May 19, 2015

Borscht, 北京烤鸭, and Apple Pie

Back in September, 2011, I blogged on a joint Chinese-Russian proposal of a voluntary International Code of Conduct for Information Security, as debuted at the 66th session of the UN General Assembly ( 

Key provisions of the 2011 joint cyber proposal – which seemingly fell on relatively deaf UN ears – included commitments:

- Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security;

- Not to proliferate information weapons and related technologies;

- To endeavor to ensure the supply chain security of ICT products and services, prevent other states from using their resources, critical infrastructures, core technologies and other advantages, to undermine the right of the countries...or to threaten other countries' political, economic and social security.

- To lead all elements of society, including its information and communication private sectors, to understand their roles and responsibilities with regard to information security, in order to facilitate the creation of a culture of information security and the protection of critical information infrastructures.

As I said at the time, good stuff.

Flash forward three-and-a-half years to earlier this month when the two governments formalized their cyber-alignment with a bilateral agreement (

According to the agreement between the two States, in terms of general principles of cooperation: The Parties shall cooperate in the field of international information security in such a way that such cooperation contributes to economic and social development, consistent with the objectives and maintenance of international peace, security and stability, and consistent with generally recognized principles and norms of international law, including the principles of peaceful settlement of disputes and conflicts, non-use or threat of force, non-interference in internal affairs, respect for human rights and fundamental freedoms, and the principles of bilateral cooperation and non-interference.

(I know, I know…  This is Russia and China we’re talking about.  But, let’s remember that human rights and fundamental freedoms are under increasing assault in countries like the U.S. as well).

The main cyber threats identified in the accord include “the use of Information and communication technologies:

1) To carry out acts of aggression aimed at violating sovereignty, security and territorial integrity of States and which pose a threat to international peace, security and strategic stability;

2) To cause economic and other damage, including by providing a destructive impact on the facilities of information infrastructure;

3) For terrorist purposes, including for the promotion of terrorism and engaging in terrorist activities;

4) To commit offenses and crimes, including related to unauthorized access to computer data;

5) To interfere in the internal affairs of states, to spread public disorder, incite ethnic and racial strife, to spread racist and xenophobic propaganda and theories that give rise to hatred and discrimination, to violence and instability, as well as to destabilize the political and socio-economic situation; and

6) For the dissemination of information prejudicial to political and socio-economic systems, or the spiritual, moral and cultural environment of other States.”

While, as pithily demonstrated by threats 5 and 6, the bilateral agreement is perhaps overly-focused on regime stability, there are elements that other governments might consider multi-lateralizing.

To wit: In addition to the commitment to not conduct cyber-attacks against each other, the Parties agreed to cooperate towards ensuring international information security in multiple ways, including:

- The establishment of communication channels and contacts for sharing responses to threats in the sphere of international information security;

- Cooperation in developing and promoting standards and international law in order to ensure national and international information security;

- The exchange of information and cooperation between law enforcement authorities in order to investigate cases involving the use of information and communication technologies for terrorist and criminal purposes;

- To enhance cooperation and coordination between the Parties on issues of international information security within the framework of international organizations and forums.

Meanwhile, the U.S. Government on May 14 (two weeks after the China-Russia Accord was unveiled) reminded the world of its proposed “cyber norms” via State Department testimony before a Senate Foreign Relations Subcommittee (

The norms - which the U.S. Administration is reportedly pushing to have adopted by the UN - in brief, would dictate that Nation-states:

- Should not conduct online activity that intentionally harms critical infrastructure;

- Should not prevent national computer emergency teams from responding to cyber incidents;

- Should not conduct cyber-enabled intellectual property theft; and

- Should cooperate with international investigations of cybercrimes.

No doubt, the U.S. version is shorter, clearer, more definitive, and, largely, proscriptive – the latter which is not a bad thing, per se.

Nor, however, are the Chinese-Russian provisions for forward-looking and cooperative and international initiatives to establish global standards, norms and laws (concepts – cyber or otherwise - that the U.S. has historically supported).

Opportunity, it would seem, may be knocking.

Perhaps these complementary approaches might be considered together at the next meeting of the UN's "Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security" (quite a mouthful, I know, but it's gotta start somewhere).