Back in September, 2011, I
blogged on a joint Chinese-Russian proposal of a voluntary International Code
of Conduct for Information Security, as debuted at the 66th session of the UN General
Assembly (http://www.williambplummer.com/2011/09/china-russia-et-al-propose-un-cyber.html).
Key provisions of the 2011 joint
cyber proposal – which seemingly fell on relatively deaf UN ears – included
commitments:
- Not to use ICTs including networks to carry out hostile activities or
acts of aggression and pose threats to international peace and security;
- Not to proliferate information weapons and related technologies;
- To endeavor to ensure the supply chain security of ICT products and
services, prevent other states from using their resources, critical
infrastructures, core technologies and other advantages, to undermine the right
of the countries...or to threaten other countries' political, economic and
social security.
- To lead all elements of society, including its information and
communication private sectors, to understand their roles and responsibilities
with regard to information security, in order to facilitate the creation of a
culture of information security and the protection of critical information
infrastructures.
As I said at the time, good
stuff.
Flash forward three-and-a-half
years to earlier this month when the two governments formalized their
cyber-alignment with a bilateral agreement (http://blogs.wsj.com/digits/2015/05/08/russia-china-pledge-to-not-hack-each-other/?mod=rss_Technology).
According to the agreement
between the two States, in terms of general principles of cooperation: The Parties shall cooperate in the field of
international information security in such a way that such cooperation
contributes to economic and social development, consistent with the objectives
and maintenance of international peace, security and stability, and consistent
with generally recognized principles and norms of international law, including
the principles of peaceful settlement of disputes and conflicts, non-use or
threat of force, non-interference in internal affairs, respect for human rights
and fundamental freedoms, and the principles of bilateral cooperation and
non-interference.
(I know, I know… This is Russia and China we’re talking about. But, let’s remember that human rights
and fundamental freedoms are under increasing assault in countries like the
U.S. as well).
The main cyber threats identified
in the accord include “the use of Information
and communication technologies:
1) To carry out acts of aggression aimed at violating sovereignty,
security and territorial integrity of States and which pose a threat to
international peace, security and strategic stability;
2) To cause economic and other damage, including by providing a
destructive impact on the facilities of information infrastructure;
3) For terrorist purposes, including for the promotion of terrorism and
engaging in terrorist activities;
4) To commit offenses and crimes, including related to unauthorized
access to computer data;
5) To interfere in the internal affairs of states, to spread public disorder,
incite ethnic and racial strife, to spread racist and xenophobic propaganda and
theories that give rise to hatred and discrimination, to violence and instability,
as well as to destabilize the political and socio-economic situation; and
6) For the dissemination of information prejudicial to political and
socio-economic systems, or the spiritual, moral and cultural environment of
other States.”
While, as pithily demonstrated by
threats 5 and 6, the bilateral agreement is perhaps
overly-focused on regime stability, there are elements that other governments
might consider multi-lateralizing.
To wit: In addition to the commitment to not conduct cyber-attacks against each other, the
Parties agreed to cooperate towards ensuring international information security
in multiple ways, including:
- The establishment of communication channels and contacts for sharing
responses to threats in the sphere of international information security;
- Cooperation in developing and promoting standards and international
law in order to ensure national and international information security;
- The exchange of information and cooperation between law enforcement
authorities in order to investigate cases involving the use of information and
communication technologies for terrorist and criminal purposes;
- To enhance cooperation and coordination between the Parties on issues
of international information security within the framework of international
organizations and forums.
Meanwhile, the U.S. Government on May 14 (two
weeks after the China-Russia Accord was unveiled) reminded the world of its proposed “cyber norms” via State
Department testimony before a Senate Foreign Relations Subcommittee (http://fcw.com/articles/2015/05/18/state-cyber-norms.aspx).
The norms - which the U.S.
Administration is reportedly pushing to have adopted by the UN - in brief, would dictate that Nation-states:
- Should not conduct online activity that intentionally harms critical
infrastructure;
- Should not prevent national computer emergency teams from responding
to cyber incidents;
- Should not conduct cyber-enabled intellectual property theft; and
- Should cooperate with international investigations of cybercrimes.
No doubt, the U.S. version is shorter,
clearer, more definitive, and, largely, proscriptive – the latter of which is not
a bad thing, per se.
Nor, however, are the
Chinese-Russian provisions for forward-looking and cooperative and
international initiatives to establish global standards, norms and laws (concepts –
cyber or otherwise - that the U.S. has historically supported).
Opportunity, it would seem, may be knocking.
Perhaps these complementary approaches might be considered together at the next meeting of the UN's "Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security" (quite a mouthful, I know, but it's gotta start somewhere).