“We continue to count on the valuable contributions of the Arms Control Association.”
Conference Discusses Cyber Norms
May 2015
Representatives from government, civil society, and the private sector discussed cybersecurity issues, including measures related to state behavior in cyberspace, at an international conference in The Hague last month, but did not reach any written agreement on that issue.
The April 17 chair’s statement by Dutch Foreign Minister Bert Koenders said conference participants discussed some measures on state behavior with regard to protecting national critical infrastructure and that some of these measures should be pursued at future conferences on cyberspace issues and at other forums such as the United Nations.
New U.S. Policy Makes Sanctions a Tool Against Cyberattacksmalicious cyber-enabled activities” originating outside of the United States constitute a “national emergency” and that the U.S. Treasury Department could levy sanctions against individuals, organizations, or states conducting such attacks. According to Obama’s April 1 executive order, the threat of sanctions will play a significant role in combating threats from cyberspace against the national security and foreign policy interests or the economic and financial health of the United States. The order covers cyberattacks that take place against computers or networks that support critical infrastructure, government entities, and commercial and private companies. The order specifically states that the last category encompasses the “misappropriation of funds or economic resources, theft of trade secrets, personal identifiers, financial information for commercial or competitive advantage or private financial gain.” In an April 1 blog post on the White House website, Michael Daniel, Obama’s cybersecurity coordinator, wrote that sanctions against actors that commit the cyberattacks covered by Obama’s order would limit their access to the U.S. financial system and U.S. technology supply and infrastructure, harming “their ability to both commit these malicious acts and to profit from them.” Daniel described the other ways the United States can respond to cyberthreats, including “bolstering the government’s network defenses, sharing more information with the private sector,” and establishing the Cyber Threat Intelligence Integration Center “to provide integrated analysis of foreign cyber threats within the federal government.” In another April 1 blog post, Lisa Monaco, Obama’s assistant for homeland security and counterterrorism, said, “Efforts to improve our [cyber]defenses and response capabilities are essential, but insufficient standing alone.” The United States needs “to deter malicious cyber activity and impose costs in response to the most significant cyber intrusions and attacks, especially when those responsible try to hide behind international boundaries,” Monaco said. The first sanctions against an entity believed to be responsible for conducting a cyberattack were levied against North Korea in an executive order in January. The United States has stated publicly that North Korea was responsible for the November 2014 cyberattack against Sony Pictures. It is unclear if any additional sanctions have been levied since the April 1 order was signed.—TIMOTHY FARNSWORTH |
During an April 15 press event before the start of the two-day conference, Koenders said the goal of the conference was “not to negotiate agreements or conclude treaties” but “to promote the vision” of a “free, open, and secure” Internet.
According to the April 17 statement, the conference discussed the possible establishment of a norm against cyberattacks on certain network systems that provide essential civilian services, such as those used by utilities and first responders, and on critical components of the global computer network. The chair’s statement encouraged countries “to be transparent about the roles and responsibilities of their defence forces and security services in the cyber domain.”
The Hague conference was the fourth in a series of international conferences that began in London in 2011. Like the previous three, the gathering in The Hague covered a wide variety of topics dealing with cyberspace, from Internet governance to international peace and security.
At the 2011 conference, UK Foreign Secretary William Hague said the goal was to discuss international norms governing behavior in cyberspace and begin building a framework for future discussions on international cooperation in cyberspace. (See ACT, December 2011.) The London conference and the one the following year in Budapest were criticized for failing to register any tangible progress toward that goal, but the meeting in Seoul in 2013 produced the first written framework to come out of these conferences for how to move toward creating confidence-building measures among states and establishing international norms in cyberspace. (See ACT, November 2013.)
The chair’s statement from the Hague conference reiterated much of what was laid out in the Seoul framework document on establishing such norms. For example, both documents recognized the important role the UN has in maintaining international peace and security in cyberspace.
The statement “welcomed” a consensus report issued in 2013 by a UN group of governmental experts that said current international law, in particular the law of armed conflict and the UN Charter, applies to state behavior in cyberspace. That report contained detailed recommendations on transparency and confidence-building measures that states could implement to help reduce the risk of conflict in cyberspace. Many experts and government officials saw the report as a major step toward clear rules for state behavior in cyberspace. (See ACT, July/August 2013.)
In November 2013, the UN General Assembly First Committee created a new group of governmental experts to follow up on the 2013 report by determining specifically how current international law applies to cyberspace. (See ACT, December 2013.) The current group, comprising experts from 20 states, has concluded three out of the four sessions mandated under the UN resolution that created the group. It most recently met from April 13 to 17 in New York as the Hague conference was taking place. It is expected to conclude its work at a June 16-22 meeting in New York. The Hague statement emphasized its “strong support for the ongoing work” of the UN group and said “complementary initiatives might also contribute to maintaining peace and security in cyberspace.” The statement did not say what these other initiatives were.
The cyber conferences have grown in size since the one in London, where approximately 700 individuals from government and civil society met. This year, more than 1,800 individuals attended, including more than 60 government officials and more than 600 people from the business community, including companies such as Microsoft, Google, and Symantec.
Koenders said the next conference would take place in Mexico in 2016 or 2017.