Cybersecurity, Global Governance, International Law, Power & Security, Technology Perry World House takes part in UN discussions on making cyber safer

Cyberattacks cost $45 billion worldwide in 2018, threatening everything from baby monitors to the launch systems for nuclear weapons. State-sponsored cyber operations, such as the 2017 attack on the Ukrainian power grid that was attributed to Russia, pose an especially grave threat. Although the digital economy and emerging technologies hold great promise for improving our wellbeing and prosperity, we cannot unleash their full potential without better cybersecurity.

As part of Perry World House’s recent work under our research theme “The Future of the Global Order: Power, Technology, and Governance,” we have been exploring the problem of state behavior in cyberspace. Because states have few incentives to completely swear off the use of their cyber capabilities, the focus of some scholars and policymakers has shifted to building shared understanding and rules of the road for cyberspace, known as cybernorms. (Yale’s Professor Harold Hongju Koh gives a great primer on legal norms in our recent podcast episode.) Various international fora have tried to develop and promote such cybernorms, including norms to protect critical infrastructure, the public core of the internet, and electoral infrastructure against malicious cyber activity.

On October 29, 2019, Perry World House hosted a conference on “Cyberspace and Geopolitics: Global Cybersecurity Norms Processes at a Crossroads” organized by our Visiting Scholar and Temple Law School Professor Duncan Hollis, and co-hosted by the Carnegie Endowment for International Peace. Through the conference, we tried to build a forum for interdisciplinary dialogue that included policy practitioners, industry executives, NGO leaders, a cyber leader from the UN, and academic experts.

The UN is also trying to build this gap-bridging dialogue through a new multi-stakeholder process – the UN Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security. Because that title is quite a mouthful, the process is usually referred to as the OEWG. I represented Perry World House at the OEWG’s first consultative intersessional meeting from December 2-4 at the United Nations Headquarters in New York.

Due to its origins, some observers and participants initially viewed the OEWG with suspicion. The process was arguably the result of great power competition, starting with a Russia-led initiative to derail an existing U.S.-supported process, the UN Group of Governmental Experts (GGE). The two countries don’t see eye-to-eye on cybersecurity, so when it was time to renew this U.S.-supported GGE process in 2018, Russia countered with its own resolution for a new group, the OEWG. The General Assembly responded by creating two separate groups with very similar mandates, creating uncertainty about the future of cybernorms processes in the UN.

Some analysts predicted that the two groups would clash, but in Perry World House’s October cyber conference, participants converged on the view that the GGE and OEWG could be complementary; the GGE holds closed high-level discussions of a small group of states, while the OEWG is open to all interested UN member states as well as other accredited stakeholders from industry, academia, and NGOs. Together, the UN processes could facilitate both frank great-power discussion and open and inclusive dialogue, to try to find common ground on cyberspace and international security.

At first, the discussions I attended on Monday, December 4, did not deliver on the promise of a multi-stakeholder dialogue. The left side of the room — made up of delegates from non-state organizations — gave wide-ranging assessments of the cyber threat landscape and cybernorms, while the right side — delegates from participating member states — was mostly silent, with short interventions from Jordan, the Republic of Korea, and Mozambique. After over five hours of this, Duncan Hollis, who was representing Temple Law School, asked when the multi-stakeholder dialogue would begin, and called on states to share their views. After that, France, Canada, Uruguay, and Australia spoke before the first day drew to a close.

Over the next two days, states intervened more frequently. At times there was not only a succession of speeches from the various stakeholders, but actual dialogue between participants, which some noted was a rarity at the UN. This was partly thanks to the staff members of the UN Office of Disarmament Affairs and David Koh, the Singaporean chair of the OEWG, who helped to make this dialogue possible. Moreover, a number of side events and meetings gave space for productive discussion of the issues.

Some issues remained contentious. In particular, while a number of participants suggested that a binding treaty could be a logical next step for the codification of cyber rules of behavior, many others disagreed. They claimed that negotiating treaties would take too long to keep up with the fast pace of progress in emerging technologies, and would distract from the OEWG’s important work of finding ways to implement the norms of the GGE.

Other issues found broad agreement. The importance of “human-centric” approaches to cyberspace, capacity-building initiatives, and bridging the “digital divide” were all key themes throughout the three days. Some participants believed that the issue of addressing the global digital divide extends beyond access to cyberspace and cybersecurity itself, and to participation in diplomatic processes on cybernorms more broadly. A number of delegates pointed out the need for greater funding for stakeholders that are unable to travel to the UN, and for allowing remote participation to facilitate a truly inclusive process — and one that uses leverages the power of the very technology at issue.

The final panel of the three days concluded the intersessional meeting with ‘Ways Forward on a Multi-Stakeholder Approach.’ At this final panel, a delegate from Reaching Critical Will addressed what they called the “elephant in the room.” At the first meeting of the OEWG in September, NGOs that were not already accredited with the UN Economic and Social Council (ECONOC) were blocked last minute from participating, apparently by member States who feared criticism. This is a common mechanism used by states like China to stifle critical discussion in the context of human rights. Whether the broad multi-stakeholder dialogue of the December meeting will continue in future meetings of the OEWG remains an open question.

To help make sense of this tangle of international norms processes on cybersecurity, Perry World House and the Carnegie Endowment for International Peace will soon be publishing a white paper on the fragmented cybernorms process and its effects on cyberspace and international security. In the meantime, you can listen to our podcast Cybersecurity Explained with Duncan Hollis and Heli Tiirmaa-Klaar, Estonia’s first ambassador for cybersecurity.