The CyberPeace Institute’s Statement on the Cyber Programme of Action
The Programme of Action to advance responsible State behaviour in the use of information and communications technologies in the context of international security (Cyber PoA) outlined in the resolution A/RES/77/37 reaffirms the commitment of States to implement the agreed-upon framework and to do so through an operative and action-oriented process.
The Cyber PoA aims to promote peace, security, and stability in cyberspace through a cooperative model that advances the exchange of knowledge and practices, avoids duplication of efforts, and assists in national and regional implementation efforts. This instrument is also an important opportunity for a comprehensive engagement of the multistakeholder community.
The CyberPeace Institute proposes the following considerations on the scope, structure, and modalities of stakeholder engagement to inform the creation of this new instrument.
Scope of the Programme of Action
The Cyber PoA will allow for the continuation of previous consensus work in the Groups of Governmental Experts (GGEs) and Open-ended Working Groups (OEWGs) to consider, implement and advance responsible State behaviour in cyberspace and further build upon this work.
This initiative can create a single, dedicated, permanent forum for cybersecurity, which will not require renewed iterations, under the auspices of the UN First Committee where States bear primary responsibility in matters of international security. The Cyber PoA should centre around the implementation of the acquis, mapping and addressing the implementation challenges, and promoting continuous discussion and further development of the acquis.
The Cyber PoA should support the advancement of all pillars of the framework holistically and provide practical and needs-driven capacity building. Its mandate should consist of implementing cyber norms, building shared understandings of the applicability of international law and operationalizing confidence building measures (CBMs), and facilitating targeted capacity building efforts. It also needs to provide flexibility in addressing additional concrete issues that would benefit from information exchange, practical implementation, and multistakeholder engagement.
Content of the Programme of Action
Practical norm implementation necessitates the full inclusion of relevant stakeholders. Stakeholders can support States by advancing the interpretation and clarification of existing norms, assisting in identifying gaps in their operationalization, and promoting regular self-reporting. The Cyber PoA could facilitate broad multi-stakeholder assistance in national and regional implementation efforts, including reporting on the progress.
The inclusion of relevant stakeholders in a dedicated forum would lend legitimacy and shape an instrument that reflects lived realities and addresses real threats that affect the safety, security and well-being of people. Stakeholders can assist States to build their capacity and understanding of how to apply norms on the practical day-to-day level. They are also well-positioned to connect different actors and build partnerships across a variety of communities and geographies to help in the practical implementation of cyber norms.
Clarifications related to the interpretation of international law are still required by States, and civil society, academia, and other experts can be trusted partners in this regard. Several organizations, including the CyberPeace Institute, have built a track record of elaborating how international law applies in cyberspace and thereby help to reach common understandings. The Cyber PoA should convene discussions on specific topics related to international law, international humanitarian law, and human rights law. This may include expert briefings and joint initiatives to consolidate common understandings on this subject.
States should meaningfully progress in the operationalisation of CBMs as an essential component of international peace and security. The non-exhaustive list of measures towards building trust and transparency includes providing more clarity on what constitutes critical infrastructure under their national frameworks together with sharing information about cyber threats and vulnerabilities, national views on how international law applies in cyberspace, positive practices and existing capacity building initiatives, and national strategies and legislative frameworks related to the use of ICTs.
States are at different stages of implementation of the acquis, and it is imperative that they work together in cross-regional and multi-stakeholder partnerships to ensure that each State has the capacity to implement its commitments. The Cyber PoA can create a venue for needs- and context-driven capacity building that aligns with the assessments of threats and gaps in the implementation. Focused capacity building and multistakeholder initiatives can be particularly beneficial for smaller countries with limited resources to help them assess which infrastructure is critical and how to protect it while leveraging the model of public-private partnerships.
The PoA format needs to offer meaningful flexibility to reflect on the fast-developing field of international cybersecurity. States need to be able to decide on the substance for future meetings based on the identified needs and in a form that actively addresses building resilience against cyber threats. This can include expert briefings on selected topics, initiatives to promote the adoption of best practices and standards, joint exercises and simulations, and other forms of collaboration to benefit from the expertise and resources of various States and non-state actors.
The Cyber PoA should promote full, equal and meaningful participation of women in the process. This forum could include a call for gender diversity accompanied by practical steps, for example, in the form of programmes supporting women’s participation in the meetings. There are already existing models, such as the Women in Cyber Fellowship, which aims to ensure equal and effective representation of women diplomats from all regions in UN cyber negotiations, and on whose accomplishments States can build and expand, for example, to include stakeholders. Moreover, understanding of the gendered impacts of cyber harm and gender-related practices in established actions should be increased and mainstreamed through this initiative. The Cyber PoA should increase understanding of the impacts of cyber threats that can be experienced differently based on multiple factors of vulnerability.
Modalities for stakeholder engagement
The final report of the first OEWG on ICTs acknowledges that “the broad engagement of non-governmental stakeholders has demonstrated that a wider community of actors is ready to leverage its expertise to support States in their objective to ensure an open, secure, stable, accessible and peaceful ICT environment”. However, the modalities for the participation of non-state actors in the OEWG fall short of allowing for an engagement of relevant non-governmental stakeholders. Given the multistakeholder nature of cyberspace, civil society, industry, academia, the technical community, and other experts need to be part of the regular dialogue on cybersecurity. Their inclusion and participation can help to drive more impactful outcomes from dialogue and contribute to ensuring transparency and credibility of reached decisions as well as the sustainability of their implementation.
While States have the primary responsibility for the maintenance of international peace and security, non-governmental actors are their trusted partners. Collaboration with civil society, the private sector, academia and the technical community is essential for States to implement their commitments under the framework of responsible State behaviour in cyberspace. The PoA should enable and encourage the participation of relevant stakeholders. Listing the possible roles of stakeholders under each part of the framework can help to mirror in the instrument the real-world collaboration that already takes place in the cybersecurity field.
Modalities for the proceedings of PoA meetings should therefore enable all relevant stakeholders to attend formal sessions, deliver statements and provide inputs, as is the case in other First Committee processes, such as the GGE on lethal autonomous weapons systems convened within the Convention on Certain Conventional Weapons (CCW). The modalities for stakeholder engagement can also be informed by processes in other Committees that have proven effective. Notably, the UN Ad Hoc Committee on Cybercrime has demonstrated an open and inclusive model that was agreed upon in the modalities of the participation of stakeholders in order to enable broad participation from civil society, the private sector, academia, and other relevant stakeholders.
The Cyber PoA should support implementation mechanisms at the national and regional levels, particularly to share best practices and expertise, and pursue engagement with regional fora. The regional consultations which are currently taking place in cooperation with the Organization of American States (OAS) and the Organization for Security and Co-operation in Europe (OSCE) are a good starting point for strengthened coordination.
Shaping a future mechanism for cybersecurity in the context of international security is a unique opportunity to advance accountability in cyberspace. The goal of the Cyber PoA should be to create an action-oriented framework, building upon previous actions and positive outcomes, and leveraging the respective strengths of States and relevant stakeholders. The CyberPeace Institute stands ready to inform the design of the Cyber PoA in its expert capacity and looks forward to future cooperation with States and other stakeholders as part of the emerging instrument.