Cyber arms control

The Constitution and Convention of the International Telecommunication Union was the founding document of the International Telecommunication Union with the aim of “facilitating peaceful relations, international cooperation among peoples and economic and social development by means of efficient telecommunication services.”

A provision of this treaty includes the International Telecommunications Regulations, first established in 1988, which outlines various principles related to the development and operation of telecommunication services. However, regulations referring to the malicious use of such services between states are not addressed.

The Budapest Convention on Cybercrime, originating out of the Council of Europe, was the first international treaty to address crimes committed via computer networks, “dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security.” Its main objective was to pursue a common criminal policy aimed at the protection of society against cybercrime. Sixty-four states have ratified the treaty, including the United States. Russia opposes it on grounds of sovereignty.

This “Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security” (Source) addressed the need among SCO members (China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan) to cooperate in curbing the development of cyber weapons and attacks. Defining concepts such as “information security” and “information war,” it is the first international agreement to acknowledge and address issues of cyber warfare between states.

This agreement further formed the basis of the “Code of Conduct for Information Security” submitted to the UN in both 2011 and 2015, but it has not been put to a vote (Osula and Rõigas 2016).

The Final Acts of the World Conference on International Telecommunications is a renegotiation of the 1988 ITRs. The International Telecommunications Union said the document would help countries coordinate efforts against spam and increase the development and availability of serivces around the world. However, the question of state governance over the development of the internet’s technical infrastructure was hotly debated. As a result, only 89 states signed the treaty, excluding many Western democracies such as the US, Canada, the UK, and Australia (BBC, 2012).

This bilateral agreement between the US and Russia aimed to “[extend] traditional transparency and confidence-building measures to reduce the mutual danger” both states face from cyber threats. In this effort, it created a working group that assesses emerging cyber threats and proposes joint measures to address them, as well as a hotline to share information regarding these matters.

The 2013 Group of Governmental Experts on Developments in the Field of Information and Telecommunications the Context of International Security included 15 countries agreeing that international law, such as the UN Charter, is the main source for regulating offensive state behaviour in cyberspace. In seeking to establish norms derived from international law, the document stated, “although the work of the international community to address this challenge to international peace and security is at an early stage, a number of measures concerning norms, rules and principles for responsible State behaviour can be identified for further consideration.”

Member states of the OSCE agreed to confidence-building measures aimed at reducing the risk of conflict stemming from the use of information and communication technologies (ICTs). Largely focused on information sharing, these measures sought to “enhance interstate co-operation, transparency, predictability, and stability, and to reduce the risks of misperception, escalation, and conflict that may stem from the use of ICTs.”

As part of the Fortaleza Declaration at the 6th BRICS Summit, Brazil, Russia, India, China, and South Africa agreed to “explore cooperation on combating cybercrimes” as well as to “recommit to the negotiation of a universal legally binding instrument in that field.”

In their Wales Summit Declaration, NATO member states endorsed an “Enhanced Cyber Defence Policy” that reaffirms a cyber defense responsibility of the alliance and “recognises that international law, including international humanitarian law and the UN Charter, applies in cyberspace.” The declaration also established cyber defense as “part of NATO’s core task of collective defence.”

In the Council Conclusions on Cyber Diplomacy, European Union member states are encouraged to work towards a global understanding of “how to apply existing international law in cyberspace and to the development of norms for responsible state behaviour in cyberspace.” States are further encouraged to “strongly uphold the principles regarding State responsibility for internationally wrongful acts and to take the initiatives necessary…to ensure that they are fully respected and enforced in cyberspace.”

While it reitereates the position that existing international law is applicable in cyberspace, it also discusses internet governance, promotion and protection of human rights in cyberspace, and other capacity-building and engagement topics.

China and Russia “signed a memorandum not to launch hacking attacks against each other and condemned efforts to destabilize internal politics via the Internet” (New York Times, 2015). While “perhaps 70 percent” of the agreement had been borrowed from the previous agreement under the Shanghai Cooperation Organization, this agreement added “language protecting internal sovereignty in cyberspace.”

As a second iteration of the original 2013 GGE report, this 2015 report from the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security sought to “outline additional points of agreement and to further develop the content of the 2013 report” (Osula and Rõigas 2016). The report expands the discussion of norms and recommends that states “cooperate to prevent harmful ICT practices and should not knowingly allow their territory to be used for internationally wrongful acts using ICT.” States such as the United States, Russia, and China were included in this report.

The US and China agreed to cooperate on matters of cybercrime investigations. Both states also support the GGE reports on norms of behavior and other crucial issues for international security in cyberspace. In addition, the agreement created a hotline for direct communication of information requests regarding malicious cyber activity.

In their Antalya Summit Communiqué, G20 members welcomed the 2015 GGE report affirming that international law, in particular the UN Charter, is applicable to state conduct in cyberspace. They also committed themselves to the view that all states should abide by norms of responsibile behavior and should “promote security, stability, and economic ties with other nations” within cyberspace.

As a multistakeholder commission, the Global Commission on the Stability of Cyberspace (GCSC) urged all stakeholders within government, industry, technical and civil society to adhere to the following norm proposal:

“Without prejudice to their rights and obligations, state and non-state actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.”

Here, “public core” refers to packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media.

At the 32nd Association of Southeast Asian Nations Summit, ASEAN leaders addressed in a statement the threats existing in cyberspace and reaffirmed the position that international law applies in the cyber environment. The statement acknowloedged that “the promotion of international voluntary cyber norms of responsible State behaviour is important for cultivating trust and confidence and the eventual development of a rules-based cyberspace.” ASEAN member states agreed to improve coordination of cybersecurity policy development and capacity building initiatives towards this end.

The GCSC proposed another norm regarding electoral infrastructure: “State and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.”

The Global Commissition on the Stability of Cyberspace further introduced a “norm package” of additional norms that state and non-state actors should abide by. These norms include:

• Norm to Avoid Tampering
• Norm Against Commandeering of ICT Devices into Botnets
• Norm for States to Create a Vulnerability Equities Process
• Norm to Reduce and Mitigate Significant Vulnerabilities
• Norm on Basic Cyber Hygiene as Foundational Defense
• Norm Against Offensive Cyber Operations by Non-State Actors

With support of 67 States, 139 international and civil society organizations, and 358 entities of the private sector, the Paris Call reaffirms that “international law, including the United Nations Charter in its entirety, international humanitarian law and customary international law is applicable to the use of information and communication technologies (ICT) by States.” The delcaration also condemns the use of malicious cyber activities in peacetime and welcomes the protection of critical infrastructure that are vulnerable to such activities. Further, it supports cooperation to prevent malicious cyber activity (including undermining electoral processes, theft of information for providing competitive advantages, etc.) and encourages the strengthening of defence and security against such actions.

The US, China, and Russia did not sign the declaration. However, American technology corporations such as Microsoft, Facebook, Google, IBM, and HP all endorsed the agreement.