When it comes to defining new norms of conduct in the international realm, states move at a cautious pace. When the norms concern a novel and unique environment — such as cyberspace, which has seen little regulation to date — the process can at times seem glacial. However, like a glacier, the impact on the international policy environment can be massive.
The United Nations has a natural role to play in devising norms for state conduct in this most universal of domains that is cyberspace.
Already, a UN Group of Governmental Experts (GGE) concerned with “Developments in the field of Information and Telecommunications in the context of International Security” yielded a consensus report this summer. Its contents get to the heart of the challenge of building norms for state conduct in cyberspace, and what is still lacking, even with the UN engaged over several years in the process.
The UN tends to employ the term “Information and Communication Technologies” (ICTs), but this equates with “cyberspace”, which in turn can be understood as the Internet and other computer-enabled networks on which global society is increasingly dependent.
The growth of this unique human-created environment and technology has been exponential, with over 3 billion Internet users worldwide, two-thirds of whom now reside in the global south. Despite cyberspace’s importance, states are only beginning to turn their attention to what type of regime and policies should apply to it. Maintaining international cyber security is a common aim, but in a realm where attacks can originate with state as well as non-state actors, the best manner to achieve this is far from agreed.
Many see a need for action by the UN in helping to formulate the rules that should apply to this ubiquitous environment. As the UN Secretary General notes in his foreword to the recent GGE report: “Cyberspace touches every aspect of our lives. The benefits are enormous, but these do not come without risk. Making cyberspace stable and secure can be achieved only through international cooperation, and the foundation of this cooperation must be international law and the principles of the Charter of the United Nations.”
A track record of consensus
The current GGE, chaired by Brazil, was comprised of experts from 20 states, selected by the UN’s Office of Disarmament Affairs on the basis of equitable geographical distribution (representatives of the five permanent members of the UN Security Council are always present). It held four one-week sessions over the course of the 2014-15 time period and agreed on its report at its last session on June 26, 2015 (UN GGEs operate on a consensus basis). The group follows closely upon two earlier GGEs on the same topic that also produced consensus reports in 2010 and 2013.
The principal thrust of these reports is similar in content and recommendations. Malicious use of Information and Communication Technologies (ICTs) can pose a threat to the security and wellbeing of states, and interstate cooperation is essential if these threats are to be countered. This in turn will require the development of common understandings, principles and norms of responsible state behavior in cyberspace. To promote these developments, a number of confidence building measures (CBMs) could be helpful alongside capacity building actions to assist developing states. On the basis of these findings from the earlier GGEs, the current group was to pursue its study of the general issue, described as “existing and potential threats in the sphere of information security and possible cooperative measures to address them.” In addition to this carry-over mandate, the GGE was to consider two additional aspects: the use by states of ICTs in conflict and how international law is to be applied to state ICT usage.
Conflict prevention as goal
The 2015 GGE report builds on the basic conclusions reached earlier and tries to enlarge incrementally on them while maintaining the necessary ground for consensus amongst a diverse set of participating states. The GGE reaffirmed “that it is in the interests of all states to promote the use of ICTs for peaceful purposes and to prevent conflict arising from their use.”
This espousal of conflict prevention as a goal is laudable and certainly what the vast majority of Internet users in the private sector and civil society would want to hear. This affirmation, however, also raises the question of whether states always act in their best interests. The risk that they might not is underlined by the GGE’s acknowledgment that there has been “a dramatic increase in incidents involving the malicious use of ICTs by states and non-state actors.” Such uses can harm international peace and security, the GGE notes, even as it flags that military cyber capabilities are growing and warns that “The use of ICTs in future conflicts between states is becoming more likely.”
Norms of responsible state behaviour
So what does the GGE suggest to prevent this harm to global peace and reverse these disturbing trends? The offerings appear relatively modest and revolve around the frequently cited, but still rather vague, concept of norms for responsible state behaviour. The GGE states that “Voluntary, non-binding norms of responsible State behaviour can reduce risks to international peace, security and stability.” Even this formulation, however, reflects some of the tensions underlying this aim. Take, for example, the insistence on the “non-binding” nature of norms. If states are not going to be bound in some fashion by norms, what is their utility, an observer might well ask? So while states espouse norms, some are clearly reluctant to conceive of these norms as an obligatory rather than discretionary commitment.
This reluctance is also manifested in the aversion to considering legally binding agreements for the new sphere of cyberspace on the part of some states that prefer the flexibility of political arrangements. Voluntary norms could, of course, also be contained in an international legal instrument, in the sense that sovereign states would adhere to such agreements only if they chose to do so. The usage of “voluntary” in this context, however, is intended to reinforce the sense that conforming to any norms is done at the sole discretion of the parties concerned as a political option. The espousal of political over legal measures appears to be the prevailing view as manifested in the GGE report, although it is hard for any outsider to judge how widely shared this preference is, or whether it just reflects the firmly held position of a few influential states. It is worth recalling that the Secretary General in his foreword stated that international law must be the foundation of international cooperation in cyberspace. The interaction between political and legal approaches to the governance of cyberspace, and in particular inter-state cyber security activity, will be a constant feature as cyber diplomacy develops.
To the degree that such voluntary norms or rules are supported, the GGE suggests a constraint on detrimental cyber operations or what the report describes as “ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security.” Most significantly the GGE goes beyond its predecessors in providing specificity regarding the restraint on state conduct it proposes. States are not to engage in ICT activity “that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” Similarly, the GGE proposes that “states should not conduct or knowingly support activity to harm the information systems of another state’s authorized emergency response teams” nor should a state use “authorized emergency response teams to engage in malicious international activity.”
The nature of restraint
These proposed restraint measures seek to provide a protective status to critical infrastructure and to the cyber emergency response teams that are crucial to mitigating the effects of a damaging cyber attack. In this respect they mirror the protective status afforded civilian facilities and ‘first responders’ under international humanitarian law, although importantly the GGE proposal would appear to extend this protection to peacetime conditions and not limit it to situations of armed conflict.
It thus expands the focus of earlier GGEs, which considered how international law, and especially international humanitarian law, applies to cyberspace and were concerned with the limits imposed by that law in conditions of armed conflict, to address the appropriate conduct for states in normal times. This broader context for the exercise of restraint by states can be applauded, but it also raises its own set of questions and concerns. For example, if a state excludes its authorized emergency response team from engaging in “malicious international activity”, does this mean that any other organ of the state is free to do so? There is a danger in this norm building process that specifying certain constraints on state conduct of damaging cyber activity can appear to legitimize that conduct in general. “That which is not prohibited is permissible” can be an unfortunate inference from such preliminary forays into defining what constitutes responsible state behavior in cyberspace.
The GGE recommends several cooperative approaches to strengthening international cyber security if states are willing to adopt them. One suggestion is for states to “prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions.” Given the current predisposition of states to harbour and exploit such tools rather than forswear them, this measure could have a real beneficial impact if states were actually prepared to cooperate in countering such pernicious cyber tools. A cynical observer might point out that the measure in reality only enjoins states to prevent the “proliferation” or spread of such tools rather than restrict their own development or use of them. For those engaged in global nuclear affairs this phraseology has a disturbing echo of the “non-proliferation” versus “disarmament” debates among states parties to the (Nuclear) Non-proliferation Treaty. Realistically, the successful implementation of such a sensitive cyber security cooperative measure would seem to require a level of confidence amongst leading cyber powers that at the present is lacking.
Confidence building in cyberspace
The need to build confidence has been a refrain through all the GGE reports including the present one. The adoption of relevant Confidence Building Measures (CBMs) is reiterated by the GGE, noting that “they can increase interstate cooperation, transparency, predictability and stability.” The set of CBMs the GGE recommends repeats many of the earlier proposals although there are some significant new elements. For example, states in their “voluntary sharing of national views” are enjoined to include information on “vulnerabilities and identified harmful hidden functions in ICT products,” i.e. the very material that states (as well as criminals) fashion their cyber attack payloads from. Again the laudable nature of such an information exchange in theory may well be beyond the current cooperation of states in practice.
To build the levels of trust that could underpin the implementation of some of the more far-reaching CBMs recommended by the GGE will require sustained consultations among states on their cyber policies and conduct. The GGE rightly recommends such activity although its call for dedicated dialogues takes on a very general character: “The development of and support for mechanisms and processes for bilateral, regional, sub-regional and multilateral consultations, as appropriate, to enhance interstate confidence building, and to reduce the risk of misperception, escalation, and conflict that may stem from ICT incidents.” At a time when some key official bilateral dialogues (e.g. U.S.-China, U.S.-Russia) are suspended and no on-going multilateral consultation exists, one can rightly question whether this call represents much more than a pious plea for states to talk to one another about their cyber activity. The GGE recommends “regular institutional dialogue with broad participation under the auspices of the UN,” but it remains to be seen whether UN member states are prepared to establish and empower such an on-going process.
The international legal dimension
If the GGE’s results on the tasking to consider the use by states of ICT in conflict are rather oblique (reflecting the conflicted posture major cyber powers are in), the section on “How International Law Applies to the use of ICTs” is more clearly set out. Importantly, it contains language that is supportive of treating cyberspace as a “global commons” where state sovereignty is constrained and a primordial responsibility to humanity is explicitly acknowledged. In one of its carefully balanced paragraphs the GGE states: “Underscoring the international community’s aspirations to the peaceful use of ICTs for the common good of mankind, and realizing that the Charter of the UN applies in its entirety, the Group noted the inherent right of states to take measures consistent with international law and as recognized in the UN Charter.” State action must be compatible with the Charter in its entirety (i.e. not just those articles that States might choose to cite) and the overriding goal is one of peaceful use in the interests of all humanity. Of course our cynical observer might remark that such aims are merely “aspirations” of the international community rather than agreed objectives, but overall this formulation does serve to strengthen a type of “global commons” status for the special and novel environment of cyberspace.
A central principle of international law is state responsibility, and the GGE attempts to reinforce this at several points. It calls for cooperation in investigating malicious activity emanating from the territory of a state and calls on states not to circumvent this responsibility through the use of surrogates. Specifically, the GGE directs that “States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-state actors to commit such acts.” At the same time, and no doubt reflecting the public spat of mutual accusations of wrongdoing between the U.S. and China, “the Group noted that the accusations of organizing and implementing wrongful acts brought against states should be substantiated.”
If states are to be held accountable for possible cyber misuse it should be on the basis of evidence that would withstand scrutiny by the court of global public opinion if nothing more. Cooperation in clarifying the nature of any “wrongful act” emanating from another state’s territory would be an important complement to the affirmation of state responsibility. The GGE does call for such cooperation in response to requests from other states investigating “malicious ICT activity” although this proposed CBM is framed in the context of cyber crime or terrorism and is unlikely to be of much use in countering state-sponsored operations. The GGE consideration of the application of international law does serve to underline the absence of relevant treaty-based governance of cyberspace and of dedicated international tribunals to adjudicate any disputes arising among states.
The GGE concludes with a recommendation that a new GGE be established in 2016 with a similar mandate to “promote common understandings on existing and potential threats in the sphere of information security.” This recommendation might seem on the surface as a case of a group wishing to perpetuate itself and gives rise to questions as to whether the incremental advances of the 2015 GGE over its predecessors justify another iteration of the GGE so soon. Despite the risk of “GGE fatigue”, in the absence of any other empowered multilateral process for developing the global norms of responsible state behavior in cyberspace that many advocate, the UN GGEs have taken on a role as a relatively representative mechanism for states to articulate what such norms might look like. Eventually however, UN member states will have to move beyond commissioning further studies of the subject and decide to act upon the recommendations generated by the series of GGEs. This would most likely entail establishing under UN auspices an inclusive process to negotiate an actual set of norms for state conduct in cyberspace.
To date, there seems little appetite at the UN level to commit to such action. Given the disturbing trends in what the GGE somewhat euphemistically terms “malicious activity” in cyberspace, it is incumbent on states and non-state actors alike to exert themselves and seek to regulate in some manner state conduct in cyberspace if they truly wish to preserve this critical environment for peaceful purposes.
While the path of least resistance may be to simply authorize further group study of the subject, this would border on “irresponsible state behavior” at a point when the future nature of cyberspace is still so ill defined and the risk of massively disruptive conflict is effectively unaddressed.
All citations are from the report of the GGE on “Developments in the Field of Information and Telecommunications in the Context of International Security” contained in UN General Assembly document A/70/174, 22 July 2015.