A senior official speaking Feb. 26 at the RSA Conference clarified recent steps by the State Department to publicly attribute and condemn acts of cyber aggression on the part of Russia, calling the actions of the Department part of a deliberate attempt to establish a framework for appropriate nation-state behavior in cyberspace.
“Over the course of the last year and a half, we’ve taken progressively nimble steps to call out malicious state behavior in cyberspace, to attribute this malicious cyber behavior by states,” said Liesyl Franz, senior policy advisor for the Office of the Coordinator for Cyber Issues at the Department of State. “It’s destructive, destabilizing behavior.”
Franz called attention to a Feb. 20 press statement by Secretary of State Mike Pompeo, condemning “a widespread disruptive cyberattack against the country of Georgia” carried out by Russia, which “disrupted operations of several thousand Georgian government and privately-run websites,” according to the statement.
“These operations aim to sow division, create insecurity, and undermine democratic institutions,” Pompeo said.
This process of public attribution and condemnation may not be all that revelatory to those in cyber professions – Franz herself said “it’s not the first time we’ve done it” – but they are deliberate attempt to establish decorum, Franz noted.
“It’s not just to wave a finger and name and shame,” she said. “It’s based on a long process of establishing a framework for responsible state behavior in cyberspace.”
That framework, she noted, is “based on three fundamental things,” which she described as:
- “The applicability of international law to cyberspace,” Franz said. “We don’t need another treaty, the laws that govern us already apply in cyberspace.”
- “Adherence to certain voluntary and non-binding norms of state behavior that have been developed over the course of several years in the UN context, and to which all member states agree to be guided by,” she said, adding as an example, “a state should not attack the critical infrastructure of another state.”
- “The development and implementation of confidence-building measures in cyber issues so that countries have better understanding of what to expect from other countries.”
But establishing rules of the road may not come easy. Discussion centered on the significance of classifying cyber as a “domain” in the same way land, sea, air, and space are considered the four primary domains of warfare.
Dutch Ambassador Timo Koster, who spoke alongside Franz, said he was “closely involved in this particular decision” – while serving as director of defense policy at NATO – to “not only to call it a domain,” but also to identify a cyberattack as a possible trigger for NATO Article 5. “So, a cyberattack could trigger an armed response above a certain threshold,” he said.
Article 5 – the principle that an attack on one NATO nation is an attack on all its members – has only been invoked once in the history of NATO, in the aftermath of 9/11.
“That doesn’t mean that once you call [cyber] a domain that everything is clear, that all dilemmas have been solved,” Koster said, pointing to murky waters that have long existed, even in a more traditional domain.
Koster noted that even after multiple centuries of human sailing the high seas, the treaty that codified the international law of the sea only came into force in 1993.
“It will take probably decades before we have organized and codified and ratified the domain that we now call cyber,” Koster said.