“Keep right on lying to me. That’s what I want you to do.”
― Ernest Hemingway, A Farewell to Arms
Most liberal internationalists, particularly in the United States, are thoroughly committed to the idea that the development of cyber norms is the key to resolving inter-state conflicts in cyberspace. This is the mainstream consensus in Washington. One need only examine the work of the Center for Strategic and International Studies, the Carnegie Endowment for International Peace, the cybersecurity funding of the Hewlett Foundation, the papers of Joseph Nye for Harvard’s Belfer Center and any other establishment US-based foreign policy center to pick up on this theme.
We appreciate the good intentions behind these efforts. Cyber diplomacy is better than cyber conflict. But in this blog, we make the case that reality has passed the cyber norms movement by. Two critical recent events have, in our opinion, shaken the foundations of the whole strategy. Yet its advocates don’t seem to realize it.
What are cyber norms?
Let’s begin by specifying what adherents mean by cyber norms. A widely accepted definition of a norm is “a collective expectation for the proper behavior of actors with a given identity.” In this case, the “actors” are governments and the collective expectations emanate from other governments and the broader Internet community. To contextualize this definition further, one must also understand what norms are not. Norms are not treaties. They are intended to be a second-best alternative to formal international law, which is perceived as simultaneously a) not in the interests of the U.S., a dominant cyber power which is highly dependent on cyberspace, and b) not feasible because of the inability to get consensus on the specifics of a formal international law. In short, a treaty will never happen, but if it did happen it wouldn’t be good for the U.S. Closely linked to this view is the idea that we don’t need new international law anyway, because existing international laws can be applied to cyber conflict in a workable manner. So to sum up: a cyber treaty is bad, so we need norms; but the UN charter and existing Law of Armed Conflict, which are based on treaties, are OK as a basis for resolving conflict.
One of the better and more systematic cases for cyber norms was stated in a law review article by Kristen Eichensehr:
- Norms are general principles, which are easier to develop and agree on than formal treaties
- Norms are more flexible because they can develop through unilateral declarations, bilateral agreements, or groups of states
- Norms can develop and evolve through state practice – what is meant by “use of force” for example may need to evolve over time with changes in technology
- Even when conflicting norms emerge it can “foster valuable clarity” about a state’s actions
Eichensehr concisely summed up the underlying premise of the cyber norms movement thus:
“states must agree on or at least clarify baseline positions regarding cyber actions in order to avoid conflict in and stemming from cyberspace.”
Why norms fail
The literature and conferences on norms have generated a kind of self-referential momentum based on this premise, and yet, cyber-conflict among states is as intense as ever. While it’s true that there are not a lot of alternative governance mechanisms available, the idea that norm development helps avoid conflict is something that needs to put to the test, empirically and logically. Let’s first make a brief general argument about the limitations of norms and then turn to specific evidentiary exhibits. To respond to Eichensehr’s bullet points:
- Of course norms are easier to develop and agree on than treaties. As general principles with no binding force, it is easy for states to formulate generalities that sound nice and agree to them without any credible commitment. Does this accomplish anything?
- The fact that norms can develop through unilateral declarations, bilateral agreements, or groups of states indicates that they still leave us in a state of anarchy, with multiple actors telling others what they think states should do and plenty of room for maneuvering around constraints states don’t like. But with dozens of different and possibly conflicting norms flying around, how can the discourse have any impact on what states actually do?
- True, cyber norms can – and should – evolve through state practice, but again that means that we don’t really have rules that shape behavior, we just have an open-ended normative discourse. That states will alter their normative positions as facts on the ground evolve, based on their own interests, is a realistic/positivistic description of what will in fact happen, it is not a normative prescription that channels behavior in a certain direction.
- The claim that conflicting norms “foster valuable clarity” about states’ actions is not always true. The parties engaged in a normative discourse – states – are known to be secretive, deceptive, frequently hypocritical, and likely to defect whenever it serves their interest. But even when states honestly formulate and promote their conflicting norms, we are still in a state of anarchy. And usually their actions are clearer than their words.
Two recent incidents of cyber conflict provide support for these jaundiced conclusions: they show that norm development cannot overcome basic conflicts of interest among rival powers, and that states advancing specific norms repeatedly violate them.
Exhibit A: Russian “meddling”
The current hysteria about Russian influence operations in the U.S. is deserving of a Sherlock Holmesian title: “Russian Influence Operations and the Curious Case of the Inverted Norm.”
In 2011, and again in 2015, the Shanghai Cooperation Organization, which is led by Russia and China, released a proposed “International Code of Conduct for Information Security.” The code defines information security to include control of content and exchange through digital media. An analysis by Citizen Lab concludes that “the SCO states promote the Code… in order to extend SCO notions of sovereignty and territorial integrity to the digital space.” The security threats identified include the “use of information to undermine the political, economic and social system of other States,” and “unauthorized transboundary influence through information.” This, folks, is a proposed norm.
Now in advancing its influence operations in the U.S., Russia is obviously violating its own proposed norm. So much for “fostering valuable clarity.” But what’s even more notable is the U.S. reaction to this behavior. Formally, in its policy pronouncements prior to the 2016 election, the US and the West have always rejected the SCO’s Code of Conduct because they realized it was a recipe for international censorship. The SCO Code of Conduct would reverse the Internet revolution by re-aligning information flows and national borders. Yet those who are screaming about the “threat to our democracy” posed by Russian influence operations are, in effect, saying that the ability of the internet to erase national boundaries on the spread of information is dangerous and problematic because, well, foreign enemies might use it to undermine our society. And that is exactly what the Russians and Chinese believe.
And here is the terrible, sad irony of the inverted norm: Russia violates its own norm to harass the U.S. with inauthentic accounts and social media drek. In reaction, the U.S. internalizes the Russian-Chinese Code of Conduct and starts regulating Internet speech. If this is really a “war” between two norms and a free vs. controlled Internet, Congress has already lost it.
To make matters worse, how does the U.S. reaction square with the U.S. position that existing laws of war are perfectly suitable for handling these kinds of cyber conflicts? If one persistently calls this activity a “war” then the U.S. believes that it has a right, recognized in international law, to retaliate against the aggressor with military means. Yes, that means missiles, troops, tanks, guns. Is Renee DiResta, who insisted on the information war label in her testimony before Congress, advocating such an attack on Russia? If not, why not? If the little threads of propaganda insinuated into Facebook or Twitter are an “attack” and “a war,” then why can’t we respond to it with our military might? Conversely, if these actions do not rise to the level of an armed attack, then why is she insisting on calling this a “war,” repeatedly and aggressively?
So let’s sum up the score here: in theory, Russia supports the norms of the code of conduct, but in practice, they don’t. In theory, the U.S. opposes the norms of the SCO code of conduct, but in practice, they do. And intense conflict between them continues. Tell us again how cyber norms create “clarity” and “avoid conflict”?
Exhibit B: the UN GGE’s breakdown
The “information war” label leads us directly into the next failure of the normative strategy. Until last year, the UN Group of Governmental Experts (UN GGE) had been happily developing cyber norms for several years. Overcoming some early disagreements, three prior GGEs in 2010, 2013 and 2015 had established an international conversation on cybersecurity norms and confidence-building measures that had, one observer claimed, “turned into the main international vehicle for discussions on rules of behavior for states in cyberspace.”
In earlier UN GGE’s the issue of the applicability to cyberspace of international humanitarian law and the laws of armed conflict had been finessed with vague language. But in the 2016-2017 UN GGE, the United States pushed for “clear and direct statements on how certain international law applies to states’ use of ICTs,” including the right to self-defense and the international law of state responsibility and countermeasures. The U.S.’s international rivals became alarmed. They feared that invoking those elements of international law would “legitimize… unilateral punitive force actions, including the application of sanctions and even military action by states claiming to be victims of illicit uses of ICTs.” In short, there was a clear conflict of interest between states with military superiority fearing asymmetric warfare and weaker states who wanted to de-link cyber conflict from traditional military conflict. This division seems to have killed off the UN GGE. Despite its successful agreement on a host of other, smaller norms and confidence building measures, there are no plans to revive discussions.
So let’s sum up the score here: norm dialogues are nice but even in the relatively formal context of a UN working group if they threaten to impinge on fundamental state interests regarding the use of power they get thrown aside.
Don’t get us wrong: we are not against normative dialogue at the international level. There is definitely a need to find ways to mitigate state-based cyber conflict. But if we are to preserve the open global internet in an international system based on territorial state sovereignty, we wouldn’t put our chips on cyber norm negotiations among states. Enforceable and enabling cyber-rules are going to have to come from private actors and new transnational governance institutions. States and the anarchy inherent in territorial sovereignty are a big part of the problem, and our understanding of their role has to be framed accordingly.