Comments on the 5 Principles

Last week, Secretary of State Kerry proposed five principles for international cyber security cooperation.  The US has floated these ideas in other venues but not at the Ministerial level.  They are a useful way to shape debate, but they are best seen as an opening for discussion.

  • First, no country should conduct or knowingly support online activity that intentionally damages or impedes the use of another country’s critical infrastructure. 

China and Russia would probably prefer that this apply for both conflict and peacetime as a ban on military activity in cyberspace (whether they would observe it is another matter).  One problem is that the line between peace and conflict is increasingly blurred.  Bringing greater clarity to this grey area is a problem that is broader than cyber security.  

  • Second, no country should seek either to prevent emergency teams from responding to a cyber security incident, or allow its own teams to cause harm.

Pretty straightforward; it doesn't cost anything to promise. 

  • Third, no country should conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain.

We're on shaky ground here.  The US has long argued that politico-military espionage is a normal state practice, but commercial espionage is not.  Very few countries accept this.  China, against whom this is probably aimed, has argued that economic espionage builds its economy and technological base and that those are national security issues, so their commercial spying is justified. 

More importantly, nobody believes us when we say we don't participate in commercial espionage.  What I hear from other countries is a general assumption that if they had an NSA, they would do commercial espionage, so the Americans probably can't resist the temptation any more than they themselves could.  Another assumption is that spying is spying, and US efforts to draw these legalistic distinctions are silly.  There's a huge effort to paint NSA as the fount of all evil, driven by anti-Americanism, and saying that nobody should complain about our spying because we did it fair and square doesn't do enough to counter it.

It might have been better to say that countries should fully observe their WTO and TRIPS commitments to treat foreign companies fairly and protect intellectual property.  These are binding commitments that countries like China and Russia have freely accepted, even if they don't observe them.

  • Fourth, every country should mitigate malicious cyber activity emanating from its soil, and they should do so in a transparent, accountable and cooperative way.

Malicious cyber action is a tool of state power.  States aren't going to give it up.  If this were directed at non-state actors (who were not acting as proxies for a state), countries might observe it.

  • And fifth, every country should do what it can to help states that are victimized by a cyber attack.

A decision to help is ultimately a political decision based on relations between the two countries.  This principle treats cyber attacks like natural disasters when they are in fact man-made events where decisions on assistance cannot be divorced from the political context.  For example, the US asked China for assistance during the Sony incident.  The Chinese said, okay, but we need more information, and ended up doing very little.  This principle would need to be better anchored in international laws governing state responsibility to be meaningful.