Long criticized for its shortcomings in effectively tackling cyber threats, the cybersecurity industry is experiencing a paradigm shift. Leading thinkers in the field of security strategy are now broaching discussions about mechanisms to hold cyber criminals accountable, as cyberattacks increasingly pose a risk to international security.
“What we found is that norms are insufficient,” declared James Lewis, Senior Vice President of the Center for Strategic and International Studies (CSIS). Lewis was referring to the United Nations’ cyber norms, which outline 11 voluntary, non-binding rules for responsible state behavior in cyberspace. His comments came during his appearance at the 2023 International Conference on Building Global Cyberspace Peace Regime (GCPR), held in Seoul this past Wednesday.
“In this case of the 11 norms, the majority of them are self-enforcing,” mentioned Lewis. “It turns out that the norms are good to have, and they provide a useful framework, but they are by themselves insufficient to change the status of cybersecurity. So, the discussion internationally has turned from norms and their implementation to create accountability and consequences.”
His remarks were part of a broader panel discussion centered on international cooperation to hold malicious cyber actors accountable. Moderated by Caitriona Heinl of the Azure Forum for Contemporary Security Strategy, the discussion featured a trio of experts, including Benjamin Ang from the Centre of Excellence for National Security (CENS) and Karsten Geier from the Centre for Humanitarian Dialogue.
Both Lewis and Geier bring firsthand experience from their work with the United Nations Group of Governmental Experts (GGE), specifically focusing on cyber norms. Ang, while currently spearheading policy research at CENS on international cyber norms and digital security, has also lent his expertise to the UN’s Open-Ended Working Group on Cyber (OEWG).
In both 2013 and 2015, the UN GGE published reports that focused on the evolving landscape of information and telecommunications within the framework of international security. According to paragraph 19 of the 2013 GGE report, “international law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful, and accessible ICT environment.”
Lewis highlighted key international milestones, including the UN General Assembly First Committee’s adoption of a Resolution on the Program of Action (PoA) on cybersecurity in November 2022. Out of the UN member states, 157 nations voted in favor of the resolution, which advocates for responsible state behavior in cyberspace. Notably, China, North Korea, Iran, Nicaragua, Russia, and Syria voted against it.
Lewis also drew attention to the Counter Ransomware Initiative (CRI), a project launched by the Biden administration last year. He said that the initiative “has not received as much notice as it deserves and has proven to be relatively successful” in comparison to prior efforts in deterring cybercrimes. “The initiative is one of the most interesting collaborative efforts going on. It is voluntary, and the number of members is increasing, now reaching 47,” added Lewis.
The expert outlined three key considerations for effectively coordinating efforts to hold malicious cyber actors accountable. “First, there has to be respect for sovereignty and sovereign independence. You are not joining an alliance to be a member and told what to do. Second, any actions you take have to be consistent with international law. On the third, there has to be common understanding on political attribution. You need to have the ability to go to the political level and say, ‘these are the people who are responsible.’”
In the concluding remarks of his address, Lewis emphasized the critical need for meting out penalties to malicious cyber actors. “Accountability requires consequences. Someone was talking to me yesterday, asking about why China and Russia do not stop. Why should they stop? There is absolutely no penalty for their actions. Until that changes, I don’t think you will see a reduction in cyberattacks,” said Lewis.
Benjamin Ang, Senior Fellow and Head of the Centre of Excellence for National Security (CENS), delved into the key challenges that often make individual nations hesitant to publicly attribute cybercrimes. For instance, when the Chinese hacking group known as 1937CN compromised the announcement screens at Vietnamese airports, the Vietnamese government opted for a subdued response. “The Vietnamese government not only did not call out the attackers for attribution, but also they actually told the cyber community to show restraint and not to take any dangerous actions in response to the incident,” elaborated Ang.
Addressing the reasons behind such hesitancy, the research head pointed to several factors. Among them, he highlighted the insufficient capability to impose repercussions across diverse sectors like diplomacy, information, military, economy, finance, intelligence, and law, commonly referred to as the DIMEFIL Framework. He also underscored the challenges posed by power imbalances and trade dependencies.
Lastly, Ang emphasized the potential impact of collective action on this pressing issue. “International cooperation can help in terms of imposing consequences on the diplomatic side. I am not asking for military help, which is too risky and escalatory. It can also help small powers to share information and go to law, such as imposing economic sanctions supported by its coalition with great powers.”
The quotes in this article were condensed and edited for clarity.
