September 29, 2021
The 5×5—The future of cyber diplomacy
The cyber domain is not just the newest domain of conflict and cooperation, but one that pervades modern societies and is constantly evolving. A lack of mutually agreed upon rules of the road poses a challenge to stability. In 2015, the United Nations published a consensus report from the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security to build out a framework of international norms for responsible cyber behavior. The report has provided an important starting point, but in practice has had little impact on states’ cyber behavior.
The international community has yet to develop a common understanding of what constitutes a norm violation, which specific categories of targets should be off-limits to certain types of cyber operations, and so on. In June 2021, US President Joe Biden presented Russian President Vladimir Putin with a list of sixteen critical infrastructure sectors that should be off-limits to hacking, but the list encompasses certain traditionally legitimate targets, such as the defense industrial base, and Russia-linked cyber operations do not appear to have slowed since.
Effective cyber diplomacy requires the involvement of more than just states, as industry and civil society actors play a vital role in shaping capabilities and norms. We brought together a group of leading experts with a range of perspectives to discuss cyber diplomacy and what the future of responsible cyber statecraft looks like.
#1 What makes cyber diplomacy different, or notable, when compared to other forms of diplomacy?
Kaja Ciglic, senior director, digital diplomacy, Microsoft:
“The very nature of the Internet as a borderless, interconnected system makes it too complex to be solely managed by any single country, company, or organization. Making a meaningful difference and countering threats emanating from cyberspace, especially state cyberattacks, will require effective cooperation among all relevant stakeholders. Cyber diplomacy is different from other forms of diplomacy, because it is the first real multistakeholder diplomacy.”
Aude Géry, postdoc in public international law, specialist in international legal issues of cybersecurity, Geopolitics of the Datasphere (GEODE), University of Paris 8:
“First, the resilience of our societies is dependent upon the security and stability of the digital space. Second, the digital space can be a driver to achieve the United Nations’ Sustainable Development Goals. So, cyber diplomacy participates in the definition of all aspects of our current and future world. It impacts all other domains of cooperation and issues.”
Klara Jordan, senior fellow, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security; chief public policy officer, Cyber Peace Institute:
“Cyber diplomacy’s key difference when compared to other forms of diplomacy is that it is a relatively new area of competition and collaboration between states, where rules, norms, and effects of actions or omissions of states are not clearly defined. Those that engage at the diplomatic level on cyber issues had to develop a framework for engagement in a short period of time, without the possibility of using frameworks from other domains as a guide. Rapid digitization increases the attack surface at a pace that is not matched by efforts to secure it or by the international community as a whole showcasing responsible behavior in cyberspace, so the diplomatic community is left to grapple with these issues. It is also a domain of not only strategic importance, but one that touches and influences the everyday lives of individuals at every level. Global progress, democracy, and physical and emotional wellbeing can be impacted by negative trends surrounding cyberspace. So, the stakes are high, the rules of the game are not sufficiently defined, and the topics and equities are complex.”
Elaine Korzak, affiliate, Center for International Security and Cooperation, Stanford University:
“As technology is becoming ever more important, various discussions under the umbrella of “cyber diplomacy” are noteworthy since they seek to build a normative framework for cyberspace. This framework is significant and consequential – its regulatory choices carry economic, political, social, and security ramifications for individual states and the international community as a whole. Though diplomatic processes move slowly and progress has been incremental, it deserves much more attention than it has received thus far.”
Christopher Painter, president, The Global Forum on Cyber Expertise Foundation; former coordinator for cyber issues, US State Department:
“Cyber diplomacy is essentially applying a diplomatic tool set to cyber challenges, and encompasses: building alliances and collective response to cyber threats; negotiating a cyber stability framework that includes rules of the road for state actions in cyberspace; negotiating bilateral agreements and cooperative frameworks; ensuring human rights are respected in cyberspace; using diplomatic tools to respond to threats; fostering capacity building; and integrating cyber issues into larger discussions of national and economic security, among other issues. For too long, cyber has been relegated by senior policymakers to technical experts in a failure to recognize the vital policy issues at stake as we have become more dependent on cyberspace for everything from our economic to societal growth. It is important to draw attention to cyber issues and make them a diplomatic priority to help mainstream them as real national security and foreign policy concerns. This is particularly true given the increasing cyber threats we have witnessed, but also the real promise of growth that these technologies offer. Fortunately, there has been good recent progress in elevating both cyber and cyber diplomacy to real areas of national and international priority.”
#2 How do agreed upon norms in cyberspace (or lack thereof) impact diplomatic approaches to cyber crises?
Ciglic: “Agreed-upon norms introduce greater stability to cyberspace and, in combination with confidence-building measures, provide options to prevent escalation and, hopefully, allow for easier resolution of disputes. Norms can also signal what kind of behavior is unacceptable. This is why the attribution of a cyberattack to a state that is in violation of international norms, even when using a third party, should always include an explicit and direct articulation of which norm was transgressed and how.”
Géry: “Norms offer common understanding of what to do or not do, and serve as incentives to cooperate. But, by themselves, they cannot prevent or limit cyber crises. Because many provisions related to crises are confidence-building measures, they are not binding, and their implementation may require capabilities. This is why international law, confidence building measures, capacity building, and norms all reinforce each other.”
Jordan: “While most of the international community has agreed on a set of norms, agreed upon by consensus in 2015 and endorsed in 2021 by the UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace, the international community has not agreed on what some of these norms mean, and what behavior would constitute the violation of a norm. Therefore, we lack clarity and consensus on where the lines of responsible behavior, or the lack thereof, lie, complicating clear-cut conversations on responsibility and accountability in a crisis. Because we have a lack of historical precedence of crisis management mechanisms in this area, the diplomatic community has to fly the plane as they are building it – explaining the norm and why a violation has occurred, presenting technical evidence, and discussing proportional response to an act or omission.”
Korzak: “Following the promulgation of the 2015 cyber norms, the agreement was criticized for having little to no impact on states’ behaviors and cyber crises. Abstract norms agreed upon in diplomatic venues seemed to be detached from the string of cybersecurity incidents occurring worldwide. Since then, there has been a shift to actively promote norms in cyberspace and to support states in their implementation. As a consequence, there has also been greater emphasis on accountability in case of norm violation. Cyber norms provide a framework or benchmark to judge states’ actions as responsible or irresponsible. More countries are starting to use the norms agreed upon in the United Nations more explicitly and deliberately in their handling of cyber crises, calling out violators and the norms that need to be upheld. Similarly, cyber crises offer opportunities to point to the need for additional norms or regulations that are currently lacking.”
Painter: “Norms and international law are a baseline of acceptable state conduct in cyberspace. Without them, it would be a lawless space. Even when states violate agreed-upon norms, they provide a rallying point for other states to demand compliance and foster accountability (and consequences for bad actors). For example, the US call for Russia to get a handle on malicious cyber gangs operating from its territory is backed up by previously agreed to norms.”
#3 How do countries balance freedom of offensive (or defensive) action in cyberspace with norms dictating avoidance of certain targets, tactics, or capabilities?
Ciglic: “We have rules in all aspects of our lives that enable us to function as a society. There is no reason for cyberspace to be any different. In addition to agreed-upon norms, international law, international humanitarian law, and human rights law all govern what type of action states can take in cyberspace.”
Géry: “Countries do so by introducing a threshold criterion in the scope of what is acceptable or not. For example, not all cyber operations against critical infrastructures are targeted by norms, but only those operations that cause a certain level of damage. They thus leave outside of the norms’ scope operations limited to mere data collection.”
Jordan: “The norms of behavior that states discuss and agree on express their aspirations for certain principles and behavior in cyberspace. Ultimately, though, norms shape the political and normative environment by states’ actions and decisions, which are an outcome of a balancing of complex equities. For example, to balance the strategic benefit of exploiting a zero-day vulnerability for offensive actions, with risk caused to society or civilian equities, some states have implemented a vulnerability equities process. In a situation of an armed conflict, states use the rules of international humanitarian law to determine which objects are protected and cannot be targeted by cyber (or other) capabilities. While balancing equities is difficult and complex, states should always prioritize human-centric equities in decision making.”
Korzak: “That balancing calculation depends on every country and their specific circumstances. Although the international community is working towards regulating state behavior in cyberspace (and with that offensive and defensive action) through cyber diplomacy, different states seek different regulations in this conversation. The United States and like-minded states promote a set of norms that have been agreed in UN Groups of Governmental Experts to limit states’ actions in cyberspace. These include norms prohibiting the targeting of certain structures, for instance critical infrastructure or Computer Emergency Response Teams (CERTs or CSIRTs). Additionally, states have acknowledged the applicability of international law, which places constraints on the activities of states in cyberspace and would have to be taken into account in national balancing calculations. Particularly international humanitarian law contains numerous provisions regulating the development of capabilities and their use. However, these provisions are interpreted by every state, and it still remains to be seen where different interpretations of the law may converge or diverge.”
Painter: “Countries do so the same way as they do in physical space. There are targets that are off limits in the physical world in peacetime because of their nature (i.e., hospitals), and the same should apply in cyberspace. Of course, as a new area, countries need to be comfortable in restraining their capabilities, and this requires coordination both within and between governments. But norms, such as ones prohibiting attacks on critical infrastructure during peacetime, have already achieved a high level of consensus (though we have, as yet, not been good at holding violators accountable). Agreements of restraint and cooperation are vital to future cyber stability.”
#4 Why do some technology companies have cyber diplomacy teams (e.g., Microsoft) and some governments tech ambassadors (e.g., Denmark)?
Ciglic: “The number of countries with tech ambassadors grows year by year, and we are finally also seeing increasing interest in international processes dealing with cybersecurity across the private sector – and not just the tech sector. This is a welcome and long-overdue development. The reason for this is simple – as more and more of our lives are spent online, this is an area that will only grow in importance over the next decade, impacting not just some countries and some companies, but societies across the globe.”
Géry: “If diplomacy is first and foremost an inter-state activity, the digital space has been created and is managed by non-state actors that are directly impacted by states’ activities. Achieving peace and security in the digital space will thus not be possible without non-state actors, requiring a discussion between these two categories of actors.”
Jordan: “This stems from the commitment of these stakeholders to contribute to safer and principled cyberspace. I believe that industry players engaged in this space want to prevent the weaponization of their technology – not only because they understand the negative impact it can have on their bottom lines, but also because they are concerned that abuse of technology can undermine trust in digital technologies and jeopardize their great potential. They are also operationalizing their part of being responsible actors in cyberspace by investing resources and expertise to inform diplomatic discussion in this domain, especially because it is one built and operated by the industry.
As for governments, these actions are part of their commitments of responsible state behavior. Governments are utilizing all of the tools in their toolboxes to ensure that their national security and foreign policy interests have a chance to prevail, including in this domain of strategic importance. Also, states want to ensure that their citizens can enjoy safe and stable cyberspace where they will be able to benefit from technology without being concerned about security, safety, and privacy.”
Korzak: “An organization’s decision to dedicate resources to cyber diplomacy can be based on many factors, just as in other policy fields. Increased engagement can be driven by the interest of individuals in leadership positions. It can be spurred by a cybersecurity incident that affected a certain company, sector, segment of society, or state, etc. It can emanate from coordinated civil society pressure on a certain topic. An organization, be it a company or a government, can view itself as particularly capable or vulnerable when it comes to cybersecurity issues and may thus see it in their interest to shape international regulatory outcomes accordingly. Another factor might be peer pressure if certain countries or companies build up diplomatic capacity either regionally or internationally. On the whole, we have seen an increase in corporate engagement and diplomatic posts in governments in the past five-to-six years. However, the more interesting question to me is, why certain technology companies and governments have so far not dedicated noticeable resources to cyber diplomacy in spite of this trend.”
Painter: “I think countries, the private sector, and civil society are all recognizing that much of future prosperity lies in cyberspace, and that decisions made in a multitude of global and regional forums will help shape the future of cyberspace and how we respond to threats. The United States had the first high-level dedicated cyber diplomat and now over forty countries have a version of this. While Denmark created a special position for the tech sector, many existing cyber diplomats have that relationship as part of their portfolios.”
#5 What countries, companies, or non-governmental organizations (NGOs) handle cyber diplomacy exceptionally well? Which have room for improvement?
Ciglic: “The groups, whether in the public or private sector, or members of civil society, that have managed to make a meaningful difference in this complex area are the ones that recognize that they need to reach out across the aisle. That means building partnerships, finding new ways to collaborate across the different stakeholder groups, and investing in bringing others along for the ride. In short, those who are most successful in this space are those who understand and embrace the importance of multistakeholder, digital diplomacy.”
Géry: “Today, we see more and more state and non-state actors involved in cyber diplomacy. This is great, because the digital space shapes our societies and creates interdependencies. Everyone needs to be on board, but there is still a long way to go. The Open-Ended Working Group at the United Nations has brought many states into the discussion. On the non-state actors’ side, there is still a lack of interest. To make concrete progress, raising awareness and capabilities are needed on both sides.”
Jordan: “Rather than calling out specific countries, I would like to highlight a certain approach to cyber diplomacy. Organizations and governments that walk the walk of multistakeholder engagement in cyber issues have the potential to present a comprehensive engagement strategy that does not leave out any stakeholder and considers all the equities that can be impacted or influenced by an outcome of a diplomatic engagement. Additionally, entities that have practical approaches to diplomacy that manage to connect the diplomatic with the practical have had some successes in this domain.”
Korzak: “The negotiations of the United Nations’ Open-Ended Working Group from 2019-2021 offer a good starting point to see which states and non-state actors have been particularly active in cyber discussions. For states, this includes the United States, several EU states (Estonia, France, The Netherlands, among others), Australia, Canada, Mexico, and Singapore, as so-called like-minded states. Further, Russia has been driving diplomatic discussions for over two decades and China has become significantly more involved in recent years. On an individual level, the chairs of the Open-Ended Working Group and the latest Group of Governmental Experts, Ambassador Lauber of Switzerland and Ambassador Patriota of Brazil, respectively, have been credited with the successful completion of diplomatic talks. With regard to companies and civil society organizations, human rights and privacy groups have been quite involved. On the corporate side, Microsoft has been a long-time leader on cyber diplomacy, and other companies have joined through the Tech Accord. (For a detailed account, the multistakeholder dialogue organized as part of the Open-Ended Working Group has a list of non-governmental organizations that participated; though not all entities that registered also attended.) On the whole, however, a more diverse set of companies and civil society organizations, particularly from the Global South, is still missing.”
Painter: “Really, there are many (and I am not going to choose), but I think the United States has played a leading role – and, hopefully, its posture will be buttressed with re-elevated organizational priority and resources by the Biden administration. Microsoft has been a leader as a company, and I would like to see other companies becoming more active in policy issues. There are also a lot of active and talented NGOs, but I will selfishly plug The Global Forum on Cyber Expertise (GFCE) that I help run. The GFCE is a global multi-stakeholder organization that seeks to promote and coordinate cybersecurity capacity building around the globe – a foundational pillar to the world’s diplomatic and response efforts.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.