Cyber norms serving their purpose despite ongoing attacks, says U.S. official
MUNICH, GERMANY — Almost three years ago, in March 2021, all of the members of the United Nations agreed to comply with 11 cyber norms, including on protections for critical infrastructure and on not knowingly allowing their territories to be used by cybercriminals. It was a major achievement produced by years of hard negotiating, and it set the stage to reduce global anxieties about malicious activity undertaken over the internet.
But, since then, the Russian-rooted ransomware ecosystem has become ever-more profitable and damaging while the country’s law enforcement agencies take little action against it, and the Chinese government has been accused of “systematic cyber sabotage” for an espionage campaign that left hundreds of thousands of Microsoft Exchange email servers exposed to criminals, and blamed for a hacking campaign preparing to disrupt civilian water supplies.
As a report from the Center for Strategic and International Studies lamented: “Unfortunately, international experience since 2015 has shown that agreement on norms, even when politically binding, is by itself not enough to ensure their observation or create stability in cyberspace.” So what was the point of agreeing to these norms?
Well, it was not, in and of the norms themselves, to provide some kind of UN-powered enforcement mechanism to tackle states that are misbehaving online, said Liesyl Franz, the deputy assistant secretary at the U.S. State Department’s Bureau of Cyberspace and Digital Policy, speaking to Recorded Future News on the sidelines of the Munich Cyber Security Conference.
“The norms provide a very articulate foundation for the kinds of behavior that we can expect. So when there is activity that we see from whomever — from states or from within states’ territories — that contravenes the norms, then we can use that as a foundation to call it out, to hold those states accountable for what they’re doing or not doing.”
These political attributions are often couched in the language of the norms, which were formally established as a framework for responsible state behavior in cyberspace. When the United States and allies accused China of supporting the Microsoft Exchange campaign, the announcement specifically called out “irresponsible state behavior.”
While the European Union did not attribute the campaign to a state-sponsored group, its declaration stressed that the hacking campaign was “undertaken in contradiction with the norms of responsible state behavior as endorsed by all UN member states.”
In its statement, NATO, which merely acknowledged the attribution from the United States, United Kingdom, and Canada, said: “We call on all states, including China, to uphold their international commitments and obligations and to act responsibly in the international system, including in cyberspace.”
These collective attributions, which are often separately accompanied by technical evidence in indictments and cybersecurity alerts, are meant to show there is a broad base of countries that share the same views. These “seem to have had at least some effect,” said Franz, who didn’t immediately describe what this effect was.
One effect has been China’s own superficial adoption of the rhetoric of norms in its counterclaims about hacking. When the country’s authorities pledged to “publicly disclose a highly secretive global reconnaissance system” operated by the U.S. government — although this disclosure never arrived — a senior official from its National Computer Virus Emergency Response Center (CVERC) alleged that the U.S. activities were a violation of international law.
In his analysis of Chinese complaints about U.S. activities, Dakota Cary observed that the attributions — which are made unilaterally without any allies’ support, and often with an inconsistent approach to international law — “are notably lacking in the same kind of technical detail or evidential proof” as those made by the U.S. and allies.
China’s own attributions have also, to date, not been accompanied by any of the countermeasures the U.S. and allies have used to hold malicious actors accountable, including sanctions and indictments.
Franz declined to “speak to our characterisation of how China or others will evoke the norms in their rhetoric, I can’t comment specifically on that,” but said that it was at least a recognition of the norms which both Russia and China were involved in negotiating.
Despite none of the United States’ allies in Europe having a comparable offensive cyber capability, Franz said there was “a very tight line of alignment” across the Atlantic over how such a capability could be deployed responsibly.
She acknowledged there were times when different nations might prefer different wordings during UN treaty negotiations, “but we’re very like-minded,” she said.
“They’ll have the same values about how to shape the international environment, and not have efforts to undermine it either in the UN system or otherwise. We’re also very aligned on the multistakeholder model for the internet.”
In general, the U.S. and like-minded states support keeping the internet governed in a multilateral way, involving stakeholders and non-government organizations like ICANN (Internet Corporation for Assigned Names and Numbers) — in contrast to the “top-down” vision that has been put forward by Russia and China.
Franz said that the proposals by Russia and China to amend the existing governance system of the internet would enable them to “proliferate the kinds of things and the more repressive activities they undertake, and repressing human rights online.”
The U.S. strategy to address those repressive activities demands “transparent, proportional, and reversible” countermeasures, said Franz.
“The principle isn’t to put anyone in a black box forever,” she added.
“The other thing that the normative framework has been very helpful in, is because it has positive norms and capacity building — coming to the aid of other countries — it's a message if we, as the United States in coordination and partnership with other countries, provide assistance to countries who are a victim of cyber incidents.”
Despite the accusations of adversaries such as China, the capacity building work sends a message that the United States is actually “helping to shore up others’ ability to defend against malicious cyber activity.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.