Cyber Peace & Security Monitor, Vol. 1, No. 5
Breaking silos, building community
09 December 2019
Allison Pytlak of WILPF and Paul Meyer of ICT4Peace Foundation
Some of us in the international community, particularly those working in multilateral spaces, speak of breaking down the institutional siloes that divide our work in order to more effectively address issues of common concern and reduce redundancy. Modern problems are complex and multi-dimensional, and their solutions likewise require a degree of collaboration and communication that the structures we work within do not always easily allow for or encourage.
The intersessional meeting of the UN’s Open-ended working group (OEWG) on developments in the field of information and telecommunications in the context of international security, held 2-4 December, may be a rare exception.
Per the UN General Assembly (UNGA) resolution that established the OEWG, this informal meeting was always intended to be the one opportunity for non-governmental stakeholders to contribute their voices and expertise to the process. It was an opportunity made even more important after a widespread denial of accreditation to observe the OEWG’s first substantive session in September.
The scale and diversity of participants exceeded the expectations of many however. The over 110 entities registered included non-governmental organisations, academics, research and policy institutes, technologists, software providers, and representatives of other relevant intergovernmental processes. While regional and gender diversity was not perfect, it was also not imperfect. The meeting and OEWG chairpersons, along with the UN Secretariat, further encouraged the contribution of video statements from those unable to participate in person and have done much to ensure that interventions and position papers will be posted online and be accessible to the UN membership, which is not always something offered to civil society.
Throughout, the member states present were largely in “listening mode”—to extent that none raised comments or gave inputs until prompted to near the end of the first day. The meeting did not reach the degree of conversational exchange that may have been desired by its organisers but the content of interventions was extremely rich and as the meeting progressed, some began to refer to and take note of what others had said before them, or even ask questions in the open.
Yet what was perhaps most unique about the meeting is that the vast majority of participants did not come from the disarmament and security field in which the OWEG process is rooted. Rather, most participants represented groups and institutions active in other issue areas pertinent to the OEWG’s focus: internet governance; digital rights; technical capacity building; and technology research. Their inclusion might seem like an obvious approach to take on such a complex topic, but it is actually fairly rare in UN meetings to have a majority of interested civil society groups coming from spaces that are not closely associated with the underlying mandate.
It did mean that participants entered the discussion from different starting points or used at times, different points of reference and vocabulary but the net result has been the chipping away at some silos and hopefully, the building of new community and a more informed dialogue process. As some acknowledged in their statements, the meeting was in and of itself a confidence and capacity building mechanism.
Continuing in this vein may not be embraced by all states, however, although even on government delegations there appear to be a mix of those who specialise in cyber security and those who follow the full range of UNGA First Committee subjects. Most prefer to stay close to the “in the context of international security” part of the OEWG’s title, and even those willing to be slightly more expansive are going to be constrained by the OEWG’s mandate and place in the evolution of a longer discussion about international cyber security at the UN. But a point illustrated well throughout this meeting is that because ICTs are so ubiquitous in our lives, and that a range of non-governmental actors play central roles in ICT development, maintenance, and security, broader inclusion than usual is going to be necessary in this process.
Diversity also generated a wide spectrum of concerns. Certain themes occurred regularly throughout the session and are summarised below. Greater detail can be found in the “News in Brief” section of this edition of the Monitor.
Several participants pointed to the increase in cyber security threats, originating from both state and non-state actors, in number and magnitude. Spear phishing and business mail compromise were notably on the rise with attacks more specifically directed. The increased “weaponisation” of cyber space was criticised by some and in particular indications that critical infrastructure was still being targeted despite the agreed norm prohibiting this.
The impact of cyber threats varies with the defence capacities of countries and individuals. Several non-governmental organisations (NGOs) stressed the disproportionate vulnerability of many developing societies and marginalised groups within them. This often included recognition of a need for more gender diverse delegations in cyber security meetings, as well recognition of the gender-differentiated impact of cyber operations, points highlighted by both member states and non-governmental participants. Continued support by the donor community for capacity-building efforts to help bridge this divide was universally endorsed.
Frequent references were made to the necessity of a rights-based, human-centric approach to the governance of international cyber security activity. Concern was voiced on the targeting of human rights defenders by some states utilising ever more sophisticated cyber surveillance systems and there were calls for the export of such systems to be strictly controlled.
There was a refrain throughout the session that states need to be held to account for their international cyber operations. Such accountability would require reliable attribution a possibility that is deemed more feasible today than in the past. Several proposals for a network of accountability inputs drawn from the technical security community that could support an accountability procedure at the diplomatic level were suggested. A possible model for a cyber security “peer review mechanism” is the Human Rights Council’s Universal Periodic Review process. Other ideas included variants of the International Atomic Energy Agency or the National Transport Safety Board, but a form of public-private partnership which could ensure credible forensic capabilities and an equitable accountability forum was considered desirable by many, and perhaps even as a suitable “deliverable” for the OEWG itself.
A prominent theme in the discussions was the perceived urgency for concerted action by states in addressing the growing threat of malicious international cyber activity. “We don’t have the luxury of just talking about these issues” as one industry representative put it. The fact was noted that nine years have passed since the initial consensus report of the UN Group of Governmental Experts (GGE) process on norms of behaviour in cyberspace, and its calls for international cooperation to prevent threats to peace and security, yet this threat has only grown in nature.
The continued divergence of views as to whether it is best to maintain the status of agreed norms of responsible state behaviour (such as generated by the UN’s GGE process) as voluntary, politically-binding measures or to give them a legally-binding nature was evident during the session, with proponents of either variant covering both sides of the aisle. There was however a general sentiment that in the near term the emphasis should be on operationalising the existing agreed norms rather than on generating new ones, although the suggestion was made that the ban on attacking nuclear facilities as an element of critical infrastructure should be extended to nuclear weapon complexes as well. The contribution of “Ethical Codes” for cyber incident responders to help prevent destabilising action was also highlighted.
Several participants flagged the continued gap in awareness (both among the general public, but also at the political level) of the norms of responsible state behaviour that have been agreed. Greater efforts to promote “cyber hygiene” and “best practices” were seen as important complements to the work of the cyber specialist community in and outside government.
Capacity building proved to be the topic with the greatest number of interventions, and exceeded the time allocated to it. A majority of speakers focused on identifying practical steps to increase capacity between states, the private sector, the public sector, and civil society—but many others also highlighted the importance of building capacity at individual levels, and to those most at risk. A lot of existing initiatives were described, including lessons learned from them, that reinforced earlier points about a digital divide.
Ways forward on a multi-stakeholder approach was the theme of the final session. Maintaining an inclusive and multi-stakeholder approach in the OEWG received wide endorsement and little dissent from states in the room. Several practical suggestions were made how to do this, ranging from effective UN meeting formats to the importance of dialogue at national and regional levels, and sponsorship programmes.
However, the future of civil society engagement at OEWG sessions is not clear. Presumably an accreditation process will open up for the next two formal substantive sessions in February and July but it’s not guaranteed that this will happen, and neither is the granting of accreditation to all interested groups, or having opportunities to contribute in the room. The report of this meeting—which held an informal status—will be delivered by the chairperson, David Koh of Singapore, to the OEWG chairperson, Ambassador Lauber of Switzerland, in February. It will likely be a factual summary of what was discussed, and where there was agreement or disagreement therein. What would also be of value is if the meeting report could include all the practical suggestions made by participants across all topics, in an annex or attachment, for ease of reference and possible uptake by states.
Regardless of what occurs in formal meeting rooms, it will be difficult to dial back the engagement of non-governmental stakeholders. Some silo-ing is necessary in order to focus work and play to strengths but keeping the OEWG in a vacuum will do the process no favours, and risks achieving effective outcomes that are implementable and make sense in the real world. As stated in the previous edition of this Monitor, the hope is that this is the start, and not the end, of a more robustly inclusive UN dialogue on cyber security writ large.