logo_reaching-critical-will

Cyber Peace & Security Monitor, Vol. 1, No. 6

Finding purpose
10 February 2020


Allison Pytlak

Download the full edition in PDF

The constructive atmosphere of the first substantive session of the United Nation’s Open-ended working group (OEWG) “on developments in the field of information and telecommunications in the context of international security” set a necessary and important tone for its future work. The OEWG is the first open and inclusive UN forum to discuss digital technologies in the context of international security. 

The OEWG is the first open and inclusive UN forum to discuss digital technologies in the context of international security. It emerged, unfortunately, in a situation of intense politicisation, deadlock, and grandstanding—which is why the positive spirit and quality exchanges during its first session were an encouraging signal that states are committed to moving past the polarisation and tension surrounding the OEWG’s establishment and are eager to engage in this area of work.    

This is a good basis on which to begin the second session.  Few items on the UN agenda feel as pervasive and rapidly evolving as information and communications technologies (ICTs), and their misuse, making it all the more urgent that meaningful and effective outcomes be reached.

The state of play

Ambassador Lauber, chairperson of the OEWG, states in his working paper that the objective of this second session will be to “deepen the discussion of the First substantive session and reflect on various aspects pertaining to the OEWG’s mandate in more detail…”. His working paper provides his observations and takeaways from the first session as well as some questions to focus the discussion. Afterward, a pre-draft of the final report will be prepared and states will come together for two informal consultations to discuss and negotiate, ahead of the third and final OEWG session in July—which is where the report will be put forward for adoption, which must be agreed by consensus.

The proposed outline for the final report is a good approach. It gives space under each of the six substantive OEWG topics to identify points of agreement and where more discussion is needed as well as to offer conclusions and recommendations, which would be negotiated. This could mean that there is less potential for obstruction as long as all views are (faithfully) represented—although “nothing is agreed until everything is agreed”, as goes a familiar refrain at the UN.

There are points of agreement in many of the discussion topics. Most participating states have expressed similar concerns on the threat landscape, albeit some with greater detail than others and it is important to acknowledge that countries prioritise threats in different ways. All recognise the benefits of technology for socio-economic development and are keen to preserve a technology neutral, and behaviour-focused, approach. There was also widespread recognition in September of the importance of capacity- and confidence-building measures, and to build on regional cooperation and initiatives. A point highlighted by many delegations was practicality, with urgings to avoid politically charged and possibly unproductive avenues of discussion in future OEWG sessions. Finally, another major takeaway was the recognition from virtually all participants to not “start from scratch” and take existing practice and normative agreements as a baseline of discussion.

Implicit in “not starting from scratch” is the understanding that international law applies in cyber space, and that this not be undermined. Most states and many non-governmental actors support this view, although many point out that this assertion needs further unpacking, such as by better explaining how international law applies. Some states assert that it may apply but appears insufficient to constrain state behaviour. Some of these states therefore support steps that would lead to new international law, possibly through binding norms or a treaty. There is also a small grouping of states that contest the applicability of international humanitarian law (IHL) to operations in cyber space on the grounds that doing so legimitises conflict in cyber space and contributes to its militarisation. This is different than the concern that has been expressed by some civil society organisations about militarisation, which comes from a place of contesting the weaponisation of technology and militarism more broadly.  In fact, some of the states who do not accept the applicability of IHL for this reason among the most aggressive actors in cyber space.

Apart from these more easily identifiable areas of convergence and divergence are a multitude of other points where opinions may differ: should the OEWG account for the actions of non-state actors in cyber space, for example? How to apply a more human-centric approach to international cyber security and grapple with human rights dimensions? It is also important to remember that not all countries have been engaged in these discussions for as long as some others and are now working quickly to develop positions and understand the dynamics and evolution of the UN dialogue on this subject. As that occurs and the conversation expands, there is the potential for other priorities to emerge.

The fate of the multi-stakeholder approach

A question from many in civil society is if the informal multi-stakeholder consultative meeting held in December 2019 will have any bearing on the process going forward. This was always a planned part of the OEWG’s timeline yet took on new significance after many civil society groups were denied access to participate in the first substantive session. The meeting then became the only opportunity for representatives of non-governmental organisations, academia, and industry to meaningfully input and engage on the same six topics that states speak to during formal sessions.

It was hoped that the high turnout and expert inputs from the more than 100 organisations that attended the December meeting would have sufficiently demonstrated the added value and logic of having these stakeholders in the room. Yet, the 30 organisations without ECOSOC status that applied to attend this session have been denied accreditation. This includes reputable research institutes, advocacy networks, and private technology companies that together possess significant knowledge and expertise in this area. As we noted in September, such a broad and categorical denial of access is extremely rare in UN disarmament and arms control fora and sets a dangerous precedent, not least when those affected have credible background and expertise to the issue at hand.

There are credibility and practical risks to shutting out stakeholders, especially those with a role to play in implementing decisions taken by the OEWG and can provide subject matter expertise. At the same time, it is worth remembering that participation in a global meeting is only one kind of multi-stakeholdership; national dialogue processes and consultations between government representatives and a range of civil society actors are encouraged.  A “stakeholder” is someone or something with an interest in, or will be impacted by, a decision or an action. A worthy question is, who then is going to be impacted, positively and negatively, by the decisions made in the OEWG?  Conversely, how are the interests of those affected being represented in multilateral spaces?

Mr. David Koh of Singapore chaired the multi-stakeholder meeting. His summary will be presented formally on the first day of this meeting. The summary has also been shared with all member states, who may choose to advance some of the content. It is comprehensive and wide-ranging, picking up on a lot of the specific proposals made in December. It also helps to identify where there are similar and different views among the stakeholders present–and between some stakeholders and governments. There are also unofficial summaries available, such as from Global Partners Digital and Citizen Lab, alongside our reporting.

Identifying a common purpose

Questions about the OEWG’s purpose and possible products have been asked since its inception, not least because of the parallel process taking place in the form of the UN’s sixth Group of Governmental Experts on ICTs. Each process indirectly puts pressure on the other to be successful, which should ideally be complementary and avoid duplication or redundancy. As noted above, suggestions from states so far on possible OEWG outputs—which would be captured as recommendations in the final report—are largely practical in nature. There is no shortage of ideas; around 10 states have prepared working papers in the last five months with suggestions in this regard.

Within topics where there is broad support, the next step will be to establish clarity on what a recommendation or a conclusion could look like, and if it will enjoy the support of all. For example, does recognition of the need for more capacity-building measures translate into a specific course of action? Does an acknowledgement that regular institutional dialogue would be positive mean that all states have a similar view on the form that dialogue could take?

It is time to start moving toward this kind of specificity. The GGE and the OEWG are both under pressure to deliver results, which will be important to help the UN in preserving its role as a central forum for discussion on international cyber security. The emergence of other normative processes on international cyber security in the last few years shows that the global community takes this issue as a priority and will act through other channels to address threats there, if UN mechanisms are too slow or too deadlocked.

Purpose is also a question that sometimes arises in reference to the eleven voluntary norms of state behaviour developed by the UN’s fourth GGE on ICTs, in 2015. This is not to say that that these norms are not underpinned by specific objectives—they each were carefully crafted and negotiated—but rather that as viability hangs on implementation, which has been patchy which causes questions about the purpose of the norms and where they fit in the landscape.  Varied understandings of key terms contained within the norms, as well as differing levels of awareness about their existence has further hindered implementation.  

This may be due in part to the fact that the norms were developed and negotiated by a small group of states. Their adoption was no easy feat, but as the rest of the UN membership didn’t participate closely in the process there may not be the same level of direct buy-in and ownership, or understanding about why and how they came to be. These problems are joined by others, such as the challenges of attributing responsibility for cyber operations, and no real way to monitor norm compliance, much less address non-compliance.  If the OEWG’s outputs could include practical steps that address some of these challenges and cultivate wider ownership and involvement in the process of doing so, we would take an important step forward in better assessing the on-going impact of the norms as time passes but also curtail aggressive behaviour in cyber space.

 

[PDF] ()