Diplomats from around the world are convening this week to share ideas about what type of behavior should be allowed in cyberspace, and debate what happens when those rules are broken.
The virtual confab, organized by the Estonian Ministry of Foreign Affairs and designed for seasoned and green diplomats alike, began Tuesday morning to discuss how international law applies in cyberspace and different attack methods diplomats may encounter when confronting cyber incidents, Estonia’s Ambassador at Large for Cyber Diplomacy Heli Tiirmaa-Klaar told CyberScoop in an interview.
While the gathering will touch on historical cyber incidents that have rocked the international norms conversation over the years, including the sweeping WannaCry and NotPetya attacks, the focus of the so-called cyber diplomacy school is not on instruction about the technical details of cyber incidents. It’s about how to negotiate and shape behavior of other governments.
“This is not technical training,” Tiirma-Klaar said. “What is missing in the market in a way is the more conceptual part — how you see the cyber events at a more strategic level and how we put the cyber behavior of governments and nations into the lens of diplomacy.”
Members of the United Nations agreed in 2015 to a framework of responsible state behavior that establishes that nations shouldn’t run cyberattacks with the intention to cause damage to other countries’ critical infrastructure. Adherence to the agreement has been inconsistent in recent years, though, and a shared international understanding of what constitutes a transgression is still developing. Allied nations frequently fail to reach a consensus on the best way to respond to a major cyberattack, or cyber-espionage campaign.
The international tenor of cyber diplomacy is “progressing towards more maturity, more clarity in terms of, the need for response, we need to implement the norms, we need consequences if some countries do not follow the norms,” said Tiirmaa-Klaar.
The event this week is the third of its kind. Estonia hosted the first-ever so-called cyber diplomacy school in 2019, but only opened it to participants from the European Union and the North Atlantic Treaty Organization. Due to the pandemic, however, this iteration of the cyber diplomacy school is entirely virtual and streamed live, so any member state from the United Nations, as well as any member of the public, may participate.
The event comes weeks after the U.S. government announced Russian operators were “likely” behind a cyber-espionage operation carried out against federal agencies and the private sector in the U.S. in part through a manipulated software update in SolarWinds technology. While the gathering this week is not focused on hashing out consequences for malicious behavior in cyberspace, the incident is a perfect example of why diplomats need to brush up on how to address cyber incidents, says Tiirmaa-Klaar.
“All these events and incidents that we have seen during the last year are just confirming that we all have to pay much more attention to cybersecurity and also supply chain issues in cybersecurity — and it’s up to us to defend our networks and make sure that our supply chain is protected,” Tiirmaa-Klaar told CyberScoop.
It was in 2016 that NATO determined a cyberattack on a member nation could result in a collective response from allied nations. In the last two years, several NATO nations have said they would, in theory, be willing to share offensive cyber capabilities through the alliance.
One of Estonia’s goals in organizing the cyber diplomacy school is to “mainstream cyber” for diplomats, as cybersecurity issues increasingly impact and overlap with how international relations have to be conducted, Tiirrmaa-Klaar said.
“What I’m trying to show is it’s not about the technology,” Tiirmaa-Klaar said. “It is about behavior. Countries behave. It is often the behavior of people that we are trying to actually address here. Computers don’t attack each other. It’s people.”
The event, scheduled to end on Wednesday, also involves various UN forums meant to develop cyber norms, as well as panels on the basics of the framework of responsible state behavior established in 2015 and international law.
“The real aspect of … training is the political policy-making and legal requirements that are equally important — you need training in how do you make cyber policy, how do you make cyber law,” James Lewis, a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies, said during a cyber school session Tuesday.
A changing tide
The international community is still developing what consequences nations should face when they overstep the framework of responsible state behavior established in 2015. While individual governments such as the U.S. have been slapping sanctions or indictments on entities and individuals that have been deemed responsible for malicious cyber-operations — and occasionally coordinating with other governments on such actions — there is no preset menu of consequences for bad behavior in cyberspace.
“This is possibly the most important thing for giving meaning to norms,” Lewis said. “Norms are defined by consequences. If states choose to observe them there’s no need for consequences. But unfortunately in the world we live in we know that’s not the case.”
Part of the challenge is governments’ differing perspectives on what level of attribution is needed to respond to infractions, and how willing foreign countries are to take action.
The tide may be changing, according to Tiirmaa-Klaar.
In December, European Union members made overtures to the Biden administration about better interweaving U.S. and EU efforts to counter attacks on critical infrastructure.
“We have to keep educating decision makers so that a new generation of decision-makers and diplomats will have it in their arsenal of thinking,” Tiirmaa-Klaar said. “I think this kind of breaking point is almost there.”