International Cyber Norms in The Cyber and Information Strategies of The Russian Federation and The Netherlands

Academic year: 2021

International Cyber Norms in The Cyber and Information Security Strategies of The Russian Federation and The Netherlands

Written by: Benno Elderkamp

Student number: 1227386

Supervised by: Prof. dr. B. Van den Berg // Liisi Adamson

Second Reader: Prof. dr. A.L. Dimitrova

Leiden University

Faculty of Governance and Global Affairs

MSc Crisis and Security Management

Index

Introduction

Research Question

Sub-Questions

Academic and Societal Relevance

Reading Guide

Theoretical Framework

(Cyber) Norms

Cyberspace, Cyber-Security, Information Security, Cyber-Attack, and Cyber Conflict

Securitization

Methodology

Research Design

Case Selection

Research Method

Limitations

Data Collection and Analysis

Documents Used

Operationalization

Validity and Reliability

United Nations Group of Governmental Experts and Cyber Norms

Norm Emergence

Norm Cascade

International Law and Human Rights

Infrastructure

Prevention, Deterrence, Attribution

Norm Internalization

The Russian Federation and Cyber Norms

Infrastructure

Prevention, Deterrence, and Attribution

The Netherlands and Cyber Norms

International Law and Human Rights

Infrastructure

Prevention, Deterrence, and Attribution

Comparison

International Law and Human Rights

Infrastructure

Prevention, Deterrence, and Attribution

Future of the UNGGE

Cyber Securitization

Securitizing Actors

Referent Objects

Existential Threat

Functional Actors

Speech Act

Conclusion

Cited Sources

Introduction

The world has experienced a rising number of cyber-attacks. A particular watershed moment was the 2007 cyber-attacks against Estonia (Tamkin, 2017). It was the first instance in which a state allegedly used state-sanctioned cyber-attacks to advance its own foreign policy objectives. A second important cyber-attack was the 2010 Stuxnet malware attack against Iranian nuclear power plants (Finkle, 2013). Both attacks showed many states that they were unprepared to deal with such attacks. These attacks were an unforeseen phenomenon in the world. Many states scrambled to establish their own cyber-security strategies in order to deal with the issues stemming from cyberspace. States recognized that the insecurities derived from cyberspace would have to be dealt with through collaboration on an international level. These collaborative efforts continue to be undermined by several inherent issues.

One of these issues is the lack of a global mechanism to address cyber-attacks and cybercrime, which limits the ability of states to attribute attacks and assign appropriate punishment. This issue is further problematised by a lack of universally accepted definitions and understandings of many cyberspace-related terms (Radunovic, 2017). Each individual public and private actor tends to use a different set of terms and a different approach in dealing with the insecurities in cyberspace. A lack of common language is a fundamental issue as it problematizes any collaborative effort on cooperation and negotiations (Radunovic, 2017). In recent years, these collaborative and cooperative efforts have come together within the United Nations Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security (UNGGE).

The meetings within the UNGGE were initially promising. Although the initial meetings did not deliver any significant progress, a landmark report was issued in 2013 (A/68/98, 2013). The report constructed a set of norms and concluded that international law was applicable to cyberspace. Both norms and international law were deemed necessary for an “open, secure, peaceful and accessible ICT environment” (A/68/98, 2013, p. 2). The 2015 report emphasised and expanded the progress made in the 2013 report. However, with the 2016-2017 UNGGE, a roadblock was hit.

The purpose of the 2016-2017 meetings was to provide recommendations on how international law would apply in cyberspace. The group of governmental experts failed to reach a consensus and talks collapsed as a fundamental divide had arisen (Markoff, 2017). The divide was between the United States and like-minded states, which include the Netherlands, on one side and the Russian Federation and its allies on the other. The Russian Federation and its allies disagreed on the application of international law to an online conflict. The like-minded states sought ways for international law to be used during or as a means to respond to an online conflict (Grigsby, 2017). The Russian Federation and its allies argued for the creation of a new set of laws to prevent a conflict which they felt should not occur at all (MODRF, 2011; A/69/723, 2015).

A second divide was on the meaning and nature of cyber conflict and cyberspace. The differing approaches dictate the way each side views the construction of the problem and the solution. Whereas the Netherlands speaks of cyberspace, the Russian Federation approaches it as information space. Cyberspace is “understood to cover all entities that are or may potentially be connected digitally” by the Netherlands (MODNL, 2012, p. 4). Information space is defined by the Russian Federation as the “formation, creation, transformation, transmission, use, and storage” of information which affects amongst other things “the individual and social consciousness, information infrastructure and the information” itself (MODRF, 2011, p. 5). These two different ideological approaches led to the collapse of talks at the 2017 UNGGE. The future of the UNGGE remains uncertain, as no new meeting has been planned.

Nonetheless, the Russian Federation remains fixed on its primary objective to promote a new set of international laws, presented as codes of conduct. These laws are to prevent states from developing cyber weapons as a means to interfere in the internal affairs of states (A/66/359, 2011; A/69/723, 2015). In contrast, the Netherlands continues to argue that such laws already exist. The Netherlands firmly believes in approaching international matters consistently and in line with its previous obligations (MFAICSNL, 2017). This means the Netherlands is reluctant to deviate from already established rules and regulations and wishes to establish the cyber norms in adherence to said framework. This reluctance to deviate is part of the like-minded camp's concern for the protection of human rights online and offline. They are concerned about the growing number of states who violate these rights and seek to offset this through the UNGGE (MFAICSNL, 2017). Despite these differences, both camps share a common interest in seeking to improve the stability in cyberspace and to eliminate the incentives which motivate states to take risks.

This thesis will look at how the cyber (information) security strategies of both states have evolved between 2007 and 2017. These evolving strategies will be analysed to determine whether they can explain their divergent ideological approaches towards the cyber norms debate. The theory of securitization will be used to determine to what extent both states have securitized their cyber (information) security strategies. The theory will further be used as a means to determine the potential for reconciliation between both ideologies and the future of the international cyber norms debate.

Research Question

The purpose of the thesis is to answer the following main research question and sub-questions:

Research question: How have the cyber security strategies of the Netherlands and Russia developed between 2007 and 2017, and to what extent can the development of their cyber security strategies explain their (different) ideological approaches towards the cyber norms debate?

Sub-Questions

(1) What are (cyber) norms?

(2) What does the concept of securitization entail?

(3) How has the discussion on cyber norms evolved within the UNGGE working group?

(4) How is the development of international cyber norms framed within Russia’s approach to cyber security?

(5) How is the development of international cyber norms framed within the Netherlands’ approach to cyber security?

(6) What do these developments have in common, and to what extent do they differ?

(7) Is cyberspace securitized?

Academic and Societal Relevance

The research has both academic and societal relevance. The academic relevance lies in the research effort to examine a current development within the world and add to a growing body of research which debates whether cyberspace and cyber-security have been securitized, and if so, to what extent. The research will investigate the motivations behind the two dominant perspectives on cyberspace. These perspectives will be framed within the UNGGE debate on cyber norms. Together, the research would add to the growing body of academic literature which seeks to apply traditional theories like realism, deterrence, and attribution to the field of cyber-security. These theories are applied to test their applicability and suitability, and as a means to gain understanding of an otherwise complex issue.

The societal relevance of the study would be to gain understanding of the Russian Federation's approach to its information security strategies. The Russian Federation's position is interesting as it is one of the major actors within cyberspace whose position is contradictory. It has been noted to seek limits on states' behaviour with respect to cyber-attacks to prevent cyber conflicts. At the same time, the Russian Federation has repeatedly been accused of conducting the same type of cyber-attacks it wishes to prevent. The 10-year (2007-2017) approach could shed light on this duality of thinking.

The Netherlands plays a significant role within the cyber community. The Netherlands is one of the most digitalised states in the world. Nonetheless, it has yet to experience a cyber-attack on the same level as Estonia, Germany, the United Kingdom, and the United States. This is despite the Netherlands containing the largest internet exchange point in the Amsterdam Internet Exchange (AMS-IX). In 2018, ABN AMRO, ING, and Rabobank were hit by a DDoS attack which lasted for several hours before being resolved (Zwienen, 2018). In 2016 it came to light that the Dutch-German company Rheinmetall Defence had been hacked since 2012, leading to a loss of information. It serves as one of the rare occasions that an act of digital espionage could potentially be attributed to a specific Chinese hacker group, although this is unconfirmed (Modderkolk, 2018). However, arguably the most impactful and best-known cyber-attack was the 2011 cyber-attack on DigiNotar. The Iranian secret service allegedly used the vulnerabilities in the digital certification of DigiNotar to spy on Iranian citizens, although some suspect US involvement (Hijink, 2013). However, these cyber-attacks do not compare to those experienced by other states, placing the Netherlands in a rather unique position.

With its relatively small size, the Netherlands is forced to rely on diplomacy and has historically emphasised a firm belief in international law. Examining the Dutch approach could provide valuable, more nuanced information. Similar results would not be present when examining the United States (US), whose foreign policy does not rely entirely on its soft-power capabilities. As one of the largest actors in cyberspace, its relation and approach to the UNGGE norms debate would be influenced by its relationship with the Russian Federation and China. This would effectively devolve into a great power struggle, whereby objective comparison would be clouded by the history of both states. Lessons learned from the Netherlands could be applied to states who are within a similar “disadvantaged” position, on either side of the ideological debate.

By contrasting and comparing Russia and the Netherlands, lessons can be learned from both perspectives. The research could discover areas within which there is potential for conciliation and convergence on cyber norms. Finally, the research may discover the path forward for the establishment of international cyber norms.

Reading Guide

The path of the research is as follows. The focus and relevance of the thesis are explained in the introduction. Following the introduction, the theoretical framework within which the study will operate is discussed in chapter two. The thesis will discuss the methodology in chapter three. The development of the UNGGE cyber norms debate is analysed in chapter four. In chapter five the study will provide an analysis of the Russian development of cyber norms and do the same for the Netherlands in chapter six. The results of the two previous chapters will be analysed to compare and contrast the similarities and differences in chapter seven. Chapter eight will analyse and determine to what extent cyber has been securitized. Finally, chapter nine will conclude the thesis, followed by the cited sources.

Theoretical Framework

A brief examination of the academic literature highlights the lack of commonly accepted definitions for any cyber or information security related term. This is in part due to the inability of states to agree on the meaning of, and the means to solve, many issues in cyberspace. This chapter will elaborate on the theoretical framework which serves as the foundation of the research. The first section will explore the concept of (cyber) norms and answer the sub-question: “What are (cyber) norms?”. The second section will define cyberspace, cyber conflict, cyber-attack, cyber-security, and information security. These definitions are important for the remainder of the thesis and influence its analysis. The third section will explore the theory of securitization and answer the sub-question: “What does the concept of and move to securitization entail?”.

(Cyber) Norms

Finnemore and Sikkink (1998) define norms as “a standard of appropriate behavior for actors with a given identity” (Finnemore & Sikkink, 1998, p. 891). Norms in this sense are approached from a constructivist perspective, whereas a sociologist speaks of institutions when referring to the same behavioural rules. March and Olsen (1998) define an institution as “a relatively stable collection of practices and rules defining appropriate behavior for specific groups of actors in specific situations” (March & Olsen, 1998, p. 948). A difference between norms and institutions is that norms isolate single standards of behaviour. Institutions, on the other hand, focus on a collection of rules and practices and how these are structured together and interrelated (Finnemore & Sikkink, 1998). The danger herein is that norms are often discussed as if they are institutions. Sovereignty, for example, is often discussed as if it is a singular entity, whereas, in reality, it is a collection of norms whose rules and practices change over time (Finnemore & Sikkink, 1998). Cyber norms in this context are thus standards of appropriate behaviour for actors with a given identity in cyberspace. Cyber-security or information security, on the other hand, are not singular entities. They are a collection of norms in the form of practices and rules which change over time and attract new meaning as the norms evolve.

Norms are commonly categorised as either constitutive or regulative norms. Constitutive norms “create new actors, interests, or categories of action (roles)” and regulative norms “order and constrain behavior” (Finnemore & Sikkink, 1998, p. 891). Constitutive norms create or define an activity. Regulative norms establish a set of duties or permissions (Finnemore & Sikkink, 1998). Mazanec (2015) further distinguishes within the regulative norms between constraining and permissive regulative norms. Constraining norms limit the behaviour of states, whereas permissive norms suggest that certain behaviour is acceptable and expected (Mazanec, 2015).

Finnemore and Sikkink go on to suggest a model of the life cycle of norms. The life cycle suggests when and which norms are likely to reach a tipping point to be accepted. The life cycle consists of three stages: norm emergence, norm cascade, and norm internalization. In the first stage, norm entrepreneurs arise who are convinced something has to change (Finnemore & Sikkink, 1998). These norm entrepreneurs use existing organizations and norms to ensure the norms are adopted. When a norm has been adopted, it moves on to the second stage: norm cascade. In the second stage states adopt new norms either in response to international pressure, to enhance their domestic legitimacy, out of conformity, or for the sake of their self-esteem (Finnemore & Sikkink, 1998). In the third stage, the norms become internalized and professionals press for their codification. Over time, these norms are internalized to an extent that they cease to be seen as norms.

The likelihood of norms reaching the tipping point in the third stage depends on the timing. The timing is determined by legitimation, prominence, intrinsic qualities, adjacency claims or path dependence, and world time context. States may adopt certain norms for the sake of legitimacy or international status (Finnemore & Sikkink, 1998). When their domestic legitimacy and power wavers, norms are adopted to perpetuate a state’s own ideology. Norms are also more likely to be adopted when they are held by prominent and powerful states, or when their intrinsic qualities make adopting said norms more likely. Norms that seek to end human suffering or promote equality tend to be valued more and are more appealing to many other states (Finnemore & Sikkink, 1998). Furthermore, norms are more likely to be adopted when they resemble existing norms or can be derived from them. Norms also tend to arise as a result of world events such as economic shocks or wars. Such events tend to lead to the search for new norms and ideas to prevent a reoccurrence of said events (Finnemore & Sikkink, 1998).

Within cyberspace, norms primarily seek “to improve the stability of cyberspace and remove the incentives inherent to cyberspace that encourage risk taking” (Grigsby, 2017, p. 111). Constraining these incentives should improve the stability of cyberspace and decrease the risk of a cyber-attack or conflict (Grigsby, 2017).

Cyberspace, Cyber-Security, Information Security, Cyber-Attack, and Cyber Conflict

In order to discuss the UNGGE norms and the security strategies of the Russian Federation and the Netherlands, it is important to clarify what is meant by the concepts which are to be used in this research. These concepts are cyberspace, cyber-security, information security, cyber-attack, and cyber conflict. This clarification is particularly necessary considering the lack of generally accepted definitions of any of these concepts.

There are many different approaches to defining cyberspace. However, for the purpose of the research Kuehl’s (2009) definition of cyberspace will be used. Kuehl defines cyberspace as: “a global domain within the information environment whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies” (Kuehl, 2009, p. 28).

Cyber-security, as defined by the Netherlands, is “the state of being free of danger or damage caused by a disruption or failure of IT or through the abuse of IT. The danger or damage caused by abuse, disruption or failure may comprise a limitation of the availability and reliability of the IT, violation of the confidentiality of information stored in IT environments or damage to the integrity of that information” (NCTV, 2017, p. 59).

Information security as defined by the Russian Federation is “the state of protection of the individual, society and the State against internal and external information threats, allowing to ensure the constitutional human and civil rights and freedoms, the decent quality and standard of living for citizens, the sovereignty, the territorial integrity and sustainable socio-economic development of the Russian Federation, as well as defence and security of the State” (MFARFIS, 2016, p. 3).

Both definitions are heavily influenced by their specific interpretation and construction of threats. These definitions lack a more generalized and objective approach which would provide a clearer distinction between the two definitions. A subjective approach would also influence the meaning of a cyber-attack and cyber conflict. Thus, for the purpose of this thesis cyber-security will be defined as the protection or defence of ICTs in cyberspace, and the protection of those who function in cyberspace and their assets. These include non-information-based assets that are vulnerable to threats using ICTs (Von Solms & Van Niekerk, 2013).

Information security is defined as the protection of information (data) itself. This includes information beyond ICTs; meaning both online and offline information and information which is stored or transmitted not using ICTs (Von Solms & Van Niekerk, 2013).

The Netherlands defines a cyber-attack as “a series of actions targeted at information systems, where the availability, integrity or confidentiality of the information is affected” (NCTV, 2017, p. 28). The Russian Federation defines a cyber-attack as “an offensive use of a cyber weapon intended to harm a designated target” (Godwin et al., 2014, p. 44). Neither definition is satisfactory, given their very specific construction of the target and of the “tool” with which the attack is to be committed. Thus, for the purpose of this thesis a cyber-attack will be defined as an action or actions within cyberspace targeted at ICTs or those who function within it, where the availability or integrity of ICTs or ICT-dependent systems and information is damaged or disrupted.

For the purpose of this thesis, cyber conflict is defined as “a tense situation between and/or among nation-states and/or organized groups where unwelcome cyber-attacks result in retaliation” (Godwin et al., 2014, p. 44).

Securitization

The potential for retaliation or cyber conflict depends, to a degree, on whether or not cyberspace has been securitized. This section will conceptualize the Copenhagen School's theory of securitization. This conceptualization will be used to guide the research and to answer the sub-questions, including: “Is cyberspace securitized?”.

The Copenhagen School's securitization theory emphasises the danger of framing a societal issue as a security issue. As a security issue, extraordinary measures are allowed to be taken to resolve the issue. The securitizing actor transforms the issue into an existential threat (Buzan, Wæver, & Wilde, 1998). This is not because an actual objective threat exists but rather because the actor presents the issue as such. The threat does not have to be real but can be imagined as well. The weight of a threat thus depends on the perspective of the actor who perceives the threat. However, for extraordinary measures to be taken, the threat must be threatening enough (Buzan et al., 1998).

A successful securitization process has several requirements. The first requirement is to have a securitizing actor; the actor who securitizes an issue by declaring it is existentially threatened. The second requirement is to have a referent object; that which is seen as being existentially threatened and needs to be protected (Buzan et al., 1998). A third requirement is an existential threat; that which threatens the referent object. A fourth requirement is functional actors. Functional actors are “actors who affect the dynamics of a sector, without being the referent object or the actor calling for security on behalf of the referent object, this is an actor who significantly influences decisions in the field of security” (Buzan et al., 1998, p. 36).

Beyond the securitizing actor, referent object, existential threat, and functional actors, the theory requires an audience to be successful. The audience must accept the securitizing actor's move to securitize an issue in order for extraordinary measures to be taken (Buzan et al., 1998). The securitizing actor needs to convince the audience via a speech act that normal rules are insufficient and need to be changed. If the audience is unconvinced, the securitization attempt has failed (Buzan et al., 1998).

The success of the speech act is dependent on two conditions: internal and external conditions. The internal conditions are the linguistic-grammatical construction of the referent object; meaning the speech act must refer to an existential threat, a point of no return, a solution, and follow the dialects that are part of the sector (Buzan et al., 1998). An example of such a dialect is sovereignty for politics. The speech act has a high chance of succeeding when the above-mentioned conditions are met. The external conditions refer to the securitizing actor's social and contextual standing. The securitizing actor needs to be in a position of authority in relation to its audience. It is also easier for the securitizing actor to construct a security threat if it is generally perceived to be threatening, such as guns or a tornado (Buzan et al., 1998).

However, Huysmans (2004) argues that this securitization process tends to narrow democratic elements within a society in order to fight what is perceived as a threat. The law is replaced with norms which have the same force as the law but not the same form. As a result, these norms gradually undermine the separation of judicial, legislative, and executive powers (Huysmans, 2004).

Bigo (2002) argues that through such measures governments have managed to gain control over the political process by utilizing networks of surveillance and data mining (Bigo, 2002). This is because securitization relies on a set of normative assumptions and not objective or empirical facts (Buzan & Hansen, 2009).

Trombetta (2008) argues against the negative assumptions made by the Copenhagen School and as described by Huysmans and Bigo. Trombetta especially argues against the proposed ‘logic of security’ which suggests the term security evokes and justifies a set of extraordinary practices (Trombetta, 2008). The logic of security is that of war which follows a zero-sum understanding of security. The logic of security could supposedly lead to the depoliticization and marginalization of otherwise serious issues (Trombetta, 2008).

In discussing environmental security, Trombetta argues that the logic of security is instead more flexible and not as rigid as the Copenhagen School argues. The securitization of environmental issues has reframed the logic of security and the practices associated with it, as an antagonistic approach to these environmental threats was not the best way to deal with such issues (Trombetta, 2008). Preventive measures proved to be more effective. Within environmental security, the appeal to security has “emphasized the relevance of preventive, nonconfrontational measures and the importance of other actors than states in providing security” (Trombetta, 2008, p. 600). Thus, securitization does not have to lead to the adoption of extraordinary measures. It can also lead to cooperation. In respect to cyber norms, the securitization of cyberspace thus does not have to lead to states adopting extraordinary measures. It can lead to the diffusion of an issue and to cooperation.

Methodology

Research Design

The main focus of this thesis is to examine how the cyber and information security strategies of the Russian Federation and the Netherlands have developed, and to what extent this can explain the different ideological approaches toward the UNGGE cyber norms debate. In order to achieve this purpose, the study will follow a qualitative multiple case study design. The multiple case study design is chosen as it allows for a more in-depth look at how both cyber and information security strategies have been constructed over time, and how this has influenced the international debate on cyber norms. The assumption herein is that their ideological position towards the cyber norms debate should align with their cyber and information security strategies.

Case Selection

The Russian Federation and the Netherlands were both chosen as representatives of the two different ideological sides in the norms debate. The Russian Federation represents the information security side, and the Netherlands the cyber-security side.

The Russian Federation is a global power in cyberspace and plays a significant role in the UNGGE discussions. The Russian Federation has also on numerous occasions been accused of carrying out the type of cyber-attacks the UNGGE seeks to limit. The Russian Federation was chosen instead of China, which tends to focus its efforts in Asia. China has furthermore (so far) not actively used cyber-attacks as a means to further its foreign policy objectives. The Russian Federation was also chosen for the sake of convenience and availability of documents that could be used for this thesis. The Russian Federation simply had more sources available in English than China.

The Netherlands was chosen over the United States as its position on cyberspace is well documented within the academic literature and media. A comparison between the United States and the Russian Federation would result in a battle of great powers and revolve around the extremes of both ideological positions. The Netherlands allows for a more nuanced comparison as it does not possess the hard-power of the United States. The Netherlands is forced to rely on soft-power measures such as diplomacy to further its foreign policy objectives. Latvia, Estonia, Lithuania, Belarus, Ukraine, and the rest of the East-European states all have a certain bias against the Russian Federation as their major adversary. Their security strategies would be influenced by their contentious history.

The decision to look at only two states is the result of time constraints. The scope of the research would otherwise become too broad. There are also only two sides to the debate, which would have meant two more states would have to be added to keep the balance. As stated, the Russian Federation remains one of the few states for which there is enough data available in English. A discourse analysis requires a small data set to analyse. Comparing over ten documents of approximately fifteen UNGGE members would be impossible to do considering the time frame of the research (+/- 8 weeks).

Research Method

The research will use critical discourse analysis to analyse the security strategies of the Russian Federation and the Netherlands. Discourse analysis allows for the study of the ways language is used in texts and contexts. It considers the social and historical context which is important for the study of cyber norms and the ideological positions of states. Through a longitudinal approach, it becomes possible to see how the norms have changed over time and how the position of states has changed with respect to the issue. Discourse analysis looks at the overall strategy and impact of words. It looks at what is written, what is implied, and what is said or left unsaid in a text. As a result, discourse analysis only allows for a small number of texts to be examined. An advantage of discourse analysis is that it is context specific and relevant at any given moment. It can reveal hidden motives and interpret them if necessary. Meaning in cyberspace and cyber norms is never fixed and requires a certain level of interpretation to be understood.

To guide the discourse analysis, the study will use Buzan, Waever, and de Wilde’s (1998) securitization theory. The theory focuses on the framing of speech acts and as such fits the purpose of this study. The theory can help establish emerging patterns, their presentation, and evolution of cyber norms by identifying the relevant actors and determining to what extent the cyber norms and cyber and information security strategies are framed as an existential threat. The study will use both primary and secondary sources. Primary sources will be in the form of the (cyber and information) security strategies and policies of the Russian Federation and the Netherlands. Secondary sources will be the academic literature. The primary sources are used as they can provide a historical account of the cyber and information security strategies. The secondary sources will help to ground the information extracted from the primary sources into reality and contextualise them.


Limitations

Discourse analysis does not provide absolute answers. The meaning of a text is never fixed and open to interpretation and negotiation. This can be problematic when discussing the definitions of cyber related terms, whose meaning tends to change over time and perspective. However, as it is the purpose of this study to analyse these changes, discourse analysis remains the most suitable.

A limitation of using the theory of securitization is that it frames the issue in a certain way. It is possible that certain frames or angles are missed due to this narrowing process. The documents which will be analysed are governmental and thus contain a certain type of language. It is unlikely that the entire truth will be revealed in said documents. Yet, they can still serve as a good indicator as to the direction both states think in. A final limitation is that the study is forced to rely on translations when analysing the Russian Federation’s information security strategies.

The research also has to take into consideration the fact that there is no consensus on the definition of any cyber related terms. The security strategies of both the Netherlands and the Russian Federation tend to use various definitions inconsistently. Thus, although the research provides working definitions in the theoretical framework, this reality has to be taken into account.


Data Collection and Analysis

The research will focus on the cyber and information security strategies between 2007 and 2017. This 10-year time period is chosen as in 2007 Estonia was the subject of a cyber-attack. It was the first time a state used cyberspace to advance its own foreign policy objectives. The attack and the rising number of cyber-attacks subsequently initiated the wider policy discussion on cyber-security and the necessity of developing norms to govern it (Tamkin, 2017). 2017 was chosen as this was the year in which the negotiations within the UNGGE came to a halt, and the pursuit of cyber norms ceased until further notice.

Documents Used

United Nations Group of Governmental Experts

1. Resolution Adopted by the General Assembly A/RES/53/70: Developments in the field of information and telecommunications in the context of international security (1998)

2. Resolution Adopted by the General Assembly on 8 December 2003 A/RES/58/32: Developments in the field of information and telecommunications in the context of international security (2003)

3. Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2010)

4. Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2013)

5. Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2015)

6. Report of the International Security Cyber Issues Workshop Series (2016)

Russian Federation

1. Russia’s National Security Strategy to 2020 (2009)

2. Military Doctrine of the Russian Federation (2010)

3. Conceptual Views Regarding the Activities of the Armed Forces of the Russian Federation in the Information space (2011)

4. Basic Principles for State Policy of the Russian Federation in the Field of International Information Security to 2020 (2013)

5. Military Doctrine of the Russian Federation (2014)

6. Russian National Security Strategy (2015)

7. Doctrine of Information Security of the Russian Federation (2016)

8. Foreign Policy Concept of the Russian Federation (2016)

9. Letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General (2011)

10. Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General (2015)

The Netherlands

1. The National Cyber Security Strategy (NCSS) (2011)

2. The Defence Cyber Strategy (2012)

3. International Security Strategy: A secure Netherlands in a Secure World (2013)

4. Netherlands Defence Doctrine (2013)

5. The National Cyber Security Strategy 2 (NCSS) (2013)

6. International Cyber Strategy – Building Digital Bridges – Towards an Integrated International Cyber Policy (2017)

7. Wereldwijd voor een veilig Nederland – Geïntegreerde Buitenland-en-Veiligheidsstrategie 2018-2022 (2017)

8. Developments in the field of information and telecommunications in the context of international security A/66/152 Report of the Secretary-General (2011)

9. Developments in the field of information and telecommunications in the context of international security A/68/156/Add.1 (2013)

10. Developments in the field of information and telecommunications in the context of international security - Resolution 69/28 (2015)

11. Developments in the field of information and telecommunications in the context of international security - Resolution 71/28 (2017)

Operationalization

The following concepts are operationalized as a means to guide the research into indicators along which the discourse analysis can be codified and the data be analysed.


Theory: Securitization (Buzan, Waever, and Wilde, 1998)

Concept: Securitization

Definition: The process in which a security actor frames a societal issue as existentially threatened by declaring a referent object – which justifies the usage of extraordinary measures to resolve the issue.

Indicators: Buzan, Waever, and Wilde identify several conditions: referent objects, securitizing actors, functional actors, speech act.

• Securitizing actors: The actors who securitize an issue by declaring it to be existentially threatened.

• Existential threat: The object that is potentially harmful.

• The referent objects: Issues that are seen to be existentially threatened and have a claim to survival.

• Functional actors: Actors who are not the referent or securitizing actors, but who significantly influence decisions in the security field.

• Speech act/Audience: The target audience that must be convinced by the securitizing actor’s construction of the referent object’s perceived threat.

Theory: Norms (Finnemore and Sikkink, 1998)

Concept: Norms

Definition: A standard of appropriate behaviour

Indicators: Finnemore and Sikkink differentiate between two different types of norms: constitutive and regulative. Regulative norms are either constraining regulative (Mazanec, 2015) or permissive regulative (Mazanec, 2015).

• Constitutive norms: Constitutive norms create new actors, interests, or categories of actions.

• Regulative norms: Regulative norms order or constrain behaviour and can influence a state’s behaviour.

(1) Constraining regulative norms: Indicate that certain behaviour is not acceptable.

(2) Permissive regulative norms: Indicate that certain behaviour is acceptable.

Theory: Model of the life cycle of norms (Finnemore and Sikkink, 1998)

Concept: Life cycle of norms

Definition: Suggests when and which norms are likely to reach a tipping point to be accepted.

Indicators: The life cycle has three stages: norm emergence, norm cascade, norm internalization.

• Norm emergence: Norm entrepreneurs arise that are convinced something must change.

• Norm cascade: States adopt new norms in response to international pressure, conformity, esteem, and to enhance their domestic legitimacy.

• Norm internalization: Norms become internalized as professionals press for the codification and adherence to these norms.


Validity and Reliability

As the study follows a case study design, it has a limited external validity. The results cannot necessarily be generalized onto other contexts. A similar study applied to two different states on both ends of the ideological spectrum should provide similar results. However, there will naturally be case specific differences.

Although a multiple case study of all UNGGE involved nations would have improved the reliability, time constraints prevent the possibility. The scope of the research would be too wide for a master’s thesis and difficult to control. The vast difference in the available documentation would make any comparison unbalanced. The documents used are institutional documents, which influences the language used in each document. This will influence the reliability of the data and has to be taken into consideration. This can be resolved through the use of discourse analysis, where context matters.

By using the theory of securitization through discourse analysis, specific boundaries are set up which improve the reliability and validity of the research. However, in the case of the Russian Federation, the language barrier has to be noted, which influences the language used.


United Nations Group of Governmental Experts and Cyber Norms

The UNGGE is one of the most important venues for discussing issues on cyberspace and international security. Reports issued by the UNGGE are important in their ability to shape the global agenda on cyber-security. Each report adds to the growing progress of creating an international agreement on responsible state behaviour in cyberspace (Lewis & Vignard, 2016). The purpose of this chapter is to discuss the sub-question: “How has the discussion on cyber norms evolved within the UNGGE working group?”. The chapter has been divided into three sections: norm emergence, to determine how the UNGGE came into being; norm cascade, where the norms will be categorised and discussed; and norm internalization, to discuss the breakdown of the UNGGE and its future, a future which is determined by the norm entrepreneurs in the first stage of the life cycle of norms.

Norm Emergence

In the first stage of the life cycle of norms, norm emergence, norm entrepreneurs arise who are convinced something must change (Finnemore & Sikkink, 1998). There are many different actors within the UNGGE who could be considered norm entrepreneurs. Designating these norm entrepreneurs is problematized due to the inherent nature of cyberspace. Cyberspace is an all-encompassing entity which touches upon all aspects of society. This results in an inexhaustible number of different actors who compete for different threat perceptions (Hansen & Nissenbaum, 2009). Securitization theory assumes the opposite. Although the theory does account for multiple actors, the initiation of the process is done, arguably, by a single securitizing actor (Buzan et al., 1998). The securitizing actor declares an issue as existentially threatened and by doing so, allows for extraordinary measures to be used to resolve the issue (Buzan et al., 1998). In contrast, the life cycle of norms suggests that norm entrepreneurs will respond to the same issue by creating new norms.

What the model and theory have in common is that they both see the state as the most important actor (Buzan et al., 1998; Finnemore & Sikkink, 1998). Although non-state actors can be norm entrepreneurs, only states can adopt and press for the internalization of norms. Similarly, only states can effectively securitize an issue and use extraordinary measures through the logic of security (Buzan et al., 1998). In the context of the UNGGE, state actors also serve as the most important actor, even if only non-state actors are not allowed to participate. However, the cyber norms debate does not only exist within the boundaries of the UNGGE and has been influenced by both state and non-state actors, each of whom on their own called for the creation of an international agreement on cyber norms.

A particularly notable non-state effort was the Tallinn Manual 1.0 and 2.0 (M. N. Schmitt, 2013). With the support of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the manuals focused on the legal obligations of states in cyberspace (Schmitt, 2013, 2017). In essence, the 1.0 Manual focused on interpreting how norms apply to the conduct of states in cyberspace. The 2.0 Manual significantly expanded the scope of the first manual, expanding to include state responsibility, peacetime international law, sovereignty, attribution, and human rights law (Schmitt, 2017). Much of the work done by the Tallinn manual is reflected within the UNGGE norm construction. Non-state actors can be considered norm entrepreneurs and functional actors, as each successive action, to some extent, shaped and informed the UNGGE reports. Nonetheless, the relationship between state and non-state actors is, in terms of power and resources, marked by a balance that is clearly in favour of states (Bannelier & Christakis, 2017).

One of the first state actors to declare the necessity for change at the UN was the Russian Federation in 1998 (A/RES/53/70, 1998). In resolution 53/70, Russia warns of the potential misuse of information technologies by criminals and terrorists. The resolution further suggests something must be done and calls for the development of international principles (A/RES/53/70, 1998). In doing so, the Russian Federation fulfils the requirement to be classified as a norm entrepreneur and potentially a securitizing actor. Criminals and terrorists are both functional actors, in serving as existential threats. Yet, despite this, the resolution fails to suggest a point of no return or a concrete solution and fails the international conditions of the speech act. The Russian Federation is in a position of authority as a permanent member of the UN Security Council. However, there are still issues concerning the audience it has to convince.

The UN General Assembly should in this instance be the audience to be convinced by the Russian Federation’s construction of the threat and solution. However, the resolution was adopted without a vote first by the First Committee of Disarmament and International Security and subsequently by the UN General Assembly, meaning that in both instances there technically was no audience to convince (A/RES/53/70, 1998). If there was an audience, it would have to be the members of the First Committee Bureau (Belgium, Kazakhstan, Chile, Belarus, and Egypt) who made the decision to accept the resolution (UNGAFC, 1998). However, this would be a stretch as none of the official UN documents indicate any form of discussion on the subject had taken place (A/RES/53/70, 1998). As such, the Russian Federation’s 1998 resolution can at best be considered a securitization attempt by a norm entrepreneur, but one that did not meet all of the required criteria to be successful. Since the 1998 resolution, the issue has become part of the UN and evolved through multiple resolutions which were equally all adopted without a vote.

The 2003 58/32 resolution notes an existential threat and functional actors in the potential misuse of information technologies for criminal and terrorist purposes. The referent object has evolved from the 1998 resolution and adds, beyond international security and stability, the integrity of infrastructure of states and the security of states in the civil and military field (A/RES/58/32, 2003). It also called for the creation of the UNGGE but did not call for the creation of cyber norms. This was done in the UNGGE’s 2010 report (A/65/201, 2010).

The 2010 report reaffirmed the existential threat as the malicious use of tools and technologies by criminals and terrorists. It created a new existential threat in expressing concern about the potential usage of ICTs by states as instruments for warfare, intelligence, or political purposes (A/65/201, 2010). As a result of these concerns, the 2010 report calls on states to cooperate in developing a shared understanding on the use and prevention of these malicious tools. International cooperation and the creation of cyber norms were emphasised as being the way to reduce and prevent any misconceptions between states and threats to international peace and security (A/65/201, 2010). The 2010 report further recognises the role of the private sector and civil society as functional actors in reducing these threats. However, the dominant role within the cyber norms debate remained assigned to the states themselves (A/65/201, 2010).

Naming the 2010 report a successful securitization effort, would suggest an end to the process and lead to the use of extraordinary measures, which clearly has not been the case. It would also assume that each new state that joined the UNGGE agreed with the construction of the referent objects and existential threats by the 2010 UNGGE member states and does not take into account the somewhat arbitrary selection of the UNGGE members.

Members of the UNGGE were selected based on regional and political position and the level of interest shown by the state to ensure an equitable geographical distribution. Members of the UN Security Council (UNSC) were added automatically as part of the UN regulations (Lewis & Vignard, 2016). It is thus difficult to determine the direct level of interest participating members had shown prior to joining the UNGGE. Table 1 shows that with each successive round, the interest in the UNGGE and creation of cyber norms has grown (Lewis & Vignard, 2016).

Table 1 Participating Members UNGGE

2004-2005: Belarus, Brazil, China, France, Germany, India, Jordan, Malaysia, Mali, Mexico, Republic of Korea, Russian Federation, South-Africa, United Kingdom, United States of America

2009-2010: Belarus, Brazil, China, Estonia, France, Germany, India, Israel, Italy, Qatar, Republic of Korea, Russian Federation, United Kingdom, United States of America

2012-2013: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, Russian Federation, United Kingdom, United States of America

2014-2015: Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana, Israel, Japan, Kenya, Malaysia, Mexico, Pakistan, Republic of Korea, Russian Federation, Spain, United Kingdom, United States of America

2016-2017: Australia, Botswana, Brazil, Canada, China, Cuba, Egypt, Estonia, Finland, France, Germany, India, Japan, Kazakhstan, Kenya, Mexico, Netherlands, Republic of Korea, Russian Federation, Senegal, Serbia, Switzerland, United Kingdom, United States of America

Source: (Lewis & Vignard, 2016).

It is important to note that due to the UNGGE rules, the Russian Federation as a permanent member of the UNSC was part of the discussion since the first UNGGE in 2004. In contrast, the Netherlands had to lobby or wait for its position in the 2016-2017 UNGGE and as such has arguably been less influential in the debate. However, non-participating states were still able to submit their official response to the UN General Assembly and vote on the final report and continuation of each successive UNGGE (Lewis & Vignard, 2016). Within this context, the non-participating members can be called functional actors in their ability to influence the decisions made in the security field. They can only tentatively be named norm entrepreneurs as their willingness to submit official responses indicated an interest and belief that something must change. However, as their official responses were reactive instead of proactive, it cannot be said they fully embrace the proactive qualities required of a norm entrepreneur. However, naming the permanent members as norm entrepreneurs is equally problematic considering the selection process. What can be said is that irrespective of the existence of securitizing actors and norm entrepreneurs, the UNGGE discussion moved on from the norm emergence stage, and onto the second, norm cascade stage. The potential lack of these actors and entrepreneurs does question whether the norms in the 2013 and 2015 reports can be classified as norms to begin with.


Norm Cascade

This may be difficult considering the way both reports discuss the norms. The 2013 report speaks of “recommendations on norms, rules, and principles of responsible behaviour by states” (A/68/98, 2013, p. 8). The 2015 report changes this by only speaking of “norms, rules, and principles for the behaviour of States” (A/70/174, p. 7). The paragraphs do not make clear which are norms, which are rules, and which are principles. However, accepting Finnemore and Sikkink’s definition of (cyber) norms, norms are a set of rules and practices which govern the behaviour of states (Finnemore & Sikkink, 1998). The differentiation between norms, rules, and principles is minimal. As Shannon (2000) argues, “the more parameters a norm possesses, and the more ambiguous those parameters are, the easier it is for actors to interpret them favourably” (Shannon, 2000, p. 293). This is beneficial to the UNGGE considering that both the UNGGE governmental experts and the UN General Assembly have to reach a consensus to release the final report (Lewis & Vignard, 2016).

A result of this consensus making is that the norms in the 2013 and 2015 reports cover similar themes from which they do not deviate extensively. The norms can be categorized into three themes: international law and human rights; infrastructure; and prevention, deterrence, and attribution (A/68/98, 2013; A/70/174 2015). The themes represent the overarching points of discussion within the UNGGE and the ideological division between the Russian Federation and the Netherlands. In essence, international law and human rights determine the prevention, deterrence, and attribution measures a state can undertake to protect their construction of its infrastructure. The three themes are thus interrelated and affect the way states approach each issue and the UNGGE debate overall. The three themes will thus be used in the rest of the thesis as a means to better structure the research.

International Law and Human Rights

The 2013 UNGGE report was hailed as a landmark report as it concluded that international law was applicable to the use of ICTs by states in the ICT-environment (A/68/98, 2013). However, the report fails to explain how or to what extent international law is applicable, or what it meant by ICT-environment. Following Kuehl’s (2009) definition of cyberspace, ICTs are used as a means to operate and connect with cyberspace. The use of ICT-environment instead may be a more concrete and specific way for the UNGGE to focus on the use of ICTs by states, instead of the more abstract nature of cyberspace. Nonetheless, it is still part of cyberspace and will be referred to as such in order to avoid adding unnecessary confusion to the already ambiguous UNGGE reports.

In their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other States. Existing obligations under international law are applicable to State use of ICTs. States must comply with their obligations under international law to respect and protect human rights and fundamental freedoms; (A/70/174, 2015, p. 12).

The 2015 UNGGE report adds some clarification by explaining which principles of international law are applicable to the use of ICTs by states as mentioned above (A/70/174, 2015). However, like the 2013 report, the 2015 report fails to explain how these principles apply to the behaviour of states. It also fails to explain if and to what extent the respect to protecting human rights and fundamental freedoms override a state’s rights of sovereignty, non-intervention, and territorial integrity (A/70/174, 2015). Besides, as Von Heinegg (2015) argues, there already is a general consensus that the laws, principles, rights, and freedoms as listed above apply to the behaviour of states in cyberspace. The disagreement is not whether they apply, but how they apply to cyberspace. As such, they cannot really be considered constitutive norms, as they do not extend a state’s power, create new interests or categories of action. They are at best constraining regulative norms in that they limit the behaviour of states instead of permitting certain behaviour through permissive regulative norms.

This lack of permissive regulative norms makes it difficult to argue what states are allowed to do in cyberspace in relation to international law and the respect of human rights and fundamental freedoms. This affects the way states approach prevention, deterrence, and attribution measures by allowing states to interpret to an extent the manner in which they seek to protect their infrastructure, which in itself has its definitional issues.

Infrastructure

The definitional issues concern the difference between the various ways the UNGGE addresses the protection of infrastructure. In general, the UNGGE reports’ norms speak of either critical infrastructure or critical information infrastructure but fail to provide a definitional difference between them. Lopez, Setola, and Wolthusen (2012) attempt to make a distinction between the two definitions. They define critical infrastructure as those that are essential for the continued availability and reliability of services. When these critical infrastructures are disrupted or unavailable, they could cause severe economic damage or a loss of life (Lopez, Setola, & Wolthusen, 2012). Critical information infrastructure is considered a critical infrastructure in itself to stress the importance of the ICT sector. However, it is also unique in that it provides the interconnectedness and is a fundamental component to the operating of other critical infrastructure (Lopez et al., 2012). The problem with this definition is that the classification is entirely dependent on the perspectives of states, who do not all agree what is or what is not part of its critical infrastructure or critical information infrastructure (Mattioli & Levy-Bencheton, 2015).

The lack of explanation within the UNGGE reports is problematic as the report does make an explicit difference between the two within the norms. The UNGGE norms mainly address the critical infrastructure of states through permissive regulative norms and frame them as referent objects. States are asked to protect their critical infrastructures; cooperate with states whose critical infrastructures are “subject to malicious ICT acts”; and report responsibly on ICT vulnerabilities as a means to reduce threats to ICT-dependent infrastructure (A/68/98, 2013; A/70/174, 2015, p. 8).

A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public (A/70/174, 2015, p. 8).

States are asked through a single constraining regulative norm not to damage or impair the use of critical infrastructure which provides services to the public. The phrasing of the norm does not make clear whether this indeed means the protection of critical infrastructure which provides services, or the ability of a state to provide services to the public. It also does not explain what may be classified as critical infrastructure which provides services to the public, as technically all infrastructure provides some services to the public. In its current state, it does suggest that states are allowed to conduct and knowingly support ICT activity against critical information infrastructure and that it is not to be considered a referent object.

The only information infrastructure referent object mentioned is the authorised emergency response team’s information systems (A/70/174, 2015). This specification is still problematized by the different criteria used by states in designating what are or what are not authorised emergency response teams. The report also does not make clear to what extent a difference will be made between public and private teams. According to the European Union Agency for Network and Information Security (ENISA), the Russian Federation has 2 emergency response teams, whereas the Netherlands has 19 (ENISA, n.d.). The designation of these teams is therefore somewhat arbitrary and explains how different perspectives by states can result in different outcomes.

It does however not explain how both critical infrastructure and critical information infrastructures fit within the framework of international law, human rights, and fundamental freedoms. It makes it difficult to determine the boundaries of these referent objects. This is especially so considering that the most significant threat to states is not damage or disruption of their infrastructure, but rather cyber espionage or hacktivism.

These activities are largely perpetrated by non-state actors and do not have to damage or impair the critical infrastructure or critical information infrastructure of a state (Bendovschi, 2015). Instead, states were more likely to be victims of a cyber-attack which granted unauthorised access to information (Bendovschi, 2015). Espionage has an ambiguous position in international law and is technically not forbidden by it; although the practice is frowned upon by other states (Weissbrodt, 2013). States may want to avoid discussing cyber-espionage in the UNGGE context. It would lead to an entirely separate discussion on the legality of espionage and states rarely articulate their views on the relationship between espionage (intelligence activities) and international law (Deeks, 2017). This is because states tend to refrain from limiting their own flexibility in protecting themselves through means that are not unlawful (Deeks, 2017).

However, discussing cyber-espionage would arguably fall within the mandate of the UNGGE. Its mandate as established in resolution 58/32 is to “consider existing and potential threats in the sphere of information security and possible cooperative measures to address them” (A/RES/58/32, 2003, p. 2). Cyber-espionage is an existing threat within the sphere of information security but does not necessarily threaten to damage or disrupt the infrastructure of states. This argument is however entirely dependent on how the UNGGE defines existing threats; something which it has not done in any of its reports.

Yet, there is no doubt that the UNGGE has securitized critical infrastructure and critical information infrastructure. What that means however, is up to the interpretations of states. It has arguably less to do with their physical structures, but more with their ability to provide services. It could indicate that it would not matter if a specific infrastructure was damaged, as long as its overall ability to provide services to the public was not inhibited. This ambiguity can be problematic when discussing prevention, deterrence, and attribution measures which are heavily dependent on what is or what is not deemed a referent object, and what is or is not an existential threat.

Prevention, Deterrence, Attribution.

Most of the prevention, deterrence, and attribution measures presented within the norms revolve around the notion that cooperation and the exchange of information can reduce the threats from cyberspace (A/68/98, 2013; A/70/174, 2015). However, much like the other norms, the norms on prevention, deterrence, and attribution are limited and ambiguous.

States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security (A/70/174, 2015, p. 7)

The norms on prevention, deterrence, and attribution are mainly framed as permissive regulative norms and promote cooperation and the exchange of information (A/68/98, 2013; A/70/174, 2015). States are asked to not knowingly let their territories be used for internationally wrongful acts (A/70/174, 2015). The report fails to mention what internationally wrongful acts are or how states are supposed to prevent these acts. In many cases, cyber-attacks are only discovered as they occur, and others are only discovered after they have run for several months or even years (Guitton, 2017). An example of this is Stuxnet. Researchers at Symantec believe that the computer worm was developed as early as 2005 and deployed in 2007. However, the attack was only discovered years later in 2010 (Finkle, 2013). As such, it is difficult for states to take appropriate measures to prevent these threats and protect their infrastructure from them.

Yet, states are still asked within the UNGGE norms to take reasonable measures to ensure the integrity of the ICT supply chain and to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions (A/70/174, 2015). Abelson et al. (2015) argue that instead of leading to more security, such preventative measures would lead to less security. They would limit the number of available tools and mean that malicious actors would concentrate their efforts on only a small number of targets. Furthermore, despite these measures, there will always be many different alternatives available for state and non-state actors to acquire their tools, so the measures will not deter them in their activities (Abelson et al., 2015).

Although the measure has a deterrence quality, the UNGGE norms do not address issues concerning deterrence directly and they are mainly grouped together with preventative measures (A/70/174, 2015). The issue is that the constraining regulative norms only limit behaviour and seek to prevent it, but do not actively seek to deter it as well. This is rather problematic considering that deterrence can play a significant role in regulating the behaviour of states in cyberspace. Nye (2016) argues that the effectiveness of deterrence measures in cyberspace depends on who and what measure is taken. They would rely on evoking humanitarian law and call upon the taboo of using cyber-attacks against civilians (Nye, 2016). As such, these deterrence norms may only be effective against major states and less so against non-state actors, and they have to deal with issues of attribution (Nye, 2016).

The UNGGE does not directly discuss attribution or what measures states are supposed to undertake as part of their responsibility. The norms only mention that states should consider the relevant information in terms of the larger context of the incident, the challenges of attribution, and the extent of the consequences of attributing an incident (A/70/174, 2015). As it stands, states can be held accountable for a failure to exercise due diligence (Kulesza, 2009). States are expected to undertake reasonable measures, yet the UNGGE reports do not explain responsibility to such an extent and neglect to mention it for the most part. This is despite the fact that responsibility is one of the major aspects of the cyber norms debate, especially considering the legal definitions of aggression, use of force, and cyber-attacks (Kulesza, 2009). Without a proper mechanism to determine state responsibility, states could potentially unilaterally interpret the self-defence article (article 51 UN Charter) within international law and end up in a cyber conflict (Kulesza, 2009; United Nations, 2015).

A further significant issue, however, is that most of these measures are focused on state actors instead of non-state actors. This is despite the fact that non-state actors demand much more attention than state actors and represent the actual dominant threat (Schmitt & Watts, 2016). However, the state-centric approach of international law is inadequate to address the challenge posed by non-state actors in cyberspace. The added principles associated with sovereignty and non-intervention further limit states legally in dealing with or using cyber operations against non-state actors (Schmitt & Watts, 2016). It makes sense that non-state actors are not included within the UNGGE cyber norms debate.

Nonetheless, in their current form, the norms are premature and require multiple iterations before they could potentially be considered sufficient. In their current frame, the norms feel more like placeholders: topics which are important and which will be discussed at a later date. As such, it cannot be said that the norm cascade stage has been successful, and the norms are thus unable to move on to the norm internalization stage.


Norm Internalization

The unsuccessful move came in part as a result of the 2016-2017 UNGGE. The discussion at the 2016-2017 UNGGE had, amongst others, moved towards discussing how international law applied to states in cyberspace. At the centre of the discussion were international humanitarian law (IHL), the right to self-defence, and state responsibility (Markoff, 2017). The final report was supposed to address and clarify the application of these issues and move away from the ambiguity of the previous reports. However, certain states were no longer willing to apply these international laws, rules, and principles to cyberspace. They believed that they should be free to act in cyberspace to achieve their political ends without limits or constraints (Markoff, 2017; Rodrigues, 2017).

The same group of states believed that certain parts of international law were incompatible with the objective of the UNGGE to seek the peaceful settlement and prevention of conflicts. This fear was particularly aimed at the inclusion of IHL, state responsibility, and the right to war (jus ad bellum) (Markoff, 2017; Rodrigues, 2017). It was thought that states could potentially use international law to justify punitive actions such as sanctions or military actions in cyberspace. States could do so by claiming to be victims of a malicious cyber-attack and retaliating under the justification of self-defence (Mačák, 2017; Markoff, 2017; Rodrigues, 2017).

This frame of logic follows securitization theory's logic of security in a rather conflicting way. In essence, these states are securitizing against what they believe is a successful securitization process of other states. They believe other states will use extraordinary measures to resolve their issues. The UNGGE reports naturally do not reflect this sentiment, although their ambiguity does leave much room for interpretation.

Dependent on this interpretation, it may appear that there is indeed a way in which states are able to justify their “punitive” response. This is especially true concerning the norms on prevention, deterrence, and attribution (A/70/174, 2015). The lack of clarity on these norms may allow states to respond in certain ways which could be deemed to go against the international law, rules, and principles in cyberspace. States are only asked to take into account several considerations, but no limit is placed on their response or on how this relates to issues of responsibility.

The logic of security in the argument suggests states could securitize any cyber-attack and use this frame to justify extraordinary measures. However, the 2013 and 2015 reports do not discuss the issue of self-defence or the right to war (jus ad bellum) (A/68/98, 2013; A/70/174, 2015). Securitization through this framework is therefore only possible due to the ambiguities present in the reports. Instead, the reports for the most part securitized states' critical infrastructure and critical information infrastructures as referent objects, and criminals, terrorists, and extremists as existential threats. States in this instance were framed as both referent objects and existential threats.

How these ambiguities in framing are understood depends greatly on the interpretation of the states that encounter them. The following chapters will delve into the security strategies of the Russian Federation and the Netherlands to determine their position towards these contentious issues, using the three main themes derived from the 2013 and 2015 reports, namely: international law and human rights; infrastructure; and prevention, deterrence, and attribution. The lack of clarity on these issues within the UNGGE invites states such as the Russian Federation and the Netherlands to take different interpretive positions and leads to unnecessarily complex situations which are difficult to resolve and in which it is difficult to ensure the application of international law in cyberspace.
