Political pressure over suspected Russian interference in US elections isn’t just weighing on President Obama, it could also energize efforts to create international rules of the road in cyberspace.
Currently, there aren't many accepted norms when it comes to what nations can and can't do to each other in cyberspace. Where international laws give countries specific rights to respond to physical attacks, reacting to digital espionage, political hacks, or corporate breaches is far less clear.
This kind of ambiguity when it comes to cyberattacks linked to political and military leaders around the world is perhaps one reason the Obama administration has lagged in responding to Russia.
"We are trying to deal directly with a host of nation-states around the world and engaging with them in terms of what's acceptable from our perspective, and what is not," National Security Agency director Adm. Michael Rogers said at a recent conference. "Cyber does not recognize these arbitrary lines that we have drawn — it doesn't recognize the geography."
Some efforts to establish dos and don'ts in cyberspace seem to be working. For instance, international efforts to curb cybercrime have been effective in some cases. Numerous reports have indicated that Chinese intrusions into US companies declined after an agreement to cut down on cyberenabled corporate espionage last year. A similar agreement between the Group of 20 countries expanded those protections internationally.
When it comes to Russia, however, forging any kind of bilateral agreement when it comes to cyberintrusions may prove difficult in the wake of the the election hacking allegations.
But for some, suspected Russian interference in US elections has raised broader questions about the value of cyber norms – and how much leverage the US has in those talks.
"Russia is ironically in a better position to advocate the need for binding rules to prohibit noninterference through cyberspace," Robert Morgus, a policy analyst with New America think tank in Washington wrote in a blog post earlier this month.
"Even though Moscow is widely believed to be behind the US election shenanigans, it can still argue that a noninterference rule, had it been in place, could have prevented the election tampering," he wrote.
On the international stage, the United Nations Group of Governmental Experts, 20-country bloc, has been working for nearly seven years to establish cybersecurity “norms” that encourage members to tamp down on foreign cyberattacks.
In fact, as the so-called “GGE” gathered for its first meeting in New York in August, internal emails from Hillary Clinton’s campaign and the Democratic Party continued to surface on the antisecrecy site WikiLeaks. Moving forward, experts say that kind of interference will force negotiators to get creative to deal with an emerging US-Russian rift in cybersecurity.
“The difficulty isn’t that norms have reached the end of their usefulness, it’s that we’re in a conflict with Russia,” says James Lewis, a senior fellow at the Center for Strategic and International Studies, a Washington think tank. “You have to think about how to renegotiate.”
But even though norms take time to establish, eventually they begin to change behaviors. “Think about how many years it took arms control to reach fruition," he says. "You can agree to something and then ignore it but eventually the words catch up to you.”
The GGE, which includes the US, Russia, and China, aims to build upon a resolution approved by the UN General Assembly last December that calls for states to respect sovereignty in cyberspace and steer clear of attacks on critical infrastructure.
But just as the resolution was approved, cyberattackers took down part of the power grid in Ukraine. US officials claimed that Russian hackers were behind the blackout.
But even when norms are in place, experts say the lack of teeth behind those standards may make them meaningless in many cases.
“You have to put deterrence in a much broader context,” says Joseph Nye, a political science professor at Harvard’s Kennedy School of Government. “It's not just cyber, but it's the instruments that you have to make the costs higher than the benefits. Cyber deterrence is much more like deterring crime, it's deterring a lot more behaviors that are not as dramatic as a nuclear attack.”
There are a handful of legal, political, and economic tools available to nation-states to reinforce the international rules of the road for cybersecurity. The New York Times reported last week that the Obama administration is still considering sanctions against Russia for the suspected DNC hack. Vice President Joseph Biden also hinted in October that the US could be taking covert action against Russia to retaliate.
But while cybersecurity is playing a big role in the drama around suspected Russian cyberattacks, the decision to leak DNC and Clinton campaign emails to WikiLeaks could fall into a gray area when it comes to cyber conflict.
“If they had just stolen the information and not done anything with it publicly it wouldn't be such a big deal. The big part was not cyber,” says Bruce McConnell, vice president of the East West Institute. “This is an international political matter. You shouldn't shout fire in a crowded theater on an international level. There's the old gentleman's agreement among nations, but that's not honored when it's inconvenient to honor it.”
Though the GGE is the leading effort to establish political rules for cybersecurity, voices in academia and the private sector have begun to look at more expansive precepts for states and technology firms.
The Global Conference on Cyberspace, a meeting that has brought together governments, tech firms, and civil society groups to look at rules of behavior for cyberspace since 2011, has another meeting set for Hyderabad, India, this year. And a successor to the Global Commission on Internet Governance, chaired by former Swedish foreign minister Carl Bildt, is also in the works.
For its part, Microsoft has called on states and technology to stop selling software security flaws, which can be valuable openings for spies and hackers. Elsewhere, the Tallinn Manual, a study convened by NATO’s Cooperative Cyber Defence Centre of Excellence, will aim to look at how international law applies to cyberspace.
“The problem with espionage is that there’s no international law of espionage,” said Thomas Wingfield, a professor of cyber law at the National Defense University in Washington.
But Mr. Wingfield still thinks the GGE and similar efforts to establish rules for cyberspace are headed in the right direction – even if they’re proceeding more slowly hackers.
“International law starts as norms that are later codified in custom and enshrined in treaty. It highlights the bad actors,” he says. “Countries like Russia and China may not have a lot of respect for the law, but it makes it harder diplomatically and politically to do these things.”