A Republican amendment to a cyber bill would direct the State Department to look at establishing multilateral agreements to govern “international behavior in cyberspace.”
The proposed amendment, authored by Sen. Cory Gardner, R-Colo., would be tacked on to the Cybersecurity Information Sharing Act that the Senate is due to take up again this fall. Congress recessed before voting on the bill in August, and as part of a deal to bring it back up, Senate leaders agreed to vote on 22 proposed amendments to the legislation.
Gardner’s amendment calls for a “plan of action to guide the diplomacy of the secretary of state, with regard to foreign countries, including conducting bilateral and multilateral activities to develop the norms of responsible international behavior in cyberspace, and status review of existing discussions … to obtain agreements on international norms in cyberspace.”
Advocates of the bill have experienced difficulty passing the legislation because of opposition from groups worried about government overreach. The law would grant liability protection to companies that assist the federal government’s surveillance efforts by sharing data about their customers.
Gardner’s amendment is unlikely to assuage those concerns. While it ostensibly applies to concerns about international cybersecurity, it leaves broad interpretative discretion to John Kerry’s State Department and tells it to seek guidance from the United Nations, specifically instructing it to review “the alternative concepts with regard to international norms in cyberspace offered by 19 foreign countries that are prominent actors, including China, Russia, Brazil and India.”
The line is a reference to the United Nations’ 20-nation Governmental Group of Experts, a body tasked with establishing policies on international cyber issues. The group released a report last week outlining principles for international Internet governance. Those principles largely align with the Obama administration’s vision, something that Kerry has articulated.
Gardner’s amendment also singled out China, Russia, Brazil and India, which have sought more multilateral governance on cyber issues. It’s an approach the U.S. has avoided, partially because of divergent views on what constitutes the proper role of government.
Elaine Korzak, a fellow at Stanford University’s Center for International Security and Cooperation, said that where the U.S. tends to be concerned with cybersecurity, China and Russia are worried about “information” security.
“Russia’s and China’s conception of information security is broader than the Western approach of cybersecurity,” Korzak said. “Western conceptions of cybersecurity generally focus on the malicious use of computer code, for example, cyberattacks on critical infrastructure or the use of digital means for criminal purposes. Russia and China, in contrast, are concerned not only with the malicious use of computer code, but also with the potentially destabilizing effects of information.
“In their view, the information revolution has enabled the possibility that uncontrolled information flows across borders could lead to political, economic, social and moral effects that could destabilize a state or society,” Korzak said. “Their approach of information security incorporates these concerns.”
This year, China and Russia signed 32 bilateral agreements that included provisions for greater cooperation in cyberspace. Both countries have a reputation for blocking websites, suppressing online speech and prosecuting individuals who are deemed subversive to government policies.
“Some countries, predominantly Russia — later joined by China — have been advocating the negotiation of a new international cyber treaty of sorts,” Korzak said. “Other countries, particularly the U.S. and European states, have opposed this idea and have instead argued that current international legal frameworks should be applied,” she added.
Yet if Gardner’s amendment is approved and the cyber bill is passed, that could well change. If enacted, “the Secretary of State shall produce a comprehensive strategy relating to United States international policy with regard to cyberspace” within 90 days.
