Establishing Cybersecurity Norms in the United Nations: The Role of U.S.-Russia Divergence

Establishing Cybersecurity Norms in the United Nations: The Role of U.S.-Russia Divergence

. 6 min read

In June 2021, US President Joe Biden and Russian President Vladimir Putin met in Geneva for the U.S.-Russia presidential summit. This first in-person meeting between the two presidents was set against a backdrop of extremely high levels of tension and disagreement, on issues ranging from arms controls to tensions over US sanctions on Russia. At the same time, both sides emphasized the need for greater stability and predictability in their relationship in order to prevent conflict between the two powers. Among the many important and contentious issues discussed by the leaders during the meeting was the issue of cybersecurity, specifically ways in which to promote predictability and stability in international cyberspace. Agreement on the gravity of this situation led Biden and Putin to even establish a bilateral dialogue on cybersecurity in an effort to set cyber norms.

For the United States, this dialogue is becoming more and more crucial as the country is increasingly plagued by ransomware attacks, including those originating from Russian territory such as the attack on Solarwinds or general misinformation campaigns by the Kremlin. However, while these kinds of ransomware attacks that target critical infrastructure are the main concern expressed by the United States in its current discussions of cyber issues, Russia instead appears to be pursuing this dialogue as a way to gain greater sovereignty over its internet space. This is in line with Russian efforts to implement laws that create a more controlled environment within Russia’s portion of the internet, one in which users are persecuted for their activity and the government has greater power to restrict online content. Hence, despite a mutual desire for stability within cyberspace, this divergence in goals between the United States and Russia raises concerns about the ability to set concrete and enforceable rules on appropriate cyber behavior.

These two states are evidently approaching the regulation of cyberspace from different perspectives, but this incompatibility of goals is observed not just within the U.S.-Russia cyber dialogue—it is evident through broader conversations on how to set international norms for cyberspace. At the UN’s first global meeting on cyber norms in September 2019, the UN and its member states discussed two main processes in setting international cyber norms, one sponsored by the United States and the other by Russia. While the Russia-sponsored Open-Ended Working Group (OEWG) focuses on reaching consensus regarding cyberspace sovereignty and non-interference in states’ political affairs, the American-backed Group of Governmental Experts (GGE) emphasizes an open and free environment in cyberspace. This clash between establishing a free internet and controlling cyberspace presents a fork in the road of whether the UN will ultimately play a key role in establishing cyber norms, or whether this split will simply lead to further splintering on this issue.

UN Efforts: Diverging Tracks

The cyber domain is a relatively new and ill-understood area of international relations. While there have been attempts to relate cybersecurity to nuclear deterrence to determine how to effectively regulate cyberspace, the contrast between these two areas creates the need to establish a new set of norms in order to truly prevent cybercrime. While both methods create environments of fear and uncertainty, the secrecy surrounding cyberweapons as well as their development by intelligence agencies as opposed to the military puts us face to face with a completely new kind of warfare.  This, as well as a growing number of international ransomware attacks, makes it especially important to work on international governance measures to better regulate cyberspace.

Since 2004, states have participated in UN groups to help craft just these norms and regulations. Most recently, two main approaches have emerged within the United Nations. One approach to establishing these norms has been presented in the form of the OEWG, which emphasizes state sovereignty and non-interference in cyberspace when it comes to developing cooperation in cyberspace.

The novel nature of this threat is demonstrated by disagreement on how to best regulate international cyberspace to prevent the escalation to serious conflict. While Russia has pushed for the OEWG as a way to encourage consensus on cyber norms, European states and the United States expressed support for the GGE, which instead promotes an open and free digital environment as opposed to increasing states’ control over the internet. While a lack of consensus is understandable given the novelty of cyber issues, the ability to agree on a unified approach will play a key role in determining how and whether international norms will be developed.

Implications for International Cyber Norms

As evidenced by these two tracks, U.S.-Russia understandings of cybersecurity are a reflection of the broader disagreements on appropriate regulation of cyberspace. Some of this disagreement is also driven by diverging goals—while liberal democracies such as the United States emphasize the importance of “cybersecurity,” countries such as Russia and China instead use the term “information security” to shift the focus away from ransomware and more towards consolidating state cyber sovereignty. Ultimately, interference in the internet space of other countries is not something that liberal democracies would argue for—as evidenced by instances such as Russian interference in the U.S. elections, the opposite would more likely be true. However, the move towards greater state cyber sovereignty already exhibits worrying trends.

For instance, Russian laws that require social media companies to store the data of Russian users on servers located on Russian territory, as well as hand over that information to Russian security upon request, have threatened the privacy of individuals by giving the government greater control over their activity. These stipulations have also received pushback from the American Big Tech giants such as Facebook, Twitter, and Google, who have refused to abide by these rules and compromise the privacy of their users. This emphasis on cyber sovereignty also shifts the discussion away from preventing transnational ransomware attacks, which arguably present a greater threat to international stability than the ability of these states to control content on the Internet.

Overall, this disagreement between states further reflects a fundamental tension between a rules-based order for international governance and an approach that favors a free and open cyberspace environment. With digital authoritarianism on the rise worldwide, repressive states such as China and Russia have worked to secure greater control over their internet spaces, reflecting their emphasis on “information security” as a means of continuing to dictate information flow to  maintain domestic control. Hence, while the OEWG would help facilitate consensus on cyber norms, the emphasis on state sovereignty within this process can also be exploited by states such as Russia to continue increasing control over their information-communication technology (ICT) spaces in order to promote regime stability. This approach, which would allow authoritarian states to crack down on dissenting views within their own cyberspaces, could increase their ability to limit internet freedom and shift efforts away from limiting cybercrime and ransomware attacks. This contrasts with the approach promoted by liberal democracies which, while still leaving cyberspace with the challenges of disinformation and the need for content moderation, instead focuses on the threats posed by potential attacks originating in cyberspace.

Implications for Cyber Space and International Governance

The U.S.-Russia bilateral cybersecurity dialogue is but a small part of the larger international dialogue on the provision of stability and security within cyberspace. However, it is a broader reflection of the divergence between an emphasis on information security or on cybersecurity, especially given the driving role that both the United States and Russia have played on the international stage as well. Not all countries are in disagreement—in 2015, states generally agreed on the implementation of the eleven non-binding norms of 2015 GGE report, which aimed to promote stability in cyberspace and included emphasis on the protection of free expression on the internet and disavowed the malicious use of ICTs. However, there are still concerns about the way in which setting cyber norms could also influence authoritarianism in the world. Given the underlying disagreement between the extent to which states should control their own cyberspace and the differing definitions of cybercrime that arise as a result, the ability to agree on a single set of international norms will rest on resolving this underlying disagreement.

Even if these international norms are set, the peculiarities of international governance suggest that compliance with these norms will continue to be voluntary. However, the ability to agree on these standards of appropriate behavior still carries weight, as it would help dispel some of the tension and uncertainty states currently experience regarding threats originating from cyberspace. This move would also establish international mechanisms for addressing transnational cyber crime, which currently does not exist. Until this tension is resolved, splintering on this issue will simply continue to build pressure and increase the chance for a truly devastating escalation between states.