Last week, the United Nations Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (UN GGE) concluded its final session and adopted its final report. An advanced copy of the report was released on May 28, 2021 on the UNODA website. This group was composed of 25 Member States and Chaired by Ambassador Guilherme de Aguiar Patriota of Brazil. More information about the logistics of the Group can be found on the UNODA website.
The UN GGE’s final report came at a relevant time, and follows the success of the UN OEWG’s Final Report (see further analysis of that report here). The conclusion of the UN GGE’s session and adoption of the final report reinforces the productive diplomatic relations currently ongoing at the UN, specifically in the case of cyber discussions. Productive, consistent cyber diplomacy discussions are crucial in order to make progress on the pressing issues related to cyberspace, such as the practical implementation of the UN GGE’s 2015 norms in order to facilitate responsible behaviour in cyberspace. The Group’s final report is representative of this progress as it is a clear step forward on the implementation of norms, especially in light of the fact that the previous UN GGE was not able to reach an agreement in the end. As a civil society organization, the CyberPeace Institute works on and analyzes these topics from the perspective of cyberpeace and human security, dignity and equity in order to ensure that the human focus remains at the core of the negotiations. This will be discussed further on in the comments.
How did the report do?
The advance copy of the UN GGE’s final report is broken into seven sections including conclusions and recommendations for future work. Essentially, these sections provide more direction on how to implement the norms that were agreed by the Group back in 2015 in an effort to better frame what peaceful settlement and prevention of conflict can look like in cyberspace. This is a point of departure from the previous session, where states did not agree on the recognition of the Charter of the United Nations in its entirety, namely Article 51 which outlines states’ right to collective self-defence. The agreement on this issue in the recent UN GGE’s final report shows that states are willing and able to compromise on complex, important issues, and are able to make progress in this field. This is especially more impressive thinking about who was represented in the room. Moreover, the additional guidance outlined in the report is a key step for states to make progress towards more responsible behaviour in cyberspace and to ensure the protection of civilians and critical infrastructure. This report also reaffirmed that respect for sovereignty and human rights are central components to the Group’s work; this is important to keep in mind while reading the report.
Complementary to the work of the UN OEWG, the UN GGE’s final report highlighted the concern over the impact that malicious activities have had on critical infrastructure, and specifically given the ongoing COVID-19 pandemic the impact these activities have had on the healthcare sector. This reinforces the Member States’ recognition that more needs to be done in order to protect critical infrastructure as in the end, it is human lives that are impacted as a result of malicious actions. Further to the CyberPeace Institute’s previous work on the protection of critical infrastructure, the inclusion of guidance regarding Norms 13 (f) and (g) was a welcome addition to the report. The report also mentions that states must be the ones to designate what they consider to be included under critical infrastructure, and specifically mentions the healthcare sector as an example. This designation is a first step to better protect the essential services that people rely on everyday for their health and wellness.
The need for consistent and cooperative measures is reiterated throughout the report and in relation to several different norms. This is something that cyber diplomacy helps to advance and can be seen as a key purpose of these discussions; open dialogues and conversations in good faith are a tremendous step forward in reducing the risk and impact of malicious activities in cyberspace. Everyone has a perspective to contribute to these discussions, and information exchanges at all levels and between the public and private sector would help States to keep current on the proliferation of operations in cyberspace. Awareness raising via confidence building measures (CBMs) is an essential component to this, and is the next concrete step towards the implementation of these norms. The specific mention of establishing Points of Contact under Cooperative Measures in the report is another concrete step to achieve this goal of regular information sharing.
Regarding Norm 13 (e) in the final report, the UN GGE reminds all states of their obligations to protect human rights and fundamental freedoms both on and offline. This is a pivotal point that should remain at the core of ongoing and future discussions about cyberpeace and responsible behaviour in cyberspace. The protection and safeguarding of human rights should always be the first priority, especially in the cyber context. Issues and biases that are prevalent offline are just as prevalent online, and should be treated with the same urgency.
The distinction made between the discovery of vulnerabilities and the exploitation of vulnerabilities between Norms 13 (i) and (j) is useful in establishing the varied roles of all stakeholders involved in this endeavour. Without the cooperation of the private sector, civil society and the public sector at least, not all aspects of supply chain integrity can be met. To go a step further, this will require legislative changes and requirements of different parties so that these roles are better clarified.
Overall, along with the consistent inclusion of information sharing throughout the report, it was encouraging to see the section on International Law and the reaffirmation that international law and the Charter of the UN applies in its entirety to cyberspace and that international humanitarian law applies in the case of armed conflict. Interesting to note in this report is the specific mention of state-used proxies. Proxies add another layer to the difficulty of achieving accountability in cyberspace, and the fact that these 25 states have agreed to this statement is important to recognise.
Where did the report lag behind?
Despite the highlights mentioned above, there are still some areas of the report that need more work and are worth mentioning in this regard. A primary disappointment would be that a human-centric approach was not mentioned once throughout the report. The CyberPeace Institute believes that using a human-centric approach, and therefore keeping people at the heart of the discussions, would help states to better understand what is needed to implement strategies, legislation and policies that would actually work for the people. Also in this way, the solutions implemented based on these norms will also help people to seek redress and justice in case they fall victim to malicious activities in cyberspace.
Building on the idea of a human-centric approach, the report’s failure to mention accountability even once in the context of state behaviour is a pity. Though attribution is mentioned with regard to Norm 13 (b) and the need to take into account the wider context of an event, the urgency of the issue is lost. In order for victims to seek redress they need to know what has happened, and in this way attribution is a key step towards accountability. As such, accountability is an integral component and an ideal outcome of the implementation of these norms based on the additional guidance, but without this as a clearly defined, collective goal, malicious behaviour will continue to persist and go unpunished.
On a more practical note, we were disappointed by the lack of clear measurement proposals in order to quantify and track the progress of the norms implementation. The report mentions the important role that regional and sub-regional bodies have in taking the next steps to implement the report’s recommendations, but no concrete proposal to do so was put forth. The CyberPeace Institute agrees that a regionally-relevant approach should be taken as this is in line with a human-centric approach, however, the lack of clarity as to exactly how to do this was disappointing. Furthermore, the Institute understands this to be a space where civil society can support states’ efforts and can potentially provide some further clarification on how to implement the norms. Ultimately, this is a collective effort and the Institute is happy to assist where possible.
Where do we go from here?
The CyberPeace Institute is eager to support states in implementing the recommendations outlined in the UN GGE’s final report, as needed. At the same time, the Institute believes that tracking the progress of the norm implementation against the reality of attacks, and informing the public of these results, is paramount to hold states accountable to what they agreed upon in order to ensure the collective effort towards more responsible behaviour in cyberspace. This process of implementation needs to be based on the wider context of threats and attacks that continue to proliferate in cyberspace, as well as the actions that states perpetuate such as espionage. A more stable and secure cyberspace cannot succeed without accountability, and now it is up to states with the support of other stakeholders to implement the guidance that the UN GGE has provided.
The CyberPeace Institute is pleased to provide assistance and awareness raising efforts to support those who have already or may fall victim to malicious behaviour in cyberspace. Our engagement and work with experts informs our assistance work by identifying new threats to peace and stability in cyberspace. From the state perspective, the Institute is keen to support states in their effort to apply international law to cyberspace in an effort to hold others accountable for their actions with the understanding that the application of international law requires very detailed knowledge. However, it is a key step towards accountability in cyberspace and therefore of utmost importance. The CyberPeace Institute stands ready to work with others in order to work towards a more open, secure, and peaceful cyberspace for all.
Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.