Lecture on the different cyber norms frameworks for responsible state behaviour in cyberspace - describing Paris Call, Charter of Trust, Microsoft Digital Geneva Convention, Tech Accord, GCSC, Shanghai SCO, UN GGE, UN OEWG - explaining each of the 11 cyber norms from the UN GGE 2015 meeting, and concluding with a case study on ASEAN's approach to international law in cyber operations

1. A Framework
of Responsible
State
Behaviour in
Cyberspace
Benjamin Ang
Senior Fellow,
Cyber and Homeland Defence
Deputy Head,
Centre of Excellence for
National Security
(CENS), RSIS, NTU
Twitter @benjaminang

2. The 11 UNGGE 2015 Norms
Good practices
• cooperate to increase stability
and security
• consider all relevant
information in incidents;
• assist each other to prosecute
terrorists and criminals
• protect own critical
infrastructure;
• respond to requests for
assistance
• encourage responsible
reporting of ICT vulnerabilities
Limiting norms
• not damage others’ critical
infrastructure;
• not harm another state’s
CERT/CSIRTS;
• not allow territory to be used to
attack;
• ensure supply chain security,
prevent proliferation of
malware;
• respect human rights / right to
privacy

3. Other international initiatives
• All of these entities
also participated in
the UN OEWG
Intersessional Multi-
stakeholder Meeting
and
proposed their views
there

4. Private sector initiatives -
Microsoft: Digital Geneva Convention

5. Private Sector initiatives
–Charter of Trust
• Calls for binding rules and
standards to build trust in
cybersecurity
• 16 members: Munich Security
Conference, NTT, AES,
Airbus, Allianz, Atos, Cisco,
Daimler, Dell Technologies,
Deutsche Telekom, IBM, NXP,
SGS, Total and TÜV Süd
• Already implementing projects
for cyber threat info sharing
and supply chain security

6. Multi-stakeholder initiatives –
Global Commission on the Stability of
Cyberspace (GCSC)
• 26 Commissioners
from government,
industry, technical
and civil society
• Initiated by think
tanks Hague Centre
for Strategic Studies
(HCSS) and
EastWest Institute
(EWI)
• Funded and
supported by
governments,
corporations,
universities, and the
United Nations
Institute for
Disarmament

7. GCSC Calls (Norms)
• Protect the public core of the Internet
• Protect electoral infrastructure
• Avoid tampering
• No botnets

8. GCSC Calls (Norms)
• Report vulnerabilities
• Reduce vulnerabilities
• Ensure basic cyber hygiene
• No offensive actions by non-state
actors

9. Paris Call for Trust and Security in
Cyberspace
• Non-binding declaration for development of
common principles for securing cyberspace
• Launched in November 2018 at the Internet
Governance Forum by President Emmanuel
Macron of France
– Neither the “Californian Internet” (all corporate) nor
the “Chinese Internet” (all government)
• 564 official supporters: 67 States, 139
international and civil society organizations, and
358 private sector

10. Paris Call – 9 Principles to limit
hacking and destabilising activities
1. Protect individuals and infrastructure
2. Protect the Internet
3. Defend electoral processes
4. Defend intellectual property
5. Non-proliferation of malware
6. Lifecycle security
7. Cyber hygiene
8. No private hack back
9. International norms

11. Cyber Tech Accord
• Protect all of our users and
customers
• Oppose cyberattacks on
innocent citizens and
enterprises
• Help empower users,
customers and developers
to strengthen cybersecurity
protection
• Partner with each other and
with likeminded groups to
enhance cybersecurity

12. International Code of
Conduct for Information
Security (the “Code”)
• International
effort to develop
norms of
behaviour in the
digital space
• Proposed by
member states
of the Shanghai
Cooperation
Organization
(SCO)
• Submitted to the
UN General
Assembly in
2011 and 2015

13. SCO and UN
• “Bears in mind” the recommendations of the UN
Group of Governmental Experts on
Developments in the Field of Information and
Telecommunications in the Context of
International Security (UN GGE)
• Proposes that “additional norms could be
developed”
• Members of SCO are also participating in the
United Nations Open Ended Working Group (UN
OEWG)

14. L.27
OEWG
UNGGE 2013
A/68/98
International law,
and in particular
the Charter of
the United
Nations, is
applicable
UNGA A/RES/71/28
adopts Norms and
International Law
UNGGE 2015
A/70/174
Offered non-
exhaustive views
on how
international law
applies to the
use of ICTs by
States
ASEAN AMCC 2018
Agreed in principle
that international
law is essential
CSCAP Study Group
on International Law
and Cyberspace
identified areas for
study
The EU recalls that
International law
and in particular
the UN Charter, is
applicable
Regional
Consultations
ASEAN Regional
Forum (1-3 Oct)
Organization of
American States
(15-16 Aug 2019)
African Union
(11 Oct 2019)
ASEAN/US Leaders
Statement 2018
reaffirmed that
international law is
essential
OAS International
Law Department
circulated in 2019 a
Questionnaire on
international law
ICRC international
humanitarian law
applies to cyber
operations during
armed conflict
Singapore funds,
establishes ASEAN
Singapore Cyber
Security Centre of
Excellence
Context of the OEWG

15. WHAT DO THE 11 NORMS
MEAN?

16. 13(a)
Cooperation to
increase stability
and security
States should cooperate
in developing and
applying measures to
increase stability and
security in the use of
ICTs and to prevent ICT
practices that are
acknowledged to be
harmful or that may pose
threats to international
peace and security;
Let’s
cooperate!

17. 13(b)
Information
for Attribution
In case of ICT incidents,
States should consider
all relevant information,
including the larger
context of the event, the
challenges of attribution
in the ICT environment
and the nature and
extent of the
consequences;
Let me check
before I
blame…

18. FIRELAND
Wrongful attribution
WATERLAND
(not aware)
AIRLAND
INFECTED
INFECTED
We’ve been cyber-
attacked! Where
did it come from?
The malware
must have
come from
WATERLAND!

19. FIRELAND
Dangers of Wrong Attribution
WATERLAND
(not aware)
AIRLAND
INFECTED
INFECTED
WATERLAND, we will
take countermeasures
against you!
We’re
innocent!
Ha ha ha
(evil
laughter)
Is AIRLAND in breach
of International Law?

20. 13(c) Do not allow
Territory to be
used for
Wrongful Acts
States should not
knowingly allow their
territory to be used for
internationally wrongful
acts using ICTs;

21. FIRELAND
Do NOT do this
WATERLAND
AIRLAND
I shall attack
AIRLAND
INFECTED
INFECTED
Hey FIRELAND,
you can use our
servers

22. FIRELAND
Does it apply to this case? (2)
WATERLAND
AIRLAND
I shall
attack
AIRLAND
INFECTED
INFECTED
We are not
aware of
anything

23. FIRELAND
Does it apply to this case? (3)
WATERLAND
AIRLAND
I shall
attack
AIRLAND
infected
infected
We are not
aware of
anything
Hey WATERLAND,
your servers are
attacking us!
Oh No! We
don’t have
capacity!

24. 13(d) Cooperation
in exchanging
info,prosecuting
terrorists, crime
States should consider
how best to cooperate to
exchange information,
assist each other,
prosecute terrorist and
criminal use of ICTs and
implement other
cooperative measures to
address such threats.
WATERLAND
Please help us to
catch the Evil
Clown Hacker
AIRLAND
We caught him
for you!

25. 13(e) Respect for
Human Rights
States, in ensuring the
secure use of ICTs,
should respect Human
Rights Council resolutions
20/8 and 26/13 on the
promotion, protection and
enjoyment of human
rights on the Internet, as
well as General Assembly
resolutions 68/167 and
69/166 on the right to
privacy in the digital age,
to guarantee full respect
for human rights,
including the right to
freedom of expression;

26. A State should not
conduct or knowingly
support ICT activity
contrary to its obligations
under international law
that intentionally
damages critical
infrastructure or
otherwise impairs the
use and operation of
critical infrastructure to
provide services to the
public;
13(f) Not damage
Critical
Infrastructure
FIRELAND
WATERLAND
We know you
hacked our
power stations
AIRLAND
That’s not
acceptable

27. 13(g) Protection
of Critical
Infrastructure
States should take
appropriate measures to
protect their critical
infrastructure from ICT
threats, taking into
account General
Assembly resolution
58/199 on the creation of
a global culture of
cybersecurity and the
protection of critical
information
infrastructures, and other
relevant resolutions;

28. 13(h) Help others
to protect
Critical
Infrastructure
States should respond to
appropriate requests for
assistance by another
State whose critical
infrastructure is subject to
malicious ICT acts. States
should also respond to
appropriate requests to
mitigate malicious ICT
activity aimed at the
critical infrastructure of
another State emanating
from their territory, taking
into account due regard
for sovereignty
My hospitals and
power stations are
getting hacked!
Help!
WATERLAND
Okay, we’re on the
way!
AIRLAND

29. 13(i) Supply Chain
Integrity /
Non-
Proliferation
States should take
reasonable steps to
ensure the integrity of
the supply chain so that
end users can have
confidence in the
security of ICT products.
States should seek to
prevent the proliferation
of malicious ICT tools
and techniques and the
use of harmful hidden
functions;
Let’s put a Back
Door in this network
product before we
export it
No, we
shouldn’t do
that!

30. 13(j) Report
Vulnerabilities
States should encourage
responsible reporting of
ICT vulnerabilities and
share associated
information on available
remedies to such
vulnerabilities to limit
and possibly eliminate
potential threats to ICTs
and ICT-dependent
infrastructure;
We discovered a
Back Door in this
popular software
Thank you for
telling the public

31. 13(k) CERTS
States should not
conduct or knowingly
support activity to harm
the information systems
of the authorized
emergency response
teams (sometimes
known as computer
emergency response
teams or cybersecurity
incident response
teams) of another State.
We’re supposed to
protect people!
Don’t attack us!

32. 13(k) CERTS
A State should not use
authorized emergency
response teams to
engage in malicious
international activity.
We’re
supposed to
protect people,
not hack them!
I want you to
hack the
WATERLAND
hospitals

33. Observations from Cyber Norms
capacity building activities
(Manila, KL, Sydney)
• Different countries (and different ministries within
countries) have different interpretations: Scams?
Cyber pornography? Fake news? Hacking?
• Many countries have no cyber agency
• Very senior officials across different sectors are
interested, and should be included
• There is still a need for clarity on what cyber
norms can achieve
• Track II has a key role in cyber capacity building

34. Case Study: ASEAN
• ASEAN needs Cyberspace, because Digital
Transformation can bring economic progress for all
Member States
• BUT Member States have different levels of cyber
maturity – see the ASPI and EU Cyber Direct reports
on Cyber Maturity in Asia Pacific region
• AND cyber attackers will attack ASEAN through the
weakest Member States e.g. through the ASEAN
Smart City Network
• So Capacity Building is needed

35. ASEAN Ministers Cybersecurity
Conference (AMCC) agreed …
• 2016: Agreed on value of
practical cybersecurity norms
of behaviour in ASEAN
• 2017: Supported development
of basic, operational and
voluntary norms
• 2018: Singapore would
propose a mechanism to
enhance ASEAN cyber
coordination
• 2019: Agreed to move forward
on a formal cybersecurity
coordination mechanism

36. 2020 AMCC announced:
• Singapore + United
Nations will draw up a
checklist of steps to
implement cyber norms
• e.g. legal frameworks
and sharing networks
• ASEAN will share its
experience and
knowledge with the UN

37. What next for ASEAN?
Capacity Building
Programmes
• ASEAN-Singapore Cyber
Centre of Excellence
• ASEAN-Japan
Cybersecurity Capacity
Building Centre in
Thailand
• Singapore/US State Dept
Third Country Training
Program (TCTP)
• UN-Singapore Cyber
Diplomacy Course
Confidence Building
Measures
• Joint training between
Member States to
improve communication
• Sharing cyber threat
information (between
CERTS)
• Contact list

38. A Framework for
Responsible State Behaviour
Norms
• Agree on
what is
acceptable
state
behaviour
Laws
• Interpret
existing
laws
• Possibly
create new
ones
Rules
• Responsible
states
follow
rules-
based
order in
cyberspace