Background
The rapid diffusion of information technology has remade economics, culture, and politics. It has transformed commerce. It has made global supply chains possible and generated enormous wealth. It has created social and cultural networks that span the globe. It has enabled people to overcome distance and share knowledge and ideas. It has provided powerful tools for political organization and protest.
Yet the digital revolution has also created new sources of vulnerability. Countries, terrorists, and criminals can shut down power, communication, transportation, and financial networks with the click of a mouse. Cyberattacks can inflict not just massive economic losses but also death and physical destruction. Approximately forty countries have acquired cyberweapons (that is, malware) for use in offensive combat operations. Many more have purchased tools from private cybersecurity firms. Individuals and nonstate groups have begun to use cyberweapons too. Sometimes, they act under the direction of their home governments. In other cases, they operate entirely on their own. Furthermore, the responsibility for a cyberattack can be masked. This makes it difficult, if not impossible, to determine who should be punished. This, in turn, makes it harder to deter an attack in the first place. The global and interconnected nature of the internet also means cyberattacks can cause collateral damage to other networks and computer systems.
Countries have yet to figure out how to limit competition in cyberspace. Malware is impossible to count or control. Agreements like those that limit nuclear competition do not exist for digital weapons. Although acceptance of international law in cyberspace is growing, great uncertainty remains about how it should be applied. Standards determining how cyberweapons are used, what targets are acceptable, and whether a country is justified in responding to cyberattacks with conventional military force remain up for debate.
Major powers, including the United States and China, have signaled a willingness to discuss the nature of cyber threats in recent decades. However, they have been slow to develop a concrete policy framework. Since 2005, a small group of governmental experts has gathered at the United Nations to discuss cyber threats. The group, which includes government representatives from the United States, China, and Russia, signed a nonbinding report [PDF] in 2013. This report showed agreement that international law applies in cyberspace. This means that cyberattacks can be considered a use of force, a country can exercise the right to self-defense if it is the victim of a cyberattack, and the laws of armed conflict apply to cyberwar. The 2013 report also asserted that countries are responsible for cyberattacks that originate within their territories, regardless of who directs them. In 2015, the same group agreed to a set of peacetime norms [PDF] promoted by the United States. Those norms include the idea that countries should not attack each other’s critical infrastructure or target each other’s computer emergency response teams—national agencies that defend against and help recover from cyberattacks. The norms also hold that countries should assist other nations investigating cyberattacks and cybercrime.
However, the 2017 round of negotiations ended with the participants unable to identify new norms or agree how to apply international law to cyberspace. Consequently, the norms discussion at the United Nations split into two parallel paths. In addition to the group of government experts, Russia led the formation of an Open-Ended Working Group (OEWG) on international cybersecurity in 2018. The OEWG was formed around the goal of creating a “more democratic, inclusive, and transparent” forum for discussing cyber norms. This group involves all UN member countries. Some analysts have suggested Moscow’s formation of a larger group was in part a deliberate effort to make consensus more difficult. However, the OEWG has seen widespread participation by countries and nongovernmental organizations. This makes it a potential tool to build confidence, transparency, and communication among countries in their pursuit of cyber norms.
In March 2021, the OEWG reached a consensus on a nonbinding report [PDF]. The report reaffirmed the 2015 recommendations on cyber norms and international law and acknowledged the need for further progress on other emerging issues that have so far seen little international discussion. These other issues include protecting health-care systems and other critical infrastructure and using cyberspace to interfere with other countries’ electoral processes. Although the report does not offer recommendations on how to address these topics, their inclusion could lay the groundwork for future cooperation on international cyber norms.
Subsequent meetings of the OEWG have had less success. Discussions have frequently ended in stalemate. Russia and China have blocked access to critical nongovernmental groups such as technology and cybersecurity firms. This is due, in part, to Russia’s war in Ukraine.
The United States and China have significant disagreements over cyber espionage, cyberattacks, and internet governance. These differences have intensified in recent years as cyber issues have become more significant on the bilateral and global agenda. The two countries have a history of clashes in cyberspace. According to a 2013 Washington Post report, Chinese hackers have stolen information relating to more than two dozen U.S. weapons programs. This stolen information includes the Patriot missile system, the F-35 Joint Strike Fighter, and the U.S. Navy’s new littoral combat ship. The White House, the State Department, the Office of Personnel Management, and NASA have all been breached. Attacks on several companies, including Disney, General Electric, Google, Sony, Symantec, and Yahoo, have also been publicly reported. In addition, Chinese hackers have reportedly targeted negotiation strategies and financial information in energy, banking, law, and other sectors.
In response to U.S. claims of Chinese hacking, China has noted that it is also a victim of cybercrime. China has claimed that the majority of attacks against it originate from internet protocol (IP) addresses in the United States, Japan, and South Korea. Chinese media were quick to echo claims by former National Security Agency contractor Edward Snowden that the United States hacks targets on the Chinese mainland and in Hong Kong.
Indeed, though initially silent on its cyber operations, the U.S. government has itself gradually become more transparent about developing and using cyberattacks. Experts widely believe the United States and Israel were behind Stuxnet. Stuxnet was the malware designed to slow Iran’s nuclear program by damaging centrifuges at the Natanz nuclear facility in 2009. However, both countries have denied any involvement. U.S. Defense Department strategy explicitly recognized offensive cyber missions in 2015. Furthermore, the Pentagon began to develop cyber capabilities that can support military operations. Since 2018, U.S. Defense Department Cyber Strategy embraced a new, more offensive posture, aimed at observing, countering, and disrupting adversary operations before they affect U.S. networks.
Meanwhile, tensions between the United States and China have remained high. The two nations have made repeated attempts to enter into dialogue about each country’s cyber practices. At a 2015 summit, they reached a breakthrough agreement under which both sides pledged not to conduct or knowingly support cyber-enabled theft of intellectual property. Washington and Beijing also agreed to identify and endorse norms of behavior in cyberspace. They also established two high-level working groups and a hotline between them. However, further negotiations on cyberspace yielded little progress since 2015. Little evidence exists that either country has lessened its operations in cyberspace. Relations between the United States and China continue to deteriorate and a shared set of international cyber norms continues to be elusive. Likewise, the risk of a cyber clash escalating between the two countries remains significant.