‘Cyberspace’ became a UN issue in 1998 when Russia first tabled a resolution on ‘Developments in the Field of Information and Telecommunications in the Context of International Security’ with the aim of starting negotiation of a treaty to regulate the possible use of ICTs in international conflict. Interestingly, what Russia feared most at that time was the ‘development, production or use of particularly dangerous forms of information weapons’, i.e. information warfare, which is arguably what Russia is best at today. Most Western states – in this debate often grouped under the term ‘likeminded states’ – did not want to go down the route of negotiating a multilateral treaty. In their view cyberspace did not substantially differ from the offline world and thus standing international law would be sufficient for its regulation. The compromise between these positions was the start of the ‘United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (commonly referred to as UN GGE). In 2002 the first UN GGE went to work. Since then, a succession of six different working groups has contributed, through ups and downs, to fostering the role of the United Nations as a normative power in the promotion of responsible state behaviour in cyberspace.
The years of consensus and failure
The first round did not yield a result, but in 2010, 2013 and 2015 the groups produced reports, which some countries lovingly refer to as the ‘acquis’ of the process. The 2010 report reached consensus on what threats were emerging in cyberspace. The 2013 report made its mark by recognizing that international law – especially the Charter of the United Nations – is applicable in cyberspace. The 2015 report found a way around the difficult negotiations on the question of how international law applies in practice, by formulating eleven ‘non-binding rules for responsible state behaviour’, some of which echo principles of international law, such as due diligence and human rights protection.
In 2017 the group again tried, and failed, to tackle the contentious issue of how international law applies in cyberspace: there was no consensus report. Moving beyond the general dictum that ‘international law applies’ has proven to be a stumbling block. Uncharacteristically for a closed diplomatic process, two delegations publicly vented their frustration, with the American expert accusing some countries of wanting to ‘walk back progress made in previous GGE reports’ and the Cuban delegation accusing some countries of trying to militarize cyberspace by focusing the discussion on the right to self-defence, countermeasures and international humanitarian law.
Fragmentation and resurrection
After the failure of the 2017 round, some commentators were quick to declare the UN GGE process dead. In the lull that followed, the ‘norms process’ found other outlets and fragmented. Work continued in multilateral regional fora, such as the ASEAN Regional Forum, the Organisation of American States and the Organisation for Security and Cooperation in Europe, in new private initiatives such as those led by Microsoft or Siemens, and in multistakeholder fora such as the Global Commission on the Stability of Cyberspace. Moreover, in 2018 France launched ‘the Paris Call for Trust and Security in Cyberspace’, a non-binding set of norms that reads like a ‘best of’ album and was signed by 78 states.
The reports of the UN GGE’s death had been greatly exaggerated, as there is currently a sixth UN GGE in place. However, things are not back to business as usual at the UN. In November 2018 the UNGA adopted two resolutions: one American-backed resolution calling for a sixth UN GGE (2019-2021) and a Russian-backed initiative establishing the first UN Open-Ended Working Group (OEWG) for cyberspace, fragmenting the norms space further. The mandates of these two processes overlap by 90% but the membership is vastly different. The UN GGE consists of 25 national experts negotiating a report, while the OEWG is open to all UN member states. In promoting the OEWG Russia ‘championed’ the cause of legitimacy and representativeness, claiming that “the practice of some club agreements should be sent into the annals of history”, and all member states should have a say.
Mutually Assured Diplomacy: between geopolitics and the need for a rules-based order
As geopolitical winds blow strong both inside and outside of the cyber domain, countries may harden some of their long-held positions. Russia and China’s focus on information security and regime continuity – as opposed to the likeminded states’ focus on technical cyber security – is now firmly connected to the principle of ‘digital sovereignty’, which appeals to many countries and feeds further polarisation. The Sino-American tensions on trade – and particularly on 5G and Huawei – translated into China’s demand to address supply chain security in both UN processes, stressing that “states should not use national security as a pretext” for limiting market access.
Both UN processes will also have to revisit the issue of a new treaty vis-à-vis standing international law and norms. Most recently, and brazenly, the Russian delegate to the OEWG commented that “if international law applies in cyberspace, why are foreign hackers electing the president of the United States?” to underscore the point that maybe norms will not be enough for holding wrongdoers to account. Meanwhile, further deliberation is required to address some of the actual security issues in cyberspace that occur below the threshold of armed conflict: how will states address cyber operations like NotPetya, the attacks on the Ukrainian electricity grid, or election interference?
Providing answers to these open-ended questions will affect whether both processes will yield a meaningful result, as both require consensus and affect each other. The UN’s facilitation of two different but entangled processes might be characterised as ‘Mutually Assured Diplomacy’, as it appears likely that either both initiatives will be successful or that both will fail. If one political camp sabotages the other’s process, the other camp is likely to respond in kind. Moreover, geopolitics are as likely to steer the direction and outcome as cyber issues themselves. And, as often with new technologies, powerful states will favour at least some strategic ambiguity to keep their hands free, while smaller states will tend towards increasing predictability by arguing for rules of the road.