How a US Non-Proliferation Failure Became a Global Cyber Security Threat

Though the devastating WannaCry ransomware attack was a failure on the NSA’s part, current UN cyber norms are far too weak to hold any international actor – let alone the US – responsible.

Representational image. The WannaCry ransomware attack that jeopardised cyber security was a non-proliferation failure that can be attributed to the US. Credit: Katy Levinson/Flickr CC BY-SA 2.0

Washington: Picture this scenario – a nuclear weapon developed by Pakistan for a limited purpose and a preordained destination is captured by a terrorist group. Neither Islamabad nor other powers in the region are able to gauge the intention of this group, or predict where the ‘tactical’ weapon will be deployed. Leaders of the G7 nations, agitated by the development, issue a strong statement condemning Pakistan for its lax nuclear security and reiterate their call for all countries to sign the Nuclear Non-Proliferation Treaty. Pakistan is placed under sanctions that curtail, among other things, its ability to trade in critical technologies.

Were such a scenario to materialise, it is likely the ‘proliferator’ in question will be named and shamed. The international community should wonder, then, why the same G7 issued a tepid declaration about the “growing threat of cyber incidents” in the wake of destruction by a weapon created in the US.

Into its fifth day, “WannaCry” – a ransomware that takes advantage of a zero-day developed by the US National Security Agency (NSA) and leaked into the wild by a group calling itself the Shadow Brokers – has crippled “mission-critical” systems across the world. It has slowed down or altogether stopped the working of traffic systems in Xi’an (China), fuel filling stations run by the China National Petroleum Corporation, emergency health services of the UK National Health Services, and the state electricity department’s operations in West Bengal. Far from being a pandemic with no known origins, WannaCry’s effects are directly attributable to the failure of the US government to prevent the proliferation of malicious cyber instruments. Its actions may well be in breach of several international non-proliferation norms and obligations.

Most non-proliferation regimes like the Non-Proliferation Treaty or the Wassenaar Arrangement on Dual-Use Goods and Technologies were crafted at a time when states were the sole custodians of weapons of mass destruction (WMDs) and the equipment and technologies needed for their design and assembly. As a result, they focused on the wilful transfer of sensitive technologies or lethal ammunitions between governments. Today, the risk of non-state actors getting their hands on a nuclear or biological weapon has grown manifold: acknowledging this threat, the UN Security Council in 2004 enacted Resolution 1540 that called on states to take “effective measures to establish domestic controls to prevent the proliferation of nuclear, chemical, or biological weapons.”

UNSCR 1540 was a candid admission by states that good intentions to prevent the proliferation of WMDs alone were not enough, and had to be supplemented by a binding, positive obligation to prevent their acquisition by non-state actors. In announcing the Proliferation Security Initiative, the Bush administration in 2004 went one step further, putting together a coalition of countries to interdict vessels suspected of ferrying materials to non-state actors in “areas beyond the territorial seas” of third parties. Subsequently, Wassenaar member states too have voiced their support for expanding the ambit of the arrangement to include non-state actors.

The threat of WMDs falling into the hands of non-state actors has also resulted in a significant expansion of the monitoring and oversight powers of organisations like the International Atomic Energy Agency. There is, however, no regime or oversight mechanism to check the proliferation of malicious tools in cyberspace, an arena where its threat is most acute. Of course, the US could still fall foul of whatever limited regulations currently exist. In 2015, the UN adopted by consensus the recommendations of a group of governmental experts on “cyber norms” against threats to international peace and security. By allowing for the leak of a zero-day exploit that found its way to the WannaCry program, the US finds itself in violation of the norms to:

  1. Prevent “the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions”; and
  2. Share “information on available remedies to ICT vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure”.

However, current UN cyber norms are far too weak to hold any international actor – let alone the US – responsible for a devastating attack such as the current one. States are only prohibited from “knowingly” conducting or supporting ICT activity “contrary to their obligations under international law” that damages critical infrastructure. Given that the WannaCry attack was not perpetrated by the US and the fact that the NSA is an intelligence agency – espionage is not prohibited by international law – this norm is insufficient to seek accountability from Washington.

None of this is to claim that the US is the only actor developing malicious ICT tools or “weaponising” cyberspace. The “WannaCry” affair is neither going to stop countries from developing surveillance software nor exploiting zero-day vulnerabilities in major digital platforms. But the US is singularly responsible for filibustering the recent progress of international norm and law creation on cyberspace. At the G20 finance ministers meeting in March, the US opposed and successfully vetoed a norm to prohibit malicious cyber attacks on financial instruments.

There is an appetite among several members of the UN Group of Governmental Experts to explore the formation of an inter-governmental task force that can carry forward the group’s recommendations and “elevate” them into something stronger than norms. The Wassenaar Arrangement, which restricts the transfer of “intrusion software” to non-members, is not the appropriate platform to enact export control regulations on this subject given that major digital economies like India, China and the UAE are excluded from the group. The US unfortunately continues to oppose the creation of a binding, legal instrument to check the use of force in cyberspace.

Such an instrument will not discourage governments from stockpiling zero-days like ETERNALBLUE, which the WannaCry program exploited. But a clear and predictable legal regime will force the hands of governments to streamline their vulnerabilities acquisition and disclosure process, raise the costs of deploying zero-days without political oversight and trigger information sharing and assistance arrangements to mitigate the damage caused by leaks. Strict rules on state responsibility will also dissuade governments from freely deploying non-state agents for disruptive cyber attacks. Without a multilateral legal instrument, emerging economies will continue to underwrite the costs of major cyber attacks like the WannaCry affair, without any legal or political recourse to strengthening their digital ecosystems.

Patience is wearing thin in New Delhi and other capitals with the world suffering one debilitating cyber attack after another, even as the US government continues to exploit the vulnerabilities of its own private sector, depleting consumers’ and markets’ trust in them. India should exert pressure at the bilateral level with the US government to kickstart negotiations on a cyberspace treaty. New Delhi would have no dearth of strategic levers to bring both the US government and the private sector to the table: it could enforce a trade ban on digital products from the US citing Article XXI of the General Agreement on Tariffs and Trade; the Indian government could refuse to procure US-based software for public services unless legacy systems are “patched” by their companies; and finally, it could signal that the political commitment to ‘multistakeholder’ internet governance is at risk if the US does not address its core security concerns. New Delhi must be bold in placing all these policy options on the table.

Arun Mohan Sukumar is at the Observer Research Foundation, New Delhi.