This week 27 countries signed a joint agreement that is meant to determine what constitutes fair or foul play in cyberspace. The broadly written agreement, which was released on Monday at the United Nations, called upon nations to follow international law – even online.
The signatories included the members of the Five Eyes intelligence alliance, which is made up of the United States, Canada, the United Kingdom, Australia and New Zealand; as well as Belgium, Colombia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, the Netherlands, Norway, Poland, the Republic of Korea, Romania, Slovakia, Spain and Sweden.
“Information technology is transforming modern life, driving innovation and productivity, facilitating the sharing of ideas, of cultures, and promoting free expression,” the Joint Statement noted. “Its benefits have brought the global community closer together than ever before in history. Even as we recognize the myriad benefits that cyberspace has brought to our citizens and strive to ensure that humanity can continue to reap its benefits, a challenge to this vision has emerged. State and non-state actors are using cyberspace increasingly as a platform for irresponsible behavior from which to target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them.”
All’s Not Fair Online
The joint agreement attempts to create at least something resembling “common ground” on what is acceptable in cyberspace. For example, intelligence services generally agree that hacking targets to gather intelligence or to attack military targets is in fact “fair game.”
What isn’t fair game is attacking civilian infrastructure or hacking to provide a nation with an economic advantage. Hence, it is clear that this was also meant to send a strong message to Russia and notably China – although neither nation was actually called out.
China has been called out numerous times for its hacking efforts and economic espionage, and Russia was believed responsible for a ransomware worm that caused significant damage around the world – exactly the kinds of activities prohibited by the cyber pledge.
Does the Agreement Have Teeth?
Exactly what will come from this agreement has yet to be seen, but some cybersecurity experts suggest it is a good stepping stone.
“You have to start somewhere,” said Dr. Daniel M. Gerstein, senior policy researcher for the RAND Corporation.
“We could go back to 1969 when President Richard Nixon said the United States would no longer produce biological weapons,” Gerstein told ClearanceJobs. “It was a small first step, but three years later the world renounced using biological weapons.”
However, agreements such as this one are only as good as the nations that signed them and, more importantly, those that agree to them.
Cyber has become a platform of the 21st century for nation states to engage in what could be seen as akin to the “proxy wars” of the late 20th century, and moreover a way for nations to engage with rivals instead of firing artillery shells at one another. Pakistan and India are two examples of nations that have targeted each other in cyber.
The danger is that cyber presents just as great a risk of such a conflict spiraling out of control, with the trickle-down effects and opportunities for amplification even more significant.
“Cyber is very much like the ‘Wild West’ right now,” warned Gerstein. “There is little control, and things can get out of hand.”
Gerstein cited the Stuxnet worm that was likely developed as a joint American-Israeli effort to damage Iran’s nuclear program. “It eventually got out into the ‘wild’ and hit other systems,” he explained. “That is just one concern.”
China and Russia are unlikely to take this agreement with much more than a grain of salt – at least not immediately.
“I don’t think this will reduce attacks, especially when you have government cyber attack groups,” said Jim McGregor, technology analyst at TIRIAS Research.
“However, it may help bring more consistent security standards and help push more innovation, such as AI, for security applications,” McGregor told ClearanceJobs. “Over time, it will also help pressure countries like China and Russia to be better global cyber citizens.”
The danger is that there is currently no precedent for what would be considered a reasonable response to a cyber attack on critical infrastructure. This is why agreements such as this one have become increasingly crucial, even as a stepping stone to more formal agreements.
“Over the course of the decade we’ve seen some discussion of international arms control centered on cyber, and all of this comes down to establishing norms of behavior – but also agreements on how nations should be rapidly held responsible for their actions,” added Gerstein. “Cyber has unfortunately been allowed to develop with a lack of control or oversight. There is the danger it has become ungovernable.”