Australia and China have recently agreed to strengthen their bilateral cooperation in cybersecurity. Cooperation between states on cybersecurity is essential in order to combat cross-border cybercrime and to reduce the risks of inter-state cyberwar. Bilateral cybersecurity agreements between states can help build that cooperation. The real goal, however, should be to achieve multi-lateral consensus and agreement as a basis for a much needed Digital Geneva Convention.
The internet is a multi-stakeholder environment. Not only has it become central to businesses and individuals that operate across borders, but thanks to cyberspace the interactions of states are no longer as constrained by geography as they once. A network of bilateral agreements between multiple states can attempt to model that complexity and depth of relationships. However, differences between individual agreements and gaps of coverage between certain states that have no agreements can be exploited by cybercriminals and can also promote misunderstanding or mistrust between states. Multilateral approaches avoid this problem by creating a single, coherent approach, although they are harder to organize, as reconciling the needs and concerns of multiple states is not straightforward.
The Australia-China deal is a good thing, as both countries are undertaking to not conduct or support cyber-enabled theft of intellectual property (IP), trade secrets, etc. with the intent of obtaining competitive advantage. It echoes the US-China cyber agreement in many ways, which has been credited with a decline in attacks on the US emanating from China (notably those attacks have not stopped altogether).
Significantly Australia and China were clear that alongside their bilateral agreement they would observe multilateral “norms of behavior” that were created in July 2015 by the United Nations Group of Governmental Experts (UNGGE). These norms are the culmination of work over many years (with key reports in 2010 and 2013) to build a genuine international consensus on what responsible states should do and not do in cyberspace. They, and the work the UNGGE has continued to do since then, are extraordinarily important for delivering a workable Digital Geneva Convention.
The UNGGE is preparing for a further report in September of this year, which should be another important step on the road to a more stable and secure Internet. It is not the only international group helping to shape how states behave in cyberspace, and when you look at the range of organizations involved you can begin to detect a broad momentum towards a genuine multilateral agreement on cyberspace. Since 2013 the OSCE, for example, has worked through a series of confidence building measure (CBMs) that should enable states to minimize the risks of misunderstandings and reduce their fear of attack via cyberspace. Equally significant, in early April 2017 the G7 made a major declaration on responsible states behavior in cyberspace, calling explicitly on governments active in cyberspace to abide by laws, to respect norms of behavior, and to foster trust and confidence with other states.
Outside of the “West”, Shanghai Cooperation Organization (SCO) has made its own contributions, which were built on by the Sino-Russian cybersecurity agreement that emerged at around the same time as the bilateral US-China cybersecurity deal, with a similar bilateral pledge not to hack one another. The ASEAN Regional Forum (ARF) has also stepped up its engagement with the state-to-state engagement in cyberspace, running an ASEAN Cyber Capacity Program (ACCP) that builds member states’ capacities, skills base and incident response capabilities. And another regional group, the Organization of American States (OAS), passed a resolution the only a few weeks ago that committed members to increasing cooperation, transparency, predictability and stability in cyberspace through alignment with the UNGGE’s work.
These states and international fora have to be given immense credit for laying the essential foundations for the next, pressing step: the creation of a binding, multilateral agreement between states that protects civilians and civilian infrastructure in cyberspace. In other words, a Digital Geneva Convention. Bilateral agreements, such as those between China and Australia, are helpful and important, of course, but the emphasis for all those involved in cyberspace should be to support the UNGGE and other multilateral fora as they work to create and spread rules, principles and norms for governing state behavior in cyberspace.