Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of INternational Security. UN Document A/70/174 (22 July 2015). Report.
The report summarizes a number of norms, rules and principles for the responsible behavior of States. These norms are being considered by the international community.
We can divide them into four classes:
Class I –– Preventative Measures
These include General principles of actions to avoid and positive actions that should be taken by States so as to help stop the outbreak of a cyber emergency. They also include the sensitive issue of protecting the supply chain in information technology, including the preventing of the insertion of malware into equipment for the purposes of intelligence collection.
Class II –– Response in Case of Cyber Emergency
These include two types. First, there are norms for the deliberative phase of State response. Second, there are certain responses that States should develop the capacity to project.
Class III –– Law Enforcement
A number of norms involve improvement of law enforcement mechanisms that already are in place for coordination between nations. Many of these arrangements are governed by international treaty, usually bilateral in nature. For example, between the United States and the Russia there is a treaty for providing assistance in law enforcement. (See Article 2 “Scope of Legal Assistance”, Treaty between the United States of America and the Russian Federation on Mutual Legal Assistance in Criminal Matters, Treaty Doc. 106–22, 106th Congress, 2d Session, U.S. Government Printing Office, 2000) Assistance is provided in a) obtaining testimony and statements; b) providing documents, records, and other items; c) serving documents; d ) locating and identifying persons and items; e) executing requests for searches and seizures; f) transferring persons in custody for testimony or other purposes; and g) locating and immobilizing assets for purposes of forfeiture, restitution, or collection of fines. The UN norm is aimed at criminals and terrorists. In addition, there is a recommendation for enhanced exchange of information. Human rights are also included in this class because in some cases there is a conflict between privacy, freedom of expression, and the need to enforce the law, depending on the nation State involved.
Class IV –– Limitations on Cyber War Capabilities
Although not expressly suggested in connection with the potential for cyber war, some suggested norms would tend to limit the offensive and defensive capabilities of nation States needed in case of the outbreak of Cyber War. The first type of limitation involves a set of general principles involving the use of one's national territory for offensive cyber purposes. The second type involve limits on the use of ICT for intelligence collection. This is done in the guise of protecting the integrity of the supply chain for ICT. Since the insertion of code into ICT equipment in some instances is an important strategy for the collection of signals intelligence, this norm is aimed at cutting off an entire range of intelligence collection activity in cyberspace. There is a parallel norm obligation to report on ICT vulnerabilities. If the vulnerabilities are connected to intelligence collection, then this norm would require the uncovering of sources and methods. The third type of limitation is aimed specifically at cutting back on the use of cyber weapons. Some of the norms involve changes in how cyber defense operations can take place. Others tend to limit the type of targets that can be attacked. Target suppression has a long history in international law. An example is the prohibition against conducting military operations against civilian targets during a war.