|Last month saw key meetings from two cyber processes at the UN: the Ad-Hoc Committee on Cybercrime (AHC)’s first substantive meeting, and the Open ended working group on responsible state behaviour in cyberspace (OEWG)’s second one.
The unfolding crisis in Ukraine loomed large over both discussions, but particularly at the OEWG—perhaps unsurprisingly, considering that this process sits within the First Committee and is expressly concerned with international peace and security.
Even before the invasion, the OEWG was facing obstacles in coming to consensus on the thorny issue of stakeholder modalities: an issue that remained unresolved by the end of the meeting last week, despite numerous attempts by the Chair.
Discussions began with statements from the US, UK and EU countries condemning Russia for its invasion of Ukraine and the resulting erosion of trust and good faith in the process. The conflict has provided an opportunity to see the framework for responsible state behaviour referenced and its applicability and relevance made clear. Perhaps for the first time, there were multiple references to how actions, in this case by Russia, have undermined the framework—including international humanitarian law through the attacking of critical infrastructure in Ukraine. The US, UK, EU and Australia mentioned their own attribution of cyberattacks to Russia in recent months. It is rare to see this level of ‘real-world application’ to the framework of responsible state behaviour that has been agreed through the First Committee—and the meeting also revealed the challenges in applying this framework. Russia denied and questioned the methods of attribution of its accusers, and retorted with claims that a binding framework is needed to enforce rules in cyberspace, a long held ambition of Russia.
The meeting could only proceed on an informal basis due to the inability to agree on stakeholder modalities (in non-UN parlance, this means that while there may be a Chair’s summary of the discussions, it will be much more difficult to get agreement on a report from the meeting). The UK also indicated that it would force a vote on stakeholder modalities at the General Assembly before the July meeting, which would break the commitment so far to consensus decision-making, as well as symbolising the new, more fragmented and divided dynamic shaping discussions. This is a huge lost opportunity because, as the Under-Secretary General noted in her opening remarks, the Ukraine invasion makes these discussions more relevant than ever. As the Chair remarked on the last day: if the discussions on responsible state behaviour didn’t exist, they would have to be created.
Amid this general division, there were also plenty of concrete suggestions made to advance the application of the agreed framework. Australia and Mexico, along with UNIDIR, launched a national survey of implementation of the framework at a side event. And sponsors of a new mechanism for dialogue and implementation of norms—the “Cyber Programme of Action” (PoA)—shared views on how the PoA could complement the OEWG. Singapore provided updates on their implementation of the framework and proposed joint capacity building programmes, while other states proposed measures to increase trust and confidence among states through transparency reporting on cyber capabilities, or proposed that the OEWG make progress on the application of specific areas of international law, like due diligence. The OEWG could—and should—provide the space to discuss these ideas, achieve consensus and advance peace and security in cyberspace. Unfortunately, the current political context and lack of agreement on modalities makes it increasingly unlikely that this will be possible, at least in the near future.
The AHC substantive meeting was somewhat more productive, with states managing to make some progress and provisionally agree on a roadmap for discussions, along with an ambitious timeline for agreeing the text. The substance is likely to prove trickier: while most states seemed to agree on the usefulness of the convention in strengthening international cooperation and ensuring consistency with other UN instruments, they didn’t agree on other key areas, including the most basic question of all—what the convention should and shouldn’t criminalise.
From a human rights perspective, there is a real danger that any scope that includes content crimes—which Russia, India and some states both in the Asia and Africa grouping are pushing for—would result in human rights abuses. The AHC intersessional with stakeholders which followed this meeting revealed other areas needing further discussion. While most non-governmental stakeholders agreed on the need for a narrow scope, there wasn’t clear agreement over the question of cyber-enabled crimes (those that take place offline but can be facilitated online, like child sex abuse material)—should such crimes be included in the scope, and if so, which ones? The next substantive AHC meeting at the end of May will see member states discuss three elements of the convention which are critical from a human rights perspective, including law enforcement and criminalisation. Inputs from both states and stakeholders are due on 8 April. As others have pointed out (see the Global Initiative on Transnational and Organized Crime and Chatham House) the roadmap’s timeline looks difficult to achieve given current disagreements.
- GPD, Article19 West Africa, The Centre for Human Rights at the University of Pretoria, CIPESA and PROTEGE have developed a new tool which tracks and analyses government responses to online disinformation across Sub-Saharan Africa. Join us for the (virtual) launch event on Tuesday 10 May (register here).
Your monthly global update, tracking relevant laws and policies relating to the digital environment.
On the trust and security side:
- Chile approved a Commission report that establishes regulations on computer crimes, repeals Law No. 19,233 and modifies other legal bodies to bring them in line with the Budapest Convention.
- Uzbekistan is reportedly developing a cybersecurity law obliging ‘essential facilities’ to establish processes to detect, report, and respond to cyber attacks.
- El Salvador approved reforms to the Criminal Procedure Code allowing digital surveillance by police without a court order or an oversight mechanism.