The contest of rules: US, China, Russia rival in setting the norms of behavior in cyberspace

The shift of cyberspace governance discussions towards a normative framework demonstrates states’ efforts to formulate ‘rules of the game.’ Recent multinational and bilateral agreements on cyberspace governance fall under the domain of non-binding soft law, in which norms agreed upon are not set in stone. As fundamental differences exist amongst individual states’ visions of cyber governance (for example views on state sovereignty in cyberspace), and with the uncertainties a rapidly developing cyberspace brings, hard laws often imply commitments that are difficult to honor. Non-binding agreements and norms leave room to maneuver as seen in the recent UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report and talks between the US and China.

While the United Nation’s bureaucracy is typically perceived as ill paced for dynamic ICT governance, in June 2015 a major breakthrough occurred. Representatives from twenty countries formed the fourth Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security. The GGE agreed on a range of non-binding norms for state behavior as well as confidence and capacity building measures in cyberspace – something many were skeptical about. The agreements, reflected in the reportpublished in August, outline some important commitments which states have refused to recognize since the late 1990s when the Russian Federation started promoting the norm building process through the creation of the UN GGE. These include, inter alia, the commitment to not attack each other’s critical infrastructure and cyber emergency response systems (CERTs and CSIRTs); to not knowingly allow illegal third party cyber activity from within their territory; to carry out due investigation on malicious activity before counteractions are taken; to assist in investigations of cyberattacks and cybercrime launched from the country’s territory; and to commit to peaceful use of ICTs as a cornerstone of peace and security in cyberspace and beyond. Building on the success of the previous UN GGE in 2013, which acknowledged the applicability of international law to cyberspace and encouraged future elaboration of norms and confidence building measures (CBMs), the current GGE managed to build upon and agree on some minimum conditions for international cyber stability.

Since the release of the report, numerous discussions have focused on the practical implementation of the agreement, as well as the feasibility of the non-binding norms-based approach to cyberspace governance in general. While the agreement is a positive step, the extent to which the given commitments will actually translate into practice depends on the political good will of all signing parties regarding information sharing, CERTs and CSIRTs cooperation, and joint efforts in investigation against at attacks. The current level of trust in the international arena makes it difficult to imagine that non-binding principles could act as an effective measure of restraint for the twenty states-signatories (Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana, Israel, Japan, Kenia, Malaysia, Mexico, Pakistan, Republic of Korea, Russia, Spain, UK, US) let alone any other aspiring cyber-nations. Though it sets an important precedent for consensus, this report does not tackle some key issues on bilateral agendas, which will need individual fine-tuning.

What is most interesting is how some issues, which were not included in the agreement, are currently addressed. UN GGE is a consensus platform, and given the long-standing differences in stances formulated by the most vocal participants (the US, Russia, China), this reveals the ongoing contest over who sets, shapes, and interprets international norms, representing the ultimate manifestation of power in a multipolar world.

Both China and Russia are quite successful in domestic norm building, which reflects Chinese and Russian authorities’ tough position on content control and online data sovereignty. In this regard, the recent research paper, “Benchmarking Public Demand: Russia’s Appetite For Internet Control,” by the Center for Global Communications Studies at Annenberg School for Communication, gives a good sense of the domestic norms setting success enjoyed by the Russian authorities.

China and Russia have attempted to push these norms at the international stage for further legitimation, but beyond the Shanghai Cooperation Organisation (SCO) ‘Code of Conduct for information security’ their success has been modest until recently. However, some of the ‘Code of Conduct’ language is present in the UN GGE report. For instance, clause 26 explores how states should “[refrain]in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations… and non-intervention in the internal affairs of other States.” Clauses 27 and 28 also suggest that state sovereignty and international norms and principles flowing from sovereignty apply to states’ conduct on ICT-related activities and to their jurisdiction over ICT infrastructure within their territory. Still, in other fora the concept of state sovereignty in cyberspace remains a stumbling block, as well as what ‘objectionable content’ implies. The latter is increasingly important to spell out, as radical groups like ISIS actively use online platforms for recruitment. This might give an extra opportunity for the wider acceptance of what up to recently has been qualified as a ‘domestic norm’ for a number of countries (e.g. taking down extremist/terrorist content).

As for the US cyber norm promotion, one principle of state behavior laid out by the US State Department in May 2015 states that “no country should conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain.”  It was not included in the set of norms in final UN GGE report, which might have contributed to the intention to pursue the issue on the bilateral level. At the end of August, the media reported that the US planned to impose sanctions on Chinese companies and individuals found guilty of commercial espionage. A related Executive Order, signed back in April 2015, gave the Treasury Department wide authority to employ economic sanctions against cyber hackers whose actions have harmed national security. Though not drafted to address exclusively Chinese offenders, given the long track record of bilateral tension over the issue it is viewed as such.

Cyber issues certainly framed the agenda of Chinese President Xi Jinping’s September 22-25 state visit to the US. A White House statement released at the end of the state visit, articulated the two countries’ agreement to not engage in cyber theft and cooperate on cybercrime issues, a surprise amid scepticism many have had about cajoling China into any promises. While this may give an impression that the US cyber agenda is gaining the upper hand, this is most likely wishful thinking.

The talks are an interesting carrot and stick exercise. In addition to the reported US sanctions for intellectual property cybertheft, ahead of President Xi Jinping’s visit, sources announced that the US and China are developing their own cyber deal similar to the China – Russia agreement signed in May. While the deal would not be regulated by any international accords both countries are signatories to, it would echo and reinforce the UN GGE agreement. In retrospect, this rumoured bilateral pact looks like a Plan B in case the efforts to settle more urgent cyber theft issue lead nowhere.

Indeed, Mr. Xi Jinping has been sending mixed messages by both standing his usual ground on some norms and seemingly suddenly giving in on others, which he previously refused to embrace on behalf of his country. In an interview ahead of his visit to the US he reiterated China’s traditional stance that “rule of law also applies to the Internet, with the need to safeguard a country’s sovereignty, security and development interests as relevant as in the real world.” However, he also recognized the urgency to fight what his country has been accused of by admitting that “cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions.” Speaking to tech-firms in Seattle, Mr. Xi Jinping pledged readiness to set up “a high-level joint dialogue mechanism with the United States to fight cybercrimes,” pointing out that his government “will not, in whatever form, engage in commercial theft nor encourage or support such efforts by anyone.” Coupled with promises to welcome foreign investment, this appears to be a candid commitment to stronger bilateral relations, followed by the US-China joint pledge not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors,” which few expected.

Still optimists should not hold their breath due to the non-binding nature of  the US-China talks and UN GGE norms. The language of the cyber commitment reveals some important reservations, which leave much room for interpretation in the future. Along with some other CBMs on timely responses “to requests for information and assistance concerning malicious cyber activities” and establishing “a high-level joint dialogue mechanism on fighting cybercrime and related issues,” the US-China talks also suggest that the two sides “agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.”: The allusion to national laws is a useful caveat to any future conflicts over lack of cooperation. Additionally the activity of non-state actors is not addressed, allowing for deniability of failure to commit.

China must be feeling fairly comfortable with the soft law solution since even if US sanctions follow if China does not honor this US-China commitment, sanctions  might backfire. First,  cyber-attack attribution is difficult  and the accused will most certainly deny any wrongdoing (as seen with the Sony Pictures attack). Second, sanctions will deliver a blow to US companies’ business with China, impacting the thousands of jobs that rely on these ties. Third, China can retaliate against the threat of sanctions by pushing US tech firms to comply with China’s desire for increased control over data flows. While this could force some US companies to leave the Chinese market, US tech firms giving China access to encrypted communications could also have larger implications for domestic US data access. If the US corporate sector eases on data disclosure in China, this could give grounds for US law enforcement to request similar access to data for intelligence purposes.

This also reveals an interesting interplay between the two faces of cyberespionage – for intelligence or commercial ends – representing different perceived threats on both countries’ sides. Since Snowden’s revelations, which ironically were made public when China and the US last addressed cybercrime issues face to face, China feels its actions in the cybersphere are justified, given the scope of the US cyber intelligence intrusiveness. The US sees SIGINT efforts as a legitimate part of any country’s foreign policy. Though the commitment to non-compromising ICT products with “harmful hidden functions” features at least in the UN GGE’s set of norms (even though the verification remains a challenge), IP theft looks more like a sore point on the bilateral agenda, probably addressed in a broader context of US-China relations with inevitable trade-offs.

Unless the US curtails some cyber intelligence, other incentives must be offered to push the Chinese to make concessions and embrace more US-promoted norms.  In any case, in its current vague form, which addresses only governments and does not incorporate none-state actors, the agreement is a comfortable and symbolic half-step, saving face for both sides and leaving the door open for further negotiations.

With the dormant Russia-US cyber deal from 2013 in mind, there is a triangle of agreements among Russia, China and the US embedded in the UN GGE accord. Non-interference with domestic affairs via ICT tools might be more of a priority for Russia given current geopolitical turmoil despite record domestic public approval rates. While supporting this norm, China does not seem to view it as a critical one – a tightly controlled digital domain is well-preserved in the country and faces no palpable threat. The US, on the other hand, places much importance on curtailing commercial cyberespionage. All three countries are united by the desire to protect their critical infrastructure against cyberattacks though this most tangible ‘common denominator’ is less relevant in peacetime. The struggle will continue in the domain of little or no normative consensus in cultural, historical and practical terms, lined with strategic economic bargaining where conceptual understanding fails.

The article originally appeared at our partner’s CGCS Annenberg Media Wire blog.

Alexandra Kulikova is the Program Coordinator for the PIR Center’s Global Internet Governance and International Information Security Program in Moscow, Russia. Alexandra graduated from Moscow State Linguistic University, with a degree in language education. She also holds an MSc in Media and Communications Governance from the London School of Economics and currently acts as a researcher, focusing on internet governance, state, and corporate policies in human rights. Active in the field, Alexandra has participated in the LSE Media Policy Project research group and interned with the Language Policy Division at the Council of Europe in Strasburg, France. For five years, she headed the RBCC Bulletin, the monthly business magazine of the Russo-British Chamber of Commerce. Alexandra’s research expertise includes cybersecurity, information security, global internet governance, internet development.