The cyberattack late last year against Sony, attributed by the US government to North Korea, has highlighted the issue of international norms — especially those related to impermissible actions in cyberspace and permissible actions in response to them. Because norms — including binding international law as well as widely-shared informal expectations of proper behavior — are shaped by the practices of states and how other international actors react, the Sony case is itself part of the process of establishing and shaping norms. For the United States to effectively advance norms it must balance secrecy and transparency as well as build and sustain credibility.
For years the US government has talked about promoting international norms as an important pillar of its cyber strategy, though usually without much specificity as to the content of those norms. The United States has been successful in pushing the general notion that international law regarding force and self-defense could apply to some cyberattacks, and that the law of war (international humanitarian law) applies to cyberattacks conducted during armed conflicts. Beyond that, it has been preparing to push diplomatically some additional principles to govern actions in cyberspace, but it has been slow to do so.
The Sony hack has lent urgency to that agenda. In his end-of-year press conference, President Obama addressed the attack on Sony and he highlighted an absence of clear international rules: “[T]his points to the need for us to work with the international community to start setting up some very clear rules of the road in terms of how the Internet and cyber operates. Right now, it’s sort of the Wild West.” Secretary of State John Kerry similarly declared: “This provocative and unprecedented attack and subsequent threats only strengthen our resolve to continue to work with partners around the world to strengthen cybersecurity, promote norms of acceptable state behavior, uphold freedom of expression, and ensure that the Internet remains open, interoperable, secure and reliable.”
Most discussion and commentary about developing international norms for cyberspace brings to mind formal and centralized international processes, such as multilateral negotiations conducted under the auspices of the United Nations or other international groupings. Especially when it comes to international security and national defense, however, norms and interpretations of international law develop mostly through decentralized state practice: states defend their actions and counteractions with arguments and counterarguments that win support or fail among important international constituencies.
That process of developing and refining norms generally works well for conventional military activities because they are so visible. It doesn’t work well, though, for activities that take place in the shadows. For that reason I’ve argued that intense secrecy around states’ cyber capabilities will slow the development and clarification of international law governing cyberattacks or responses to them. The concealment and low visibility of some states’ responsive actions in cyberspace make it difficult to develop consensus understandings even of the fact patterns on which states’ legal claims and counterclaims are based, assuming those claims are even leveled publicly at all.
Furthermore, secrecy makes it difficult to engage in sustained diplomacy about rules. Officials can talk about them at high levels of generality, but can’t get very specific about detailed examples, and it’s therefore hard to reach agreement. Secrecy makes it difficult to verify commitments or demonstrate compliance. Perceived distance between mere words and true actions may be large amid high degrees of secrecy. Some transparency — and resistance to the natural tendency of security agencies to protect operational secrecy — is often therefore critical to a strategy of promoting norms.
It was thus striking when, in written answers to the Senate Armed Services Committee, the then-nominee to be NSA Director, Admiral Michael Rogers, saw a silver lining to the leaks of NSA documents by Edward Snowden: “I believe,” he wrote, “the recent disclosures of a large portion of our intelligence and military operational history may provide us with opportunity to engage both the American public and our international partners in discussion of the balance of offense and defense, the nature of cyberwarfare, norms of accepted and unacceptable behavior in cyberspace, and so forth” (emphasis mine).
It’s especially interesting that Admiral Rogers talks about the Snowden revelations and their impact on norm development in optimistic terms, because the general mood since the documents began emerging has been that the disclosures are damaging to American efforts on cyber norms. But Rogers talked about all this as a positive opportunity to advance the US agenda on norms.
The Sony attack is an occasion for the United States to promote diplomatically some lines of proper and improper behavior, and to defend the legitimacy of reasonable and proportionate responses. The US government is getting ready to roll out some specific proposed norms that it seeks to promote as global guidelines. So far, however, the United States government has been hesitant to reveal details about its own practices (or practices it contemplates) as a means toward establishing such norms. Of course, a high level of secrecy regarding certain aspects of cyber policy and strategy is necessary to their effectiveness, and within the agencies responsible for implementing them that secrecy is also culturally and institutionally ingrained. Radical openness about offensive and defensive cyber capabilities and practices is unrealistic and dangerous. Some rebalancing is needed, however, if normative development is to form a significant part of US international strategy in this arena.
Notwithstanding Admiral Rogers’s optimism, it is also likely that the Snowden disclosures have left the United States with a weaker hand in some important respects, by blurring lines and undermining US credibility in the eyes of foreign partners. For instance, many critics question whether disclosures of major US Internet surveillance programs run counter to American commitment to an open, global web. Disclosures of US government spying on foreign companies, such as Brazil’s Petrobras, have clouded American efforts to distinguish legitimate foreign policy espionage from illegitimate commercial espionage.
Moreover, even to the extent that Snowden revealed some of what the United States does in cyberspace, he didn’t reveal all of it. Whether justified or not, other states will not assume that the disclosed activities are the actual outer bounds of what the United States has done or is prepared to do. So it’s true that the Sony attack and the Snowden leaks provide opportunity for the United States government to push its agenda on international norms, but only if it can discuss some sensitive aspects of its own practices or intentions in a more detailed and convincing way.