The United Nations held its first discussions on norms in cyberspace in 1998, and those efforts were bolstered in 2015 when a UN body agreed for the first time that there are rules in cyberspace that all nations should be expected to follow—a step that some characterized as a “breakthrough” moment for cybersecurity.
But the focus on norms has in many ways deteriorated since then. Over the last six years, hacking groups linked to nation states have targeted election systems, hospitals, financial networks, energy grids, and a range of other critical infrastructure. In recent months, the U.S. alone has blamed Russia for an expansive attack on federal agencies and private companies, and last week charged three North Korean hackers for allegedly carrying out sweeping attacks, including the WannaCry attack in 2017 and a series of digital bank heists that resulted in the loss of hundreds of millions of dollars.
On Tuesday, diplomats from Australia, France, and Estonia, as well as private sector cybersecurity officials, emphasized the need for a renewed focus on norms in cyberspace, and suggested that progress could be made in the coming years.
“As cyber threats grow, it’s vitally important that UN discussions keep pace, or they really do risk losing credibility,” said Tobias Feakin, Australia’s ambassador for cyber affairs and critical technology, at a virtual event on cyber norms hosted by the U.S. Chamber of Commerce. “All countries are impacted by malicious cyber activity, not just the great powers… there’s a substantial group of countries in the middle of the geopolitical spectrum that just want meaningful progress and practical outcomes.”
One of the biggest assets for this renewed push may be the fact that there’s a new administration in the White House. At the event, Feakin applauded President Joe Biden for recent statements on using diplomacy as a tool in cyberspace. During a speech last week at the Munich Security Conference, which was held virtually, Biden said, “We must shape the rules that will govern the advance of technology and the norms of behavior in cyberspace, artificial intelligence, biotechnology so that they are used to lift people, not used to pin them down.”
The issue of cybersecurity norms was largely sidelined during the Trump administration, which scrapped Obama-era rules on cyberattacks and embraced forward-leaning operations instead of a diplomatic approach.
Policymakers said the UN discussions in 2015 established a foundation that current efforts could build from, but also highlighted the challenge of enforcement, especially as so many attacks have been carried out with impunity in recent years.
“There is very little awareness still over how to implement the norms… The question of enforcement is the most important question for our diplomatic community right now,” said Heli Tiirmaa-Klaar, Estonia’s ambassador at large for cybersecurity.
Part of the solution is action: The standards and norms will be strengthened if countries crack down on cybercriminals and state-sponsored hackers, and specifically tie those enforcement actions to global norms.
“If we look at SolarWinds and the level of attacks on healthcare, I think it’s important that countries continue to work together to hold perpetrators accountable and to make sure they strengthen their accountability framework,” said Kaja Ciglic, senior director for digital peace at Microsoft. “Not just so there are indictments and attributions—though these are critical—but they are connected with breaches of specific norms and laws.”
More localized frameworks have also had some success that the UN can build from, Tiirmaa-Klaar added. For example, in 2017 the European Union—of which Estonia is a member—established a framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, which is commonly referred to as the EU’s Cyber Diplomacy Toolbox. In 2020, the EU used that framework to impose its first sanctions against six individuals and three entities tied to WannaCry, NotPetya, and other incidents. The sanctions included a travel ban and asset freeze, and forbade EU businesses from making funds available to those sanctioned.
“The Cyber Diplomacy Toolbox is one of the best ways to discourage actions against any country in the EU,” said Camille Morfouace-de Broucker, policy advisor for strategic affairs and cybersecurity at France’s Ministry for Europe and Foreign Affairs.
Although there might be a renewed interest in cybersecurity norms, it could still prove difficult to make progress. It took more than 15 years from when the UN held its first discussions on the topic to when a UN group formally agreed that nations should adhere to certain rules in cyberspace.
“Technology is very fast, and international laws and diplomacy are not,” said Ciglic.