Expert Group Coalesces on Cyberspace

Timothy Farnsworth

A group of governmental experts from 14 countries, including the United States, Russia, and China, produced a “landmark consensus” report affirming “that international law, especially the UN Charter, applies to cyberspace,” according to a State Department statement released June 7.

“This consensus sends a strong signal: States must act in cyberspace under the established international rules and principles that have guided their actions for decades—in peacetime and during conflict,” the statement declared.

The report, which has not yet been made public, came out of a meeting held June 3-7 at the United Nations. The meeting was the last of three held since August 2012 by the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. The panel examined existing and potential threats from behavior in cyberspace and possible cooperative measures states can undertake to address them.

In a June 19 interview, a State Department official familiar with the discussions said the United States had fallen short of gaining consensus on the applicability of international law to behavior in cyberspace during meetings of an earlier group of governmental experts in 2009 and 2010. This time, the United States achieved its original goals and more, the official said.

The UN experts affirmed that the law of state responsibility applies to cyberspace, which means states must hold nonstate actors—terrorists, criminals, and activist hackers—accountable for wrongful acts in cyberspace that originate from the states’ territory, the official said. It also means that states should not use these actors to commit wrongful acts in cyberspace on their behalf, the official said. According to many experts, both of these issues have long divided the United States from Russia and China with regard to establishing norms for behavior in cyberspace.

The report contains detailed recommendations on transparency and confidence-building measures that states can implement to help reduce the risk of conflict in cyberspace, the official said, emphasizing that this is an important difference from the report that resulted from the 2009-2010 meetings. The new report, the official said, calls for “increasing predictability and reducing misperception” by establishing high-level communication and timely sharing of information on potential malicious activity between countries.

U.S. Cyberspace Operations Detailed

In a secret U.S. policy document, President Barack Obama has outlined details of how the United States conducts offensive operations in cyberspace against other countries.

The classified document, known as Presidential Policy Directive 20, was leaked to and published by the British newspaper The Guardian on June 7. Signed by Obama in October 2012, the directive declares that all offensive operations in cyberspace intended to produce effects outside the United States with “significant consequences” must have presidential approval, except in emergency situations. The document gives authority to the secretary of defense to conduct emergency cyberactions “necessary to mitigate an imminent threat or ongoing attack” against U.S. national interests when there is not enough time for presidential approval.

The document orders senior national security and intelligence officials to “identify potential targets of national importance” outside the United States where offensive operations in cyberspace “can offer a favorable balance of effectiveness and risk as compared with other instruments of national power.” It also says that the United States will conduct these operations in accordance with existing international laws and norms, including its right to self-defense.

Some details of the directive on the Defense Department’s role in operating in cyberspace were declassified in January 2013. (See ACT, January/February 2013.) The document published by The Guardian provides new details on the criteria for these U.S. government operations.

When considering such operations, U.S. officials must weigh the possibility of intelligence gain or loss, the risk of retaliation, and the impact on foreign policy relationships, according to the directive. The document generally requires the United States to “obtain consent from countries in which cyber effects are likely to occur or those countries hosting U.S. computers and systems,” but allows the president to make exceptions.

The document recognizes that these operations can have unintended consequences in locations other than the intended target and could affect U.S. national interests in many locations.

The directive establishes a process for discussing and changing policies related to offensive and defensive operations in cyberspace by creating a Cyber Operations Policy Working Group, where agencies can raise “unresolved or ambiguous” policy questions.—TIMOTHY FARNSWORTH

The official said the report by the experts group would provide a basis for further discussions by the international community about how to apply international law to cyberspace. The goal is to have more states join the consensus and to consider what norms should apply below the level of armed conflict in cyberspace, said the official.

Some of this discussion may already be taking place. The Washington Post reported June 7 that President Barack Obama and Chinese President Xi Jinping discussed cybersecurity during their two-day summit in California.

In recent public statements by China and the United States, each has claimed it was the victim of cyberattacks by the other. In a report sent to Congress earlier this year, the Pentagon publicly accused the Chinese government and military for the first time of being directly behind many of the intrusions into U.S. networks. (See ACT, June 2013.) Two days before the June 7 Obama-Xi meeting, Huang Chengqing, director of China’s network emergency response center, told the English-language China Daily that China has “mountains of data” if it wanted to accuse the United States of cyberattacks, “but it’s not helpful in solving the problem.” He said that “the issue can only be settled through communication, not confrontation.”

The United States and China plan to hold regular, high-level talks on standards of behavior for cybersecurity, according to a recent report in The New York Times, with the first meeting set for July.

One area in which countries need to come to an agreement is “to not deliberately destroy critical infrastructure with their cyber capabilities,” said John Steinbruner, a professor of public policy at the University of Maryland who chaired a National Academy of Sciences panel on deterring cyberattacks.

Deliberate attacks against a country’s power grid or transportation sector could cause further escalation of a conflict beyond the cyberspace realm and into more traditional types of armed conflict, he said, adding that Russia, China, and the United States are all investing in capabilities to attack one another’s critical infrastructure with cyberweapons. Although it is likely that whatever agreement China and the United States produce will be “marginal,” there is still an opportunity to limit these capabilities before they are used, said Steinbruner, who is chairman of the Arms Control Association Board of Directors.