In recent months it has been difficult to escape reports of damaging cyberattacks on critical infrastructure, even without following discussions directly relating to cybersecurity. As well as heightening tensions between states, causing huge financial losses to companies and to governments, and directly impacting the lives of tens of thousands of people, these attacks also raise questions about current multilateral discussions happening at the UN’s First Committee, which aim to achieve a more peaceful and secure cyberspace. What are these discussions at the UN achieving—and what positive ‘real world impact’ are they having—if these kinds of attacks continue apace?
For those of us who follow these discussions, this is tricky to answer. The recently adopted Group of Governmental Experts (GGE) report notes that “incidents involving the malicious use of ICTs by States and non-state actors have increased in scope, scale, severity and sophistication” and “harmful ICT activity against critical infrastructure that provides services domestically, regionally or globally…have become increasingly serious”. Its proposed response includes encouraging states to implement a set of voluntary, non-binding measures, including the existing 13 GGE cyber norms, and increasing transparency among states through confidence building measures such as identifying “points of contact to address ICT incidents and de-escalate tensions in situations of crisis” and sharing national views on the classification of critical infrastructure. In this approach, the GGE reaffirms and builds on the existing responsible state behaviour framework, as the Open Ended Working Group (OEWG) also did earlier this year in its consensus report.
Given the stakes involved, and the threats we face—is this enough? The additional norms guidance in the GGE report is certainly welcome, and the fact it was agreed is in and of itself impressive—considering the deep rifts that remain between states (which have competing visions of the role of states in cyberspace that extend well beyond the UN First Committee). Also welcome is the recognition, among other things, that incident response teams should not be politicised, that vulnerability equity processes should ensure legal protections for security researchers, and the increased reference to the impact of malicious state behaviour on human rights and the responsibility of states to address that. The new GGE report also recommends that states engage different stakeholders in implementing the responsible state behaviour framework. These are all messages which civil society groups, including GPD, have long been pushing for.
In other aspects, progress is limited, however—particularly when it comes to the discussion of what is binding in the responsible state behaviour framework, namely on the contentious point of the application of international law in cyberspace. References in the report to international law fall short of explicitly stating that international humanitarian law (along with international human rights law) applies in cyberspace—instead stating that “international humanitarian law applies only in situations of armed conflict and that further study is needed”.
As others have pointed out (notably Cyber Peace Institute and ICT 4 Peace), the report also falls short of acknowledging the importance of accountability for malicious behaviour in cyberspace. A stronger common understanding of what is ‘acceptable’ and ‘unacceptable’ behaviour in cyberspace is needed to support this. The norms are meant to create that greater understanding, but the actual concretisation of them requires an interplay of rhetoric and action—reaffirming these commitments within diplomatic circles, while also responding in ‘real life’ to perceived violations of norms.
There are signs of some (slow) progress in this regard. For example, the report references the multifaceted nature of attribution, and some states are increasingly attributing malicious cyberattacks, including jointly, and imposing ‘costs’ (such as through sanctions) on their perpetrators. Recently, multilateral spaces such as the G7 have seen stronger commitments to addressing malicious state behaviour in cyberspace. The reality is that attribution remains a primarily political decision, not an independent or empirical one. Yet these attribution statements, and the continued sharing of perspectives on how international law applies in cyberspace—including, importantly, on how key concepts like due diligence apply—could signal a move towards a greater concretisation of soft law and norms in cyberspace. In time, this may help foster greater accountability.
At the same time, states are increasingly investing in offensive cyber capabilities (presumably stockpiling vulnerabilities and hacking powers) and violating agreed norms (e.g. by attacking critical infrastructure), all the while overtly reaffirming the responsible state behaviour framework. As such, the discussions at the UN will continue to seem to many like a carefully crafted theatrical display, concealing the more chaotic reality in which we all live, where states say one thing on stage and behave quite differently behind the scenes to further their own agendas.
What, therefore, can we take away from the UN’s adoption of both the GGE and the OEWG reports? It’s clear that multilateral negotiations can result in agreement and common understandings of key threats, as well as proposals to address them. We should cautiously celebrate the rhetorical progress that has been made on the responsible state behaviour framework through these two processes—which have yielded new capacity building principles, greater guidance on norms (including much-needed definitional clarity in some areas, like strong agreement that medical facilities comprise critical infrastructure), proposals of a new mechanism for institutional dialogue (like the Programme of Action proposal), as well as acknowledgement—at least on paper—of the role of non-governmental stakeholders in implementing the framework.
What we need to see now is continued progress in implementation of the framework, in a human-centric and inclusive way. This will involve greater transparency on state operations and behaviour, digging deeper into the agreed framework and providing more definitional clarity of key terms, more trusted mechanisms for information sharing among states and other actors on best practice for reducing vulnerabilities and securing networks, as well as the sharing of perspectives on how international law applies in cyberspace. Achieving this will only be possible with the meaningful engagement of non-governmental stakeholders, including civil society. The recent OEWG organisational meeting, where member states were unable to agree on inclusive modalities for NGO engagement, shows the unfortunate though not insurmountable difficulties in achieving this at the UN First Committee. But this doesn’t have to be the case elsewhere, and it’s critical that, while still working to make the UN more inclusive, states engage non-governmental stakeholders outside the UN, in other forums.
In the context of the First Committee, what needs to happen right now? As a very first step, states should seek feedback on the new norms guidance and the GGE report more generally from the multistakeholder community. They can do this both in other multilateral and multistakeholder forums and at the national level. There is no shortage of opportunities for words to be matched by action when it comes to state behaviour in cyberspace.