberspace and in its 2015 iteration the group set forth a set of 11 norms, including the previously mentioned provision to provide a sort of protected status to CERT teams.
This UNGGE process has outstripped the typical lifespan of UNGGEs and has made remarkable progress, especially when considering the lack of movement and degree of disagreement on similar international cyber policy efforts at the General Assembly, ITU, and in other forums.
Beyond the landmark reports, the spread of the UNGGE’s work speak to its normative impact. The 2013 report has spawned the Tallinn Manual Process, a non-binding normative process that seeks clarity on how international law can be applied in the digital domain. More recently ASEAN Ministers referenced the 2015 report when expressing support for developing such norms for the region and the reports have been cited directly or indirectly in numerous Cyber Strategies, with Australia going as far as to include the 11 norms as an appendix to its International Cyber Engagement Strategy. The future of this particular UNGGE process may be uncertain, however it is short sighted to call the process, even just 2016/2017 edition, a ‘failure’ as it is through these efforts and discussions that real progress is borne.
Bilateral Agreements: Bilateral agreements, whether voluntary or binding, have also proven to be a strong means to develop, demonstrate, and proliferate norms. The 2015 U.S.-China Cyber Agreement where, among other things, the two economies agreed to refrain from cyber-enabled theft of intellectual property is cited as the most impactful. The agreement alone represented a strong line in the sand and there has been evidence of a decline in this type of IP theft. Another indicator of its impact can be seen in the subsequent adoption of similar language in further bilateral agreements including between the US and South Korea, UK and China, and even in the 2015 G20 Leaders Communique.
Indictments, Sanctions, and Strategy: Unilateral action can also help to define norms of acceptable behavior for states. The U.S. indictment of five PLA officers in 2014 and the 2015 sanctions on North Korea following the Sony Hack are two more forceful examples of unilateral action. With very low expectations of arrests or significant economic cost, the true impact of these actions was in setting a precedent and sending a clear indication of the U.S. perspective on the acceptability of certain activities.
A less dramatic means of sending these signals can be in the publication of doctrine or strategy that clearly articulates a governments position on international cyber matters. The announcement of capabilities and guidelines that outline a state’s view on what is and is not an acceptable use of Internet technologies by a responsible international actor can be used to set a position and define intentions as well as push the conversation to build consensus into the open. This is particularly true for discussions surrounding the announcement of offensive cyber capabilities and in what circumstances a government views their use as appropriate.
Global Commission on the Stability of Cyberspace (GCSC): One of the newer efforts to shape cyber norms is the GCSC. An effort technically outside official policy channels, the GCSC gains legitimacy through the credentials of its Commissioners, its multistakeholder make-up, and a bureaucratic maze of processes and consultation mechanisms including several Research Advisory Groups (RAGs). It has yet to be seen how impactful this group will be, however similar efforts in other areas have progressed the discussion, such as the Canberra Commission on the Elimination of Nuclear Weapons.
A carry over from work at the 2015 Global Conference on CyberSpace (GCCS) and the 2017 UNGGE, the first declaration of the Commission has been a call to protect the ‘public core’ of the Internet. This declaration directly involves the wider technical community, and with the current vague definition of the public core, it is particular important that the community enters the conversation as an equal partner to help ensure such conceptualizations are informed by the technical realities of how the Internet functions.
Cyber Norms and the Technical Community
The technical and policy communities are often characterized as at opposite ends of the spectrum, with differing goals, approaches, working methods, and often with mutual distrust if not disdain. While there is a value to distinction, if not occasional isolation, like with all things Internet the interdependence of the ecosystem necessitates that the communities communicate.
Whatever the starting point or perspective, at some point in their lifecycle, policy will impact the development, application, and functioning of technology and conversely the technical realities of the Internet will empower or limit the ability of policy to function as intended.
The incident response community in particular has quite a bit at stake in these efforts. In policy discussions incident response teams, national CERTs in particular, have occasionally been characterized as a mythical cure-all to domestically build resilience across the board and as a confidence building measure (CBMs) internationally. This is harmful, placing unrealistic expectations on these entities and ignoring the complexity of the technical, as well as relational, reality of the security community. This effects CERTs well beyond just national teams, with poorly formed policy and norms directly impacting a CERT’s ability to act, react, share information, and potentially indirectly alter the way the Internet functions technically and even more so as an industry.
There is a mutual responsibility for both communities to engage and build an understanding of how each functions. As entities that exist in and overlap numerous different industries and sectors, Incident response teams provide a particularly useful perspective and voice. In December, FIRST hosted an Incident Response for Policymakers workshop alongside the 2017 Internet Governance Forum (IGF), an important initial foray and building on efforts started in 2014. This type of engagement will help to ensure more informed policy making, instilling a do-no-harm approach to what works and encouraging effective efforts to build an enabling environment where the Internet can reach its full potential. After all beyond the technology, the real value of the Internet is derived in its application, in a space where policy, society, economics, and technology all converge.
This post first appeared on the FIRST.org blog.