As interference in foreign elections and attacks on civilian infrastructure push the limits of what states can get away with in cyberspace, a newly formed team of lawyers, academics, executives, and government officials is scrambling to develop some simple rules of the road in an effort to prevent the rising tide of cyberattacks from leading to outright war.
The Global Commission for Stability in Cyberspace, as it’s called, is looking to succeed where the United Nations has stumbled. Tasked with defining how existing international law should apply in cyberspace, a U.N. body debated the issue but reached a stalemate earlier this year, prompting calls for action outside the international body.
The need for establishing such guidelines is urgent. Governments across the globe are racing to build and use digital tools for everything from distributing propaganda to carrying out attacks that look a lot like conventional acts of war. As events like election meddling in the U.S. and Europe and recent attacks on Ukraine’s power grid show, international cyber conflict is increasingly spilling over into the physical world. But “cyberspace is not a jungle,” the new commission’s chair, Marina Kaljurand, told an audience at the Black Hat computer security conference in Las Vegas last month. “International law applies; the question today is how international law applies.”
The commission can only make policy recommendations, but Kaljurand, who was formerly Estonia’s foreign minister, said the fact that the group includes representatives from the private sector and academia in addition to government is an advantage compared with the all-governmental U.N., since the Internet features such a complex array of stakeholders. The commission’s largest funders are the governments of the Netherlands and Singapore, and Microsoft, which has been a leading corporate voice in the discussion of what should constitute responsible behavior for state actors in cyberspace (see “Do We Need a Digital Geneva Convention?”).
Since cybersecurity has become so crucial to global security, said Kaljurand, it is imperative that the international community find agreement on what constitutes unacceptable behavior. “The more ambiguous zones there are, the more possibilities there are for misunderstanding each other and for provocations.”
It’s not that governments haven’t been trying to find common ground. In fact, the U.N.’s attempt, called the Group of Governmental Experts, did initially make progress toward developing some non-binding rules, including that nations should not attack each other’s critical civilian infrastructure during peacetime. This year, however, the GGE failed to reach a consensus and did not deliver a report to the U.N. General Assembly. In a statement after the meeting, Michele Markoff, the GGE’s representative from the U.S. and the deputy coordinator for cyber issues at the State Department, expressed disappointment that some participants seemed to want to “walk back progress.”
It was a major blow to the process, but the discussion must continue, and the new commission will be the forum, said Kaljurand, who has also represented Estonia at GGE meetings. As long as there are gray zones in the application of international law, she said, we will continue to see states try to get away with as much bad behavior as they can, even as such acts carry the risk of mushrooming into global conflict.