More than 700 participants from 60 countries met in London last month to discuss international norms governing behavior in cyberspace and begin building a framework for future discussions on international cooperation in that realm.
In his closing statement to the Nov. 1-2 conference, British Foreign Secretary William Hague, who chaired the event, stressed the need “to accelerate the international debate on cyberspace and move it onto a permanent and continuous footing.” He also warned governments not to “treat cyberspace as if it belongs to you” and that “state-sponsored attacks are not in the interests of any country long term and that those governments that perpetrate them need to bring them under control.”
Hague said the conference was successful because it had begun a “dialogue on principles and set out an agenda for further work to build a secure, resilient, and trusted global digital environment.”
However, some cyber experts said the conference did not produce any tangible results in moving toward those norms.
In a speech last February to the Munich Security Conference, Hague laid out a set of principles to govern behavior in cyberspace and called on governments to come together and begin exploring mechanisms for establishing such behavior. (See ACT, March 2011.) The seven principles laid out by Hague included “the need for governments to act proportionately in cyberspace in accordance with domestic and international law,” to ensure openness in cyberspace for innovation and the free flow of information, and to respect individual rights and privacy within cyberspace.
Discussions at the London conference focused on five topics: economic growth and development, social benefits of cyberspace, safe and reliable access, international security, and cybercrime. According to Hague, there was overall agreement on many issues. As one example, he cited the delegates’ recognition that “stronger co-operation and collaboration was needed to build confidence and to avoid misunderstandings” among countries.
He said that “all delegates agreed with the principle that governments must act proportionally in cyberspace and that states should continue to comply with existing rules of international laws and the traditional norms of behavior that govern interstate relations,” including the laws of armed conflict.
U.S. Vice President Joe Biden, speaking via videoconference, said an “absolutely fundamental” part of the U.S. position is that “international law principles are not suspended in cyberspace.”
The delegates also supported the efforts of the 2010 UN group of governmental experts and the Organization for Security and Cooperation in Europe on developing confidence-building measures applicable to cyberspace.
U.S. officials have said they believe discussions of such measures are a good place to start. “[W]hile cyberspace is a new realm, we have many, many years of hard-won understandings to guide us in this new space,” Biden said in his video remarks. In an Oct. 27 speech at Stanford University, Assistant Secretary of State for Arms Control, Verification and Compliance Rose Gottemoeller said the United States is “taking into consideration how our expertise in arms control [confidence-building measures] can be applied to international cooperation on cybersecurity.”
Limited Progress Seen
The conference was successful in putting some issues on the table and establishing a dialogue for the future, but Western countries did not push very hard because of fears of a breakdown in discussions with Russia and China, James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said in a Nov. 15 interview.
On Sept. 12, China and Russia submitted a letter to the UN General Assembly outlining a proposed cyber code of conduct that would establish rights and responsibilities of states in protecting information networks and cyberspace networks. (See ACT, November 2011.) According to Lewis, it was “a brilliant defensive move” and was successful in reshaping the public debate and diluting criticism.
In a separate interview Nov. 15, Jason Healey, director of cyberinfrastructure protection at the White House under President George W. Bush, said civil society also played a role in diluting discussions at the conference. Healey, who now is director of the Cyber Statecraft Initiative at the Atlantic Council, said the London conference began as an attempt to bring together governments to lay down norms governing behavior in cyberspace. About three months ago, nongovernmental organizations created a side conversation that “turned the London conference into a town hall-type event,” he said.
“We have been trying to have this conversation for the past 15 years and are not getting anywhere,” he said. Many issues could be solved more easily if the conversation about them took place only between governments, he said.
For example, regarding the question of what constitutes an act of war in cyberspace, Healey said, “[L]ook at the UN Charter. It has to be an armed attack. Get a few countries to say yes to that, and then take it off the table and move on.”
There is widespread agreement that a treaty governing behavior in cyberspace will not be negotiated in the near future. “There was no appetite [at the conference] to expend effort on new legally binding international instruments,” Hague said, referring to the proposed code by China and Russia. In a Nov. 21 e-mail to Arms Control Today, a spokeswoman for the British embassy in Washington said, “There was no explicit decision at the Conference that [a treaty] was a bad idea but this was not a decision-making event. There was plenty discussion of whether legally binding instruments are a good idea or not and the UK and US view is that generally they are not.”
A senior Department of State official detailed the U.S. position during an Oct. 31 briefing on U.S. Secretary of State Hillary Rodham Clinton’s prepared remarks. “[A] treaty is not the way to go in trying to either govern the Internet or deal with the Internet,” in part because cyberspace changes so quickly that a treaty would be obsolete before it even is created, he said. Clinton was scheduled to speak at the conference, but canceled at the last minute due to the death of her mother.
Next Meetings Planned
At the meeting, Hague announced Hungary and South Korea would hold follow-up conferences in 2012 and 2013, respectively.
According to Lewis, the United States must recognize that it needs two different approaches in negotiating with other countries about cyberspace norms. The United States already does well in reaching out to like-minded countries, but is losing to China and Russia in efforts aimed at the developing world, he said. However, some emerging powers, such as Brazil and India, “share our political beliefs,” Lewis said, and the United States therefore can reach out to them.
Before the 2012 conference, Lewis said, the United States and its allies need to come up with a more convincing narrative about the Internet to appeal to such countries. “The old narrative about the Internet is that a free and open ‘Net automatically produces wealth. This isn’t persuasive,” he said. The United States needs to develop “a new story that explains why a secure Internet based on democratic values best serves all countries’ interests,” Lewis said, citing a case made by Ron Deibert and Rafal Rohozinski of the Munk School of Global Affairs at the University of Toronto.