Agreeing to Disagree: Advancing Expert Discussion with Russia on International Cyber Norms

News | September 23, 2020

The EastWest Institute (EWI) and the Russian Institute of International Information Security Issues at Moscow State University (MSU), partnering in the framework of the International Information Security Research Consortium (IISRC), have released a joint working group study on ”Methodological issues of the application of norms, rules and principles of responsible behaviour of states to promote an open, secure, stable, accessible and peaceful ICT environment.” The new report is the result of multi-year efforts to promote Russia’s engagement with the West on the development of coherent international cyber norms. The idea of a joint U.S.-Russia project to explore methodological hurdles in reaching international consensus on cyber norms was first discussed by EWI and MSU leaders in late 2017. 

The initiative was born when the United Nations Governmental Group of Experts’ (UN GGE) fundamentally disagreed on the applicability of international law to states' use of ICT, preventing the group from delivering its 2016/2017 consensus report (Report of the UN Secretary-General A/72/327). The Track-2 MSU-EWI project was supported by the IISRC at its meeting in April 2018 in Garmisch-Partenkirchen (Germany), by forming an international group of experts to discuss methodological differences in, and develop common approaches for assessing the applicability of the UN GGE 2015 report recommendations. At that meeting, MSU and EWI representatives were joined by experts from the Cyber Policy Institute (Estonia and Finland), the ICT4Peace Foundation (Switzerland) and the Korea University Cyber Law Centre (Republic of Korea). 

Understanding the issue’s complexity, participants of the IISRC working group decided to limit their effort to only three norms of the UN GGE 2015 report: paragraphs 13(g), 13(h) and 13(k). Respectively, these norms focus on the requirement for states to take measures to protect their critical infrastructures from ICT threats, the requirement to respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts; and the requirement not to conduct or knowingly support activity to harm the information systems of the authorized emergency response teams of another state, as well as discouraging a state from using authorized emergency response teams to engage in malicious international activity. Working group participants also deliberated general methodological issues of cyber norms implementation, including technical and legal aspects.

By 2020, the participants of this discussion concluded that they were not able to develop a consensus set of recommendations, even for the three selected topics, initially considered to be the easiest for international cooperation and voluntary, non-binding implementation. The disagreements between and Russian and Western scholars in this area are concisely summarized in the joint comment by the experts of the Cyber Policy Institute, the ICT4Peace Foundation and the EastWest Institute, published as an integral part of the report (reproduced below). However, participants agreed to publish their findings and major points of agreements and disagreement, primarily as useful thought-provoking material for diplomats, lawyers and technical specialists involved in the current stage of UN-sponsored efforts within the GGE and the Open-Ended Working Group. 

The need to continue dialogue and joint research among scholars and consultants of different schools of thought was also considered to be a priority to help Russia and the West overcome their political disagreements. This effort follows the EastWest Institute’s many years of building partnerships with various institutions in Russia, starting with the Institute of Information Security Issues (IISI) at the Lomonosov Moscow State University—a leading think tank in this area. See our select joint publications, below:

The EastWest Institute would like to express special acknowledgements to Professor Anatoly Streltsov and Dr. Eneken Tikk for their leadership in shaping the discussion, coordinating the activities of the Working Group and persistently navigating the text of the report to completion. We are also grateful to Dr. Vladislav Sherstyuk and Ambassador Andrey Krutskikh for their political support and help in enhancing outreach to the highest levels of the Russian and international diplomatic communities.

----------------------------------

Comment by experts from the Cyber Policy Institute and the ICT4Peace Foundation, supported by the experts of the EastWest Institute

It is not often that the Western scholars get to work with their Russian colleagues on issues of international information or cyber security. It is unfortunate as the lack of contacts makes it difficult to find ways forward in the climate of political differences and competing world views.

We have found our cooperation with the Russian colleagues extremely informative and useful as it has helped us understand the Russian positions and views on several contested issues. We entered this project at the invitation of the International Information Security Research Consortium, Moscow State University to better understand how our colleagues approach the issue of implementing the norms, rules and principles of responsible state behavior as outlined in the UN GGE report of 2015.

At the end of this project, we can conclude that there are not only political but also fundamental methodological differences in how the Western and Russian scholars approach non-binding norms and international law. These differences make it close to impossible for the Western colleagues to acknowledge and appreciate the proposals made by the Russian colleagues on how to implement the UN GGE recommendations and make them universally accepted. Whether there is agreement to be found on these differences or not, we consider it necessary to highlight these differences to facilitate finding consensus and ways forward in the international cybersecurity/information security discourse.

Experts in this very small group remained divided in three fundamental questions:

  1. The relevance of the existing international law and current state practices to provide guidance on state behavior. The Russian colleagues are much more pessimistic about the susceptibility of existing rules and standards of international law to be usefully applied to issues of cybersecurity without progressive development. Based on our experience and expertise, we consider it possible to apply the rules and standards of existing international law, such as the prohibition of intervention or the obligation of peaceful settlement of international disputes, to issues of international cybersecurity. It would, indeed, require dialogue between states as to how to best interpret and implement these rules and standards.
  2. The nature of the 2015 UN GGE report recommendations for norms, rules and principles for responsible state behavior. In the Russian conception, these norms, rules and principles will be implemented only after they acquire the legally binding status, either by state practice or treaty negotiation. From our perspective, the UN GGE recommendations can be implemented partially on the basis of existing international law and partially by way of national legislation and policy, which, as the Russian colleagues point out, constitutes the exercise of sovereignty.
  3. The relevance of the question of attribution in the three examined GGE recommendations. Differences on attribution are particular to strategic contestants and, between these States, have raised concerns of less than satisfactory implementation of international law. For most of the States, however, attribution remains a still to be developed capacity and capability. Therefore, it is early to conclude whether the issue of attribution is, indeed, an equally significant issue of international law for the international community, or will the improvements and increase in national resilience and capacity resolve this issue in practice.

These divisions are also some of the key issues in the political negotiations that have taken place globally and bilaterally. Therefore, we conclude that successful and global implementation of the recommended norms is unlikely before nations come to agreement of their relevant premises and assumptions.

Most importantly, given these foundational differences, expert exchange, joint academic research and political dialogue must continue. This interaction should also cross disciplinary borders and involve more scholars and experts. Remaining in our trenches will only keep the war of attrition going on.

Full text of the report can be found here