The race to establish what nation-states can and can’t do in cyberspace — an effort that has been largely stalled for the past couple of years — is back on.
The United States and 26 other nations on Monday kicked off the United Nations General Assembly in New York by issuing a statement that called out both state and non-state actors for targeting critical infrastructure during peacetime, interfering in politics and conducting intellectual property theft. They also called for costs to be imposed on those that seek to undermine established cyber norms.
“State and non-state actors are using cyberspace increasingly as a platform for irresponsible behavior from which to target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them,” reads the joint statement. “We call on all states to support the evolving framework and to join with us to ensure greater accountability and stability in cyberspace.”
Although the statement echoes norms established at past U.N. meetings, the effort to hold nation-states accountable comes as two separate groups are pushing their own efforts to establish what those norms should be.
Several norms have been established over the past few years at the U.N. through a process known as the Group of Governmental Experts (GGEs), with representatives from approximately 20 countries interested in determining what’s acceptable behavior in cyberspace.
But over the course of the last year as the dialogues have stalled, some nations have been pushing for an alternative norms-creating forum. One group, known as the Open-Ended Working Group (OEWG), was established over the last year by Russia and China — two governments known for flagrant efforts to interfere in other states’ domestic politics and conduct cyber-enabled theft of intellectual property. That group started holding its own set of meetings recently.
Contested cyber norms
Some experts see the Open-Ended Working Group — which met for its first substantive meetings two weeks ago — as a challenge to the Group of Governmental Experts’ work. Over the course of several years, the GGE convinced Russia and China to sign onto agreements that conducting cyberattacks against critical infrastructure during peacetime is unacceptable. But in recent years U.N. dialogues have fallen apart over reported objections that advancing the GGE any more could encroach on some states’ right to self-defense.
U.S. Deputy Secretary of State John Sullivan acknowledged during remarks Monday that dignitaries say the new OEWG group meetings may hamper progress made by the GGE over the years, causing a problem for norms that have already been established.
“Over the next two years we are going to engage in not one but two processes,” Sullivan said. “Some expect these parallel processes will create tension. We in the United States, however, view them as opportunities provided that we overlap the past attempts … and past consensus.”
China and Russia don’t have a good track record upholding the established norms. Since about 2016, Russia has targeted the U.S. energy grid, according to a U.S. government announcement in 2018, for example. And although China appeared to bolster its interest in upholding international order in cyberspace by agreeing to stop stealing intellectual property from the U.S., Chinese-linked hacking groups have since continued to target U.S. companies.
Although none of the dignitaries or foreign ministers at the Monday gathering directly called out Russia or China, the subtext was clear: it is the hope of the U.S. and 26 other nations that the cyber norms established under the U.N. GGE will not be diluted as the new working group fashions its own goals.
“All members of the United Nations General Assembly have repeatedly affirmed this framework, articulated in three successive U.N. Groups of Governmental Experts reports in 2010, 2013, and 2015,” the joint statement reads.