China and Russia just dropped a surprising draft resolution at the United Nations General Assembly. 

Nations and UN organizations have been gearing themselves up for what was expected to be a bruising dustup over norms for conduct in cyberspace, the “rules of the road” as expressed by the UK foreign minister. There are at least two camps of behavior, with divergent views of what norms should be. In the first group we have the United States and the United Kingdom and other nations arguing for controls on cyber crime but supporting the free flow of information. China and Russia lead the opposite camp, which worries more about cross-border information which might destabilize their societies (or, rather, the grip of the current leadership).

What makes the new proposal surprising is not just the timing or that it was coordinated between China and Russia, but that it just may be (could be, possibly, fingers-crossed) the start of something we could work with. This blog explores the background of the issue, examines the main agreeable and disagreeable provisions, and concludes with what has been left out.

Cyber Norms in Context:  The topic of norms has been heating up all through 2011 as the world prepares for the first major international conference on norms this November in London.

Russia made their first efforts at the UNGA over a decade ago with a relatively predictable set of proposals to limit cross-border flows of information.   These efforts peaked with a 2008 agreement between the nations of the Shanghai Cooperation Organization. This document did not explicitly discuss norms, but did discuss threats including “dissemination of information harmful to social and political, social and economic systems, as well as spiritual, moral and cultural spheres of other states.” 

The United States and United Kingdom have both laid out norms for cyber behavior which are far more rooted in concerns about cyber crime and more protective of the “freedom of opinion and expression” as enshrined in Article 19 of the Universal Declaration of Human Rights. (See the previous blog for a comparison of these with those from the SCO and head of the International Telecommunications Union.)

Though the positions of these groups of nations differ, there has been important consensus. Russia, China, the United States and United Kingdom joined with eleven other nations (the UN Group of Government Experts or UN GGE) to report to the UN Secretary General. This report covered topics of common concern like cyber crime, norms and confidence building but avoided discussion of controlling content where there could be no consensus.

The Sino-Russian Proposal:   On 12 September, the UN delegations from Russia, China, Tajikistan and Uzbekistan sent a letter to the Secretary General proposing a dialogue on their draft proposal, “International Code of Conduct for International Security.” The overall sense from the US government seems to be that this covers old ground in an attempt to score points and regain the initiative for a more repressive Internet prior to the upcoming global conference hosted by London. 

It in fact does cover old ground and score points, but there may be more to it than this. The proposed code contains many points we can easily agree with, such as a commitment to ensure supply chain security, protect critical infrastructure, commit to freedom to find and disseminate online information, and promote a culture of cyber security, capacity building, and international norm development. 

While these could have been pulled directly from US proposals, the Chinese and Russian proposal includes many provisions that should chill the spine of anyone concerned with free speech and a dynamic, innovative Internet. 

Freedom of Opinion and Expression: Veterans of cyber debates will already be nervous that the Chinese and Russians are putting forth a proposal on “information security” (which for Russia and China includes their concerns over Western evils like CNN, Facebook and Twitter) rather than the preferred US term, “cyber security”.  

Indeed, the proposal hews closely to the previous agreement by SCO, asking nations to pledge,

To cooperate in combating criminal and terrorist activities which use ICTs [information and communications technology]  including networks and curbing dissemination of information which incites terrorism, secessionism, extremism, or undermines other nations’ political, economic, and social stability, as well as their spiritual and cultural environment. 

This is standard boilerplate from autocratic countries to limit freedom of expression. Unfortunately, there is not much wiggle room here for diplomats to find language on which to compromise, but there are possibilities. One way for agreement might be to just keep the first phrase (“to cooperate in combating criminal and terrorist activities which use ICTs…”) and intentionally leave the language vague on what those are.

Commanding Heights of Cyberspace: The Russian and Chinese proposal asks for nations to pledge to

… prevent other states from using their resources, critical infrastructures, core technologies or other advantages, to undermine the rights of other countries … to independent control of ICTs, or to threaten other countries’ political, economic and social security. 

What does this mean? China, in particular, has felt the United States uses its position as inventor of the Internet to unfairly seize an unassailable competitive position in cyberspace. It is not seen as a coincidence that the United States has a disproportionate share of DNS root servers and key Internet companies which matches the Pentagon’s previously stated goal to ensure “US military strategic superiority in cyberspace.” Just as bad, the State Department supports international rights to freedom of speech with a commitment to “undermine repressive governments that seek to silence them by censoring or shutting down telecommunications networks.”

Like the other provision to limit free speech, this paragraph would give further justification to repressive governments to limit access to external (and independent) news sources as happened in Egypt and Libya during the Arab risings and in China every day. Accordingly, this provision is unacceptable and there seem to be few ways to compromise.

Cyber Peace and Conflict: A third pledge the United States, United Kingdom and like-minded nations will have a problem with is,

Not to use ICTs … not to carry out hostile activities or acts of aggression and pose threats to international peace and security…

If you aren’t used to international law or cyber issues, this may seem straightforward, but “hostile activity” and “acts of aggression” are overly broad and open to wide interpretation. China and Russia know we could not possibly accept this provision. However, we might if these words were replaced with “threat or use of force”, an extremely well established phrase in international law, rooted in the critical Article 2(4) of the UN Charter, that sets a clearer bar. “Armed attack” and “armed conflict” are other, but likely weaker, possibilities, but there is clearly common ground here. (For more on this topic, please reference the excellent works by Michael Schmitt and Tom Wingfield.)

Internet Governance: The Russians and Chinese would ask states to pledge

To promote the establishment of a multilateral, transparent and democratic international management of the Internet…

This phrase potentially opens the door for a more active role for the United Nations in governing and running the Internet, a bugbear for Western nations. This is not out of knee-jerk distrust of the United Nations, but out of a fear it may lead to a Balkanization of the separate national internets run by a non-representative UN committee or organization. In the current multi-stakeholder process, governments are just one constituency, meaning neither China (nor, for that matter, the United States) can simply bribe other nations to vote one way or another on the future of the Internet.

So while this phrase may leave the door open for a wider UN role, it is far more agreeable than we could have reasonably expected as it does not call explicitly for such a role. Not only is there room for negotiation but the West could plausibly argue the existing Governmental Advisory Committee for ICANN adequately meets the requirements of this pledge.

What’s Missing? There are two glaring omissions in the Russian and Chinese proposal, which should be added:

  • Any UN voluntary code should include a pledge by nations to control patriotic hackers, militias, or other groups that are ignored, encouraged, or even supported by governments. This has been a scourge of modern cyber conflict and is a leading cause of instability in cyberspace, helping to escalate crises. And Russia and China are the particular sponsors of such groups as seen in Estonia and Georgia (Russia) and against the United States after the Hainan Island incident and bombing of the Beijing embassy in Belgrade (China).
  • Nations should further pledge to be bound to the laws of armed conflict. Both the United States and the United Kingdom have already made this pledge; both Russia and China avoid it, because it needs “more study by experts”. Such a pledge would bind nations not to make threats or use force against other nations and to abide by traditional norms such as proportionality and distinction. Cyber conflict is neither so new nor so different that nations should not pledge to follow the provisions of the UN Charter or Geneva and Hague conventions. All nations should agree the laws of armed conflict apply; if not, then hospitals become legitimate targets.

Russia and China have stolen the moment, releasing a UNGA proposal less than two months before a major international conference called for by the UK foreign minister in the latest effort to rebuild the Internet into one with Chinese characteristics: “used more as a surveillance network, propaganda tool, and to control dissent.”

But while there is material clearly offensive to Western values, as Adam Segal puts it, “Not all is bad in the code.” What we still don’t know is whether this document is actually meant to be the next step in a serious international dialog or simple points scoring before the UK conference later this year. Unfortunately, this may just be a stick to beat the West with and throw the conference off track. It may be safer to ignore this and stick to the UN GGE document and norms laid out in the US and UK strategies and speeches. Just maybe, though, we are meant to take it at face value.

If we are meant to take this seriously, there is much here that we agree with, and more we might be able to accept with deletions, additions, wording changes, and intentionally vague meaning. Given the expected clash of titans and headlines screaming “Cyberwar!”, that is likely far more than we could have hoped for.

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.