Failing to get the major cyber aggressors on board with the Paris Cyber Agreement risks the agreement becoming nothing more than a paper tiger.
On November 12, 2018, the government of France initiated the Paris Call for Trust and Security in Cyberspace. The declaration was well received by many other governments, with 51 countries, 72 companies of the Cybersecurity Tech, 16 companies of the Charter, 136 private companies, and 92 non-profit entities, universities, and advocacy groups signing on. The pact is intended to develop “common principles for securing cyberspace” and promotes security measures (e.g., risk management measures), as well as guiding values for how states and responsible commercial enterprises will operate in cyberspace.
The latter point bears closer inspection, as attempts to reach international consensus on what cyber norms should entail have typically failed in the United Nations, both in the General Assembly (GA) via proposals brought forward by China and Russia, and in the Group of Government Experts in the Field of Information and Telecommunications in the Context of International Security (GGE). Repeatedly, these efforts have failed to reach their goals, with states disagreeing over fine points or unable to agree on definitions of key terminology. One promising success occurred during the 2017 meeting of the G7, in which members made a declaration on responsible state behavior in cyberspace. The non-binding declaration essentially affirmed that states should not knowingly engage in destructive cyber acts nor support cyber theft to support commercial sectors.
The foundation of the G7 agreement came on the heels of two similarly-themed agreements. The first was the United States’ 2015 landmark “no commercial hack” pact with China that stated neither government would conduct commercial and intellectual property theft for commercial advantage. The second occurred in November 2015, when the G20 collectively agreed to not engage in cyber-enabled economic espionage. What made that even more noteworthy was the fact that many of the states represented were believed to be some of the more aggressive actors in cyberspace, actively carrying out a variety and volume of cyber exploitation.
After the G7 followed suit, it certainly appeared that establishing a more formal international agreement on cyber norms of behavior was within reach. Working through multi-state stakeholders in economically focused groups seemed a logical alternative to an international organization like the United Nations, particularly when addressing economic and industrial espionage. As long as the general principles dictating how states act in cyberspace were agreed upon, ironing out the details seemed routine. However, as recent reports indicate, just because states “promise” to act a certain way does not mean they will deliver. China has been accused of breaking its 2015 pact with the United States, although the volume of attacks has dropped dramatically compared to pre-2015 levels. It is safe to assume that states will engage in any activity to pursue and protect their national security interests. And if a state believes that obtaining information is in its interests, then it would be justified in doing anything to preserve them, including breaking a promise.
And this brings up an important issue. The number of states that did sign the Paris Call for Trust and Security in Cyberspace (particularly in the context of the G20 and G7 agreements) is not as noteworthy as those that refused to sign it—namely, China, Iran, North Korea, Russia, and the United States. All of these states have been suspected of conducting some of the more news-garnering hostile cyber acts, some of which may go against the principles of such a code of conduct. Until these governments get on board, the gesture, while nice, is merely a hollow one, full of good intention without transparency of implementation.
While most governments would generally agree that destructive cyber attacks against critical infrastructure are a no-no, the soft power projected by cyberspace is not so cut and dried, and that gray area is where states can operate with plausible deniability despite the penchant for more aggressive and public attribution. This is too valuable for governments that want to retaliate, show displeasure, or signal without ever having to show more of their cards in the public forum.
It’s fine that the majority of global states can find consensus on what responsible state behavior in cyberspace is. But until the major cyber powers are ready to agree on those principles, it’s yet another group exercise without a conclusion. In the end the Paris Call for Trust and Security in Cyberspace sounds familiar: it provides guidance, it advocates what states should and should not do, but it’s ultimately non-binding. Such declarations serve merely as acts of good faith. Unfortunately, history has proven that such acts of good faith (e.g., the China/U.S. pact, the G20 pledge, the G7 agreement) are more aspirational than functional; more idealistic than bringing accountability to the world stage. As such, the Paris Call is destined to be about as effective.