Despite logistical issues posed by the pandemic, failure to reach consensus in 2017, and an unprecedented level of geopolitical tensions among some of the key players, two United Nations processes devoted to cyber issues recently produced substantive consensus reports. Remarkably, though many predicted the two processes — one initiated by the United States and one by Russia — would be at odds with one another and lead to failure, the two largely worked in tandem.
The first, the Open-Ended Working Group (‘OEWG’) comprised of all 193 UN member states, issued a report that, among other things, endorsed previously agreed upon norms and highlighted cybersecurity capacity building.
The second, the Group of Governmental Experts (‘GGE’) comprised of 25 country cyber experts, made significant progress in further articulating cyber norms and confidence building measures, expanding on the application of international law in cyberspace and detailing how capacity building could aid international cybersecurity efforts.
Both reports represent significant milestones in the burgeoning field of cyber diplomacy, though they also indicate there is far more progress to be made. Among the many issues and challenges at hand, I shall focus on three: multi-stakeholder engagement; capacity building; and accountability.
Although the dual UN processes reflect a success of multilateral diplomacy, those negotiations were largely limited to states. That is hardly surprising as the UN was built for state interactions, and the UN forum being used – the First Committee that deals with arms control issues – is usually a province for states alone. Nevertheless, many non-state stakeholders have made the case that the private sector, civil society, and academia should have a place in state-led cyber discussions because they often own and run cyber infrastructure and have unique technical (or other) specialized insight. Indeed, many states agree that the inclusion and consultation of other stakeholders both informs and improves the results of their negotiations. Some progress was made in the recent OEWG process through an informal consultation meeting and the ability of other stakeholders to submit written comments at various points. Moreover, some countries created their own formal processes to solicit stakeholder input. Yet, given some member states’ hostility to non-state participation in UN proceedings, there have been significant constraints on non-state participation, with most non-state stakeholders viewing the current level of interaction as inadequate. Given that UN processes are consensus-driven and that some states are opposed, there is no easy answer to this challenge, though like-minded countries can increase their own multistakeholder consultations. Moreover, several UN member states are currently proposing a Program of Action for the next phase of UN activity that contemplates greater multistakeholder involvement.
All UN member states endorsed the importance of capacity building as foundational for stronger cybersecurity and cyber stability. During the OEWG meetings, many states – both developing and developed – cited the need for more (and more coordinated) capacity building. The OEWG report adopted a set of principles for capacity building efforts, while the GGE report stated “[i]nternational cooperation and assistance in ICT security and capacity-building can strengthen States’ capacity to detect, investigate and respond to threats and ensure that all States have the capacity to act responsibly in their use of ICTs.” Moreover, the report notes that other stakeholders clearly have a role in capacity building: “[i]ncreased cooperation alongside more effective assistance and capacity-building in the area of ICT security involving other stakeholders such as the private sector, academia, civil society and the technical community can help States apply the framework for the responsible behaviour of States in their use of ICTs.” However, as good as this language sounds, cyber capacity building remains under-resourced and under-prioritized globally.
There are some strong existing efforts including cyber capacity building programs by several countries and regional organizations. Moreover, the Global Forum on Cyber Expertise (‘GFCE’) is a strong multistakeholder community comprised of one hundred and forty countries, private sector entities, civil society, and academia devoted to the global coordination for — and prioritization of — cyber capacity building. However, given the pressing need for cyber capacity building around the world — made more acute as all countries have become more reliant on ICTs during the pandemic — these existing efforts need to be strengthened and better resourced. Treating cyber capacity building as foundational for the UN’s sustainable development goals would be a good start – better cybersecurity helps countries achieve those goals, yet the funding and priority of cyber capacity building pale in comparison to the resources devoted to the development goals.
Another would be for countries to treat cybersecurity as a national and economic security imperative and recognize that capacity building is an integral part of securing their digital futures. The GFCE and other organizations are working to raise the priority and coordination of capacity building efforts, but this needs to be a larger political effort.
Perhaps the biggest missing piece from recent UN reports is how to hold malicious cyber actors accountable. While progress has been made in articulating and endorsing norms of responsible state behavior — or guidelines — in cyberspace, those norms are little more than words on paper if there is neither accountability nor consequences for those who violate them. Indeed, if there is no accountability, the de facto norm is that anything goes, and that reality encourages the violators to increase their malicious conduct and tempts others to join them. Unfortunately, it appears that malicious cyber activity has significantly increased in recent years and the response to that activity has been sporadic and largely ineffectual. Moreover, future UN debates are unlikely to make progress, at least in the short term, on this issue, particularly because of political debates around attribution and the dynamics around cyber aggressors and victims.
Nevertheless, there are signs of progress at least among like-minded countries, and diplomacy has played a key role. Over the last several years, a growing list of countries have come together to publicly attribute and condemn nation-state cyber activity. The largest such coalition assembled to date, and a testament to the diplomatic efforts needed to assemble it, was the recent calling out of Chinese actors by the US, NATO, and the EU. However, such “naming and shaming” of bad actors only goes so far if there are no concrete consequences that follow. Getting a group of countries to join a public attribution is hard, but getting them to act collectively to impose concrete — yet not escalatory — consequences on a wrongdoer is even harder. There have been some glimmers of hope here as well, including the European Union’s use of its “diplomatic toolkit” to sanction a number of bad actors and the collective resolve demonstrated by the G7 and others in pressuring those countries that afford ransomware actors safe haven. However, how well countries can work together to not just define the guidelines but to enforce them will be the real test for achieving cyberstability in the future.
 Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (2021) pp 89.
 Ibid. pp 88.