Covid-19: Why states now need to consider self-restraint in the cyber domain

Discussion Prompt: What existing national security legislation, new bulk analysis efforts, and emergency measures have different states deployed to curb the spread of Covid-19?

See all contributions to this question.

By conducting cyber operations, intelligence agencies are increasingly becoming norm-setters for the cyber domain. Since it is often in states’ own interest to respect international norms, governments — including their intelligence agencies — should consider self-restraint when it comes to cyber operations. The case of China shows that this is particularly true during the unfolding Covid-19 pandemic.

Covid-19 is a health crisis of staggering proportions. While the governments of the world are struggling to respond to it, some actors are exploiting the situation for their own selfish gains. Continuing and even expanding their day-to-day operations, cybercriminals attack hospitals, security agencies push for more domestic surveillance, and intelligence agencies and affiliated groups exploit the omnipresent panic to deliver malware to foreign targets. While it is the job of intelligence agencies to conduct clandestine operations in all domains — including cyberspace — these actions are still bound by rules. Domestically, national legal frameworks define the agencies’ scope of action. Furthermore, softer limitations like public opinion play a crucial role, especially in liberal democracies. With intelligence agencies conducting cyber operations, they also increasingly become the object of an additional set of rules: international norms.

By engaging in cyber operations, intelligence agencies enter norms discussions

Intelligence agencies have historically not figured prominently in debates about collective expectations concerning the proper behaviour of particular actors — or norms — and respective response mechanisms, like sanctions. This is because they largely conduct their intelligence activities in secret. For norms discussions to take place, behaviour — including communicative action like declarations or justifications — needs at least to be observable. Because of this, there has been little debate about norms for intelligence operations. This changes when intelligence operations become publicly known, as in the case of targeted killings. After the Skripal poisoning, where an internationally banned military-grade nerve agent was used, the fallout was not only the expelling of diplomats and criminal indictments but even culminated in discussions at the United Nations about the appropriateness of these operations.

By increasingly engaging in cyber operations, intelligence agencies suddenly become agents in norms discussions. Similar to conventional intelligence activities, cyber operations leave traces that can be exposed, as the Snowden revelations have prominently shown. What is different is that cyber operations are not only analysed by other secretive government agencies but also by a large number of IT security companies and researchers around the globe. These actors shine a consistent light on cyber operations, regardless of who is behind them, and publish their findings for everyone to read.

Against this backdrop, governments’ behaviour in cyberspace gains a norm-setting quality. While many proposals for responsible behaviour norms in cyberspace have been drafted, so far no forum has succeeded at producing a robust framework of enforcement and sanctions mechanisms. As a result, state actors have largely taken to letting their actions speak. Governments that conduct intelligence operations in cyberspace signal to international actors of all shapes and sizes that their conduct is tolerable, albeit not officially acceptable. These two effects combined — the public analysis of cyber operations and the norm-setting effect of government actions — put intelligence agencies at the forefront of global norms discussions. This also became evident in a UN resolution aimed at curbing cyber espionage, although this initiative bore no fruit. Intelligence agencies who take advantage of the current pandemic will therefore not only face domestic opposition in liberal democracies but can also effectively sabotage their government’s ambitions on the global stage, if they want to be perceived as a leader by the international community.

Why norms matter on the global stage

Norms matter on the international stage, because, while they do not guarantee that all states comply with them, they still raise the figurative or literal cost of non-compliance. Public naming and shaming is a basic tool used to this effect. One example is the joint public attribution of broad website defacements and TV interruptions in the Republic of Georgia to the Russian military intelligence. While naming and shaming often occurs along geopolitical fault lines and may appear inconsequential at first, in the long run it can contribute to stronger or codified norms, like customary international law or international treaties.

Moving beyond words, the whole or parts of the international community may impose sanctions on states, state entities, or individuals. So far, the international community has not responded to cyber operations in a concerted effort that would parallel, for example, the sanctions put in place against Apartheid South Africa. However, certain actors — most notably the United States — are increasingly going down this road. The US government responded to the breach of Sony Pictures by imposing sanctions on North Korean individuals and entities, including its military intelligence agency. After Washington pointed the finger at North Korea for the global WannaCry ransomware attack in 2017, the US Treasury imposed sanctions on the groups it regarded responsible for the attack. The US also indicted two Chinese nationals allegedly involved in North Korean cyber operations aimed at raising money for the country’s nuclear weapons programme.

Beyond these immediate consequences, violating international norms may take its toll on a state’s overall trustworthiness and legitimacy among the international community. Put plainly, the deviant state may find it harder to take part in international trade or advance regional or global leadership ambitions, since these depend on the willingness of other states to follow the aspiring leader. In short, even in the absence of sanctions or formal enforcement mechanisms for norms, complying with international norms contributes to soft power and is often in states’ own self-interest, as the case of China illustrates.

China’s cyber operations are a case in point

China serves as a good example of how intelligence agencies’ actions might hamper the broader geopolitical goal of the country. China aspires to global leadership and therefore faces great power competition with the United States. This competition naturally extends to the countries’ behaviours during the current health crisis — where China seems to have the upper hand so far. It delivered aid to Italy, Iran, Serbia, and several African countries through Ethiopia and silenced criticism directed at its handling of the early stages of the crisis. Beijing wants to be perceived as the benevolent new superpower and is cleverly taking active advantage of the current crisis to advance its power aspirations on the international stage.

Therefore, anything that casts a bad light on the country might be counterproductive for the Chinese self-interest right now, especially as reports about the botched handling of the outbreak and faulty Chinese aid equipment in Spain, the Netherlands, and the Czech Republic are coming out. IT security companies have been reporting publicly about sustained Chinese cyber operations, leveraging the pandemic to the country’s advantage. According to these reports, which naturally have to be taken with a grain of salt when it comes to attribution, Chinese intelligence agencies have been targeting Vietnam, Mongolia, the Philippines, and Taiwan with cyber operations custom-tailored to the Covid-19 developments. Those attacks come in many different forms and shapes. Many, such as phishing messages, rely on an enticing hook to make victims click on a link or open a document – what appeared like the latest updates on the pandemic actually delivered malicious software. From this foothold adversaries move deeper into the IT-infrastructure of the organisation to extract documents. However, these cyber operations exploiting Covid-19 are unlikely to be in Beijing’s interest because they taint China’s reputation in its regional and global aspired spheres of influence. Therefore, Chinese intelligence agencies might want to realign their operations with the current strategy of the central government.

Incentives for self-restraint in the cyber domain, especially during the pandemic

Keeping this in mind, intelligence agencies are generally well-advised to consider self-restraint. Self-restraint is not a new concept for intelligence agencies. During the Cold War, for example, Soviet and American intelligence agencies largely refrained from targeting agents’ family members in their counterintelligence efforts. Regarding cyber operations, various stakeholders have long called for self-restraint because restraint increases overall stability and prevents conflict escalation. The emerging normative framework also points towards restraint. The 2015 UNGGE report, which was drafted by 20 government representatives, including China, calls on states to refrain from harmful cyber operations. But as long as this normative framework remains fragile, intelligence cyber operations today will determine future norms of accepted behaviour in cyberspace in general.

Such self-restraint practices are particularly urgent during the unfolding Covid-19 pandemic. The virus has dominated the attention of policymakers and media worldwide for weeks on end now, creating ample opportunity for exploits. During this international public health emergency, and preferably even beyond that, intelligence agencies should refrain from leveraging Covid-19 for their cyber operations. Apart from using the pandemic as a hook for phishing messages, there are various ways for intelligence agencies to abuse the current crisis. They could potentially integrate backdoors in a software that will be adopted by the United Nations amidst the crisis or specifically target sectors like public health institutions and logistics companies whose infrastructures are already at the brink of breaking down due to the pandemic.

Practicing self-restraint in the cyber domain through their intelligence agencies can be a double win for governments. While contributing to international stability, they also strengthen their own international leadership projects. As of now, China is failing in both regards.

Covid-19: Why states now need to consider self-restraint in the cyber domain

Add comment

Other articles

The Pegasus scandal in Poland – between old problems with state surveillance and the current rule of law crisis

Finnish intelligence overseers’ right of access supersedes Originator Control

Cyber defence operations require a dedicated legal framework

Stalemates in Dutch intelligence oversight

Obfuscation as a strategy to pass mass surveillance powers