Click to access:
Rapporteur: Allison Pytlak
Since the first instances of malicious cyber operations between states, there has been a growing acceptance of cyber space as a militarized domain. This is a dangerous path to continue down, given the civilian and dual-use nature of cyberspace and digital networks. Such militarization is evidenced in the increasingly formalized role of digital operations in military doctrine and strategy, as well as in the language used to depict activity in this arena, such as through terminologies like “cyber weapon,” “cyber war,” or “cyber bomb”. By treating this primarily as a military and security issue, states and other actors risk institutionalizing and taking for granted the broad idea of cyber conflict. In the on-going discussions at the United Nations (UN), and elsewhere, about norms of responsible behaviour in cyberspace, it’s essential that such norms are viewed as obligatory commitments and that space is also given to articulating a vision of cyber peace.
A) Existing multilateral fora
UN Groups of Governmental Experts
The United Nations has been considering “developments in the field of information and telecommunications in the context of international security” since 1998. The centre of discussion has largely been within Groups of Governmental Experts (GGEs) on information and communications technologies (ICTs) established by the UN General Assembly (UNGA) as of 2004. GGEs are entities created within the UN system to enable thematic and expert discussion and exploration of a given topic, sometimes as a precursor to a political process. Their rules of participation and access will vary depending on the fora in which a GGE is created.
Russia introduced the first draft resolution on the subject of in the context of international security in 1998 at the UNGA First Committee.(1) It had four operative paragraphs, including a call to member states to inform the United Nations Secretary-General (UNSG) of their views and assessments on four key questions relating to information security. These formed the basis of the annual reports that UN Secretary-Generals have published since 1999.
The 2002 resolution called for the establishment of the first GGE on ICTs, prompted in part by reluctance from some countries to fully engage in this subject in First Committee.(2) Five GGEs have since been convened, each meeting either in Geneva or New York four times over a two-year cycle.(3) Their sizes have ranged from 15-25 states.(4)
Each Group sought to agree by consensus a report of its proceedings, that may include conclusions and recommendations, and which are returned to the wider UN membership for adoption. This has had varying levels of success as since their inception, the GGEs have suffered from an inherent sense of mistrust among their memberships and divergent views on definitions and basic approaches to information security.
Over time, the outputs of the GGE have generally improved and expanded, in line with their mandates and progress in discussions.
The report of the 2012-2013 Group was welcomed for its breakthrough statement that international law is applicable to cyberspace, although it was simultaneously tempered by a reaffirmation of state sovereignty in the conduct of ICT-related activities, and protection of infrastructure.(5)
The 2015 report was lauded for setting out eleven recommendations for voluntary and non-binding norms, rules, or principles for state behaviour, confidence-building measures, international cooperation and capacity building, and positive recommendations.(6)
Progress broke down in the 2016-2017 Group, reportedly over the issue of the applicability of international law, including international humanitarian law (IHL) and international human rights law (IHRL).
In 2017, it was not possible for states to agree to establishing a new GGE. Instead, debate at the UNGA First Committee explored other possible entities and forums that could better take forward the subject, as well as providing views on the validity of past outputs from the Groups.
In 2018, Russia—traditional sponsor of the UNGA First Committee resolution on ICTs— introduced new and controversial elements into the annual resolution. The first draft included various points from the Shanghai Cooperation Organization’s International Code of Conduct on Information Security as among a list of norms for discussion in a new GGE. The Code is seen by other states as a way to undermine human rights protections to online activity and so was immediately problematic for many countries. The Russian Federation recanted and redrafted its resolution without that language but with variously selected references from former GGE reports, and a new proposal to create an open-ended working group (OEWG), in place of a GGE, using the argument that such a forum would be more conducive for democratic participation and inclusivity.(7) The United States, frustrated with Russian actions, tabled for the first time its own competing resolution, written in the style of traditional First Committee ICT resolutions and calling for a new GGE but with a limited possibility of input from non-GGE members, through regional consultations. The United States and its allies heavily criticized the Russian proposal, arguing that it mischaracterized and cherry-picked language from previous GGE reports without consistency or logic, and accused Russia of being divisive.
In connection with wider politicization that complicated multiple disarmament topics at the UNGA First Committee in 2018, it was not possible for a compromise to be reached and the end result is that there will be both a GGE and an OEWG meeting throughout 2019 and 2020.(8)
The two entities have similar, yet not identical, mandates and varying modalities to receive inputs from either non-governmental stakeholders or, in the case of the GGE, non-Group members. For example, the GGE is likely to have a series of regional consultations throughout 2019 and 2020, and the OEWG will have a session in December for input from non-governmental actors. The chairpersonship of either entity and the composition of the GGE have not been made publicly available as of late May 2019.
UN Secretary-General reports and Agenda
The UN Secretary-General has issued multiple annual reports on the subject of ICTs since 1998. These consist of a compilation of national reports submitted voluntarily by member states.
The current UNSG António Guterres has made the promotion of a peaceful ICT-environment a key priority. In his Agenda for Disarmament, launched in May 2018, Guterres has included two action points on cyber security as part of the Agenda’s implementation plan. The UNSG notes in his report that “global interconnectivity means that the frequency and impact of cyberattacks could be increasingly widespread, affecting an exponential number of systems or networks at the same time.” He further states that “in this context, malicious acts in cyberspace are contributing to diminishing trust among States.”
Beyond the UN
The work within the UN is supplemented by an external patchwork of global and regional meetings for various stakeholders. Some of these fora have come to play an increasingly important role given stalemate and politicization within the UN system.(9)
France initiated its ‘Paris Call for Trust and Security in Cyberspace’ in November 2018.(10) (France Diplomatie, 2018) Also in 2018 the Global Commission on the Stability of Cyberspace (GCSC) outlined six new global norms to help promote the peaceful use of cyberspace.(11) (Global Commission on the Stability of Cyberspace, 2018)Proposals have also come from the private sector, notably Microsoft’s suggestion for a digital Geneva Convention (Microsoft, 2017)and leadership in the development of the Tech Accords, now supported by dozens of technology firms.(12)
Regional and other cooperation
Regional agreements have enabled information-sharing and support between states on a practical and tactical level, including between Computer Emergency Response (or Readiness) Teams, also known as CERTS. Some agreements, like NATO’s Enhanced Cyber Defence, also incorporates legal considerations. The NATO Cooperative Cyber Defence Centre of Excellence (technically not a NATO organization) commissioned the development of what is known as the Tallinn Manual. The Manual outlines how international law applies to cyber conflicts and cyber warfare and was developed by an international group of approximately twenty experts.
Other regional cooperation agreements have a focus on other aspects of cybersecurity such as cybercrime (the Budapest Convention), data protection and cyber security (African Union Convention on Cyber Security and Personal Data Protection) or information security (Shanghai Cooperation Organization’s agreement on “Cooperation in the Field of Information Security”).
B) Existing norms and confidence building measures
The 2015 UN GGE set out eleven recommendations for consideration by states for voluntary, non-binding norms, rules, or principles of responsible state behaviour with the aim of “promoting an open, secure, stable, accessible and peaceful ICT environment”. They include:
- Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
- In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
- States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
- States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
- States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
- A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
- States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
- States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
- States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
- States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
- States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
In addition, the 2015 Group recommended several voluntary confidence-building measures:
- The identification of appropriate points of contact at the policy and technical levels to address serious ICT incidents and the creation of a directory of such contacts;
- The development of and support for mechanisms and processes for bilateral, regional, subregional and multilateral consultations, as appropriate, to enhance inter-State confidence-building and to reduce the risk of misperception, escalation and conflict that may stem from ICT incidents;
- Encouraging, on a voluntary basis, transparency at the bilateral, subregional, regional and multilateral levels, as appropriate, to increase confidence and inform future work. This could include the voluntary sharing of national views and information on various aspects of national and transnational threats to and in the use of ICTs; vulnerabilities and identified harmful hidden functions in ICT products; best practices for ICT security; confidence-building measures developed in regional and multilateral forums; and national organizations, strategies, policies and programmes relevant to ICT security;
The voluntary provision by States of their national views of categories of infrastructure that they consider critical and national efforts to protect them, including information on national laws and policies for the protection of data and ICT-enabled infrastructure. States should seek to facilitate cross-border cooperation to address critical infrastructure vulnerabilities that transcend national borders. These measures could include:
A repository of national laws and policies for the protection of data and ICT-enabled infrastructure and the publication of materials deemed appropriate for distribution on these national laws and policies;
The development of mechanisms and processes for bilateral, subregional, regional and multilateral consultations on the protection of ICT-enabled critical infrastructure;
The development on a bilateral, subregional, regional and multilateral basis of technical, legal and diplomatic mechanisms to address ICT-related requests;
The adoption of voluntary national arrangements to classify ICT incidents in terms of the scale and seriousness of the incident, for the purpose of facilitating the exchange of information on incidents.
As these norms were adopted by the UN General Assembly, they are considered by many member states as reflecting the current standard for behaviour in cyberspace, albeit non-binding and voluntary. These states are now advocating for their implementation, while some countries are calling for further elaboration and discussion about the content of the norms and measures themselves.
C) Major areas of disagreement
Since their establishment, the UN GGEs have suffered mistrust among some of their key members and divergent views about definitions and basic approaches to “information security”. Other areas of contention have included GGE mandates as well as the broader role of the UN and the First Committee with respect to international information security challenges.(13) These different approaches and perspectives have had a ripple effect in other multilateral fora, and colour the scope and objectives of several regional agreements. Outlined below are three of the most visible areas of disagreement.
Existing international law
The applicability of international law to cyberspace has been a primary point of disagreement among states in recent years, particularly with respect to articulating how it applies. The third and fourth GGEs declared that “international law, and in particular the Charter of the United Nations,” were applicable to cyberspace. At the time, it did not appear to be the position of any state that the right to self-defense would not apply in response to cyber operations that meet the threshold of an armed attack under Article 51 of the UN Charter.
Yet, the fifth GGE (2015-2016) failed because of disagreement on this point. Some states (including Russia, China, and Cuba, among others) maintained that to affirm the application of UN Charter principles of use of force and international humanitarian law would result in the “militarization” of cyberspace whereas others (including the United States and western European states) insisted on acknowledging the right to apply “countermeasures” in scenarios that fell below the threshold of the ‘use of force’ in cyberspace. There was debate around linking the malicious use of ICTs with an “armed attack” and what the legal implications of that would be, which largely reflected the asymmetry the Group with respect to the cyber and conventional weapons capabilities of the different countries comprising the Group; as well as if a cyber operation could ever cross the high legal threshold of an “armed attack”.
The applicability of international humanitarian law (IHL) to cyber operations has been similarly contentious as some states have argued that applying IHL to cyberspace would legitimize taking military activities in it—which they claim to oppose, while other affirm its applicability. The International Committee of the Red Cross (ICRC), has highlighted the prohibition of weapons which are indiscriminate by nature as particularly relevant but reminds that the key principles of distinction, proportionality and precautions must also be observed. Adherence to IHL means that attacks cannot be directed at civilians or civilian objects, and as the ICRC points out, critical civilian infrastructure—including the cyber infrastructure on which they operate or rely, such as networks or equipment—are civilian objects and therefore protected against attack, unless they have become military objectives.(14)
While term “information security” has been used widely and for two decades within the UN system, it has always suffered from a fundamental difference of approach and understanding among states, which has ramifications for efforts to reach agreement on norms. Countries that are more technologically developed often prioritize the importance of the free flow of information, while those less developed make equal access to information and information technologies a priority in discussions on cyber security and cyberspace. At the same time, certain others view information technology and the free flow of information as a threat to be contained.
For example, China views the problem of information security as including not only the risks relating to vulnerabilities of structures and systems, but also the political, economic, military, social, cultural problems that arise from technology use within its own borders. China and Russia have preferred to focus on international information security in the context of multilateral discussion fora as a safer formula than addressing it in a way that would draw attention to domestic actions. The United States have regularly reaffirmed that implementing information security measures cannot infringe on basic individual freedoms. The United Kingdom avoids using the term “information security” because it can be misused or misinterpreted as a way to justify limitations on personal freedoms.(15)
The need for new international law
Since introducing its first resolution on the subject of ICTs, Russia been advocating to codify applicable norms and principles to govern uses of ICTs through a binding a universal agreement on international information security. It has made multiple proposals in this regard, both in the UN context and unilaterally within Central Asia, and with China.
Other states, largely Western ones, have not been supportive of the call for a cyber space treaty. Some have argued that to do so would be premature, or that existing international law is sufficient. Some states have also highlighted that given the divergent views on key aspects of the international cyber security issue, as well as around basic definitions and terminology, it would not be feasible to come to an agreement that would have enough substance to be effective.(16)
D) Human rights considerations
The human rights impact of digital technologies is being addressed in separate UN fora than where national security impact is discussed, and usually by different actors within the international community. There has been very little intersection between security-based and human rights-based approaches or discourses.
Some human rights-based approaches have necessarily focused on unique human rights such as the right to freedom of expression, as protected by Article 19 of the Universal Declaration of Human Rights and of the International Covenant on Civil and Political Rights (1966). The human rights to privacy and assembly are also frequently at risk in a digital context. The right to privacy is guaranteed by Article 17 of the International Covenant on Civil and Political Rights (1966). Article 15 of the International Covenant on Economic, Social and Cultural Rights (1966) protects the right of everyone to “enjoy the benefits of scientific progress and its applications” which can be interpreted to include the right to use the Internet. There has also been reaffirmation of women’s human rights that are threatened by targeted online activities like revenge porn and cyberstalking.(17)
The UN Human Rights Council (HRC), a UN body comprising 47 UN member states with foremost authority over human rights issues, has now passed multiple resolutions relevant to the Internet or digital contexts more broadly. The first, adopted in 2012, was considered landmark for not only being the first on the subject but also for its affirmation that “the human rights people enjoy offline, also apply online”.(18) The resolution built on a 2011 report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression.(19)
The right to privacy in the digital age has also been taken up by the UNGA Third Committee. In December 2013, the UNGA adopted resolution 68/167 “The Right to Privacy in the Digital Age” which called on all states to review their procedures, practices, and legislation related to communications surveillance, interception, and collection of personal data. It further emphasized the need for states to ensure the full and effective implementation of their obligations under international human rights law. The resolution was the foundation for a 2014 report of the Office of the United Nations High Commissioner for Human Rights on the same subject, for which the views of multiple stakeholders were solicited(20) and for a follow-up resolution in 2015.
The UN Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression recently issued a report focused on the obligations of states and companies, by aiming to find user-centric and human rights law-aligned approaches to content policy-making, transparency, due process, and governance.(21)
Beyond the United Nations are the day-to-day advocacy and other initiatives of non-governmental organisations and individual human rights defenders. Technologists have added to this work by developing applications and software to prevent intrusions, detect censorship, or enable anonymity online.(22) It is also worth noting that ICTs are increasingly being used in the pursuit and defense of human rights, to capture violations and facilitate sharing.(23)
References for this article can be seen at the Footnotes 3 page on this website (link will open in a new page).