The World's Forum for Aerospace Leadership

  • Donate
  • Press Room
  • Renew
  • View Cart
American Institute of Aeronautics and Astronautics

    An International Perspective


    To date, Protocol has focused almost exclusively on the important role of cyber risk management within companies or between private organizations. This month, Protocol will open the aperture a bit further and look at international issues in aerospace, aviation, and cybersecurity. Our industries deal with international issues every day, and recent developments make this an opportune time to look at issues that cross national borders.

    Aviation and aerospace are inherently global issues and depend on international organizations. For example, in aviation, the International Civil Aviation Organization (ICAO) provides an international framework for private companies and public aviation regulators to use to manage flights and airspace on a daily basis. In space, the major space agencies coordinate to oversee the International Space Station. These organizations execute principles outlined in conventions and treaties adopted by countries, most notably the Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies (commonly known as “the Outer Space Treaty”).

    Similar structures govern international cooperation, or a lack thereof, in cybersecurity. The most well-known treaty is the Convention on Cybercrime, also known as the Budapest Convention, which you can read more about here. In addition, the Geneva Convention and other rules regarding warfare also apply to nation-states if they use a cyber weapon in warfare. Microsoft has called for a Digital Geneva Convention, which many experts support while others argue that it is not necessary because it would be redundant with existing rules.

    Recently, several cyber-attacks spreading quickly around the world have refocused attention on what rules may govern cross-border cyber-attacks. While many of these attacks are perpetrated by criminal organizations, nation-states may also be at least partially responsible. While some states, like the Democratic People’s Republic of Korea (DPRK, North Korea), have not agreed to the treaty and are not governed by it, other countries are actively discussing the Budapest Convention’s application and how to improve international norms in the future.


    In addition to international organizations that are part of the United Nations and other international state cooperation groups, industry groups, professional organizations, and trade associations also play a crucial role in bringing like-minded organizations and individuals together. These groups, whether AIAA, the International Air Transport Association, or  the Institute of Electrical and Electronics Engineers, raise current issues and organize conferences to further international cooperation and share ideas.

    Did you know?

    • AIAA is composed of almost 30,000 engineers from 88 countries
    • 18% of AIAA’s members are international
    • AIAA has members on every continent except Antarctica, with almost half of the international membership in Europe
    • AIAA has 43 international student branches
    • Aerospace Research Central (ARC) has 46% of its visits come from outside the United States



    UN Group of Governmental Experts (GGE) Collapses

    Since 2004, the United Nations (UN) Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) has been composed of multiple countries aiming to identify, improve, and reinforce norms in cybersecurity. In 2016, the group reached 25 member countries. During the latest group meeting, several negotiations collapsed due to a disagreement over the right of self-defense, countermeasures, and the applicability of international humanitarian law (IHL) in cyberspace.


    In past years, the GGE has been successful in making important progress in building cyber norms. In 2013, it agreed that international law applies to activities in cyberspace performed by states. Additionally, in 2015 the members agreed on four major peacetime norms: 1) domestic critical infrastructure should not be interfered with; 2) computer emergency response teams should not be targeted; 3) states should assist each other in investigating cyber-attacks; and 4) states are responsible for actions that originate within their borders.


    While the true objections of every country may not be clear (only some countries provided statements after the GGE broke off discussions), some of the statements that have come out from experts participating in the GGE did provide some silver linings. In addition, until the collapse, members had agreed on steps to stop the proliferation of malicious cyber code, which seems especially important in the wake of recent ransomware and destructive attacks such as WannaCry and NotPetya; hopefully, this will be a starting point for future negotiations.


    In addition, while final agreement was ultimately not reached, important discussions on information sharing, attribution, and the importance of norm-building did take place and will likely continue, even if in alternate forums. Further, confidence-building measures and voluntary steps that countries can take were identified and can be implemented by individual states. Finally, some countries such as the Netherlands and India are pushing forward, and organizations such as the Global Commission on the Stability of Cyberspace are meeting at the Black Hat cybersecurity conference in Las Vegas in July 2017 to build on previous GGE reports and the Tallinn Manual 2.0, the preeminent document on international law and cyberspace.


    China Continues No-Espionage Agreements


    Several years ago, the cybersecurity challenge being reported on in the United States more than any other was industrial espionage conducted or at least sanctioned by the Chinese government: experts talked about “Advanced Persistent Threats” (APTs) stealing business secrets, eavesdropping on negotiations, and using stolen data for economic benefit. However, after several years of diplomacy, these stories have significantly died down, and there is evidence to suggest that much of this cyber espionage has in fact stopped.


    In fall 2015, the United States and China came to an agreement that both countries would not conduct cyber espionage for commercial gain against each other. Most recently, China and Canada reached a similar agreement. In total, China now has similar agreements with the United States, Canada, the United Kingdom, Australia, G-7, and G-20 countries. There are still examples of industrial espionage, but these agreements have built a strong foundation for an international norm that states should not conduct commercial espionage for the purpose of benefitting state-owned or state-supported commercial enterprises.


    Fundamentally, this has changed the priorities for conducting cyber risk management within companies, particularly those with large amounts of intellectual property and those that compete directly with Chinese companies around the world. For them, the IP theft risk, while still present, has in many cases fallen below business email compromise, ransomware, insider threat, and other disruptive challenges that face every company.


    U.S. State Department Closing Cybersecurity Office


    In mid-July, the State Department made two announcements that indicate large changes are about to take place in how the United States works internationally in cybersecurity. First, Chris Painter, who has been the State Department’s cybersecurity coordinator for six years, announced he would be leaving at the end of July. The following day, reports emerged that the cybersecurity office would be closed and merged into the office covering economic issues.


    While change is not uncommon and changes in leadership can upset any organization, this may be a sign of a change in the U.S. role in leading international discussions on cybersecurity. The United States was the first country to have a foreign policy office focused solely on cyber issues, and the office has long been a strong advocate around the world for an open Internet. This is good not only for U.S. citizens but for U.S. businesses around the world and for citizens and businesses of other countries, since the United States has generally advocated for norms that make cyberspace more secure and reliable for everyone. In the small community of international cybersecurity experts, this change will lead to instability regarding who will be leading advocacy for an open Internet in the future.