Russia and China are building on their long-held ‘uneasy friendship ’ with a new cybersecurity agreement. Under the deal, the two countries will jointly counteract technology that may ‘destabilize the internal political and socio-economic atmosphere,’ ‘disturb public order’ or ‘interfere with the internal affairs of the state.’ Russia and China have also agreed to refrain from conducting cyber-attacks against each other—a move that has raised many eyebrows. While some experts suggest that the agreement isn’t likely to result in any real directive to refrain from hacking, former chairman of the US House Intelligence Committee Mike Rogers expressed reservations about ‘these huge cyber resources now cooperating’ which could pose a direct threat to ‘any innovative economy in the world.’
For its part, China has expressed its own concerns over US cyber activities, most recently suggesting that the Pentagon’s latest cyber strategy ‘will further escalate tensions and trigger an arms race in cyberspace.’ Lu Jinghua, a scholar from the Chinese Academy of Military Science, has also questioned the implementation of the strategy itself, doubting the US attribution capabilities and the legal basis for US offensive operations.
The legal basis for state activities in cyberspace is a perennial topic of interest for legal scholars. They debate whether existing international law can be applied in this domain or whether new rules must be written. Wolff Heintschel von Heinegg, Senior Fellow at the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), offers his perspective concluding that ‘modifying and interpreting international law in the way proposed in the article would most probably serve Russian interests, but not necessarily those of other states.’
Of course CCDCOE’s own attempt to apply international law to state activities in cyberspace, The Tallinn Manual Process, has faced its own criticisms over its transatlantic framing—something Jessica Woodall and I will discuss on The Strategist tomorrow.
International law isn’t the only means to govern activities in cyberspace; states continue to jostle to shape international norms in cyber. At the Global Conference on CyberSpace (GCCS), Foreign Minister Julie Bishop called an international agreement on international security ‘premature,’ offering instead her own proposal for peacetime norms that would place critical infrastructure off limits for cyber attacks, recognise the special status of CERTs, and boost cooperation to reduce cybercrime.
Joseph Nye, who moderated the GCCS panel, agreed that ‘the inability to envisage an overall cyber arms-control agreement need not prevent progress on some issues now.’ With these same norms echoed by US State Department Coordinator for Cyber Issues Chris Painter, there is reason for optimism that ‘progress on some issues’ might be possible.
Of course the shaping of state relations is but one of a plethora of challenges in cyberspace.
For Australian and New Zealand businesses the latest threat comes in the form of a $7500 DDoS extortion scheme. Although this may seem like a small hit for some businesses, it represents just a small part of what the Australian Crime Commission estimates is over $1 billion per year in cybercrime damages.
To overcome the threat, it’s becoming increasingly clear that public–private cooperation will be critical. A Department of Homeland Security chief technology officer has called robust partnerships key to national cybersecurity while Japan is pursuing its own measures to boost information sharing and increase secondments between government and the private sector. With the six-month time frame for Australia’s own cyber security review quickly approaching, it will be worth watching how the government will improve its own cooperation with industry, a key priority in the review.