Canada is among 26 countries that have issued a joint statement urging the world to agree to rules-based responsible behaviour in cyberspace, suggesting they will strike back against attackers if there isn’t agreement.
“There must be consequences for bad behavior in cyberspace,” the statement says. “When necessary, we will work together on a voluntary basis to hold states accountable when they act contrary to this framework, including by taking measures that are transparent and consistent with international law.”
The statement, issued Monday, comes shortly after the Open-Ended Working Group (OEWG) and the separate Group of Governmental Experts began rounds of discussions on whether there can be international agreement on rules governing cyberspace, including whether a government-backed attack on critical infrastructure is an act of war.
Interestingly, among those signing the statement was the United States, which as recently as last May refused to sign the non-binding Christchurch Call to Action for governments and industry to improve fighting the spread of terrorist and extremist content online.
Christian Leuprecht, a member of Queen’s University’s Centre for International and Defence Policy and the Institute of Intergovernmental Relations, said in an interview the statement “is a deliberate shot across the bow of our adversaries.
“What the message I think is trying to convey is regardless of whether there is [international] agreement or not there is a set of norms of how states are to behave in cyberspace and those norms are currently being flagrantly violated, and this is extremely dangerous especially when it comes to critical infrastructure. And because there is an emerging state of norms this group reserves the right to retaliate against states that are clearly abusing their power outside the current framework of international law.”
Essentially, he said, the 26 countries are saying, “we’re playing by the rules … but the game is getting so dangerous we reserve the right to rein in those who aren’t.”
In many ways the debate, which has been going on for years, pits democratic countries against authoritarian, or near-authoritarian, nations. One U.S. expert has noted that China, Russia and other countries want more state control over the Internet. A third group, including India and Brazil, sometimes seem to align themselves with Russia and China on how the Internet should be governed, he said, but not on censorship and content filtering.
A document from the NATO Cyber Defence Centre of Excellence notes that no states have denied the applicability of international law in cyberspace, but they disagree on how international law applies.
Monday’s statement can be seen as a rejection by 26 countries of the wide-open interpretation of what will be tolerated in cyberspace.
The OEWG and the Group of Governmental Experts are two arms of the U.N. that are struggling with the issue. The group of experts has been meeting periodically since 2004 on telecom-related issues, working by consensus. The OEWG was set up in November 2018 after the experts failed for the first time to reach agreement on governing cyberspace.
In an attempt to show there is some international unity, today’s joint statement notes all members of the United Nations General Assembly have repeatedly affirmed the idea of a rules-based framework for cyberspace, including three successive group of expert reports in 2010, 2013, and 2015.
However, the statement doesn’t mention the lack of consensus at the 2017 meeting.
“State and non-state actors are using cyberspace increasingly as a platform for irresponsible behavior from which to target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them,” the statement says.
“Over the past decade, the international community has made clear that the international rules-based order should guide state behavior in cyberspace. Members of the United Nations have increasingly coalesced around an evolving framework of responsible state behavior in cyberspace (framework), which supports the international rules-based order, affirms the applicability of international law to state-on-state behavior, adherence to voluntary norms of responsible state behavior in peacetime, and the development and implementation of practical confidence-building measures to help reduce the risk of conflict stemming from cyber incidents.”
All members of the United Nations General Assembly have repeatedly affirmed this framework, the statement argues, including three successive UN Groups of Governmental Experts reports in 2010, 2013, and 2015.
The countries signing the statement “underscore our commitment to uphold the international rules-based order and encourage its adherence, implementation, and further development, including at the ongoing U.N. negotiations of the OEWG and Group of Governmental Experts. We support targeted cybersecurity capacity building to ensure that all responsible states can implement this framework and better protect their networks from significant disruptive, destructive, or otherwise destabilizing cyber activity. We reiterate that human rights apply and must be respected and protected by states online, as well as offline, including when addressing cybersecurity.”
Those signing the joint declaration are Australia, Belgium, Canada, Colombia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, the Netherlands, New Zealand, Norway, Poland, the Republic of Korea, Romania, Slovakia, Spain, Sweden, the United Kingdom and the United States.
After meeting for several days at the beginning of the month the OEWG will next meet with private sector companies and non-government organizations in New York in December, followed by what it calls a substantive session in February and a final session in July, 2020.
Meanwhile on November 27 the Internet and Jurisdiction Policy Network, a group of tech firms, non-profits and countries — including Canada — will host a special session at the U.N.’s Internet Governance Forum to report on its work. One of the sessions was held in Ottawa last year.
Cybersecurity Conversations with your Board – A Survival Guide
A SURVIVAL GUIDE BY CLAUDIO SILVESTRI, VICE-PRESIDENT AND CIO, NAV CANADA