The UN General Assembly has had on its agenda since 1998 an item entitled “Developments in the field of information and telecommunication technology (ICT) in the context of international security”. For almost a quarter of a century, cyber’s impacts on security have been discussed at the UN. There’s been some progress — reports by several Groups of Governmental Experts (GGE). These government-appointed experts (ranging from 15 to 25) study an issue over two years and issue a report with recommendations — if they can all agree to it (they make decisions by consensus).
The GGEs in 2010, 2013 and 2015 managed to produce such reports with a menu of norms, principles and confidence-building measures for responsible state behaviour in cyberspace. The 2015 report represented a high-water mark for guidance to states. It contained eleven voluntary norms of behaviour that covered some crucial areas of cyber operations. Notably, it prohibited cyber targeting of critical infrastructure on which the public depends.
It also banned targeting Computer Emergency Response Teams (the “first-responders” to cyber incidents) or involving such teams in offensive cyber operations. It stipulated that states should not employ proxies in offensive cyber operations and reaffirmed that international law was applicable to cyberspace. The General Assembly subsequently adopted by consensus a resolution (A/RES/70/237) calling upon all states to be guided in their cyber activity by the GGE report.
The UN has adopted a newer and more inclusive approach to work on cyber security in recent years: the Open-Ended Working Group (OEWG). As the name suggests, it is open to all member states and its proceedings are transparent. An initial OEWG operated in 2019-2021 and produced a report in March 2021. Its success resulted partly from dividing the final report in two parts: a section approved by consensus and a “Chairman’s Summary” which included proposals that were raised during the meetings, but which without obtaining general agreement. Among these latter was a proposal for a “Programme of Action” (PoA) put forward initially by some 45 states.
The PoA seemed to promise, for the first time, an “institutionalization” and venue for UN consideration of cyber security issues. Like the 2001 UN Programme of Action on Small Arms and Light Weapons, the PoA aimed to consolidate the UN’s work on cyber security permanently, with biennial meetings of states, periodic review conferences and meetings of technical working groups.
_The PoA seemed to promise, for the first time, an “institutionalization” and venue for UN consideration of cyber security issues.__
The initial OEWG has now been supplanted by a successor OEWG with a five-year remit (2021-2025) and 60 state sponsors. Their idea has the support of non-governmental “stakeholders” in civil society and the private sector. Although the sponsors submitted an updated paper on the PoA, there is still some uncertainty as to its intended nature. The paper states that a PoA “would be established as a permanent, action-oriented, inclusive, transparent and results-based mechanism…” Although heavy with positive sounding adjectives, the term “mechanism” is ambiguous, as is the formula that the PoA is “to function as an action-oriented instrument”.
Nor is it clear how the PoA is to be realized and its relationship to the OEWG. The sponsors’ paper refers to possible consultations in 2021 and 2022 and notes that “At the end of these consultations, a resolution could be adopted at the First Committee of UNGA to establish the PoA”. This implies that a resolution could be forthcoming shortly, without however any specific time commitment. In this deteriorating international security environment, cyber security norms (such as the prohibition on targeting of critical infrastructure) are being honoured in the breach rather than the observance.
In this deteriorating international security environment, cyber security norms are being honoured in the breach rather than the observance
The third substantive session of the OEWG (held July 25-29, 2022) has just concluded. The first annual progress report will be submitted to this fall’s UN General Assembly session. It states that the scope, content and structure of the PoA and its relationship to the OEWG will be discussed in the fourth and fifth sessions of the OEWG (in March and August of 2023). But it is still unclear how the PoA is to be managed in the near term, nor have its sponsors articulated the way forward.
For those who want the UN deliberations moved beyond the declaratory to produce more operational results, the promise of a PoA is appealing, though the lack of clarity is worrisome. The “talk” needs to be supplemented by the “walk” — responsible state behaviour in cyberspace in the context of international security.
Putting flesh on the skeletal concept of “regular institutional dialogue under UN auspices” endorsed in earlier consensus reports would give institutional form to this ad hoc process. The term “mechanism” is too ambiguous; I would favour “forum” for on-going consideration of cyber security issues. A permanent UN forum for cyber security matters could incentivize states to report on national implementation of the agreed framework. An open inclusion of stakeholders would also enrich this type of informational exchange. A dedicated forum alongside regular reporting would eventually produce accountability mechanisms that have been absent from this important realm of the UN’s work. I am affiliated with ICT4Peace, an NGO that during the initial OEWG proposed a review mechanism outlined here.
The current international situation is urgent, for the UN’s normative framework for cyber security is hemorrhaging and must be staunched
During a May event some PoA supporters proposed clearer and more consistent content for the PoA. The positive contribution of the paper prepared by Allison Pytlak of the Women’s International League for Peace and Freedom (WILPF) merits further action. An excellent next step would be to put forward a “pre-draft” of a PoA text, refining the concept and providing for wider consultation and eventual negotiation.
Clearer timelines are also required for realizing the PoA, which need not wait the 2025 end of the OEWG’s mandate. An UNGA resolution this fall could allow for an agreement within the near term. The current international situation is urgent, for the UN’s normative framework for cyber security is hemorrhaging and must be staunched.
The stakeholders want the OEWG process to become more operationally relevant. From his first days the OEWG Chair, Ambassador Burhan Gafoor of Singapore, has been clear that he doesn’t want to preside over a mere “talk shop”. It is time for participants to rally around a PoA that can advance the expressed commitment of states to responsible behaviour in cyberspace.
Paul Meyer is Senior Adviser, ICT4Peace