China and Russia surprised the international community last month when they submitted a letter at the UN General Assembly outlining a proposal for an International Code of Conduct for Information Security.
The Sept. 12 proposal, which was supported by Tajikistan and Uzbekistan, came less than two months before the first major international conference on establishing international norms in cyberspace is set to take place in London.
The Chinese-Russian proposal discusses the security challenges cyberspace presents to the international community and would establish rights and responsibilities of states in protecting information networks and cybernetworks. The proposal says states should respect domestic laws and sovereignty, but also calls for a multilateral approach within the framework of the United Nations to establish international norms and settle disputes about cyberspace.
It is unclear what the next steps are for the proposed code. The proposal is being disseminated as a UN document for discussion purposes, but could be presented as a General Assembly resolution, a UN expert familiar with the proposal said Oct. 19.
During an Oct. 20 discussion of cybersecurity in the General Assembly’s First Committee, Chinese Ambassador for Disarmament Affairs Wang Qun said that China submitted the code “with a view to launching an open and transparent process for developing, within the framework of the UN, international norms and rules for information and cyberspace security, which, we hope, will prompt countries to act responsibly and constructively in information and cyberspace and address concerns of all parties in a balanced way.”
The Chinese-Russian proposal drew criticism from current and former U.S. officials. According to Jason Healey, who served as director for cyberinfrastructure protection at the White House under President George W. Bush, the proposal is a way to undermine U.S. and British efforts to establish international norms for cyberspace that will protect networks and critical infrastructure while supporting global efforts to protect the free flow of information.
“The overall sense from the U.S. government seems to be that this covers old ground in an attempt to score points and regain the initiative for a more repressive Internet prior to the upcoming global conference hosted by London,” Healey wrote in Sept. 21 blog post for the Atlantic Council, where he now is director of the Cyber Statecraft Initiative.
At a Sept. 27 cybersecurity conference in Washington, Michele Markoff, a senior policy adviser on cyber affairs at the Department of State, said her “personal interpretation” is that the proposal shows that China and Russia “don’t care what we think,” according to The Huffington Post. That attitude is surprising because the United States has had “some good bilateral conversations” on cybersecurity issues with the two countries, she said.
Information Security Versus Cybersecurity
A potential obstacle to U.S. support may be the term “information security,” which is used throughout the document.
The Chinese-Russian proposal would classify information communication technologies, including sites such as Twitter and Facebook, as weapons if their use violated individual state laws. The proposal says that states would agree that they would not “use information and communications technologies, including networks, to carry out hostile activities or acts of aggression, pose threats to international peace and security or proliferate information weapons or related technologies.”
According to cybersecurity analysts, China and Russia see the free flow of information over social media sites such as Twitter and Facebook as a direct threat to their governments. Apparently in response to the Arab Spring, the two countries are tightening access to many of the social networks used by the demonstrators.
U.S. government statements emphasize that the free flow of information is a fundamental right. In its “International Strategy for Cyberspace,” released in May, the Obama administration said that many governments “place arbitrary restrictions on the free flow of information or use it to suppress dissent or opposition activities.” The document went on to say that “[p]reserving, enhancing, and increasing access to an open, global Internet is a clear policy priority” of the United States. (See ACT, June 2011.)
The Role of the State
The proposal calls on the international community to establish international norms, something that the United States and its allies have advocated. However, the Chinese-Russian approach places a greater emphasis on the role governments should play in combating cybersecurity threats.
The document declares that “policy authority for Internet-related public issues is the sovereign right of States, which have rights and responsibilities for international Internet-related public policy issues.” It goes on “[t]o reaffirm all States’ rights and responsibilities to protect, in accordance with relevant laws and regulations, their information space and critical information infrastructure from threats, disturbance, attack and sabotage.”
“At their heart, [China and Russia] seek to justify the establishment of sovereign government control over Internet resources and over freedom of expression in order to maintain the security of their state,” Markoff said in her Sept. 27 comments.
In his blog post, Healey said there are two “glaring omissions” in the proposal. First, he said, it should add language holding states responsible for cybercriminals, patriot hackers, and militias acting as agents of a state. The United States and its allies believe such criminals carry out cyberattacks against them. Healey also argued for language that applies current laws of armed conflict to cyberspace. “All nations should agree the laws of armed conflict apply [to cyberspace]; if not, then hospitals become legitimate targets,” he said.
According to the proposed code, countries should “settle any dispute resulting from the application of this Code through peaceful means and refrain from the threat or use of force.” In his Oct. 20 statement, Wang said that “countries should work to keep information and cyber space from becoming a new battlefield, prevent an arms race in information and cyber space, and settle disputes on this front peacefully through dialogue.”
The language appears to be a response to recent U.S. statements on cyberspace and cyberwarfare. The administration’s May cyberspace document declared that the United States has “the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests.”
The Pentagon’s recently released cyberwarfare strategy was an attempt to strengthen U.S. cyberdeterrence policy by defining cyberspace as a new domain within which to operate, much like air, sea, land, and space. (See ACT, September 2011.)