Fresh off the release of its national cybersecurity strategy, the Trump administration gauged interest at the United Nations in restarting talks on global cybersecurity norms. The negotiations, which collapsed last year amid reported acrimony among the U.S., Russia and others, aim to set limits on government-backed hacking at a time when offensive operations are abundant.
At a meeting Friday with representatives of more than 20 countries, Deputy Secretary of State John J. Sullivan raised the prospect of restarting the norms dialogue at the U.N. Group of Governmental Experts (GGE), according to a State Department statement. Sullivan told reporters the department hopes to reconvene the GGE “to define norms of behavior that states will abide by and, if they don’t, to impose consequences.”
“[N]onbinding norms of responsible behavior during peacetime provides important guidance to states, and we’re looking to develop those,” Sullivan said, echoing language in the administration’s new cyber strategy. Furthermore, he said, “there must be consequences for states that act contrary to this framework. Today I called on like-minded partners to join the United States to work together to hold states accountable for their malicious cyber activity.”
The last agreement at the U.N. GGE, reached in 2015, was signed by 20 countries, including Russia and China, two of America’s traditional adversaries in cyberspace. The document affirms that a country shouldn’t carry out cyberattacks that intentionally damage another country’s critical infrastructure. However, the subsequent round of talks fell apart in June 2017 over reported disagreements among Washington, Moscow and others over the right to self-defense in cyberspace.
Russia and China did not participate in Friday’s ministerial meeting, and all countries that attended are U.S. allies, according to an attendance list provided by a State Department spokesperson. Britain, France, Mexico, and South Korea were among the countries the spokesperson said attended.
In a July interview with CyberScoop, Robert Strayer, State’s top cybersecurity official, said he was “optimistic” that a new multilateral deal on norms could be reached because past agreements included major players in cyberspace. “All of those successful, consensus-based documents required that the U.S., China, and Russia came to agreement on the terms,” Strayer said.
Adam Segal, director of the Council on Foreign Relations’ Digital and Cyberspace Policy Program, said the State Department’s reengagement at the UN GGE reflected the U.S. government’s emphasis on norms-building. “The UN GGE was the most productive place for the discussion of those norms, until it wasn’t,” Segal told CyberScoop. “So it makes sense that you try to reengage China, Russia, and others.”
The effort to rekindle the UN GGE talks came a week after the White House released a national cybersecurity strategy that harps on deterring destabilizing behavior in cyberspace. The document says the U.S. will initiate a “Cyber Deterrence Initiative” to build a group of “like-minded states” to “ensure adversaries understand the consequences of their malicious cyber behavior.”
While the strategy stresses defensive measures, in rolling it out, national security adviser John Bolton vowed that the U.S. would go on the offensive in cyberspace. “We’re going to do a lot of things offensively and I think our adversaries need to know that,” Bolton said.
As governments argue over norms in cyberspace, multinational corporations have stepped up to outline their own. In April, Microsoft and other technology heavyweights agreed to core principles for behavior in cyberspace, including not helping governments conduct cyberattacks against “innocent civilians and enterprises.”
UPDATE, 3:08 pm, EDT: This story has been updated with details on which countries attended the ministerial meeting from a State Department spokesperson.