Defining the Rules of the Cyber World

This week, a United Nations Group of Governmental Experts (GGE) will attend a series of meetings in Geneva to discuss cybersecurity norms in the international community.

Only last week, the office of French presidential candidate Emmanuel Macron claimed that databases and email accounts belonging to his En Marche party had been victim to structured and coordinated attacks from state-sponsored Russian hackers. This same group has already been accused of playing a similar role in the recent U.S election in which the email accounts of Democratic National Committee (DNC) employees were breached.

These examples of foreign powers attempting to influence the politics of another state are in direct violation of the UN Charter, which states, “any act by one state that threatens the political independence of another state is illegal”. However, despite years of increasingly concerning cyber-related incidents between states, the international legal infrastructure and rules of governance regarding cyber relations remain underdeveloped. The technological ability of states is constantly evolving, so much so that the associated norms of behaviour simply do not exist yet, and states such as the United States of America are taking advantage of this. As it stands there is contestation among the worlds’ political powers as to how the cyber world should be governed.

As far as the public is aware, no retaliatory action was taken by the United States following the Russian sponsored hack of the DNC. In the past however, the U.S. has used threat of sanctions to discourage cyber, like in the case of North Korea following the hacking of Sony Pictures email accounts. U.S. sanctions were again threatened against China following waves of suspected state-sponsored corporate hacking in which hackers stole intellectual property (IP) from American corporations. U.S. officials have reported annual losses of $300 billion a year that are the result of IP theft through cyber espionage. This is an amount almost equivalent to the total annual value of U.S. exports to Asia.

A report by the Commission on the Theft of American Intellectual Property details that 50-80% of IP thefts, depending on the sector, are to be carried out by Chinese backed entities. Only five Chinese hackers have so far been charged by the U.S. Justice Department for the theft of trade secrets, all of whom have been identified as belonging to Unit 61398, a several thousand member-strong unit of the Chinese military.

The U.S. and China are not the only states involved in cyber IP theft and these corporate cyberattacks are even more complicated than politically motivated cyberattacks. This stems from the fact that many companies see reporting breaches as an admission of weakness and vulnerability, and cyber attacks go unreported. Last week, India’s Permanent Representative to the UN emphasized that in order for international law to develop, cases are needed as precedence upon which to develop cyber laws.

In a previous meeting of the Group of Governmental Experts, cyber red lines were drawn. One of these is an agreement that states should not use cyber attacks on critical infrastructure, including electrical grids and power generation. It was also agreed that the international laws that govern armed conflict on land and at sea should apply in equal strength in cyberspace.

This being said, norms inherently take time to become widely accepted and confidence-building measures are often required to help norms become established. In the meantime, a central realisation for cybersecurity policymakers must be that the current inaction is not adequate. Whether aimed to influence domestic politics or to get ahead in the business world, the threat posed by cyber attacks is real, and the international community needs to agree on terms of control and repercussions lest these attacks continue unabated.


By Isabella Banfer ed. Joel Lindsay