A few weeks ago, experts from China and the United States met in Washington in the first formal sessions of the Senior Experts Group on International Norms and Related Issues. This group is one of the outcomes of the deal reached during Xi Jinping’s state visit last autumn. From the Chinese side, it was composed of members of, amongst others, the Ministry of Foreign Affairs, the Ministry of National Defense, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security, while the U.S. delegation consisted of representatives from bodies including the Department of State, the Department of Defence, the Department of Justice, and the Department of Homeland Security. It is envisaged that the group will meet twice a year.
According to Xinhua reporting, both sides had ‘”positive, in-depth and constructive” discussions on issues concerning international norms of state behaviour in cyberspace, as well as international law and “confidence-building measures in the field.” But what does this jargon, perhaps impenetrable to the outside observer, mean?
The answer to this questions starts with a crystallization of topics that has become increasingly prominent in cyber politics circles over the past few years. The broad question of “how to govern the Internet” has gradually been replaced by more specific elements. One of these is Internet governance, which has become primarily associated with regulating the protocols and technological processes that make it possible for computers and networks to interoperate. Another one is cyber crime, which (self-explanatorily) addresses topics such as child pornography, narcotics and financial fraud.
The norms debate addresses the question of how states should behave in cyberspace. Where the Internet was once celebrated as being completely beyond the reach of state power, it now has become incontrovertible that state actors can wield tremendous influence both in and through cyberspace. This influence can be divided into three categories: first, use of networks for espionage, intelligence gathering, surveillance and monitoring; second, states can use the network to disable or harm their opponents’ networks; and third, states can use the network to engender “kinetic effects,” in other words, damage to enemy targets in real space. One particular concern is the impact of a cyber attack on a country’s critical infrastructure, such as its telecommunication networks, power grid or industrial control systems. In the popular press, this is displayed slightly more juicily as China “switching off the lights” in the West.
This potential for the use of cyberspace in conflicts has raised the very important question of how such acts should be governed. One point d’ appui for many thinkers has been the application of classical international law, and in particular, the law of armed conflict. In other words, where aggression is not permitted in real space, it is not permitted in cyberspace either. China has, for a considerable period of time, expressed strong reservations against this, arguing that cyberspace should not be weaponized or militarized at all. Instead, China proposed that cyber-related security questions should be dealt with through sui generis regimes, for instance, the code of conduct for state conduct in cyberspace it proposed to the UN General Assembly as part of the Shanghai Cooperation Organization. More recently, however, China has come to acknowledge, if sometimes grudgingly, the application of international law in cyberspace.
But even that acceptance still leaves many questions unsolved. How does one define an act of war in cyberspace? Is every intrusion an aggressive act, or should it have particular kinetic consequences? If classical international law recognizes the important role of neutral organizations, such as the Red Cross, how then do we deal with the Computer Emergency Response Teams (CERTs) set up by businesses and national governments, whose role it is to neutralize attacks and prevent harm from spreading.
This is where the development of norms is important. (Re-) writing international law is a time-consuming process, often proceeding at glacial pace. The rapid evolution of cyberspace therefore requires a more flexible approach. Norms, or generally accepted modes of behaviour, can develop much more readily, and form the precursor of more stable legal rules to follow. They provide some measures of consistency and predictability, even if there is no formal enforcement mechanism. Moreover, traditional international law largely deals with traditional sorts of state-to-state conflict. It has little to say about the sort of minor, but continuous skirmishes, that seem to characterize events in cyberspace.
Another reason why norms are important is that states historically have not seen fit to develop legal norms in too much detail. The poster-child example of this is intelligence-gathering. And it is here that much of the chagrin between the United States and China has emerged. Accusing China of wholesale, state-supported intellectual property theft through cyber espionage, the United States is seeking to establish a norm where it is only legitimate for states to conduct intelligence operations against the traditional sort of targets for state-to-state espionage. China, on the other hand, has denounced the American stance on cyber operations as a ploy to maintain its hegemonic status.
What is it, then, that these talks are supposed to bring, apart from more talks in six months time? Some would say it is most important to build trust. For the moment, however, that seems unlikely: there simply is too wide a disparity in perceptions and expectations for trust to be a realistic objective in the short term. A better option, and equally important for avoiding conflict, is transparency. Hopefully, better information about counterparts’ capabilities and intention reduces uncertainty and risk hedging, and thereby also reduces the risk of conflict.