G20 – No Commercial Hacking By Anyone

Participants_at_the_2015_G20_Summit_in_Turkey

On November 16, 2015, during the meeting of the annual summit of the world’s leading 20 economies, senior level representatives pledged not to engage in cyber economic espionage in order to support their respective commercial interests.  This consensus marked the first time leaders from the G20 have discussed cyber security, and by extension, acceptable and unacceptable nation state behavior with regards to theft of commercial intellectual property.

Whether intentional or not, the fact that G20 governments have made this pact demonstrates progress toward determining an international nation state code of conduct in cyberspace.  Prior to its historic September 2015 agreement with the United States, Beijing didn’t publicly distinguish between different categories of espionage, and likely several other G20 members did not either.  Not only did leaders agree to not engage in commercial hacking, they came to an agreement that international law applied to cyberspace.  Now, at least among the world’s leading economies, and some of the more offensive cyber capable nations, some of the ambiguity has been lifted with regards to what constitutes an unacceptable act in cyberspace, a move that could continue the cyber norms discussion. This is a promising development.

With a possibly pending acceptance of international law’s applicability to cyberspace comes adherence to other dictates as set forth by international law. Two such provisions, being able to conduct a proportional response and selecting acceptable targets for such responses, must be considered and followed.  As such, the G20 agreement establishes the necessary foundation from which retributive action can be developed and justified on an international level. Furthermore, such infractions if committed by member states can now be elevated to an international body for adjudication instead of unilateral response by the victimized state.

Since the goal for reduced tensions in cyberspace is a goal, such agreement is necessary to work toward creating greater transparency and trust between nations.  Yet, despite optimistic outlooks particularly from at least one senior U.S. official involved in cyber issues, skeptics point out that there are no enforcement mechanisms in place, thereby reducing the pledge to no more than a symbolic gesture than actual progress.  Nevertheless, despite such suspicions, the timing of the agreement comes at a time when all eyes are on China after its historic agreement with the United States to see if it will stop or at least greatly curb it’s suspected pervasive cyber espionage activities.  Certainly, the U.S. government continues to closely monitor the situation, reserving the right to impose cyber sanctions against entities it believed benefited from the theft.

It is too early to speculate how such an agreement will impact observed activity that has typically been attributed to commercial cyber espionage. But perhaps more important than the reduction in the volume of industrial cyber espionage is the fact the G20 countries have been able to reach this accord from an economic standpoint rather than a military or diplomatic one.  This is an important first step in laying down a baseline from which other talks on offensive cyber capabilities can take place, without putting the accomplishments made in Turkey at risk of falling apart.  Multilateral resolutions are made through confidence building steps toward a shared objective.  This case is no different.  While critics see this as more platitude than substance, they overlook the significance behind the gesture:  the leaders of the 20 powerful economies were able to get on the same page, a remarkable feat given failed attempts to do so at other international fora.  A year ago, such an undertaking would have seemed unfeasible if not unimaginable.  All the key cyber players understand what they have agreed to, and ultimately, what they will be held to under global scrutiny.