Years ago, I held senior leadership positions in the U.S. military focused on cyber-operations, policy and strategy. What kept me up at night was the concern that a loosely controlled third-party actor or organization — operating with suspicious motivations or questionable skills at the behest of an adversary — might initiate a cyberattack that could escalate to a physical conflict.
The warning signs are there. Consider the NotPetya attack, which was described by Wired Magazine as “an act of cyberwar… that was likely more explosive than even its creators intended.” This nation-sponsored attack demonstrated the dangers that could lead to conflict.
While part of the challenge is technological, it also comes down to establishing and adhering to behavioral norms. In cyberspace, there are no rules that describe and govern what type of behavior is and isn’t acceptable.
There have been several efforts in this direction, notably the U.S.-China Cyber Agreement and work from the United Nations. Unfortunately, the U.N. initiative faltered when several key countries backed out from the original agreement. Similarly, gaps in trust have led to concerns about a breakdown of the U.S.-China Cyber Agreement.
Despite stumbles, these efforts provide a valuable starting point for creating a set of norms. The U.N. addressed a number of unacceptable actions for nations to take against another country such as attacking critical infrastructure, interfering with emergency response efforts, or using foreign networks to deploy wrongful acts. The U.S.-China Cyber Agreement attempted to codify the banning of intellectual property theft for profit.
We can’t afford to let our progress towards setting international cyber norms be impeded any longer, nor can we afford to ignore the problem. There is too much at stake, namely our entire digital way of life.
While addressing these broad challenges is ultimately the responsibility of governments around the world, our efforts to define norms for cyberspace behavior must also actively involve private industry, non-governmental organizations (NGOs) and academia.
In collaborating with colleagues around the world, I have identified five norms that responsible nations should follow during peacetime. If nations follow these norms, it will contribute to an improved, common, international understanding at the technical, operational and policy levels. It will reinforce positive, careful control and oversight of cyber activities. It will also bring in additional responsible partners to these efforts.
Responsible nations should be more transparent about what they are doing in cyberspace and why they are doing these things. There is no expectation of total transparency, but improved transparency can lead to reduced uncertainty and greater stability. This is required for better trust and cooperation on common interest issues.
Responsible nations should establish and enforce standardized procedures for oversight of military, law enforcement and homeland security cyber-operations. This includes risk management assessment and control procedures that provide proper oversight from domestic and foreign policy, technical, intelligence and legal perspectives, as well as effective operational accountability.
Responsible nations should share threat intelligence for criminal and terrorist threats of common interest. Cyber threat intelligence and information sharing programs should focus on indicators of compromise across the stages of the cyber threat lifecycle, as well as contextual information. They should not include personally identifiable information, protected health information, intellectual property or other information that creates surveillance, privacy, liability or legal issues. This norm is particularly important for reducing confusion that can lead to miscalculations and mistakes caused by increased non-state cyber activities that blur the digital environment.
Nations should encourage and incentivize increased industry participation in the development and enforcement of norms of responsible behavior. The private sector owns, operates and maintains the vast majority of the internet, yet the norms discussion has traditionally been a government-only conversation. Industry’s voice is critical because the norms will be more practical and can be enforced by industry much more effectively than by government.
Responsible nations should not employ loosely controlled third-party actors and organizations to engage in cyber activities. The increased use of surrogates, front companies and patriotic hackers by nations is an alarming trend, due to the growing risk of a major cyber event caused by a mistake or unsanctioned action by someone with a personal motivation.
Are these norms realistic? Yes. In fact, an increasing number of U.S.-based cybersecurity companies are actively pursuing some of these norms. The U.S. military has already led the way on the first two proposed norms, and the Cyber Information Sharing Act of 2015 focused on the third and fourth norms.
In addition, U.S. law enforcement, domestic security, intelligence and military organizations are implementing many threat intelligence and information sharing programs with an increasing number of international and industry partners.
The U.S. can lead by example by following these norms of responsible behavior and should engage with world leaders, such as China, to broaden this effort, making it a global one.
Ret. U.S. Army Maj. Gen. John Davis is the Vice President of Public Sector at Palo Alto Networks, a leading provider of cybersecurity solutions. Previously, he served as the Senior Military Adviser for Cyber to the Undersecretary of Defense for Policy, and the acting Deputy Assistant Secretary of Defense for Cyber Policy.