Lawmakers notch win in fight for global cyber laws

Lawmakers notch win in fight for global cyber laws

Lawmakers pushing for global cyberspace norms have scored an early win.

The major cybersecurity bill that President Obama signed into law two weeks ago includes a clause requiring the State Department to publicly produce an international cyberspace policy within 90 days.

The edict is the product of months of cajoling from cyber-focused lawmakers on Capitol Hill, who regularly have warned that the lack of global cyberspace rules poses serious dangers.

ADVERTISEMENT
“Quite frankly there are no rules of the game right now and that’s part of the problem,” said House Homeland Security Committee Chairman Michael McCaul (R-Texas), who sponsored a standalone bill mirroring the cyber bill’s clause.

“Because there are no [cyber] norms, actions and responses are totally unpredictable,” Rep. Jim Himes (D-Conn.) told The Hill during a recent interview, calling the situation “inherently dangerous.”

Himes is the ranking member of the House Subcommittee on the National Security Agency (NSA). He recently sent a letter to the State Department with his subcommittee's chair, Rep. Lynn Westmoreland (R-Ga.), urging action on the issue.

But these lawmakers acknowledge it’s just the first step toward the ultimate goal: a Geneva Convention for cyberspace.

The Geneva Convention treaties have governed the rules of war for over 150 years. As assaults increasingly move into the digital sphere, many believe a similar set of ground rules are needed for cyber war. Himes and Westmoreland called for an “E-Neva Convention” in their letter.

“I think if you ask the secretary of State his priorities, this wouldn’t necessarily be top 3, and I’m not saying it should be,” he said. “I’m just saying it should probably be on the top 10.”

The section in the recently passed Cybersecurity Act of 2015 — which encourages businesses to share more data on hacking threats with the government — will push the State Department to make global cyber norms a greater priority.

The report mandated in the bill will include a number of elements.

Most notably, the agency must create a “plan of action” for how Secretary of State John KerryJohn KerryColombia's president is a foreign guest Trump should listen to Anti-ISIS cyber op struggled with issue of notifying allies How American compassion, vision and innovation can end the AIDS epidemic MORE will work to develop international cyberspace norms. The State Department will also have to provide an update on how it has implemented the White House’s 2011 International Strategy for Cyberspace, a wide-ranging document that focused on ways to preserve online privacy and the free flow of digital information.

Once the full report is finished, Kerry must brief the Senate and House on his strategy.

Shortly before the bill passed, McCaul told The Hill such work would help “define a lot of these terms of art” the administration has used to describe different types of cyberattacks.

For example, the White House deemed the bruising hack of Sony Pictures Entertainment “cyber vandalism,” and classified the mammoth intrusions at the Office of Personnel Management (OPM) as “cyber espionage.”

Himes added that it’s also vital to explain the difference between a “cyber crime” — stealing designs from aeronautics giant Boeing — and a “cyber act of war” — shutting down a city’s power grid for two weeks.

“None of these lines are drawn, and as a consequence, appropriate responses are unknown,” Himes said.

“If you don’t have clear lines there, an adversary might do something they think is a crime that turns out to be [an act of war],” he added.

The U.S. can then can take these “clear lines” to the international community, even digital nemeses like China, Russia and Iran.

“The Geneva conventions — good people and bad people sign up to them,” Himes said. “The point is that that’s not a negotiation in which you and adversaries are negotiating for relative positions. We’re setting ground rules that everybody agrees to abide by. A world where there are ground rules is a much safer world than a world where there’s not.”

The “E-Neva Convention” concept has bipartisan backing on Capitol Hill, and seems relatively uncontroversial.

“It’s an excellent idea,” House Intelligence Committee ranking member Adam SchiffAdam SchiffSchiff struck by Trump’s suggestion to 'deemphasize human rights' Sunday shows preview: Trump abroad as Russia probe heats up Lawmakers vow to move ahead with Russia probes MORE (D-Calif.) told The Hill. “I think we couldn’t start too soon. The problems are already enormous and are just going to get bigger. There is great danger of miscalculation.”

The Obama administration has also expressed support for similar concepts. This past summer, U.S. officials led the charge on a resolution affirming that the UN Charter applies to cyberspace. And just last week, the White House issued a new report on its strategy to lobby for greater international cybersecurity standards for businesses.

The White House has also been working to set global ground rules step-by-step.

During a September state visit from Chinese President Xi Jinping, the White House announced an agreement to eliminate corporate hacking for commercial gain. China has since struck similar deals with other countries like Britain.

But for Himes and others, the administration needs to move with more urgency. Progress through narrow, bilateral agreements is too piecemeal, lawmakers said.

“Until we actually have a convention signed, we’re behind,” Himes said.

“It’s an idea that’s time has certainly come,” Schiff said.

Many concede, however, that such a far-reaching Geneva Convention accord will need to overcome a number of obstacles.

Not only is public pressure for such action minimal, there are some potentially intractable disputes over how the international community should treat cyberspace.

China, for instance, is loathe to let other countries dictate its cyber policies. Beijing believes in “cyber sovereignty,” or the right to control one’s own cyberspace.

“China is much more prickly about international interference into domestic affairs than the U.S. is,” Himes said. “There will be arguments to be had.”

Brazil, India and Russia have expressed similar sentiments. The cyber bill’s clause addresses these disagreements, directing the State Department to review these countries’ “alternative concepts with regard to international norms in cyberspace.”

But perhaps the most contentious issue will be compliance.

There’s no universally accepted metric to track a country’s hacking activity. And proving a government coordinated a cyberattack is exceedingly difficult. The administration has repeatedly declined to publicly blame Russia or China for numerous intrusions at top government agencies, despite widespread evidence they were responsible.

Compliance has already been a major sticking point for some critics of the recent U.S.-China agreement on corporate hacking. While the White House insists it will track China’s adherence to the deal, officials have offered no assessment of the country’s performance despite security researchers uncovering evidence that Beijing is breaking its promise.

Ultimately, Himes worries it may take a highly visible, destructive cyber incident to spur a cyber-focused Geneva Convention.

“It’s one public disaster away,” Himes said. “And what I mean by that is we’re making very slow progress.”

“When something happens that is really very serious,” he added, “people will say, ‘Why didn’t we do this yesterday?’”