How German (Cyber)diplomacy Can Strengthen Norms in a World of Rule-Breakers
This DGAP Memo argues that Germany and other EU member states should apply norm-setting to the niches where great powers see a pragmatic need to deepen trust. In this vein, they should table an initiative to the United States and China to sign a political declaration that they will not conduct any cyber operations against select critical infrastructure – early warning satellites, nuclear command and control systems, electrical grids – of the parties involved during peacetime. Such a declaration could serve as an example for other norm-setting measures with which Germany could help build welcome trust at a time when geopolitical tensions and risks of misperception are particularly high.
Discussions at the United Nations have identified the protection of critical infrastructures (CI) as the highest-stakes issue related to the cybersphere. In recent years, Germany, Ukraine, Costa Rica, and many other members have repeatedly lamented that their CI has been the subject of cyber operations by malicious actors. Targets include a nuclear power plant in Germany, the energy grid in India, and a dam in the United States, among others. In fact, cyber operations against critical infrastructures are common – despite binding international obligations not to attack any type of CI. Russia, China, North Korea, and Iran are blatantly violating them, acting as if they were not bound by international law. Moreover, such states are not satisfied by merely breaking rules. As seen at the UN in New York this summer, they also aim to insert provisions into negotiations that weaken existing laws and norms.
The overarching challenge for Germany – here and, increasingly, in other similar cases – is to prevent the rules-based international order from being undermined. Rather than continuing to try to uphold existing norms, the governments of Germany and other EU member states should instead focus their efforts on deepening them, appealing to the self-interests of China and the United States in the process.
Against this background, this DGAP Memo explains why Germany should see the protection of select CI as both necessary and desirable, and why it should strengthen norms to this end. It not only recommends that the German government actively push for a political declaration to ensure this protection, but also provides a fictional version of such a document that features a preamble and codifies its scope and conditions. The idea for this fictional declaration was inspired by Herb Lin’s article “A Hypothetical Command Vision Statement for a Fictional PLA Cyber Command.”
Make Abstract Norms Specific
In 2021, UN member states – including EU member states (EU MS), the United States, and China – agreed on 11 voluntary and non-binding norms of responsible state behavior in cyberspace that aimed to reinforce binding obligations that already existed. One of these new norms decreed that states should not attack each other’s critical infrastructure (CI), including critical information infrastructure (CII), a key subset of CI, during peacetime. This specification enables states to more effectively call out others when such malicious behavior occurs.
For example, the United States used the norm in 2022 to scold Iran for its disruptive activities against Albanian CI. At that time, Iran had launched a cyberattack explicitly designed to destroy the data of the Albanian government and leak other data it acquired. As a result, Tirana cut its diplomatic ties with Tehran.
Yet as this CI norm stands, it is still too abstract in scope, leaving it unclear which critical infrastructure is, in fact, off-limits. The final substantive report of the UN’s Open-Ended Working Group (OEWG) 2019–2021 on international cybersecurity that was issued in 2021 states:
While it is each State’s prerogative to determine which infrastructures it designates as critical, such infrastructure may include medical facilities, financial services, energy, water, transportation, and sanitation.
As the report only says that CI “may” include the sectors listed above, it fails to indicate whether any state – including EU member states (EU MS), the United States, and China – actually considers any of these infrastructures to be critical. In addition, the sectors that countries involved in the OEWG negotiations designate as critical appear to be arbitrary. In the 2023 annual progress report of the OEWG 2021–2025, the negotiating countries defined the maritime and aviation sectors as CI but failed to include medical facilities, sanitation, and the financial and transportation sectors – all of which were specifically noted in 2021. Adding to the confusion, additional sectors that include banking, e-commerce, food distribution, and water supply were classified as CI in an earlier resolution passed by UN member states in 2003.
To provide necessary and overdue clarity, the EU MS, the United States, and China should seriously consider entering into a declaration with each other that specifies which CI they find to be off-limits for all state-conducted cyber operations. Making the norm more specific would strengthen it. The narrower the norm, the more difficult it is to violate.
Moreover, pursuing a declaration on CI with China could benefit Europe and the United States because it would sideline Russia, a country that has frequently violated this norm. Further, reaching a deal with China – which, especially in the context of Taiwan, might engage in future attacks against US or European CI – would be prescient. Historically, China, as opposed to Iran and North Korea, has shown a certain amount of restraint related to disruptive or destructive cyberattacks on CI in the EU and United States. Therefore, it might be prudent to reinforce this tendency. Here, however, one must keep alleged Chinese disruptive cyber campaigns against the Indian power grid in 2021 and Taiwanese critical infrastructure in 2020 in mind.
Germany and other EU MS would bring something distinctive to talks leading up to such a declaration that has nothing to do with their capacity for power politics, but is still key – namely, an established background in confidence-building. Germany, a long-term leader in confidence building measures within UN cyber negotiations, should reinforce its role and table the initiative. This would be an important step toward increasing international trust and potentially reducing the likelihood of conflict.
This DGAP Memo not only recommends that EU member states, the United States, and the People’s Republic of China sign a declaration in which each side agrees that it will refrain from conducting any type of cyber operations against the CI that is deemed to be the most crucial, but also includes a fictional draft of such a declaration that specifies which CI is classified as such: early warning satellites, nuclear command and control systems, and electrical grids. Considering that all infrastructure is, in theory, off-limits for attacks – according to both binding international law and voluntary commitments – this specific infrastructure should also explicitly be made off-limits for the pre-positioning of malware (logic bombs) and espionage, two points on which the current legal and normative boundaries are less clear.
Upholding Existing Law and Promoting Small-Country Norm Implementation Is Insufficient
Critics of such a declaration would argue that, at best, we can hope to protect existing international norms and law. Further, they see little hope for a new set of deepening norms on relatively novel problems like cyberattacks. According to them, we should not create sub-norms in areas where behavioral rules already exist. By sharpening the prohibitions against certain subsets of CI, for example, we risk implicitly sanctioning attacks against others, thereby undermining broader prohibitions.
In a similar vein, critics would recommend that the EU MS focus their efforts in norm implementation on small states that depend on their markets because they simply cannot hope to bind the two great powers – not least at a time when the United States and China are so focused on their rivalry and may wish to keep their options open, for example around an attack on Taiwan or retaliatory measures. Moreover, any deals with the United States and China would be weak on implementation because the former typically carves out exceptions for itself while the latter openly breaks laws.
While upholding existing laws and getting smaller states to embrace norms is important, it is in no way sufficient to rein in Russia, China, and others. Focusing on upholding current laws is a reactive approach, and focusing on small countries is timid. The EU MS need to be bolder and think about how to get great powers to abide by rules.
Appeal to the Great Powers’ Self-interest in Conflict Prevention
A multilateral cyber declaration would be a step in this direction and follow in the footsteps of other agreements involving great powers. In September 2015, for example, US President Barack Obama and Chinese President Xi Jinping agreed on refraining from spying for commercial purposes. In November 2015, all G20 countries affirmed this intention. These agreements were accompanied by further bilateral Chinese reassurances to the UK that year and negotiations with Germany in 2016. Agreements on the same issue followed between Canada and China and between Australia and China in 2017.
According to a report by the cybersecurity company FireEye, the US-China agreement appears to have worked – at least initially. After the conclusion of the agreement and a round of sanctions against Chinese hackers, operations from cyber groups affiliated with China declined significantly. One year later, improvement was still notable. However, China soon started exploring gray zones of the agreement, hacking defense contractors.
While this agreement partially failed, there are valuable lessons to be drawn from it. One potential reason for the agreement’s eventual demise is that it tried to curb the behavior of only one of the parties to the declaration – i.e., China, which was the only actor that saw economic espionage for commercial purposes as legitimate. A political declaration on CI might be different because the United States or certain EU countries may be just as involved in cyber operations against early warning satellites, nuclear command and control systems, and electrical grids as China is. Given that misconduct by one party – whether China or a Western state – could trigger others to reengage in these activities, both sides have a greater interest in respecting a political declaration that curbs state cyber behavior.
The same lesson applies more broadly to other diplomatic negotiations. Focusing on issues in which both great powers have an interest in adhering to rules may well be a way forward to deepen existing norms of state behavior.
All in all, we should not think that every issue plays out against the backdrop of a global bipolarity defined by two superpowers that are squaring up to each other. All states have an interest in rules and norms, especially if they serve to reduce the risk of inadvertent conflict. The common needs of the United States and China to protect their CI create a basis for deepening the CI norm – and similarly targeting other such niches.
Acknowledgements: The author would like to thank Jason Healey for in-depth discussions and valuable feedback, as well as for hosting the author during a research visit at Columbia University’s School of International and Public Affairs during the summer of 2023. An additional thank you goes to Isabella Brunner for commenting on earlier versions of the fictional political declaration. As always, any errors are the author’s.