For the past five years, the focus of international negotiations on cybersecurity has been the creation of norms, or expectations among governments about how each will behave. To set a baseline for responsible state behavior, governments have tried extending current international commitments and international law into cyberspace, while discussing where new norms are needed.
But when it comes to espionage, by design, international law does not apply: There are no commitments not to spy, as countries don’t want formal constraints on their intelligence agencies. While there are implicit norms that guide spying, they are few in number, flexible and opaque. This lack of norms and international laws governing espionage is a problem for cybersecurity, where spying is out of control.
But that started to change last fall, when the first explicit norm on espionage emerged from the September summit between U.S. President Barack Obama and his Chinese counterpart, Xi Jinping. The two reached an agreement on cybertheft, pledging that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” The United Kingdom and Germany quickly reached similar agreements with China. The U.S.-China deal was also endorsed by the G-20, which added language on respecting online privacy, in a rebuke to American as well as Chinese spying.