Normative Taboos

The last method of deterrence referenced by Nye is through norms and taboos. Initially, one can look to nuclear weapons and chemical and biological weapons as historical examples of weapons that have developed norms and taboos regarding usage. With regards to nuclear weapons, Nye notes how initially they were considered usable even in limited conflicts.⁷³ However, over time and after many treaties and agreements their usage has become restricted.

Further, there are now clear taboos with regards to developing nuclear weapons programs as seen in global responses to Iranian and North Korean nuclear programs. With regards to chemical and biological weapons, he notes that they as well have undergone this process and are now restricted by international treaties and agreements. However, as a caveat, it is noted that some states will still pursue and use these taboo weapons. Syria and Iraq are offered as examples of offender states that have seen international responses due to their transgressions. Further, Nye notes that due to the image of these weapons, states risk reputational costs if it is found they are breaking norms and taboos. All of these separate examples provide a starting point when analyzing the United States and its development of norms and taboos in working to deter cyber attacks.

The United States has been working to develop cyber norms for the past several years.

However, much of the language and style of development it wishes to use runs counter to those wished for by other powers, such as Russia and China. This mismatch culminated in 2017 at the conclusion of the United Nations Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security. It was

73 Nye, 60

there that the United States' efforts to codify cyber norms into international law was rejected.⁷⁴ However, while sweeping legal and norms developments failed there has been progress at a smaller scale. For example, in 2015 the United States and China agreed to not engage in economic cyber espionage.⁷⁵ These bilateral agreements may pave the way for future multilateral agreements and norms development. In addition, rather than undertaking system wide legal agreements, the United States has made norms development progress by voluntarily promoting non-legally binding codes of conduct. For example, the United States has supported the view that the internationally recognized laws of armed conflict (LOAC) should apply in cyberspace.⁷⁶ These laws prohibit deliberate attacks on civilians. In addition, the United States has supported a ban on targeting civilian facilities in peacetime. As Nye notes, this is not a pledge of no first use of cyber weapons, but rather is pledging to not use cyber weapons against civilians or civilian facilities in peacetime.⁷⁷ This more lax approach to norms building saw some success at the GGE in 2015, where that years report discussed reducing attacks on civilians rather than developing binding legal codes.⁷⁸ Although, as noted earlier, when more solid legally binding agreements

74U.S Department of State. Office of the Coordinator for Cyber Issues. "Explanation of Position at the Conclusion of the 2016-2017 UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security." News release, June 23, 2017.

https://www.state.gov/s/cyberissues/releasesandremarks/272175.htm.

Väljataga, Ann. "Back to Square One? The Fifth UN GGE Fails to Submit a Conclusive Report at the UN General Assembly." NATO Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia. September 1, 2017.

https://ccdcoe.org/back-square-one-fifth-un-gge-fails-submit-conclusive-report-un-general-assembly.html.

75Nakashima, Ellen, and Steven Mufson. "U.S., China Vow Not to Engage in Economic Cyberespionage." The Washington Post.

September 25, 2015.

https://www.washingtonpost.com/national/us-china-vow-not-to-engage-in-economic-cyberespionage/2015/09/25/90e74b6a-63b9-11e5-8e9e-dce8a2a2a679_story.html?noredirect=on&utm_term=.87b9f0d10a53.

76 Nye, 61

77 Nye, 61

78 United Nations, General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, Report of the Group of

Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174, 22 July 2015

http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174

were suggested in 2017, certain parties balked. A reason for Russian and Chinese reluctance to embrace codified legal cyber developments is likely the inherent power of the United States in the cyber realm. If retaliatory measures and guidances were written into international law, this would make cyber espionage operations against the United States possibly much more costly.

Further, United States written law would most certainly strategically favor United States interests.

If lower level norms development continues, future cyber attacks may become more and more taboo. In particular, cyber attacks that could be construed as violating sovereignty may be met with stiff consequences. In the United States case, following 2016 election manipulation, the Obama administration responded with sanctions against Russia. This will be helped as attribution technology improves, and as more victim countries cooperate to transparently acknowledge and respond to cyber incursions. An example of this transparency can be seen with responses to attacks from APT28: FancyBear. The hacking group, likely of Russian origin, has been associated with the 2016 United States election hacking, possibly hacking into the German defense and interior ministries in 2018, and hacking into multiple Olympic Games likely in response to Russian athlete doping bans.⁷⁹ Over time, governments, non-government organizations, and the press have become more sophisticated in their analysis and open about hacks. This has helped push a narrative of Russia as an aggressive cyber nation and the United

79Harding, Luke, and Alec Luhn. "Putin Says Russian Role in Election Hacking 'theoretically Possible'." The Guardian.

June 1, 2017. https://www.theguardian.com/world/2017/jun/01/putin-says-russian-role-in-election-hacking-th

eoretically-possible.

Perper, Rosie. "Russian Hacking Group Fancy Bear May Have Spied on Germany's Government." BusinessInsider. February 28, 2018. http://www.businessinsider.com/russian-hackers-fancy-bear-germany-cyber-attack-2018-3.

Matsakis, Louise. "HACK BRIEF: RUSSIAN HACKERS RELEASE APPARENT IOC EMAILS IN WAKE OF OLYMPICS BAN." Wired. October 1, 2018. https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/.

States and other western countries as victims. In response, the United States and others have a precedent to respond to hacking with economic sanctions or through other means and offenders must deal with reputation costs in international society. Over time, these aggressive actions will likely become more and more taboo, and the cost/benefit analysis of cyber incursions will correspondingly change due to increased reputational costs.

The development of norms and taboos in cyberspace is still in flux. However, it should be noted that it took multiple decades for the first nuclear agreements to be signed, as well. The United States has approached deterrence through norms and taboo development by engaging in lower level bilateral agreements, by attempting to codify norms into international law, and by punishing transgressions in a systematic fashion. Development of norms and taboos has been aided by the more and more transparent responses to hacks and cooperation between governments, that aids in attribution and takes control of the narrative. Norms and Taboos are not currently as strong a deterrent as the conventional options discussed above; however, in the future they may gain in power.