Cybersecurity has quickly become a key priority area for many countries. The Russian-linked hacking of SolarWinds’ network configuration software last year, as nefarious and severe as it may have been, is but the latest in a stream of high-profile, state-sponsored cyber incidents that have long troubled policymakers and other stakeholders. The threat that such incidents pose to national security highlights the urgency with which states must tackle this transnational problem. Several of them, including Singapore, have responded by reinforcing their cyber defenses and strengthening their organizational capacities in recent years.
Internationally, an effort to develop cyber norms has been underway since 2004 to regulate state behavior and increase stability within the cyber domain. However, rivalries between the United States of America, Russia, and China and their competing visions of cyberspace have resulted in an impasse—threatening a bifurcation of international cyber norms, in terms of both process (i.e., the means through which nations and international organizations make decisions on cyber norms) and outcome (i.e., the cyber norms that will be formed). Singapore thus risks being left in a precarious position, given the importance of a multilateral and rules-based order to its continued survival.
Maintaining Singapore’s international space for the pursuit of its national cybersecurity interests is therefore of critical concern. To that end, Singapore must strive for inclusive international approaches and be proactive in facilitating regional cooperation that could inform a broader global consensus. This is crucial to prevent it from losing its agency or relevance on the world stage.
Cyber Norms and the Fragmentation of Consensus
Cyber norms refer to standards and expectations of appropriate behavior in cyberspace. They are seen as the basic building blocks of cybersecurity that define acceptable cyber activity between states. This involves establishing the parameters within which countries are allowed to conduct cyber operations or to retaliate against cyberattacks. Consequently, they also act as a deterrent against malicious cyber activities by state actors.
Similar norms already exist in other domains, articulated through articles of international law. For example, the Law of Armed Conflict (LOAC) governs the conduct of hostilities among states. However, translating and applying these legal principles to cyberspace has proven challenging for two main reasons. Firstly, the amorphous nature of cyberspace, with its sprawling network architecture, makes it difficult to attribute cyber operations to specific actors. Secondly, accurately assessing the consequences of cyber operations is complicated by the interconnected and communal character of the domain. Effects can often go undetected or have unforeseen and far-reaching implications.[1] These problems affect the accountability and enforceability of any attempt to introduce norms that determine thresholds and redlines in instances of cyber conflict. Informal rules of conduct in cyberspace like those of the Tallinn Manual[2] have been introduced, but with no codified international consensus, states have occasionally taken a subjective view of what is lawful. This absence of clear boundaries for warfare has created a “grey zone” for conflict, where actors can conduct cyberattacks below a threshold deemed not to warrant escalation.
In this vein, discussions at the United Nations (UN) have gone some way to advance the conversation on cyber norms. In particular, the UN Group of Governmental Experts (UNGGE) has convened periodically since 2004. Meetings between 2012 and 2015 have yielded some important steps forward, including a consensus recognizing the general applicability of international law to cyberspace. However, the 2016-17 UNGGE was marked by the failure to achieve a consensus report. This setback reflected not only fundamental disagreements about the precise application of international law (in relation to the LOAC) to inter-state cyber conflict but also deep-rooted differences in values and approaches among leading cyber powers. On one hand, some states advocate the need for a free and open cyberspace governed by a global regime of prevailing international frameworks. Others instead emphasize sovereignty and state control, while working to preserve the asymmetric advantages afforded by cyberspace.[3] This misalignment significantly hampers efforts to define responsible state behavior, to the benefit of state actors seeking to leverage such procedural rules for the advancement of their own interests.[4]
As a result, in 2018 the UN General Assembly adopted two separate resolutions on the actions of states in cyberspace. One resolution, tabled by the US, renews the mandate of the UNGGE to continue studying how international law applies to state action in cyberspace and identify ways to promote compliance with existing cyberspace norms. The other resolution, tabled by Russia, establishes an Open-Ended Working Group (OEWG) to offer consensus-based negotiations open to all member states for identifying new norms and to encourage regular institutional dialogue across different initiatives.[5]
This dual approach presents competing visions of how states should operate in cyberspace. The Western-led UNGGE has a smaller membership and time-bound mandate that aims to establish agreement on cyber norms for international compliance, while the OEWG led by Russia and China does not impose any requirement on membership, outcome, or compliance.[6] This divergence threatens to fragment the negotiation process into two parallel groups with diametrically opposed principles and to pressure member states to align with either of the two main narratives led by these blocs.[7] Specifically, it indicates a worrying trend of bifurcation that threatens to crowd out Singapore’s maneuvering space.
The Implications for Singapore
For Singapore, the risks of any continued polarization of the cyber norms debate are substantial. It can severely weaken the existing rules-based order which provides the conditions conducive for Singapore’s survival, considering the relative disparity of Singapore’s international clout vis-à-vis larger states. Polarization would also greatly undermine Singapore’s ability to remain relevant as an innovative and involved player, amidst the dominance of consensus-building processes by major powers and their agendas. More importantly, the establishment of any politicized dichotomy hinders Singapore’s pursuit of its national interests, by curtailing the degree to which it can manage diplomatic pressure and exercise its agency in international fora.
These constraints have domestic consequences as well. The effective implementation of Singapore’s Smart Nation Initiative is underpinned by a secure cyber environment that imposes normative taboos on irresponsible state behavior. Similarly, Singapore’s attractiveness to technology and data companies is dependent on a safe and stable cyberspace. As underscored by Minister for Communications and Information S. Iswaran, “All our international partners have recognized the benefits of this digital advancement…but equally they’ve also emphasized the need for international cooperation to ensure a secure and trusted digital environment that will support this progress.”[8] Singapore must thus continue contributing to the development of a cyberspace beneficial to its interests.
The Cyber Security Agency (CSA), Singapore’s lead agency for cybersecurity, has been active on this front. Since it released its inaugural cybersecurity strategy in 2016, CSA has spearheaded a slew of bilateral and multilateral agreements with partner countries like Germany and Australia.[9] These agreements promote confidence-building measures and strengthen cooperation, which gives Singapore an avenue to share its views and seek alignment with like-minded nations. Most notably, Singapore hosts the annual Singapore International Cyber Week, which facilitates knowledge exchanges on key cybersecurity issues and provides a platform for building consensus on international law and developing cyber norms.
However, the trend of bifurcation in cyber norms is unlikely to disappear soon, given the distance in positions between both the US- and Russia/China-led blocs. It is therefore of paramount importance that Singapore finds ways to safeguard and enhance its international position, to navigate the splintering global cyberspace landscape. It can do so with a three-tiered strategy.
Recommendations
At the UN-level, Singapore should utilize its existing diplomatic engagements to position itself as a bridge-builder to foster dialogue between the two competing blocs. As a country with friendly relations with all major powers, and a participant in both groupings, Singapore is well-placed to promote understanding and communication. This should be done with a view to avoid entrenchment of this division and seek common ground to be expanded upon. This also helps to prevent the attendant political antagonisms from taking root and stave off fatalistic calculations that would inhibit inclusive frameworks. It should do so by playing a more active role in both the UNGGE and the OEWG, and working with the groupings’ smaller members to represent the perspectives that might be drowned out in the contestation of big powers. The UN Group of Friends on e-Governance and Cybersecurity and UN Group of Friends on Digital Technologies, which are both co-chaired by Singapore, are also ongoing UN-level coalitions that can augment the discussions of the UNGGE and OEWG.
At the multilateral level, Singapore should be proactive in supporting and initiating alternative platforms for the discussion of cyber norms. This entails empowering non-traditional voices, such as those of smaller states and non-state parties, with broader opportunities for the contribution of norms. There are already multiple fora and formats to leverage here, from expert commissions like the Global Commission on the Stability of Cyberspace (GCSC) to industry coalitions and multi-party collectives. Singapore has significant expertise here, having contributed to the 2018 publication of the GCSC Singapore Norms Package of six critical norm recommendations for cyberspace.[10] These platforms can help to encourage a kind of international pluralism that prevents the institutionalization of conflict between the UNGGE and OEWG. They can also recalibrate UNGGE and OEWG negotiations towards more realistic objectives, and strengthen the representation needed to ensure non-exclusionary decision making.[11] This increasingly diverse ecosystem of norm creation should be treated as an opportunity to widen the range of stakeholders and deepen mutual understanding of their various concerns.[12]
Lastly, at the regional level, Singapore should intensify its efforts to enhance collaboration on cyber norms within the Association of Southeast Asian Nations (ASEAN). Focusing on consensus-building within ASEAN can help states better navigate the unique contexts and cultures that color any attempt to define basic cyberspace rules.[13] This can subsequently provide a blueprint for managing such tensions on a larger scale. We saw an example of this last year when Singapore announced its cooperation with the UN to develop a Norms Implementation Checklist. This checklist was built on a chart developed by ASEAN in 2019 to implement the norms recommended by the 2015 UNGGE.[14] Moving forward, Singapore should double-down on its capacity-building and information-sharing efforts to encourage consensus among ASEAN states. Regional agreement on areas of commonality could then inform a broader consensus internationally, and sustain the momentum needed to tackle more contentious norms. This also bolsters Singapore’s value-add to ASEAN, which serves as a vital platform for overcoming its many geographical and diplomatic limitations. Greater involvement in, and increased cooperation within, ASEAN can then only contribute to a more stable external environment for Singapore’s economic and foreign policy.
Conclusion
The challenges that surfaced in the UNGGE process crystallized the underlying tensions among the major players involved and set the tone for subsequent international discussions on cyberspace conduct. This is the cyber landscape that Singapore now has to grapple with for the foreseeable future—one which features a division between leading cyber powers that threatens to endanger the formation of a stable and secure cyberspace, whatever an eventual consensus on cyber norms may look like.
Singapore’s geopolitical position and limitations as a small state constrain the policy options it has to significantly influence the global debate on cyber norms. However, the stake it holds in this debate means that it must try. Singapore must harness its intrinsic strengths to expand its diplomatic space on the international stage and make concerted efforts to engage at all levels. By advocating for inclusive frameworks that narrow divides and amplify its voice, Singapore will then be able to adroitly navigate the space in-between.
Disclaimer: The views expressed in this article are the author’s own, and do not represent those of the Singapore Armed Forces.
Endnotes:
[1] Jacquelyn G. Schneider, “Deterrence in and through Cyberspace,” in Cross-Domain Deterrence (Oxford University Press, 2019), 113.
[2] The Tallinn Manual is the product of an academic attempt by scholars and practitioners, led by Michael Schmitt of the US Naval War College, to identify and explore the applicability of international law to cyberspace. It sets out rules which participants agree upon unanimously, records areas of disagreement, and provides extensive commentary on the basis and interpretation of international law in cyberspace; Michael Schmitt, ed., “The Use of Force,” in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge, UK: Cambridge University Press, 2017), 339.
[3] Paul Meyer, “Norms of Responsible State Behaviour in Cyberspace,” in The Ethics of Cybersecurity, ed. Markus Christen, Bert Gordijn, and Michele Loi, vol. 21, The International Library of Ethics, Law and Technology (Switzerland: Springer International Publishing, 2020), 353.
[4] Mark Raymond, “Confronting the Ubiquity of Norms in Cyberspace and Cyber Governance,” Lawfare, March 17, 2020, https://www.lawfareblog.com/confronting-ubiquity-norms-cyberspace-and-cyber-governance.
[5] Alex Grigsby, “The United Nations Doubles Its Workload on Cyber Norms, and Not Everyone Is Pleased,” Council on Foreign Relations, November 15, 2018, https://www.cfr.org/blog/united-nations-doubles-its-workload-cyber-norms-and-not-everyone-pleased.
[6] Elaine Korzak, “What’s Ahead in the Cyber Norm’s Debate?” Lawfare, March 16, 2020, https://www.lawfareblog.com/whats-ahead-cyber-norms-debate
[7] Sabina Frizell, “Cyberspace Needs Global Norms — Here’s Where to Start,” Fair Observer, February 4, 2020, https://www.fairobserver.com/more/international_security/cyberspace-global-norms-cybersecurity-technology-news-43240/.
[8] Yuen-C Tham, “Singapore, UN to Cooperate on Checklist for Countries to Implement Cyber-Security Norms,” The Straits Times, October 9, 2020, https://www.straitstimes.com/singapore/politics/singapore-un-to-cooperate-on-checklist-for-countries-to-implement-cybersecurity.
[9] “Singapore Signs Joint Declaration of Intent on Cybersecurity Cooperation with Germany,” Singapore Cyber Security Agency, August 30, 2018, https://www.csa.gov.sg/news/press-releases/singapore-signs-joint-declaration-of-intent-on-cybersecurity-cooperation-with-germany; “Singapore Renews MOU on Cybersecurity Cooperation with Australia,” Singapore Cyber Security Agency, March 23, 2020, https://www.csa.gov.sg/news/press-releases/singapore-renews-mou-on-cybersecurity-cooperation-with-australia.
[10] “Norm Package Singapore.” Global Commission on the Stability of Cyberspace, November 2018.
[11] Fabio Cristiano, “The Road Toward Agonistic Pluralism for International Cyber Norms,” Council on Foreign Relations, July 6, 2020, https://www.cfr.org/blog/road-toward-agonistic-pluralism-international-cyber-norms.
[12] Tim Maurer et al., “Cyberspace and Geopolitics: Assessing Global Cybersecurity Norm Processes at a Crossroads,” Carnegie Endowment for International Peace, February 26, 2020, https://carnegieendowment.org/2020/02/26/cyberspace-and-geopolitics-assessing-global-cybersecurity-norm-processes-at-crossroads-pub-81110.
[13] Christy Un, “It’s Time for the Asia-Pacific to Move Toward Regional Cyber Norms,” The Diplomat, October 14, 2020, https://thediplomat.com/2020/10/its-time-for-the-asia-pacific-to-move-toward-regional-cyber-norms.
[14] Tham, “Singapore, UN to Cooperate on Checklist for Countries to Implement Cyber-Security Norms.”
—-
Image credit: The Hill.