In Cyberspace, Actions—Not Words—Define Norms

Why cyber military conflict has intensified despite multilateral negotiations

Background Paper No. 10

By Michael Depp

Michael Depp is Program Coordinator with the Cyberspace Cooperation Initiative at the Observer Research Foundation America.

Despite numerous warnings of devastating cyber attacks being a new feature of the opening stages of war, the Russian-Ukrainian conflict has reflected a much more muted use of cyber tools than expected. Perhaps Ukraine’s defenses proved more sturdy or cyber war is actually more difficult than we thought. Possibly Russia is holding capabilities in reserve, or the effects are not as public. Regardless, the situation offers an illustration of how norms of behavior in cyberspace develop through actions by states, rather than negotiated agreements. In this case, the most destabilizing cyber actions have not been pursued or failed to achieve their desired effect. For better or worse, this experience will shape the norms around the use of cyber military operations in conflict more than any multilateral diplomatic negotiations or agreements on paper.

The international diplomatic community has been preoccupied for the last decade in developing rules about what states should and should not do in cyberspace—or norms of responsible state behavior. According to the 2015 report of the UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE), states should “cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security.” Yet, military cyberspace operations have continued to become more widespread and frequent, despite these same governments agreeing to broadly respect international peace and security in cyberspace.

This is because the actions of governments have already created de facto norms of behavior as different states pursue their own interests, in this case by normalizing the frequent and repeated use of military cyberspace operations. In this way, the norms coming out of top-down processes such as the UN GGE resemble highway engineers attempting to direct a river with road signs: its course has already been set by the flow of the thousands of tiny springs that supply its waters. Norms of behavior in cyberspace already exist—and they are not the ones on paper agreed to by diplomats in the halls of the multilateral organizations. Instead, frequent government use of military cyber operations to achieve their national interests, with escalatory attacks that build on each other, has become the norm. This behavior is unlikely to change through diplomatic agreements, but requires states to effect change through actions. The recent events in Ukraine may therefore have created an opportunity for more restrained behavior in cyberspace in the future.

How International Cyber Negotiations Fall Short

Increasingly, technology issues have come to the forefront of negotiations between states and within international organizations. These conversations have often become vehicles to try to develop norms of behavior in cyberspace. One of the most prominent and advanced discussions has been at the United Nations, where the GGE and the Open-ended Working Group (OEWG) have worked to find consensus on technology issues including norms of state behavior in cyberspace. The GGE process includes a limited number of UN member states and has produced four consensus reports over the past five iterations since 2010. Included among these is a proposed set of norms of state behavior articulated in the 2015 report. The OEWG is open to all UN member states, and after its first iteration (2019-2021) produced a consensus report as well.

Besides these UN bodies, there is also a plethora of regional and international organizations, such as the Association of Southeast Asian Nations (ASEAN), the G7, and the North Atlantic Treaty Organization (NATO), that have taken up the mantle of proposing or endorsing norms of behavior in cyberspace, often using the work of the United Nations as a benchmark. Likewise, some governments have taken to promoting norms in their bilateral meetings, as during the 2015 Summit between U.S. President Barack Obama and China’s leader Xi Jinping. This meeting was notable for its extension of norms to include a prohibition of cyber-enabled intellectual property theft (despite its lack of long-term success as a functional norm) as well as endorsement of the 2015 UN GGE report.

These meetings seek to codify state behavior to fit within a narrower band of acceptable or responsible actions in an effort to maintain (in the words of the GGE), “an open, secure, stable, accessible and peaceful cyberspace.” The outcomes have included reports or agreements outlining expectations and standards of state conduct in a new medium consistent with existing international law. Through consensus and negotiation, state representatives identify actions that governments should (or should not) take to improve stability and security in cyberspace, and while these norms are voluntary and non-binding, the expectation and hope is that these will transition into universally observed norms such as those protecting embassy staff or the general prohibition of the use of nuclear weapons.

But this consensus and negotiation approach has a major drawback: it tends to avoid the most politically fraught and dangerous topics in order to make progress on the more manageable ones. This is why the topic of military cyberspace operations writ large has not been discussed in these international negotiations, and the conversation has instead focused on preventing “internationally wrongful acts.” In place of this negotiation and discussion at these bodies, a much more powerful process of norms creation has run undisturbed: one where collective action shapes norms directly.

Most commonly, the natural course of norms development is a bottom-up process where repeated actions create norms organically, rather than codification from top-down, centralized bodies. For military technologies, capability breeds use, and this use creates norms. Oftentimes use becomes a norm because it is seen as a valuable activity by all sides involved, such as freedom of navigation in open seas. Conversely a norm could also arise to avoid use if it is seen as too damaging or destabilizing, as with the general reluctance to use nuclear or chemical weapons (before the latter were formally outlawed). But norms are also likely to develop when activities are seen as largely unpreventable. Military cyberspace operations fall in this category. States see the military use of cyberspace as unlikely to end, and furthermore they see cyber operations as a useful policy tool due to their low cost and low risk. This incentivizes them to join in developing and deploying their own cyber tools. This process of state action normalizing behavior carried out over time, which Martin Libicki calls “normalization,” to differentiate it from the norms created through discussion, is in fact the more standard way that norms for military technologies have developed.

An illustrative example of this process is the use and proliferation of military drones. In this case, the United States was quick to create a series of legal and moral justifications for the use of drones because of the perceived immediate value. It relied on readings of the 2001 Authorization for the Use of Military Force, the Constitution, the Charter of the United Nations, and Executive Order 12333 and vested oversight procedures in Title 10 and Title 50 of the U.S. code to justify their use. These justifications became normative (if occasionally problematic) within the United States and, in turn, helped set the tone for the global use of drones. Cyberspace has followed a similar trajectory where capability has bred use, and in turn led to the de facto norms regime currently active in cyberspace: one of frequent and escalatory use of cyber military capabilities.

The Militarization of Cyberspace: Continuous (but Minor) Conflict

Since 2005, 34 states have carried out cyberspace operations; each one has created its own justifications, rules, laws, policies, and strategies that coalesce in the natural, if chaotic, process of norm creation. In many ways this process has solidified into a de facto norms regime of continuous but minor conflict. As Michael Fischerkeller and Richard Harknett argue “...cyberspace’s structural feature of interconnectedness and its core condition of constant contact creates a strategic necessity to operate continuously in cyberspace.” Because cyberspace enables continuous action, there is an underlying assumption that routine but low-level engagement is not only acceptable, it is expected. The cost of connecting to global cyberspace, of being a part of the modern world, is to invite a continuous and constant conflict.

While this conflict may be constant and low level, that does not mean it is uniform in intensity. The vast majority of cyber operations are low stakes espionage and disruption, with more destructive degradation representing only about 12% of attempts. However, there is growing escalation in cyberspace, not within individual conflicts between two states but in the environment as a whole as larger and more important targets such as hospitals become cyber battlefields. Jason Healey and Robert Jervis noted that there is “a two-decade trend of increasing cyber aggression acting like a ratchet, not a pendulum.” As cyber operations become more aggressive and expansive in ambition, they create a baseline for the next one. Each new attack sets the stage for the next one to be more powerful and aggressive with little sign of this process slowing down.

At the same time, the United States will likely exacerbate these trends because it has come to believe that superiority in cyberspace is a necessary component of contemporary warfare. This realization will surely give the notion of restraint in cyberspace little help as other states recognize the need to grow, rather than atrophy, their offensive cyber capacities in order to compete. While this process is likely to make cyberspace even more of a zone of conflict than it currently is, the American policy of “defend forward” is framed very much as a reaction to the current norm regime where conflict is both dangerous and common: “China and Russia...have expanded [strategic] competition to include persistent campaigns in and through cyberspace that pose long term strategic risk to the Nation as well as to our allies and partners.” In its landmark cyber strategy document, the United States government has argued that aggressive behavior in cyberspace is already the norm and its own policies must match this. This helps solidify the norm of “defending forward” as the governing approach to cyberspace operations but also creates new space for other states to build on: after all, if the United States pursues superiority in cyberspace, other states are likely to strive for the same.

Focus on National Solutions to an International Problem

The permissive and escalatory norms regime that states have built runs separately and counter to the regime being negotiated at international organizations. At the same time, since the creation of norms is an evolutionary process, those international efforts will find it impossible to overrule the current state of affairs. They work better at reinforcing an existing consensus than producing a new one. Instead, if progress is to be found in stabilizing cyberspace, it will not come from international consensus but from the states themselves.

States have the most powerful course of action reserved to them: they can change their own policies and plans to help create the norms that they would like. There are numerous examples of governments outlining their policies regarding norms of behavior in cyberspace such as Australia’s International Cyber Engagement Strategy and France’s Military Cyber Strategy. But these often lack concrete proposals for ways in which they will either change their actions, or ensure that future actions conform to these policies. In other cases, documents may discuss the actions as contributing to norms broadly speaking but avoid framing them specifically, as the United States Cyberspace Solarium Commission does. Here, the United States refers to norms as “collective expectations for the proper behavior of actors with a given identity.” Certainly, a true statement and consistent with how norms have arisen in cyberspace, but one that allows the United States to sidestep reconciling its own actions with norms coming from multilateral fora. If governments are as supportive of these international norms and cyber stability as they claim, they need to issue strategies and policies that respect the decisions of the international processes and follow through with them; the status quo indicates that is not yet the case.

In the end, norms are made from actions, not plans or strategies. Many Russian cyber attacks in Ukraine directly contradict the norms that have been agreed to at the United Nations such as the one that prohibits “impair[ing] the use and operation of critical infrastructure to provide services to the public.” Yet, paradoxically, from the horrors of war in Ukraine, some progress may be found upon which to build a more stable cyberspace. Most critical infrastructure targets such as water processing plants and financial institutions have thus far been spared from military cyberspace operations, but at the same time, the Russians unsuccessfully attempted to attack Ukrainian power generation infrastructure and successfully disabled large swaths of the Ukrainian Internet to little effect. Such failures indicate that these operations are not as strategically valuable as originally conceived. In this case, the relative ineffectiveness of cyber attacks could create a basis of restraint for others to follow and may help direct future attacks to more military-focused targets that are not as destabilizing. If critical infrastructure is spared the brunt of cyber attacks in warfare in the future, it will be because of failure on the battlefield and lack of strategic utility, not because it was agreed to at the GGE.

It may seem ironic for governments to show up to international organizations like the UN to discuss issues of peace and stability in cyberspace while at the same time continuing military cyberspace operations unabated. Because military cyberspace operations directly protect and advance governments’ national security, success in limiting this behavior is unlikely to be found in the halls of international organizations such as the UN. If national governments do come to believe there is value to changing the current norms, then they, and they alone, must foster it.

Michael Depp is a junior fellow and program coordinator at the Observer Research Foundation America where he focuses on the future of technology. His research interests include the effects of emerging technology on international competition and the role that digital technology plays in military conflict. He is grateful to Chris Painter for his comments on an earlier draft of this paper; all errors that remain are the author's.