Cybersecurity digest (May 2020)

1 Jun 2020

This extract is taken from the May 2020 issue of The digest, GPD’s newsletter. Sign up here.


This month, the UN Security Council convened a fully virtual meeting to discuss cyber stability, cyber norms and international law in cyberspace. 

The “Arria-formula” meeting (meaning it was informal and convened at the initiative of a member state) was led by Estonia, who currently hold the Presidency of the Security Council and co-organised with Belgium, the Dominican Republic, Indonesia and Kenya.

Some quick takeaways:

  • There was broad support for the application of international law (including humanitarian and human rights law) to cyberspace. Most states held that this rights framework was sufficient; while Egypt and Eritrea called for new frameworks, and Tunisia mentioned the possible need for new norms.
  • As our friends at Human Rights Watch pointed out, there was welcome recognition of the links between human rights and cyber stability and security from a number of states (including Belgium, the Netherlands, Ecuador, Mexico and Japan)—although only one permanent member of the Security Council (France) mentioned human rights in its statement.
  • States repeatedly mentioned the need to “punish” violations of international law and cyber norms in cyberspace—with many highlighting the urgent need for attribution and accountability for cyber attacks carried out by states.
  • COVID-19 and its implications for cybersecurity and stability were (unsurprisingly) a core theme of the meeting—see Allison Pytlak’s comprehensive overview for more on this.
  • Many states vocally championed the inclusion of non-governmental stakeholders. At the same time, few such stakeholders were actually in the room. Other Arria-formula meetings focused on gender have managed to do better—we should expect the same from discussions on cybersecurity.
  • The event did, however, see active participation from a diverse range of states, including from the  global South. Those who participated more or less mirrored those who have been active in the Open ended Working Group (OEWG), barring the notable absence of Russia over a political dispute.

A few other pieces of intel we picked up:

  • The International Criminal Court (ICC) is working on a report on how the Rome Statute (the treaty that established the ICC) applies to cyber attacks. This is scheduled to be presented in December.
  • Based on an intervention by Germany, the third and final meeting of the OEWG could be postponed to sometime in Spring 2021, pending further negotiations with states.

Overall, the meeting served as a useful “refresher”,  continuing the discussions that have been taking place in the Group of Governmental Experts and the OEWG—particularly welcome since the OEWG virtual informal negotiations on the revised pre-draft and non-paper of the OEWG report are not open to civil society (although the Chair encouraged delegations to study civil society contributions in his latest letter to member states).

But this Arria meeting doesn’t count as a formal set of discussions—and the OEWG still has a long way to go to finalise its report. Will it be able to pull it off, without the ability to hold in-person meetings? We explored this question in a recent episode of our In beta podcast.

On our radar for next month: 

  • The virtual negotiations with member states that are meant to replace the informal negotiations will take place from June 15-19, according to the programme of work published on the OEWG webpage this month.
  • More information on the plans for the third and final meeting of the OEWG should be coming. Will it be postponed or not? Watch this space…
  • The Australian Department of Foreign Affairs and Trade has launched an open consultation on the international dimension of its cybersecurity strategy (deadline: 16 June).