Can the world come together and agree on cyber norms of behavior? (Graphic by Breaking Defense. Original photos by AltumCode via Unsplash, and Nataliya Vaitkevich via Pexels.)

With the proliferation of cyber technologies over the last two decades, governments and experts have been scrambling to try and come up with a set of behavioral norms. The problem, argues Laura G. Brent of the Center for a New American Security, is that cyber weapons have become a built-in part of the geopolitical strategies for governments around the world. In this new op-ed, she offers some suggestions for how to make cyberspace, perhaps, a little less dangerous. 

Whenever a new technology emerges as a national security issue, governments want to establish norms of behavior. We are seeing it with AI, with unmanned systems, with hypersonic technology — and we have seen it with cyberspace.

Setting norms can be useful. The process itself can have benefits: it requires governments to communicate and develop a better understanding of how different nations view challenging issues. When norms are agreed upon, even if voluntary and non-binding, they can make explicit what may be mutually beneficial to states.

Norms, however, will always struggle when they begin to hit up against the core interests of the nations involved. As cyberspace is now intrinsically tied into traditional geopolitical contests and conflicts — that is, core interests — norms can alter behavior only so much. But hope is not lost: once governments accept the limits of political cyber norms, they can then adapt to the messier reality of cyberspace today.

An excellent case study on the relevance and limits of norms is NSO Group, an Israeli company that develops advanced cyber surveillance tools. NSO Group says it is on a “life-saving mission,” with capabilities that are used by governments for legitimate security purposes, such as search and rescue efforts or disrupting terrorist plots.

But a large collaborative investigative journalism effort alleges that the company’s technology has been subverted to spy on politicians, diplomats, activists, and private citizens the world over. Apple has called [PDF] it an “amoral 21st century mercenar[y],” a journalist has deemed it a “menace to democracy,” and a US Senator has asserted its actions “‘violate human rights and threaten [US] national security.’” In early November, the US government effectively banned technology exports to NSO Group, stating the group’s products allowed for “transnational repression” that “threaten[s] the rules-based international order.”

Amidst this criticism, the Israeli government imposed stricter rules on its industry; now, NSO Group can easily do business with drastically fewer (and no authoritarian) countries. The decision has been portrayed as a “victory” for political cyber norms — the standards of responsible state conduct in cyberspace that, for example, promote human rights. This understanding would have it that Israel, in order to return to the good graces of its fellow democracies, felt obliged to curtail the more aggressive activities of its industry.

The reality: not much has actually changed. Israeli businesses can still request approval to export cyber tools to any nation. Israel is, despite the strength and size of its cyber sector, just one country; others, including democracies, can and will continue to sell similar cyber products (and surveillance represents only one issue in cyberspace).

Norms were also quickly flouted. Even as it imposed stricter export controls, Israel reportedly sparred with Iran in cyberspace, with both nations making each other’s civilians targets — the exact scenario political norms are supposed to preclude. And the fiscal year 2022 National Defense Authorization Act [PDF], recently signed by President Joe Biden, included a provision to enhance cybersecurity research and technology development collaboration between the United States and Israel — hardly the action of one democracy indicating normative displeasure.

The most ambitious norms perpetuate an idea of cyberspace as a realm separate from traditional geopolitical realities and national interests. But behavior in cyberspace will not be better or different than behavior in other domains. Israeli leadership views Iran as an existential threat, so how could cyberspace norms ever be a fully effective restraint?

While governments should not give up on political norms, they should focus on what other tools might also reduce harms in cyberspace. One such tool: technical cyber norms.

If political norms are about lofty, long-term goals for responsible behavior in cyberspace, technical cyber norms are about more limited objectives. They accept as their premise that offensive operations will occur, and they seek to define how such operations can be made safer. This requires a “certain hardheadedness and even cynicism” because governments must negotiate with their adversaries to agree on more mutually acceptable offensive cyber campaigns — for example, those that use tools that have undergone robust testing or incorporate limits on their ability to spread.

This approach is not unprecedented. Consider New START and the Treaty on the Non-Proliferation of Nuclear Weapons (NPT). Both accept that nuclear weapons exist while recognizing the common interest in limiting, respectively, their number and spread.

Implementation of technical norms will be hard and complex, and there will be no traditional inspection as with arms control agreements. But this effort holds promise: it delivers more pragmatic and specific results than political norms.

Another way to promote reliable behaviors comes from states intelligently tailoring their response to malicious cyber activity based on the mechanisms of an attack.

Take the SolarWinds and Microsoft Exchange Server compromises, attributed to Russia and China, respectively. As Dmitri Alperovitch and Ian Ward wrote in March 2021, the SolarWinds compromise was “highly targeted and even quite responsible,” as Russia ultimately accessed only a small, purposeful fraction of the networks it could have; China, however, undertook the “exceptionally reckless and dangerous tactic” of compromising all the servers it could — and doing so in a way that others, whether states, criminals, or individuals, could leverage this compromise.

The United States ultimately imposed higher penalties on Russia (public attribution, technical information release, and a new Executive Order) than on China (public attribution, technical information release, and indictments associated with different malicious cyber campaigns), even though the more indiscriminate attack held greater operational and technical risk.

When deciding on an appropriate response, the United States obviously must take more than the exact technical nature of each compromise into account — geopolitics will always take the lead. But Washington should consider what specific technical methods it may be implicitly ruling in or out of bounds with its decisions on how to respond.

Governments must also remember that they are not always the drivers of technology or policy; cyberspace, more than traditional domains, presents this issue. If Washington and others don’t improve security in cyberspace, industry will take more drastic action. Both WhatsApp and Apple have sued NSO Group for the harm done by its products to their users. Even if these cases fail — which, given their novel nature, is quite possible — risks exist for governments if the private sector independently sets terms for cyberspace. The United States, with its technology companies operating around the world, would presumably have concerns about its companies being similarly sued in foreign jurisdictions.

The current state of cyberspace is grim. Economic impacts from malicious activity are increasing — in the first six months of 2021, suspicious activity report filings [PDF] tied to ransomware payments totaled $590 million, or nearly $175 million more than all of 2020. Business operations — from ports, to meat processing, to pipelines — have suffered significant disruption. And a ransomware attack may have even led to death.

Governments should continue to push for commitments to act more responsibly in cyberspace. They also must acknowledge the limits of these political norms so that they can set clearer, more enforceable, and more useful bounds on activity in cyberspace.

If governments do not consider more creative solutions, there is not much hope cyberspace will change — or at least, not change for the better.

Laura G. Brent is a Senior Fellow in the Technology and National Security Program at the Center for a New American Security. She has previously worked on cyber policy at NATO, within the US government, and in the private sector.