Russia And US Offer Competing Visions Of Cyber Normality

Uploaded on 2018-10-31 in GOVERNMENT-National, GOVERNMENT-Defence, FREE TO VIEW, INTELLIGENCE-Hot Spots-Russia, INTELLIGENCE--USA, NEWS-News Analysis

It’s October and the United Nations General Assembly and subsidiary committees have started their work in earnest. 

As expected, Russia tabled a draft resolution seeking the General Assembly’s endorsement of an “international code of conduct for international information security,” and a resumption of the UN Group of Governmental Experts (GGE) process next year. 

Somewhat less expected, however, is that the United States tabled a competing resolution, setting up a clash between Russia, China, and their largely autocratic friends on one side, and the United States, the European Union, Canada, Japan, and Australia on the other. 

First, some Background 

Almost every year since 1998, Russia has sponsored a General Assembly resolution called “Developments in the field of information and telecommunications in the context of international security.” It’s the mechanism through which UN member states express concern that malicious activity in cyberspace can undermine international peace and security. 

It’s also the resolution that created the GGEs on cybersecurity. Three of those GGEs led to consensus reports that recommended states abide by a set of norms, including the applicability of international law to cyberspace, participate in confidence building measures, and support capacity building initiatives to reduce the risk that state actions in cyberspace threaten international peace and security.

The text of the resolution has not been made public, but it is likely to be a combination of existing cyber norms the GGE agreed to in 2013 and 2015 and previous iterations of another code of conduct members of the Shanghai Cooperation Organisation (SCO) proposed in 2011 and 2015. 

The inclusion of the SCO language will make the United States and like-minded countries balk given its negative human rights implications. 

Nevertheless, the proposed Russian resolution could probably be salvaged through negotiation that strips it of the SCO code’s worst elements, keeps the consensus GGE language, and mandates the creation of a new GGE to pick up where the last one fell apart.

The text of the proposed Russian resolution is now public, and it’s about as expected. It cherry picks some of the worst elements from the previous Codes (e.g. promotes concepts of “cyber sovereignty,” sidelines the role of the private sector, etc.), un-ironically bemoans the spread of disinformation online, and mis-characterises previous consensus GGE text. 

It also calls for a new GGE with the mandate of identifying ways to implement the new code of conduct, make changes as necessary, and to study the possibility of establishing an “institutional dialogue” on cyber issues within the United Nations. 

The United States must have deemed the Russian text unsalvageable because it proposed its own competing resolution, backed by EU countries, Canada, Australia, and a few others. It applauds the work of the previous GGEs, calls on member states to abide by the previous reports’ recommendations, and requests a new GGE be established with largely the same mandate as previous ones.

Contrary to previous iterations, however, the United States asks that whatever report comes from the new GGE should include an annex “containing national contributions of participating governmental experts on the subject of how international law applies to the use of information and communication technologies by States.” 

The United States started laying out its understanding of how international law applies online in the Obama administration (here and here), and has encouraged countries to do the same. Earlier this year, the UK Attorney General laid out his country’s views on the matter. 

By pushing for an annex in the GGE report, the United States is trying to get Russia, China, and others on the record, particularly salient for China as it has remained silent on whether international humanitarian law applies online. 

I’m not a UN process expert, so it’s hard to say how this will play out. But if I were a betting man, I’d put my money on the US approach coming out on top. As an institution, the United Nations prefers incrementalism over radical change. 

That makes it much harder for Russia, China and the rest of the SCO members to drum up support for a twenty-five paragraph code of conduct that contains vague language mostly unfamiliar to many states. 

By contrast, the US resolution has more similarities to Russia’s previous resolutions, an advantage given that they will be familiar to diplomats at the UN who prefer sticking to previously agreed text. 

No matter what happens as diplomats haggle over the particulars of the resolution, expect a new GGE next year. The only open question at this point is its mandate, and that should be made clear in the next few weeks. 

Defense One:

You Might Also Read:

Cyberattack Revelations Appear To Undercut Russia's UN Efforts:

Russia Will Build A Separate Internet Directory:

The US Is Losing the Information War To Russia

« IBM Spends $34B To Buy Red Hat
British Refuse To Co-operate With Belgian Hacking Inquiry »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Netwrix

Netwrix

Netwrix empowers information security and governance professionals to identify and protect sensitive data to reduce the risk of a breach.

ReversingLabs

ReversingLabs

ReversingLabs develops cyber threat detection and mitigation tools that address the the latest directed attacks, advanced persistent threats and polymorphic malware.

V-Key

V-Key

V-Key is a global leader in software based digital security, providing solutions for mobile identity, authentication, authorization, and mobile payments for major banks.

Automation & Cyber Solutions (ACS)

Automation & Cyber Solutions (ACS)

Automation & Cyber Solutions delivers a range of Industrial Automation and Cyber solutions & services to sectors including Oil & Gas, Chemicals & Petrochemicals, Power and others.

Corrata

Corrata

Corrata is an award-winning provider of mobile security and data control solutions for enterprises.

Andreessen Horowitz (a16z)

Andreessen Horowitz (a16z)

Andreessen Horowitz (known as "a16z") is a venture capital firm in Silicon Valley, California that backs bold entrepreneurs building the future through technology.

Early Birds

Early Birds

Early Birds is a Business to Business (B2B) marketplace for Innovators (Startups/Scaleups) and Early Adopters to exchange value early on.

Elemental Cyber Security

Elemental Cyber Security

Elemental is a game changing cyber security compliance automation and enforcement technology provider.

Nu Quantum

Nu Quantum

Nu Quantum is developing quantum photonics hardware to power the quantum revolution in communications, sensing and computing.

CyGlass

CyGlass

CyGlass simply and effectively identifies, detects, and responds to threats to your network without requiring any additional hardware, software, or people.

Force Majeure

Force Majeure

Force Majeure specializes in cybersecurity, incident response, and digital forensics, with experience spanning more than a decade.

AdaCore

AdaCore

AdaCore is focused on helping developers build safe, secure and reliable software.

ShieldApps

ShieldApps

ShieldApps comprehensive suite of products is designed to protect your personal devices from privacy threats, including hacking attempts, online tracking, fingerprinting, phishing, malware, and more.

Recon InfoSec

Recon InfoSec

The Recon InfoSec team includes analysts, architects, engineers, intrusion specialists, penetration testers, and operations experts.

Digital Edge

Digital Edge

Digital Edge provides unparalleled Managed Cloud Solutions, as well as superior Information Technology Support Services.

Contextal

Contextal

Contextal develops cutting-edge open-source cybersecurity solutions, designed to connect the dots and detect complex threats, which slip through the existing protections.