
Cyber norms: technical extensions and technological challenges

Pages 340-359 | Received 23 Jun 2021, Accepted 26 Oct 2021, Published online: 13 Jan 2022

ABSTRACT

Since the late 1990s, the UN has been home to debates and negotiations on the rules, norms and principles of states' responsible behaviour in cyberspace. As these discussions matured over the years, they have been taken further to different fora and have been embedded in various stakeholder initiatives. In early 2021, the Open-Ended Working Group on Developments in the Field of ICTs in the context of international security (OEWG) and the UN Group of Governmental Experts on advancing responsible state behaviour in cyberspace in the context of international security (GGE) presented their respective consensus reports, the result of over two years' work. It is not only the content of this work per se that is of interest, both in what has been achieved and in which parts of these mandates were less successful. These processes, historically rooted in two decades of GGE efforts, are shaping more than just states' commitments around cyber strategies. They help build an overarching normative environment that shifts priorities in cyber risk management and contributes to the development of voluntary tech-norms, while doing so out of sync with the implications of emerging technologies for the accountability of state as well as non-state actors in cyberspace.

Introduction

Over the last three years, the global internet community’s attention has been drawn towards the work of two international working groups mandated by the UN to advance work on developing standards of responsible state behaviour in cyberspace. The Open-Ended Working Group on Developments in the Field of ICTs in the Context of International Security (OEWG) (OEWG 2021), established by the UN General Assembly in December 2018 (UN General Assembly Resolution A/RES/73/27, 2018), and the 6th UN Group of Governmental Experts (GGE) on advancing responsible state behaviour in cyberspace in the context of international security (UN Group of Governmental Experts 2021) (previously ‘on developments in the field of information and telecommunications in the context of international security’), also established in December 2018 (UN Resolution A/RES/73/266, 2018), have finalised their work with consensus reports.

The OEWG was mandated to continue

to further develop the rules, norms and principles of responsible behaviour of States … , and the ways for their implementation; if necessary, to introduce changes to them or elaborate additional rules of behaviour; to study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the United Nations; and to continue to study … existing and potential threats in the sphere of information security and possible cooperative measures to address them and how international law applies to the use of information and communications technologies by States, as well as confidence-building measures and capacity-building.

It submitted a report in March 2021, later than planned due to the pandemic, and was renewed for 2021–2025. The GGE was tasked

to continue to study, with a view to promoting common understandings and effective implementation, possible cooperative measures to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States, confidence-building measures and capacity-building, as well as how international law applies to the use of information and communications technologies by States.

It submitted its report in May 2021.

It is important to mention that the mere fact that both groups arrived at a consensus text is a matter to acknowledge as a success in light of ever-deteriorating geopolitical tensions. The previous GGE 2016/2017 (UN Resolution A/RES/70/237, 2015) failed to achieve that milestone, which put in question the viability of the format. This time both the OEWG and GGE 2021 managed to get their participating 193 and 25 states to align their positions at least to what currently constitutes the minimal common denominator. By no means does that signify that disagreements among states have been resolved, rather that there was the will and the opportunity to put them aside and reconfirm positions on which states see more eye-to-eye. In this article we will look at some important achievements of both groups and then at the broader normative reverberations they have produced over time, specifically in the technical community, as well as the questions they leave open.

Two formats, one goal

When the OEWG report was published, amid congratulatory acknowledgements (TASS 2021a) of the effort through which 193 governments agreed on a consensus text that built on previous achievements in the field, there were others who pointed out the little conceptual and practical progress that had been achieved by the group (Meyer 2021). Indeed, the section on the rules, norms and principles of responsible state behaviour largely reiterates the provisions of the UN GGE 2015 report without adding much new substance, aside from recognising that ‘the COVID-19 pandemic has accentuated the importance of protecting healthcare infrastructure including medical services and facilities through the implementation of norms addressing critical infrastructure’ (United Nations 2021a, para 26). The section on international law reaffirms that ‘international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment’, a stipulation long established by one of the previous GGEs back in 2013. But it doesn’t further spell out how exactly it applies to state use of ICTs. The group rather invites states to continue sharing their views and experience on the matter. In the confidence-building measures (CBMs) area, no new measures are suggested. Instead, it is recommended that states leverage the existing regional and other forums to exchange lessons and practices on CBMs, as well as to ‘consider nominating a national Point of Contact, inter alia, at the technical, policy and diplomatic levels’ to help implement CBMs (para 51).

The capacity-building area, however, offers more detailed guidance on further implementation in three dimensions – process and purpose, partnerships and people (para 56). The role of capacity-building in fostering better critical infrastructure protection as well as international law application is highlighted as well. Special mention is given to CERT/CSIRT cooperation and ‘train the trainer’ programmes. Also, as mentioned by some OEWG participants, the group itself is a capacity-building mechanism, and at times when dialogue might not come easily, the existence of such a platform is an important asset (Tolppa 2021). As for the future of further institutional dialogue, the report remarks that the negotiations on these and other emerging matters will continue inter alia in the OEWG 2021–2025 established pursuant to General Assembly resolution 75/240 (UN Resolution A/RES/75/240, 2021) at the end of 2020, even ahead of the expiration of the current group’s mandate.

This is especially noteworthy given the mention in the report of the earlier French-Egyptian proposal of a Programme of Action format for future deliberations on the use of ICTs (para 77), which did not achieve consensus but later garnered considerable support, especially among the European countries (United Nations 2020). Roughly based on the model of the 2001 UN Programme of Action on Small Arms and Light Weapons, the initiative suggests a need for an institutional basis for a regular, continuous dialogue on matters of peace and security in the use of ICTs. It includes creating ‘a framework and a political commitment based on recommendations, norms and principles already agreed’, ‘regular working-level meetings, focused on implementation’, ‘step-up cooperation and capacity-building’, and holding regular meetings to assess the relevance of the format as well as to consult with various stakeholder groups. The initiative inter alia sought to get rid of the bifurcation created in 2018 by setting up two cyber tracks under the auspices of the UN and to bring the nations back into one stream of negotiations. The adoption of resolution 75/240 prompted the question of whether the Programme of Action could have a future, given that there was no indication of a seventh GGE in preparation, but both reports pointed to the merit of exploring such a format (Géry 2020).

With the above, the OEWG report does not seem to fully live up to its mandate and the expectations conceived around its creation in 2018–2019. It offers little conceptual progress, mostly reiterating the provisions of the 2015 GGE report (apart from arguably the most elaborate capacity-building section). Yet some members of both groups found it a success exceeding expectations (CSIS 2021a). And the OEWG’s initial sponsor Russia hailed it as a ‘success of Russian diplomacy’ (Krutskikh 2021), according to the Russian Ministry of Foreign Affairs statement. Admittedly, there was a palpable motivation to make this first group a success, especially since it opened up an opportunity for many state and non-state actors to join this topical discussion for the first time in the UN arena: 119 states voted for its creation back in 2018, and it had to produce a tangible outcome, even if at the expense of extra granularity in the final consensus report. And the extension to multistakeholder consultations enhances the substantive reach of this work. Besides, there are other factors which help reassess its role beyond its substantive input to the discussion.

First, the Chair’s Summary (United Nations 2021b) accompanying the report provides a broader picture of the array of opinions expressed by all the participating states and emerging from consultations with other stakeholders which did not reach a consensus. This reflects the challenge and limitation of the OEWG as a format: the ability to reach consensus on the final text came at the expense of the diversity of perspectives and uneven experience brought to the table by all participating states and non-governmental stakeholders consulted throughout the OEWG work. That said, 193 states confirmed their support of a lot of the work done since 1998 in the field of the use of ICTs to avoid cyber conflict, increasing the legitimacy and political weight of what in legal essence are non-binding norms, rules and principles. And certainly it is harder now for each of them to ignore the existence of these commitments, even if they are voluntary (CSIS 2021b).

Secondly, the publication of the 6th GGE report (United Nations 2021c) reveals how much conceptual and verbal cross-fertilisation happened between the two processes over these few years, with the same people often involved in both. In that sense, the OEWG is not only valuable in its own right as a multilateral and multistakeholder effort but also as a ‘polygon’ for refining the consensus provisions which were eventually reflected in the UN GGE report by 25 states. In the words of one of the GGE members, it was ‘a socializing effort’ using existing frameworks, while the GGE had the time and expertise allowing it to ‘drill deeper’ (CSIS 2021b).

For example, the section on international law says little new in the OEWG report, while the GGE made some progress from the stand-off in 2016–2017 on the applicability of international humanitarian law (Basu, Poetranto, and Lau 2021), absent from the previous reports. Apart from reaffirming the principles of sovereignty and non-intervention in other states’ affairs, and refraining from the threat or use of force, the group ‘noted that international humanitarian law applies only in situations of armed conflict’, including the principles of humanity, necessity, proportionality and distinction, and ‘recognized the need for further study on how and when these principles apply to the use of ICTs by States and underscored that recalling these principles by no means legitimizes or encourages conflict’ (United Nations 2021c).

Further, like the OEWG, the GGE report confirms the relevance of the previously agreed 11 norms and takes a deep dive into the implementation directions. This turns the document into a practical guide on how to operationalise these standards of behaviour, very much in close connection with the CBMs and capacity-building efforts discussed later in the report and references to previous GGE reports. As Michele Markoff, acting coordinator for cyber issues at the US Department of State, pointed out, no one can walk away now and say that the norms implementation has not been spelled out to them and that their government has not affirmed the result of two years of deliberations of both groups (CSIS 2021b).

In the CBM section, the GGE report inter alia echoes and further unpacks some of the OEWG recommendations, in particular the idea of establishing a network of national Points of Contact (PoCs) to facilitate and direct dialogue and consultations, and transparency measures for the voluntary exchange of national views and practices on ICT security incidents. The capacity-building chapter similarly promotes international cooperation and assistance and highlights the areas demanding more such efforts (para 95), as well as making a direct reference to the OEWG recommendations on the topic for further guidance.

As for recommendations for future work, the GGE ‘encourages States to continue efforts to further the framework of responsible state behaviour within the United Nations and other regional and multilateral forums to support regular dialogue, consultation and capacity-building’. It welcomes the establishment of the new OEWG as well as remarks that various ‘proposals for advancing responsible State behaviour in ICTs’, e.g. the Programme of Action, ‘should be further elaborated including at the Open-Ended Working Group’ (United Nations 2021c).

A lot of the GGE work’s merit thus lies in confirmation of the achievements of the prior groups’ agreements, especially following in the footsteps of the previous UN GGE fiasco (Gavrilovic 2021). Similar to the OEWG, achieving an elaborate consensus report at a time when disagreements between the key players in the field are aggravated is exceptional – to the extent that the US representative expressed public appreciation to her GGE colleagues for their ‘political will’ and gave ‘a personal nod to the efforts of Vladimir Shin and Wang Lei [her Russian and Chinese counterparts] to help us rise above our differences’ (Markoff 2021). In this light, the extended explanation of old provisions provides helpful guidance and encouragement on where the global peace and security priorities are. The fact that neither the OEWG nor the GGE have moved beyond the original 11 norms is also an indicator both of a long-known degree of resistance from some states to freely multiply their number (CSIS 2021b) and of a need to concentrate first on the meaningful implementation of the existing norms.

With this in mind, would it be fair to say that the GGE report, like the OEWG one, doesn’t break new ground but further cultivates the ground already in intense use since the 2015 report milestone, since in its own words it ‘sought to provide an additional layer of understanding to the assessments and recommendations of previous GGE reports, in order to provide guidance to support their implementation’ (United Nations 2021c)? Not quite.

While the recommendations made in both reports are legally non-binding on states, the reiteration of previously agreed provisions, further granularity of explanations, and the fact that two different groups – one comprising all 193 UN member states – arrived at an agreement adds political weight to the recommendations on all thematic sections (Solomon 2021). And while many states oppose the idea of a legally binding treaty down the road, the narrative built around the norms, rules and principles of responsible state behaviour in cyberspace has matured and might require a next step to reflect this development.

Incidentally, in October 2021 the Russian and US delegations submitted a joint draft resolution to the UN General Assembly on the ‘Developments in the field of information and telecommunications in the context of international security, and advancing responsible State behaviour in the use of information and communications technologies’ (UN General Assembly 2021), which was then adopted by the Assembly in December 2021 (TASS 2021b). It expresses the commitment of both countries to back the UN-based efforts in the norms-building domain and hails the establishment of the next mandate for the new OEWG, therefore marking a potential merger of the two tracks after the 2018 bifurcation. Some have already praised this move as a symbolic cyber thaw between Russia and the US (Ignatius 2021), as it recognises inter alia ‘the possibility of future elaboration of additional binding obligations, if appropriate’, a long-time bone of contention between the two sides. But at the very least such an unexpected alignment might also be seen as the result and cumulative effect of this three-year stretch to explore other formats and ideas.

This apparent reconciliation also points to the intention of the leading cyber powers to keep and develop the topic of advancing responsible state behaviour in cyberspace in the context of international security under the auspices of the UN. With the multitude of norms-developing entities that have emerged over the past few years, the UN seems to be still looked up to as a flagship platform for this topic, historically setting the leitmotif for further variations and contributions to the discourse. And this very diversity and cross-fertilisation of approaches to cyber norms beyond the UN, together with its evolving tracks and formats, can’t but add to and intensify the far-reaching effects of the core norms-building context on the broader normative, legislative and even technical developments. The latter is of special focus for this article.

For a long time, the technical community (a rough term used here to refer to a broad stakeholder group involved in ensuring the correct functioning of the internet infrastructure) observed the evolving debates around internet governance following the Tunis Agenda but did not actively engage with such designated forums (e.g. the UN IGF and the plethora of national and regional IGFs), preferring narrow industrial formats. However, as various stakeholder groups matured over time and fine-tuned their place and role in internet and cyber governance, governments across the world started catching up with the importance and policy impacts of technological developments via regulatory work. This made the pendulum swing back, as now the technical community is more vocal in trying to consult on and/or pre-empt regulatory initiatives which they feel are ill-informed on the technical side of the problem. One of the clearest recent examples is the case of ICANN’s efforts to comply with GDPR, as well as its own proactive attempt to separate technical internet governance from internet governance at large, through better awareness of, and communication about, the stability, security and resilience of the internet as we know it (Datysgeld 2021). Even though technical governance has always been seen as an integral part of the multistakeholder model, this special distinction illustrates what seems to be the desire to protect the cyber domain from unintended damage delivered by non-technical stakeholders. And as we will see, it often results in self-regulatory efforts within formats and concepts echoing UN processes in particular. It is also a challenging task, as sometimes there is little daylight between technical and non-technical internet governance when non-technical norms (e.g. of state behaviour in our case) require technical action.

As a result of these complex dependencies, we can observe a curious interplay and cross-fertilisation of ideas and formats. The UN and other non-technical forums attempt to digest and normalise the most prominent ideas, concepts and challenges from the technological world, with inevitable delay and a somewhat weak link with implementation. In the meantime, the technical community is working out its own rules and norms which sometimes seem inspired by the work being done in other stakeholder groups. Let’s take a closer look at both sides.

Mutual impacts

The UN work in this field is sometimes underestimated due to being slow, not far-reaching in practical terms and detached from the real-world challenges, as its recommendations so far are legally non-binding and do not seem to restrain malicious cyber activity in a tangible way. Yet it provides certain ‘spill-over’ effects which are important to acknowledge due to their paradigm-shifting power in the approach to dealing with cyberthreats, also now going beyond the multilateral level. And while the debates continue about how these recommendations could be translated into firm commitments and actions by states given that they emerge from soft law, especially now that the 6th GGE has made a special effort in providing guidance on this, certain incremental but nonetheless significant shifts might lead to a more holistic approach and attitudes to what the rampant growth of cyberthreats means for the global society and what it takes to face it.

These shifts are building bridges ‘with the real world’, at the same time leaving some questions still unanswered. They are an important reflection of what these past few years have meant to the cybersecurity field in general and what might lie ahead. Such an exercise might be useful short-term, as the new OEWG starts its work, for the broader work on cyber peace and security under the auspices of the UN, and even more so for all the states and other stakeholder groups willing to carry this work further.

New priorities

Both the OEWG and the GGE work has been heavily affected by the COVID-19 pandemic, which has slowed down the proceedings but also brought in new understanding of the matters in question. As the GGE report says,

A key portion of the Group’s work was conducted during the coronavirus disease (COVID-19) pandemic, which has highlighted the tremendous potential of digital technologies while accelerating the world’s dependency on them, thereby further underscoring the importance of responsible behaviour in the use of ICTs in the context of international security. (United Nations 2021c)

This leitmotif of the ever-increasing reliance on ICTs across the globe, and even more so at force-majeure times, seems to have intensified the spotlight on all the areas within the group’s mandate but especially the vital importance and vulnerability of critical infrastructure. It finds support in the existing and emerging threats section (para 10), and also in the articulation of Norm 13 (f), noting that ‘The COVID-19 pandemic heightened awareness of the critical importance of protecting health care and medical infrastructure and facilities, including through the implementation of the norms addressing critical infrastructure’ (United Nations 2021c, para 45). This is an important point of priority convergence for the global community on where commonly recognised threats lie and where the UN work on cybersecurity could make a difference in the face of the pandemic.

Other examples of potential critical infrastructure sectors at risk mentioned are energy, power generation, water and sanitation, education, commercial and financial services, transportation, telecommunications and electoral processes, as well as

those infrastructures that provide services across several States such as the technical infrastructure essential to the general availability or integrity of the Internet. Such infrastructure can be critical to international trade, financial markets, global transport, communications, health or humanitarian action. (United Nations 2021c)

But it is the latter that is a special achievement in this report, as well as in the OEWG report, for those who have followed the development of the concept of the ‘public core of the internet’, first introduced by Dr Dennis Broeders back in 2015 (Broeders 2015). Since then, the concept has been extensively discussed across various academic, governmental, civil society and business platforms, and evolved from the ‘layered’ definition – i.e. via the three basic layers of logical, physical and organisational – to the ‘functional’ definition as ‘the general availability and integrity of the core forwarding and naming functions of the global internet’ (Broeders 2021). In this regard, both tampering with the core internet protocols such as TCP/IP, DNS, BGP etc., as well as their misuse, would represent a threat in scope. One could argue that a number of high-profile attacks since 2015, such as the Mirai botnet (Newman 2016) and the Sea Turtle DNS hijacking campaign (Adamitis et al. 2019), could qualify as affecting the public core of the internet.

The idea of non-interference with the public core of the internet has matured over these years through the work of various forums – e.g. the Global Commission on the Stability of Cyberspace, which specified its definition as a norm (Global Commission on the Stability of Cyberspace 2018), and the Paris Call for Trust and Security in Cyberspace (Paris Call 2018) – and it formed part of the Netherlands’ International Cyber Strategy and its submission to the OEWG (The Netherlands 2020) and the GGE (for the OEWG reflected in the Chair’s Summary (United Nations 2021b)). The story of its transformation into ‘the general availability or integrity of the Internet’ and inclusion in both the OEWG and UN GGE reports in the threats and norms sections is outlined by Dr Broeders in one of his latest articles (Broeders 2021) and reveals, on the one hand, an important recognition of the essence of the problem, but at the same time signals the impossibility for both groups to agree on what ‘the public core of the internet’ is in practical terms, what constitutes its transborder character given that at the physical layer a lot of that core is within national borders and under national jurisdiction, and what the subsequent implications are for states. Given the increasing number of attacks which could potentially qualify as affecting the core internet protocols – and therefore that very transborder information infrastructure architecture, including by non-state actors or unidentified actors – the reluctance to recognise a more precise description of this concept and formalise it as another norm is not surprising. At times when an increasing number of states are developing offensive capabilities, and given the non-binding nature of these norms, it is often argued by the proponents of such active development of cyber offensive capabilities that self-restraint might mean strategic weakness for national security. Further elaboration of the concept of the ‘general availability and integrity’ of the internet will now at least be on the table for the OEWG to work on, but its mere appearance in both reports is significant for future reference when certain types of attacks take place.

Another important development to pay attention to is the transition of this normative concept into the political discourse (Forscey 2021) and (supra)national regulation – the EU Cybersecurity Act (Global Commission on the Stability of Cyberspace 2019) and the EU Cybersecurity Strategy (European Commission 2020b), targeted at increasing the EU’s resilience against cyberthreats and promoting a safer digital environment. Both are to be adopted and implemented by member states and in cooperation with different stakeholders. The recognition in similar wording that ‘A set of core protocols and supporting infrastructure ensures the functionality and integrity of the Internet worldwide’ in the context of ensuring greater global internet security (Chapter II on Resilience, Technological Sovereignty and Leadership, the EU Cybersecurity Strategy) and that

ENISA should support the security of the public core of the open internet and the stability of its functioning, including, but not limited to, key protocols (in particular DNS, BGP, and IPv6), the operation of the domain name system (such as the operation of all top-level domains), and the operation of the root zone (Paragraph 23, EU Cybersecurity Act),

marks a transition of at least the normative language from voluntary standards to the fundamental documents of the EU’s digital future. And in this particular case ‘the public core of the internet’ travelled from an academic paper to the Netherlands’ international cyber strategy, to the norms discussion in the UN forums, and on to supranational strategy.

The evolution of tech norms

The UN processes seem to have inspired not only the realms of government (e.g. the Paris Call (Paris Call for Trust and Security in Cyberspace 2018), which has announced the launch of six working groups to advance global cybersecurity (Tech Accord 2021)), but also of academia (e.g. the Hague Program for Cyber Norms (University of Leiden 2021)), of civil society (the Global Commission on the Stability of Cyberspace (Global Commission on the Stability of Cyberspace 2021)), and of business (e.g. Microsoft’s international cybersecurity norms (Microsoft 2021)). The resulting environment of agenda rivalry in the field among state and non-state platforms is beneficial for the broader community in the sense that it pushes all involved stakeholders to advance their thinking and action. It might also mean extra friction as the states claim thought leadership while the deliberations at the UN and other multilateral forums continue but stumble without external expert input, especially from the private sector, civil society and the technical community.

‘Cyber-normalization’ has affected the technical community in a less obvious and public way so far, but it is visible in narrow circles and fits interestingly into the bigger picture. The knock-on effect of the ‘norms’ concept into other areas comes from the field of international law and relations, whereby norms are ‘widely-accepted and internalised [sic] principles or codes of conduct that indicate what is deemed to be permitted, prohibited, or required of agents within a specific community’ (Erskine and Carr 2016). These norms stem from certain values and principles shared by those adopting a set of norms. In the context of the UN work on international peace and security in the field of the development and use of ICTs, much of the existing disagreement on norms of state behaviour is rooted in differences of values and principles related to internet governance, cybersecurity and, more fundamentally, to state and societal governance and sovereignty considerations. When we shift the discussion to the internet and its development, that is where the so-called sociotechnical imaginaries of the internet infrastructure (ten Oever 2020) come into play. As a technology, the internet evolved over the past few decades based on the unspoken and uncodified principles of end-to-end connection, openness and permissionless innovation (ten Oever 2020). Yet the basic protocols underlying the internet, developed inter alia within the IETF – e.g. for internet routing, the DNS, encryption protocols – have grown to become an architecture which is essentially an architecture of power and control (de Nardis 2014) exercised by the ‘incumbents’, i.e. those who have been governed by the above-mentioned voluntary principles while building that architecture and who now show resistance to change, either from within or from other, ‘outsider’, stakeholder groups, especially national/international regulation. The reasons may be economically, technically, institutionally or otherwise driven (ten Oever 2020), but what is important is the shift in values which happened in those ‘outsider’ stakeholder groups and which brings about similar changes within the technical community itself. For example, as is well known, security considerations were mostly off the agenda when the first routing and DNS protocols were created. Today cybersecurity is the ‘buzzword’ for virtually any field of societal life, which affects the hierarchy of values and principles and therefore norms, i.e. the behavioural expectations of various actors and stakeholders in cyberspace. These changes have been reflected in technical (self-)governance over time, and the UN processes and related expectations represent a strong context for its further development.

One of the older initiatives in the routing community looking at developing a normative regime is Mutually Agreed Norms for Routing Security (MANRS). It was founded in 2014 in order ‘to greatly improve the security and resilience of the Internet’s global routing system’ (MANRS Citation2021) through encouraging those running BGP ‘to implement well-established industry best practices and technological solutions that can address the most common threats’ (MANRS Citation2021). To this end, MANRS addresses three main issues: incorrect routing information, traffic with spoofed source IP addresses, and coordination and collaboration between networks. It is a voluntary framework for network operators, IXPs and CDN and cloud providers, and as the abbreviation suggests it presupposes a particular code of conduct for the signatories.
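The second MANRS issue above, traffic with spoofed source IP addresses, is addressed in practice by validating source addresses at the customer edge. The following is an added illustration of that check (BCP 38 style ingress filtering); it is not MANRS' own code, and the prefix assignments, the partial bogon list and the packet samples are constructed for the example using documentation address ranges rather than real allocations.

```python
"""Added illustration (not MANRS' own code): ingress source-address validation
of the kind the MANRS anti-spoofing action asks operators to deploy at the
customer edge (BCP 38 style). Prefix assignments, bogon list and packet samples
are constructed for the example."""
import ipaddress
from collections import Counter

# Constructed: address space legitimately assigned to each customer-facing port.
# RFC 5737 / RFC 3849 documentation ranges are used so nothing here is a real allocation.
CUSTOMER_PREFIXES = {
    "cust-A": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-B": ["198.51.100.0/25"],
}

# Constructed partial bogon list: sources that must never arrive from a customer port.
BOGON_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
]


def build_filters(assignments):
    """Parse textual prefixes once so the per-packet check is a cheap membership test."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assignments.items()}


FILTERS = build_filters(CUSTOMER_PREFIXES)
BOGONS = [ipaddress.ip_network(p) for p in BOGON_PREFIXES]


def validate_source(port, src, filters=FILTERS, bogons=BOGONS):
    """Decide whether a packet with source `src` may enter on `port`.

    Returns (allowed, reason). A source is accepted only if it lies inside a
    prefix assigned to that port; bogons are rejected first regardless of port.
    """
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False, "unparseable source address"
    if any(ip in net for net in bogons):
        return False, "bogon source"
    for net in filters.get(port, []):
        if ip in net:  # ipaddress returns False on a v4/v6 mismatch, so no special-casing
            return True, f"within assigned prefix {net}"
    return False, f"source not assigned to {port}"


def audit(packets, filters=FILTERS):
    """Tally permit/drop decisions over (port, src) samples. Useful for reviewing
    a filter against captured headers before switching it to enforcing mode."""
    tally = Counter()
    for port, src in packets:
        allowed, _ = validate_source(port, src, filters)
        tally["permit" if allowed else "drop"] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed packet headers: (ingress port, source address).
    SAMPLE = [
        ("cust-A", "192.0.2.77"),       # legitimate
        ("cust-A", "2001:db8:a::1"),    # legitimate IPv6
        ("cust-A", "198.51.100.5"),     # cust-B's space arriving on cust-A: spoofed
        ("cust-B", "10.1.2.3"),         # private source: bogon
        ("cust-B", "198.51.100.200"),   # outside cust-B's /25: spoofed
    ]
    for port, src in SAMPLE:
        print(port, src, *validate_source(port, src))
    print(audit(SAMPLE))
```

The `audit` helper reflects how such a filter is usually rolled out: run it in observation mode over real ingress traffic first, so that legitimate but undocumented customer prefixes show up as drops in the tally and can be added to the assignment table before enforcement begins.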

As for the DNS, one of the oldest internet protocols and one of the least protected, it has undergone intense extensions and modifications over the past couple of decades. Back in 2018 Bert Hubert’s talk at IETF 101 introduced the metaphor of ‘the DNS camel’ (Hubert Citation2018), pointing out that some 185 RFCs currently describe the protocol, each of them certainly seeking to improve it and inter alia to make it more secure, while also making it incredibly complex and thus potentially even more vulnerable. However, initiatives similar to MANRS have started emerging for the DNS as well, in different specialised stakeholder groups. In many ways this is likely due to the especially high interest given to the topic of DNS abuse in multiple forums. For example, in 2019 the DNS Abuse Framework was launched to encourage DNS registries and registrars to sign up to shared practices toward disrupting abuse of the DNS and ‘promptly investigate allegations of DNS Abuse and the Website Content Abuse that falls within this framework’ (DNS Abuse Framework Citation2021).

Additionally, the Internet Corporation for Assigned Names and Numbers (ICANN) has initiated a discussion with the broader internet community about a programme to develop a framework that focuses on the most important operational best practices or concrete instances of DNS security best practices, called KINDNS – Knowledge-Sharing and Instantiating Norms for DNS and Naming Security (KINDNS Citation2021), much inspired by MANRS. It is aimed at both authoritative and recursive resolver operators with special thought for small operators which should benefit from the open DNS community standards, that are basic and easy enough to comply with. In line with the ICANN organisation’s strategic goal to improve the security of the DNS and the adoption of global open standards and best practices, this also looks like an extended hand to the broader community to develop a framework of voluntary norms which would help go beyond the existing limited contractual obligations for the DNS operators, registries and registrars. And this is not unlike the situation with the norms of responsible state behaviour whereby even in the absence of a binding legal framework the expectation bar is gradually rising via soft law.

Another initiative, the European resolver policy, looks specifically at the policy expectations aimed at the DNS operators in the European community or at those who take it as a benchmark. With special attention to personal data protection, it aims to bring together the industry to ‘set out best practice for the protection of personal data by DNS resolver operators in Europe’ (European Resolver Policy Citation2021). Visibly GDPR-inspired, the proposed policy ‘sets out the minimum policy and transparency requirements for DNS resolver services’, which would reassure the end-user about due use of their personal data gained in the DNS operations (European Resolver Policy Citation2021). Additionally, the policy provides guidance regarding the use of filtering and encourages the use of the recent security protocol extensions for the DNS – DNS over TLS, DNS over HTTPS etc.

Interestingly, initiatives such as DomainTrust by Global Cyber Alliance function as a confidence- and capacity-building measure through data and intelligence sharing. By providing registries, registrars and cyber protection agencies with ‘high quality, large-scale sets of data on suspected malicious and criminal domains being used in phishing attempts, malware distribution, and command and control (C2) activities’, it helps strengthen trust and cooperation (Global Cyber Alliance Citation2021).

Altogether, these and other similar initiatives signal a certain voluntary tech-culture emerging both from consumer expectations and from the broader context of tackling cyberthreats in which these expectations (of different stakeholder groups) are shaped. They further serve to develop and implement new technical and policy solutions based on the best practices being adopted. Partially, this process could be seen as a repercussion of the broader norms-driven discourse. And simultaneously with these self-regulatory measures at the industry level, we can observe movements towards binding ‘normalization’ of the DNS at the national level – in the sense that they define what ‘good’ and ‘secure’ looks like in conformity with the national (cyber)security standards and strategy, to offer the public a DNS service in harmony with the operational norms devised by the responsible authorities.

An example is the Protective DNS (PDNS), set up by the UK’s National Cyber Security Centre (NCSC) and implemented by Nominet registry (Nominet Citation2021). As part of the NCSC’s Active Cyber Defence (ACD) programme, the PDNS recursive resolver prevents access to domains known to be malicious, due to malware, ransomware, phishing attacks, viruses, spyware etc. Branded as ‘a free and reliable internet accessible DNS service’, PDNS, however, is ‘mandated for use by central government departments by the Cabinet Office’, available upon application to a number of public service institutions and is not currently available to the private sector. This is an example of how voluntary commitments on running the DNS and the choices the users make about which service to opt for border on state-sanctioned use prescriptions. In contrast to the exclusivity of the PDNS for governments, CIRA’s Canadian Shield (CIRA Citation2021) offers a public DNS service open to all Canadians. It promises to protect them from cyberthreats with the threat feed data that powers CIRA DNS Firewall used by both public and private organisations.
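The protective resolvers described above (PDNS, Canadian Shield) all rest on the same decision step: before forwarding a query, check the queried name against a feed of known-malicious domains and refuse to resolve it on a match. The following is an added illustration of that logic; it is not NCSC's, Nominet's or CIRA's code, and the blocklist, the allowlist, the upstream answers and the sinkhole address are constructed for the example (names under `.example`, `example.net` and `example.org` are reserved documentation names).

```python
"""Added illustration (not NCSC/Nominet/CIRA code): the decision logic of a
protective recursive resolver that refuses to resolve names on a blocklist of
known-malicious domains. Blocklist, allowlist, upstream answers and the
sinkhole address are constructed for the example."""

# Constructed feed of domains flagged as malicious. Blocking a domain blocks its
# subdomains too, which is why matching walks up the label tree.
BLOCKLIST = {"malware-drop.example", "phish.example.net", "c2.bad.example"}

# Constructed exceptions that take precedence, e.g. a label a security team
# still needs to reach for investigation.
ALLOWLIST = {"research.c2.bad.example"}

# Constructed stand-in for an upstream resolver's answers (A records).
UPSTREAM = {
    "www.example.org": "192.0.2.10",
    "login.phish.example.net": "198.51.100.9",
    "c2.bad.example": "203.0.113.4",
    "research.c2.bad.example": "203.0.113.5",
}

# Address handed back for blocked names so the client fails fast and the block
# is recognisable in logs; some deployments return NXDOMAIN instead.
SINKHOLE = "0.0.0.0"


def normalize(qname):
    """Canonicalise a query name: trim, drop the trailing root dot, case-fold."""
    return qname.strip().rstrip(".").lower()


def ancestors(qname):
    """Yield the name and each parent domain, most specific first:
    'a.b.example' -> 'a.b.example', 'b.example', 'example'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def policy(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return ('allow', None) or ('block', <matching blocklist entry>).
    The walk stops at the most specific label that carries a decision, so an
    allowlisted subdomain of a blocked domain is still resolved."""
    for name in ancestors(qname):
        if name in allowlist:
            return "allow", None
        if name in blocklist:
            return "block", name
    return "allow", None


def resolve(qname, upstream=UPSTREAM, log=None):
    """Answer a query the way a protective resolver would: consult policy, then
    either forward upstream or hand back the sinkhole address. Each decision is
    appended to `log` (a list) so blocked lookups can be reported to the client
    organisation, which is what makes such a service useful for detection too."""
    name = normalize(qname)
    verdict, match = policy(name)
    if verdict == "block":
        if log is not None:
            log.append({"qname": name, "action": "block", "matched": match})
        return SINKHOLE
    if log is not None:
        log.append({"qname": name, "action": "forward", "matched": None})
    return upstream.get(name)  # None models an NXDOMAIN answer from upstream


if __name__ == "__main__":
    events = []
    for q in ["WWW.Example.org.", "login.phish.example.net",
              "c2.bad.example", "research.c2.bad.example"]:
        print(q, "->", resolve(q, log=events))
    print(sum(1 for e in events if e["action"] == "block"), "blocked of", len(events))
```

The choice between a sinkhole address and NXDOMAIN is a policy decision rather than a technical one: a sinkhole address lets the operator observe follow-on connection attempts, whereas NXDOMAIN is the more honest answer to a client that may itself be applying a security policy.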

In this light, it is interesting to see which way the DNS4EU initiative of a public European DNS resolver service announced in the EU Cybersecurity Strategy published in December 2020 goes. At the time of writing, there is still little detail about the practical implementation of this initiative, but consultations with stakeholders have started to inform European lawmakers about potential implications. According to the strategy, DNS4EU aims ‘to contribute to secure Internet connectivity by supporting the development of a public European DNS resolver service’ (European Commission Citation2020b). It is described as ‘an alternative, European service for accessing the global Internet’, transparent and conforming to the ‘latest security, data protection and privacy by design and by default standards and rules’ (European Commission Citation2020b). On the face of it, this is a sound aspiration, given the already existing trend for ‘good resolver practices’ and norms, and certainly in line with the (supra)national security and infrastructure resiliency considerations. More public resolvers (and non-public as well) add to the general interconnectedness and consumer choice through increased competition inter alia via declared norms of behaviour and practices. In itself, DNS4EU may be good news as long as it is open and accessible to anyone willing to use it, with clear filtering policies regarding malware and other cyberthreats. As is known, there are also other, more comprehensive national DNS projects in the world, e.g. the Russian National DNS project as part of the sovereign RuNet law (Meduza Citation2018), with further-reaching goals of state control not only, as is declared, over the security of the national digital infrastructure that DNS forms part of but also (ultimately) over information flows.

Exploring the rationale for DNS4EU, it should be noted that the recent DNS encryption protocols, e.g. DNS over TLS and DNS over HTTPS (Cloudflare Citation2021), might eventually affect the resolver operator market if their emergence per se raises the expectations bar on the consumer side. And although at present general consumer awareness might be comparatively low, with an overwhelming majority using default resolver settings, eventually there might be more spotlight on the operators providing such security extensions (DNS Privacy Project Citation2021).

Initially, there was also a double privacy expectation from DNS over HTTPS, because it renders encrypted DNS messages indistinguishable from other, non-DNS HTTPS traffic. This raised concerns that with a wider adoption of the protocol by a small group of the most widely used public resolvers (e.g. Cloudflare’s 1.1.1.1 aka ‘quad 1’ and Google’s 8.8.8.8 aka ‘quad 8’) (ETNO Citation2019), much of the traffic which is usually processed through the ISP recursive resolver function might migrate to those large non-EU public resolvers dominating the market among the multitude of other public resolvers (Livingood et al. Citation2019) (Doan, Fries, and Bajpai Citation2021). Some more recent research reveals that, in fact, DNS over HTTPS packets can be distinguished from the rest of the TLS-encrypted traffic, thus losing a layer of privacy protection (Nijeboer Citation2020). This nonetheless drew attention in the EU case to the possibility of public DNS resolver function/service concentration in the hands of a few significant US players, thus contributing to the bigger discourse around the necessity to achieve more ‘technological sovereignty’ within the EU.

The latter triggered a layer of other internet infrastructure security considerations mentioned in several recent legislative proposals apart from the EU Cybersecurity Strategy: e.g. the NIS2 Directive, the initial draft of which had DNS root servers in scope, thus subjecting them to higher regulatory oversight. This provision, however, doesn’t look likely to appear in the final consensus draft due to consistent efforts from the technical internet governance actors (as discussed above) highlighting the excessive character of these provisions (RIPE NCC Citation2020). There’s also a big emphasis on market concentration and fair competition in the tech field (tackled inter alia by the Digital Services Act (European Commission Citation2020b) and the Digital Markets Act (European Commission Citation2020a), which address rules and liability for online platforms and competition policy, with a special focus on the big tech companies). In this light, it seems politically – if not technically – significant for the EU to bring in a European DNS resolver, as discussed at length in various technical forums (Huston Citation2021). As mentioned before, it is too early to assess this initiative in the absence of a detailed description and intended implementation strategy, but its mere emergence is interesting to analyse in the context of the deeper normalisation of cyberspace through various stakeholder groups. For example, DNS encryption protocols will evolve as a best practice and possibly eventually a sociotechnical norm, and will, among other technical best practices, most probably be widely implemented with time. The European Commission also aims, in liaison with member states and industry, to accelerate the uptake of key internet standards including IPv6 and well-established internet security standards and good practices for DNS, routing and email security (European Commission 2020). And as mentioned, this also forms part of a larger political ‘self-identification through technology’ project for the EU.

The battles of norms

The DNS4EU initiative is also an interesting case of how norms and values from various paradigms may come into conflict. On the one hand, if we look at DNS over TLS or DNS over HTTPS, they were developed stemming inter alia from the value of user privacy, which is traditionally strong in the IETF environment where they were developed. Privacy is also an integral part of the European human rights value set ingrained in a few fundamental regulatory frameworks. As a result, DNS encryption is gradually moving from a ‘nice to have’ to a ‘must have’ norm, including, concordantly, in Europe.

At the same time, the uptake of new protocols seems to challenge the EU’s view of its strategic autonomy, also known as digital sovereignty. This is a relatively newly developed aspirational EU norm, highly promoted by the current European Commission, which also finds reflection in digital diplomacy in the UN processes.

The GGE report makes a few allusions to the concept of ‘sovereignty’ (five, compared to two in the OEWG report), traditionally strongly defended by Russia and China. It cautiously points to ‘due regard for sovereignty’ in a situation of ‘appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts’. It also remarks in the section on the application of international law to the use of ICTs that ‘state sovereignty and international norms and principles that flow from sovereignty apply to the conduct by States of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory’. This vague wording cautiously avoids directly linking cyberattacks to the breach of state sovereignty and will be up to the future OEWG and other platforms to pick up and take further in the context of applying international law. But seemingly, as follows from the national submissions, the value of positioning sovereignty as a rule has grown more popular with most states (Schmitt Citation2021) and has gained more support in the EU.

As mentioned above, this might be due to the EU’s re-evaluation of its role in the global community, specifically through the lens of digital sovereignty or strategic autonomy – the latter term is a euphemism often used instead, probably in order to step away from the historically loaded former term, mostly associated with what are seen as authoritarian regimes imposing state-led approaches to the development of digital society and internet infrastructure within their national borders and national jurisdiction (one of the latest examples is the so-called law on ‘sovereign’ Runet in Russia (Stadnik Citation2019)). Ironically, having been an integral part of self-determination and national security strategies in those states for years, digital/technological sovereignty is currently seen as quintessential for the EU’s autonomous future and competitive edge (EuroSmart Citation2021). The EU’s technological sovereignty forms part of its new cybersecurity strategy; it will be further pursued via legislative (e.g. GDPR) and infrastructure (e.g. GAIA-X project) initiatives, sometimes possibly struggling to marry these emancipation ambitions with the values of an open internet (Komaitis Citation2021) or privacy. It will be interesting to follow how this value and norm gets translated into the EU’s foreign digital policy and diplomatic efforts, inter alia at the UN, and how it gets reconciled with competing socio-technological norms as well.

Emerging threats: motivation and liability games

Both the OEWG (including the Chair’s summary) and the GGE have expanded the scope of their emerging threats sections to discuss the broader, ever-evolving threat context for these discussions. For one thing, indeed it is no news that new military cyber capabilities are being developed by an increasing number of countries, despite, and in parallel with, the process of agreeing on voluntary norms ‘to avoid and refrain from the use of ICTs not in line with the norms of responsible state behaviour’ (GGE report, para 16) (United Nations Citation2021c). At the same time, a reference is made to the emerging technologies and that ‘their ever-evolving properties and characteristics also expand the attack surface, creating new vectors and vulnerabilities that can be exploited for malicious ICT activity’ (GGE report, para 11) (United Nations Citation2021c). While detailed discussion of the possible implications of this technological evolution is beyond the scope of this work, it is important to stress that only the Internet of Things is mentioned in the texts, possibly as a catch-all phrase for the threats brought about with new technologies and an increased interconnectedness. Yet, while it is impossible to predict the next big tech-disruption, it looks probable that, for instance, artificial intelligence (AI) might seriously rock the norms-building boat, since its speedy adoption as a technology runs ahead of the regulatory and norms-building efforts – for a number of reasons mentioned below. And while the UN processes might not be intended to account for the latest emerging threats, the resulting gaps in risk assessment for global peace and security might be significant.

AI systems could be seen as an amplifier in the cybersecurity context. In ENISA terms, they have ‘a multi-dimensional relationship and a series of interdependencies’ (ENISA Citation2020). AI affects cybersecurity and there are cybersecurity challenges for AI systems – both positive, as an advanced toolset for the cyber defence of both private and public entities, and negative, whereby the same extra functionalities can be put to malicious use or cyber offence by state or non-state actors. In this technical sense, AI is yet another dual-use cluster of technologies, which implies certain technical, political and ethical governance challenges. For example, in the cybercrime context, AI-powered cyberattacks are an active research field (Europol Citation2020) revealing the repertoire which is available to a range of adversarial actors, both state and non-state. These enhanced capabilities might have significant implications for the international peace and security context.

In a broader socio-economic sense, AI is likely to qualify as a transcending trend, widening the inequality gap even further as the main economic powers rush to adopt AI to gain market share (Council of Europe Citation2021). As with any other new emerging technology, there are trade-offs for ethical, trust and security considerations, and these are catching up with the technical advances via policy and regulatory responses in national (NSCAI Citation2021), regional (European Commission Citation2021) and global (Interpol Citation2020; OECD Citation2019) contexts. However, the battle for global economic (and military?) supremacy is already on as the leading world powers embrace AI and the extra capabilities it offers. In this sense, the existing major cyber players have a competitive advantage to enhance their cyber capabilities with AI, competing among themselves and increasing the gap with the rest of the world. For example, China has an edge in training data with its uninhibited access to the wealth of its citizens’ data, a ‘luxury’ that most democracies can’t ‘afford’. In the meantime, the US capitalises on its microchip industry and algorithm development (Feldstein Citation2019).

The peace and security sense of the AI-enhanced cyber capabilities so far feels like a promise of a new round of arms race. There’s a strong initial push to develop AI-driven cyber defence and offence capabilities, even though there are already recommendations being developed on limiting the autonomy that AI inter alia would bring to weapons systems (Boulanin et al. Citation2020). There are also calls for concerted and targeted international effort to counter the sorts of global risks created by AI in ‘high-consequence’ uses of AI, including nuclear operations, lethal autonomous weapons, crisis stability and swarm combat (Pauwels Citation2019). A shift of responsibility to a decision-making algorithm is an unpredictable and risk-bound property of AI systems that makes them problematic in the context of state commitments to responsible behaviour. So far, beyond the academic and some national efforts, the broader international community still seems to be far from the consistent normative processes already under way in the field of ‘conventional’ cybersecurity. At the same time, this dynamic potentially throws a shadow onto the implementability of the mutual agreements made in the UN and elsewhere to ensure cyber stability.

Given the ongoing development of AI-powered cyber capabilities and in the absence of any specific agreements on AI use in the context of international security, it might be useful, inter alia for the next OEWG, to explore how the evolving AI cyber defence and cyber offence tools might entail national strategy changes concerning the use of ICTs to avoid conflict in cyberspace with implications for international peace and security. With the already blurry line between cyber offence and cyber defence, cyber capabilities driven by algorithmic decision-making might complicate the concept of agency and responsibility in a cyber incident. If the AI-based decision-making lacks explicability and/or transparency, due to a certain (also possibly mistaken or hacked) AI-based configuration in the management and operation of the cyber assets, a fatal decision can be taken without a direct link to a state as the primary subject of the existing recommendations and agreements. The question remains open, however, whether the UN processes discussed here are the appropriate place for such granular analysis, but it’s a ‘how’ rather than a ‘whether’ question. And the extension of the norms-building spirit from the UN arena onto the AI domain seems to be largely failing so far in the peace and security context.

Conclusion

While this article has not attempted a comprehensive analysis of all the implications of the work done by the OEWG and the GGE at this stage, it is important to highlight several far-reaching, paradigmatic shifts brought on by the ‘normalization’ of responsible state behaviour in the field of ICT use, and especially the resulting interplay of political and socio-technical norms. Some are very symptomatic of the past couple of years, as the real value of the stability and resilience of the internet and ICTs suddenly became obvious when translated into human lives at risk. The UN processes are slow, limited in scope and far from exhaustive on this subject, yet they continue to nurture a field and vector of thought. They are seemingly far away from the technical community, but indirectly contribute to the formation of its accountability practices in the face of cybersecurity challenges through the broader norms-building discourse which has emerged over time with the help of other players and platforms. And it will certainly be interesting to see where this interplay between tech-responsibility and tech-regulation leads in the DNS world in particular. For example, the Transparency Reporting format evolved from one of Google’s free-time creative projects back in 2009 into a tech-industry accountability format, triggered by Snowden’s revelations in 2013, when internet companies started replicating it in an effort to boost consumer trust amid that surveillance crisis (Kulikova Citation2013). Seven years later, the new EU Digital Services Act provisions require all online intermediaries offering their services in the EU single market, whether they are established in the EU or outside it, to publish a transparency report (European Commission Citation2020b).

Alongside these repercussions of the norms-building discussions, there are other areas which reveal the limitations of this influence. There often seems to be a disconnect between the norms of behaviour on the agenda and rampant cyber activity in the world, including with the use of various emerging technologies which seem to be outside the purview of the current global norms-building processes in cyberspace. That is the sort of activity that is incompatible with the agreements being made and at the same time which the current discussions of international law in cyberspace fail to properly qualify and address. And while it is impossible to take into account future cyber capabilities as they rapidly evolve, some of the existing ones might already challenge the meaningfulness of the agreements already made, by their technical nature. This catch-up game is not new, but the current technological advances are deep and comprehensive and will demand more collective goodwill and trust to make the cyber future more secure.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Notes on contributors

Alexandra Kulikova

Alexandra Kulikova is an ICT policy and cybersecurity researcher and an IT&Security professional. Alexandra Kulikova previously served as Head of Global Stakeholder Engagement for Eastern Europe and Central Asia at ICANN, leading the development and implementation of the regional engagement projects across stakeholder groups on a variety of topics, including global internet governance, global DNS security, stability and resiliency issues and DNS industry development. Prior to ICANN, she ran the research programme on global internet governance, international information security and cyber diplomacy at the PIR Center think-tank in Moscow, Russia. She holds an MSc (Hons) in Media and Communications Governance from the London School of Economics and Political Science as well as a graduate degree (Hons) in Linguistics and Multicultural Communication from Moscow State Linguistic University.
