Russia Gains an Upper Hand in the Cyber Norms Debate

Robert Morgus is a policy analyst with New America’s Cybersecurity Initiative and International Security Program and he is the co-author of the recently published Graphic Guide to Cyber Norms. You can follow him at @RobMorgus.

Last month, Admiral Michael Rogers, the director of the National Security Agency, called the systematic leaks and spread of disinformation during the U.S. election a “conscious effort by a nation-state to attempt to achieve a specific effect.” Later in the same conversation, he highlighted U.S. efforts to advocate “what’s acceptable from our perspective, and what is not” with other countries. The process he’s referring to in the latter statement is a series of ongoing conversations that have played out over the past several years attempting to negotiate and normalize a series of norms that help govern and guide state behavior in cyberspace.

Russian interference in the U.S. election has triggered questions about the value of developing cyber norms and stoked reflection on what a norm is, exactly. As my friend and Carnegie Endowment scholar, Tim Maurer put it to me in a recent conversation, there are really two types of norms. The first type is what he called “actual norms”—the norms that actually describe the predictable behavior of states. Norm is short for normative behavior, and in this context, a normative behavior is a behavior we could and should reasonably expect from a state. There is no controversy that norms like this exist and hold value in preserving a stable international ecosystem.

The value of the second type of norm—what Tim calls an “aspirational norm”—is far less certain. This is the kind of norm the United States advocates around the world and what Admiral Rogers was referring to. These are the behaviors that, while not yet universal or universally accepted, the United States and many of its partners would like to see normalized.

So what does all this have to do with Russia interfering with America’s democratic process? A lot. In 2009, Russia and a group of likeminded states began work on a proposal for a broad international treaty on information security. In their view, the set of norms that governed state behavior before the rise of the internet did not translate to state behavior in an internet age. In other words, a new digital age required new norms.

Many in the United States, Europe, and elsewhere flatly rejected the proposition on the grounds that international laws existing offline should and do constrain online behavior. The problem with this approach is that saying something exists does not make it so. International law dictates that states are prohibited from interfering in the domestic affairs of other states. Whether or not this norm is an actual norm or an aspirational norm is up for debate, though anecdotal data suggests it is more aspirational.

Nevertheless, in a 2011 letter to the United Nations General Assembly outlining a proposal for an “International Code of Conduct for Information Security”, the Russian coalition proposed a codification of this concept, stipulating that states subscribing to the Code pledge to “not use information and communications technologies and other information and communications networks to interfere with the internal affairs of other states or with the aim of undermining their political, economic and social stability.” In parallel, Russia and others have pushed to further solidify this and other proposed norms in treaty form.

Russia’s information operations could conceivably radically reshape the cyber norms debate and puts the United States in a predicament. Russia is ironically in a better position to advocate the need for binding rules to prohibit non-interference through cyberspace. Even though Moscow is widely believed to be behind the U.S. election shenanigans, it can still argue that a non-interference rule, had it been in place, could have prevented the election tampering.

That puts the United States in the unenviable position of publicly arguing for a ban on using cyber means to interfere in the internal affairs of states but having to reject a seemingly ready-made solution. Almost no one in the U.S. intelligence or national security community actually believes that Russia would abide by a cyber non-interference pact. Furthermore, many in the U.S. cyber policy community in government do not see new treaties as a viable option for cyberspace given the unique challenge of monitoring and verification that exist in the cyber domain. Nevertheless, Russia and its allies can use the election tampering as evidence new UN cyber treaties or codes of conduct are necessary.

Further confounding the United States’ position is the U.S. government’s insistence on creating clear separation between cybersecurity and the concept of information security.  For the last decade, U.S. cyber policy has focused on the security of hardware and software, not determining what content and information should be allowed online. These conversations, in the U.S. view, open the door for human rights abusers to argue for sovereign control of information and crack down on dissenting voices via censorship. But Moscow’s election-related activities brought the importance of Russia’s conceptualization of information security front and center in the United States, possibly making it harder for Washington to separate cybersecurity from information security.

The Russian influence operation on the election was probably not carried out for the sole purpose of creating a bargaining chip for Russian diplomats. It would also be a stretch to argue that the norms debate played into Moscow’s equites calculation. Nonetheless, it is now harder for the United States to convincingly argue against the need for a more structured and enforceable institution codifying the notion of non-interference in cyberspace. From Russia’s perspective, its influence operation against the U.S. election is the gift that keeps on giving.