The false promise of cyber conventions: Why the West is losing and what to do about it

By Jeppe T. Jacobsen, Brandon Valeriano | September 15, 2023

Image: Group of people around a table with a cybersecurity shield on a screen. Illustration by Erik English, edited under license from iconicbestiary / bf87 / Adobe

There wasn’t much hope as delegates of the sixth negotiating session of the Ad Hoc Committee (AHC) gathered in New York in late August to develop a new United Nations convention on cybercrime. From the start, diplomats downplayed expectations by noting that the final text “wasn’t expected to be especially ambitious.” Updating the 2001 Budapest Cybercrime Convention, the first international treaty to address cybercrimes, also didn’t appear likely.

Over at the UN’s Open-Ended Working Group on Information and Communications Technology (OEWG-ITU)—a special session with fewer participants—in late July, Russia, along with Belarus and Nicaragua, submitted a draft proposal for a binding instrument on international information security that almost derailed years of effort to establish consensus norms on cybersecurity. In order to approve a progress report, the Open-Ended Working Group on Information and Communications Technology resorted to “footnote diplomacy” to satisfy Russian demands, while also holding back Western rejection of the proposal. With footnote diplomacy, disagreements, caveats, and ambiguities between states are put in the footnotes at the last minute, effectively undermining the power of the negotiated document’s paragraphs.

To counter Russia, China, and their allies’ aggressive attempts to undermine existing cybersecurity norms, the United States and Europe must refocus and strengthen their cyber diplomacy efforts. Safeguarding and promoting accountability and liberal values in cyberspace requires the Western alliance to include cybersecurity norms promotion in trade, development, and diplomatic cooperation with the majority of still undecided states. It also requires Europe and the United States to engage organizations that influence the technical functioning of cyberspace. This can be achieved by positioning national experts in the international standards institutions and better regulating product security for software manufacturing (often termed standards and regulations).

The failure of responsibility. Cyber diplomacy is a new and emerging field, distinct from cybersecurity in that it seeks to make diplomacy about cyberspace and technological issues the core function of the enterprise. Ask any newly minted cyber diplomat, and they will indicate the goal is to promote much-needed norms of responsible state behavior in cyberspace. Yet, few genuinely believe that progress in international negotiations is forthcoming.

Efforts by the United Nations Open-ended Working Group to develop a new cyber agreement that moves past prior attempts by the United Nations Group of Governmental Experts (GGE) have failed. Instead of developing a plan of action with concrete next steps, the United Nations Open-ended Working Group adopted a progress report akin to a warning sent to mischievous students. The group cannot even agree on a common lexicon of terms, let alone how to move forward on establishing an enforceable convention that respects human rights and protects against cyberattacks on critical digitized infrastructure.

Part of the reason for these failures is a fundamental disagreement on the definition of “responsible” when it comes to state behavior in cyberspace. To the like-minded countries mainly in Europe, North America, and Oceania, responsible state behavior entails the promotion of voluntary, nonbinding cyber norms that seek to prevent state-sponsored theft of intellectual property, cyberattacks on critical infrastructure that impact civilians, the proliferation of ransomware, and electoral interference, as well as invoking a commitment to the applicability of existing international law.

States such as Russia, China, and Iran find it “responsible” to ensure sovereign control over the data streams in their respective territories to prevent destabilizing online content from spreading. China made moves to declare the dissemination of false information a crime, while Iran and Pakistan wanted to establish religious insults as a crime under the new convention.

It is with this agenda that Russia’s promotion of a new legally binding convention on cybercrime should be understood—that is, to silence critical voices but also to limit cyber risks to critical infrastructure imposed by Western militaries while avoiding responsibility for the harms that originate from within their own borders. The best many cyber diplomats can realistically hope for under this context is a general political document devoid of mechanisms for enforcement.

Multinational companies have also entered the international cyber norm promotion arena. Microsoft, for example, shares concern with Russia, China, and their allies regarding the increasing presence of militaries in critical digital infrastructure. However, the tech company considers a Digital Geneva Convention to be responsible because it can minimize the exploitation of commercial IT products and ensure the privacy of its users globally. As recent work has shown, Microsoft’s status as a very profitable corporation has prevented the company from effectively halting the United States’ militarization of cyberspace. Instead, Microsoft has turned to multistakeholder fora and hangs on to support for cyber defensive efforts in Ukraine to promote its agenda.

Loose norms. The difference in perspective has led to a system of loose norms with each group continuously “naming and shaming” one another for being insincere and irresponsible. China recently warned that the United States was a “hacker empire.” Both within the UN and in the private sector, the strategy of name and shame has proven unable to reduce harm through cyberspace.

If the alliance of mainly Western states is going to make progress, then it must move away from the idea of nonbinding cyber norms and move towards a proper framework of standards and regulation. An example of a possible emerging future is the recent effort by the United States and other partners—including Australia, Canada, the United Kingdom, Germany, Netherlands, and New Zealand—to promote security-by-design and default. The guidance by these nations sets forward standards for software manufacturers to build security into their products. This could potentially force these companies to improve product security if they wish to do business with Western states.

Currently, the hesitation of the Western alliance to engage in negotiations on legally binding cyber conventions is understandable. All international negotiations on regulatory matters are lengthy processes that leave behind a legal vacuum while they are ongoing. But more importantly, within the United Nations General Assembly, those states sharing values on cyber security with Europe or North America are not necessarily in the majority. The very vocal coalition led by China and Russia is currently mobilizing the large group of undecided states in Africa, South America, and Asia. As a result, current negotiations are unlikely to result in a framework that will lead to an ability to impose costs on cyber criminals or to properly safeguard human rights online.

Moving towards holistic cyber diplomacy. The move towards proper standards and regulations for cybersecurity must start now by seriously reinvesting in, and refocusing, Western cyber diplomacy. Here, two priorities are essential. First, cyber diplomacy should be better integrated into the broader diplomatic toolbox. The undecided majority of states in the UN cyber norms debate must be won over. Russia and China have been successful at gathering support for their positions by taking a holistic approach that includes incentives, persuasion, and socialization. They utilize trade cooperation, development partnerships, military aid, technical capacity building efforts, and information tools to build allies that ultimately support their international position. To more actively compete, Western countries’ diplomatic strategies must mirror such efforts.

Second, the future of the Internet lies within the intersection of politics and technology, and not just at the international negotiation tables but also with the everyday practices at the international institutions that govern cyberspace. China has successfully positioned their national experts at senior roles in institutions such as the International Telecommunication Union (ITU). The West must follow their example.

When governing cyberspace, the devil is in the technical detail. Developing a clear strategy for how the Internet should work technically and then strategically positioning national experts in these emerging institutions can help build the foundation upon which legal and political language can be negotiated.

Unfortunately for those promoting cyber norms and diplomacy, the idea was to move forward based on the strength of the position and moral responsibility, hoping the rest would then follow. This approach has failed once again, and the main victim is anyone hoping for progress on human rights issues in cyberspace. It’s time to only move forward when an overwhelming majority support an accountable cyberspace with enforceable rules. In the meantime, rebuilding a foundation of norms and action based on regulations and standards is the priority.
