Yesterday’s RSA keynote by Brad Smith, Microsoft’s President and Chief Legal Officer, has the industry finally buzzing about the creation of global digital norms. In his accompanying blogpost, “The Need for a Digital Geneva Convention”, Mr. Smith moves beyond simply reiterating the stats behind the breadth and depth of digital attacks. He provides concrete recommendations for pursuing law and order to the digital domain.
His keynote has garnered a lot of buzz across the media and within subsequent panel talks that I’ve already seen today. Importantly, as one key aspect, he highlights the necessity for digital norms, which at their most basic level are mutually agreed upon standards of appropriate behavior. In his blog, Mr. Smith notes, “This commitment to 100 percent defense and zero percent offense has been fundamental to our approach as a company and an industry.” He further expands upon his company’s collaboration with many other companies in helping ensure a safe and neutral internet, while encouraging governments to continue to build upon the nascent norm creation occurring at some international forums. As he accurately notes, the creation of norms will require greater attention and absolute conviction by both the public and private sector.
Already, we’re seeing many of the responses to his talk focusing too narrowly on the feasibility of a digital Geneva Convention, and overlooking the underlying necessity to establish the appropriate guardrails of digital behavior. This is unfortunate, as that is where a constructive discourse is required, exploring the feasibility of making progress towards establishing those norms that he outlines. The challenges but necessity for the creation of digital norms was the focus of a talk I gave earlier this month at the Enigma Conference, some of which is summarized below. Despite the many challenges to digital norm formation, they must be a core component of a larger cybersecurity strategy.
As Mr. Smith notes, the current situation consists of attacks on critical infrastructure (e.g. Kiev power grid), automated bots wreaking havoc across social media sites and targeted geographies (e.g. Mirai bot), and massive IP and PII theft (e.g., US steel industry, OPM breach), not to mention the continued growth of global censorship, filtering and data manipulation.
Attempting to help reign in the impact of this wide range of digital attacks, nation-states have looked to global forums to formulate very nascent norms. Last year, former US Secretary of State John Kerry outlined five areas to guide appropriate offensive behavior in cyberspace, including prohibitions against attacking critical infrastructure or stealing intellectual property, as well as not impeding cybersecurity emergency response teams. These mirror those norms agreed upon by the UN’s Group of Governmental Experts and at the G20 summit. Similarly, many reference the Sino-American agreement at the end of 2015, which introduced the norm against cyber-attacks for commercial advantage, as indication that norms work.
National cybersecurity strategies are also advocating for norm formation. Both the US State Department’s International Cybersecurity Strategy, as well as the UK’s recently released National Cyber Security Strategy 2016-2021 address the essential role of norms. Surprisingly, the necessity of norms is one area where the tech community agrees with the policy wonks. Last summer, Microsoft published another white paper on the need for cyber norms. Similar to Mr. Smith’s keynote, they advocated for the establishment of norms to limit the impact of nation-state attacks, norms against the trafficking of vulnerabilities for offensive weapons by companies, as well as against forced backdoors in software. Jeff Moss touched on this during last year’s Vegas hacker summer camp, noting, “Are we at the beginning of a sea change in what the international community decides is acceptable behavior? It doesn’t have to be a treaty; it can just be a norm.”
“Just be a norm.” It sounds simple, but that there’s a reason why global digital norms have yet to be established in the twenty year since the first US public attribution of a digital attack, dubbed Moonlight Maze.
First, and importantly, leadership is required to propagate norms globally. These leaders must be credible and convince a critical mass of states to embrace the new norms. Currently, global major powers are divided on what framework digital norms should reflect, those of a multi-stakeholder model or those indicative of cyber sovereignty. A previous post highlighted these distinct models, but to oversimplify, a multi-stakeholder model reflects a democratic view of a free and open internet and focuses on what targets are off limits, while cyber sovereignty focuses on governmental control within sovereign borders. This state of competition between these two models is currently underway, although there are areas of agreement such as those worked out at the global forums.
Second, even if leadership does emerge, there is an enormous collective action problem. Quite simply, the more actors involved, the harder it is to achieve cooperation and find common ground. There are roughly 200 countries in the current international system, many of which are building up their own digital arsenals. This is not limited to major digital powers, but is increasingly viewed as a necessity by regional powers and smaller countries, such as South Africa, Thailand, and Estonia. But digital capabilities are not only the purview of nation-states; they also are accessible to criminal organizations, terrorist networks, hactivists, and lone wolves, some of which are associated with state sponsorship, but many are not.
Finally, norms only become entrenched when there are visible signals of compliance, which involves a range of technical and social obstacles. The socio-technical aspects of attribution are especially challenging. On the technical side, dynamic C2 infrastructure, the potential for deception, and weapon reuse all create a fog of cyber war that renders it difficult to quickly and confidently identify malicious actors. Looking at the human element of attribution, it may be difficult to establish whether a non-state entity is linked to a state or acting on their own. There are numerous cases where military hackers may become lone wolves during off hours to make money, or where attacks are initiated by criminal groups and then taken over by state actors. In those cases, the government is complying, but state-associated personnel are not. Additionally, given the current dwell times of adversaries within targeted systems, it is hard to evaluate how well a state is adhering to a norm against targeting commercial entities, for instance. Sophisticated digital capabilities also remain state secrets due to their short shelf life and the necessity for the element of surprise. And of course there always is the risk of insincere compliance. Wassenaar is a great example of this. Just because states are participants, lacking any repercussions for failing to comply, many states opt to take the insincere compliance route, where their actions contradict their words.
Despite these challenges, the discourse that Mr. Smiths’ keynote has generated must continue past RSA, and will require both technical and policy innovation across the public and private sectors. The global race is underway to define acceptable behavior in cyberspace. Unless the vacuum is filled by those in favor of norms akin to Mr. Smith’s ‘digital Switzerland’, the alternative is a world where unrestricted digital attacks, unlimited censorship, and even physical destruction may well become the new global norm.