International Cyber Codes of Conduct

In Moscow last week, Chinese President Xi Jinping and Russian President Vladimir Putin signed a bilateral agreement on cybersecurity. As part of the deal the two countries pledged to not conduct cyber attacks against each other, to share cyber threat data, and to exchange information technology. Both will also work to jointly counteract technology that facilitates the free flow of information deemed a threat to their respective internal affairs.

The move follows several years of efforts by Russia and China to reduce the dominance of the United States in global Internet governance. In February, both countries jointly submitted an updated version of their 2011 “International Code of Conduct for Information Security” proposal to the United Nations. Among its many recommendations were provisions advocating for state sovereignty in cyberspace and assurances by signatories dominant in the development of information and communications technology to never use their products or services to threaten the stability of nations.

Sovereignty in cyberspace is a concept that justifies greater control over the Internet’s governance and online content by governments. It is particularly appealing to countries like China and Russia, who are apt to censor information deemed a threat to their political, economic, or social stability. Naturally, this idea runs contrary to the core values of most liberal democracies that view the Internet as a global commons dedicated to the free flow of information.

This growing divergence of opinion between authoritarian states like Russia and China and liberal democracies like the United States, Britain, and Japan is being accompanied by increasing coordination of efforts within each camp. Both China and Russia have independently frozen bilateral cyber working group discussions with the United States since 2014. Meanwhile, the United States has since signed security agreements with Japan and Britain aimed at further integrating US cyber defenses and intelligence capabilities with its key allies.

Any future code of conduct for acts in cyberspace will be shaped by this emerging dichotomy. However, resolution of this issue will likely neither be quick nor simple. While the ostensible goal of any binding international code of conduct for cyberspace would be to prevent and defend against cyber attacks, each side is operating under a different set of calculations. For the liberal democracies, the problem is securing the Internet from cybercrime without infringing upon personal freedoms. Their solution therefore focuses much more on safeguarding infrastructure and boosting law enforcement capability than controlling content. For authoritarian states, regime stability trumps all other political and security concerns.

A first step the competing camps might find mutually acceptable would be defining a category of entities off limits to targeted or retaliatory cyber attacks. This would include places like schools and hospitals, traditionally protected during times of war, and critical infrastructure (power grids, telecommunications systems, water supplies, etc.)—targets most apt to trigger full-scale wars if damaged. A basic agreement like this may act as a bridge to more substantial discussions about the larger political and economic security concerns (intellectual property, personal data, social media) at stake in the debate over international cybersecurity.

Ultimately, how states decide to police cyberspace will decide not only the extent to which governments monitor and control the flow of digital information, but also whether the Internet remains a global interconnected commons or drifts toward a balkanized collection national cyberspaces.