Over the past few years, many states, intergovernmental organizations, and think tanks have offered proposals for new norms and principles to govern activity in cyberspace. We’re nearing a bifurcation between east and west. There is significant overlap between the proposals of the United States and United Kingdom and significant agreement between them and those of the International Telecommunications Union. Unfortunately, there is little overlap between Western sources and the norms agreed to by the nations of the Shanghai Cooperation Organization.
As background, many states have released cyber security strategies since 2008. Few have explicitly discussed the “rules of the road” for cyberspace. The one notable and important exception is that most of those strategies have emphasized increased international cooperation. For instance, the Australian Cyber Security Strategy states that “[e]ffective cyber security requires coordinated global action,” a priority echoed by United States, United Kingdom, Canada, Estonia, South Africa, South Korea, Germany, and the Netherlands.
The three most important sources of norms so far have come from the International Strategy for Cyberspace from the United States; a speech by William Hague, the Foreign Minister of the United Kingdom; and statements in a recent book by Dr. Hamadoun Touré, the Secretary General of the International Telecommunications Union. These three statements are directly compared in the following table, based on analysis by Hannah Pitts for the Cyber Conflict Studies Association, which summarizes each proposed norm or principle on the leftmost column.
Comparison of Norm Promotion for Cyberspace Among U.K., U.S. and ITU Statements
As shown, there appears to be an unsurprisingly high degree of overlap between the positions of the United States and United Kingdom. There is also a possible overlap between these proposed norms and those by Dr. Touré. For example, there is a direct correlation across all sources in the three norms of Universal Access to Cyberspace, Combating Cyber Crime, Cybersecurity Due Diligence, and the Commitment to Collaborate with Other Countries.
Moreover, the norm of “fundamental freedoms” is rooted in Article 19 of the Universal Declaration of Human Rights, which should be certainly agreeable to ITU. And while the norm of self-defense does not necessarily contradict that of Touré’s no-first use, the mindsets behind these norms are probably quite far apart, as are subsequent potential policies. Additionally, the stated UK norms emphasize the rights and responsibilities of all actors in cyberspace, whereas those of the United States and the ITU focus on state-based behaviors and norms.
There is an even further gap between the norms from the US, UK, and ITU and the worldview from the SCO ( comprised of Russia, China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan). Unfortunately, the relevant SCO agreement from 2008 did not specifically identify norms, but rather the “main threats in the field of ensuring international information security.” In general, these threats do include some areas (such as information crime or natural threats to safe and stable operation of the Internet) that are either implied or mentioned by the US, UK, and ITU. Others – such as “development and use of information weapons, preparation for and waging information war”—seem to match well only with the ITU.
However, the SCO also casts a very wide net when considering threats, including the spread of information that distorts the “use of the dominant position in the information space to the detriment of the interests and security of other states.” Another threat is “dissemination of information harmful to social and political, social and economic systems, as well as spiritual, moral and cultural spheres of other states.” Together, these perceived threats give the impression that SCO would want to strongly regulate cross-border flows of information, limiting freedom of expression. This would be in direct contradiction to the proposed US and UK norms of “Free Flow of Ideas” and “Fundamental Freedoms” and perhaps even be against the Universal Declaration of Human Rights.
Fortunately, nearly all nations and non-governmental organizations agree that further international discussion is needed and commit themselves to such efforts. The real intergovernmental work will kick off at a London conference later this year and hosted by Hague. However, there has been important work also done by non-government organizations, such as a U.S.-China agreement to fight spam, which might help bridge the differences between nations. In addition, the Atlantic Council has participated in a dialog between think tanks in the China and United States.
The next years will bring loud disagreements as these norms are discussed, but the only way international conversation will progress is through finding areas of cooperation and ways to navigate through disagreement. Nations are now staking out positions and talking, which are the first steps needed to find rules of the road in cyberspace.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber issues on Twitter, @Jason_Healey.