The United States, Russia, China and 22 other States agree to a voluntary accord designed to advance responsible state behavior in cyberspace. The accord was formulated by an international Group of Government Experts (GGE) operating under the auspices of the United Nations. The “voluntary, non-binding norms…reflect the expectations of the international community and set standards for responsible state behavior.” Furthermore, a group of nations, led by China and Russia, proposed “an international code of conduct for information security.”
The following 11 norms were extracted from the accord:
- States should cooperate in developing and applying measures to increase stability and security in the use of ICTs (information communication technologies) to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security.
- In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment, and the nature and extent of the consequences.
- States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.
- States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect.
- States, in ensuring the secure use of ICTs, should respect Human Rights, including the right to freedom of expression.
- A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.
- States should take appropriate measures to protect their critical infrastructure from ICT threats.
- States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty.
- States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions [backdoors].
- States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure.
- States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
The GGE’s accord goes on to encourage international cooperation and assistance in cybersecurity by strengthening CERT and CSIRT international cooperation, as well as enhancing the technical capabilities of all States to investigate and resolve cyber incidents.
U.S. response to the cyberspace accord
When asked on Face the Nation about the likelihood of Russia adhering to the accord, Secretary of State Antony Blinken said, “It’s not a matter of trust. I think someone once said trust but verify. I’d say don’t trust and verify. We’ll see by Russia’s actions whether it will make good on- on any commitments it makes. Here’s the thing. We’ve- we’ve now been the victim of ransomware attacks, and many of these attacks come from criminal organizations, not necessarily from States, but countries have an obligation. No responsible country should be in the business of harboring criminal groups engaged in these attacks.”
Michele Markoff, Deputy Coordinator for Cyber Issues in the Office of the Coordinator for Cyber Affairs within the United States State Department, delivered prepared remarks to the Group of Governmental Experts on the accord: “We have put forth a meaningful body of guidance on considerations states should take into account when they are the victim of an ICT incident – ranging from practical requests for assistance to the complex issue of attribution. Given the threats all states are facing and the rise of serious ICT incidents, this may be one of the most important areas of progress in the report.”
United Kingdom’s response to cyberspace accord
The United Kingdom posted a policy paper, “Application of international law to states’ conduct in cyberspace: UK statement,” which sets out the nation’s view of the GGE accord and throws its support behind the initiative. The UK, in its policy paper, emphasizes the prospect of countermeasures, specifically stating, “The UK does not consider that States taking countermeasures are legally obliged to give prior notice (including by calling on the State responsible for the internationally wrongful act to comply with international law) in all circumstances.”
The voluntary, non-binding accord agreed to by 25 nations is a start, but it lacks teeth and any enforcement capability; in reality it is more a suggestion on how nations should behave within the cyber domain than an agreement. That said, the United Kingdom’s policy paper offers a glimpse of the direction the policing of cyber incidents can be expected to take, as was seen in the United States’ response in clawing back the ransom paid to the DarkSide criminal group.