GUEST EDITORIAL

The United Nations’ cyberstability processes: surprising progress but much left to do

While the global pandemic will likely define the last few years forever, these years have also been marked by both a significant increase in the severity and impact of cyberthreats and unexpected progress in global policy and governance efforts designed to respond to them. In the last year alone, there have been major widespread nation-state cyber campaigns such as the Solar Winds and Microsoft Exchange compromises, penetrations into critical health care systems, and a troubling increase in disruptive cyberattacks on critical infrastructure, often by criminal ransomware groups. These ransomware actors sometimes act with the assent or direction of nation states but, even when they are acting on their own, act with impunity because ‘safe haven’ nation states turn a blind eye to their activity. Recent ransomware attacks on critical services – such as one on Colonial Pipeline that interrupted the flow of fuel to parts of the United States or an attack on the Irish health care system – have elevated cybersecurity to a national security priority both in the US and increasingly around the world. In addition, numerous states are building or expanding their military capability in cyberspace and committing to using those capabilities to advance their interests. While this is expected, as with any new technology, the relative lack of understanding or agreement of the appropriate limits on cyber operations and their second-order effects – including on non-state entities – can lead to uncertainty and instability. All of this is exacerbated by a seeming lack of accountability for bad actors – whether they are nation states or criminals operating from uncooperative states.

Against this backdrop, there has been a range of significant responses, including increasing instances of collective state public attribution statements and the use of coercive tools against malicious actors such as economic sanctions. In addition, there has been progress in two global governance processes devoted to cyberstability at the United Nations, the Open-ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security and the UN Group of Governmental Experts (GGE) on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security. This piece will briefly focus on the outcomes of those two processes, including their results, shortcomings and prospects for the future. However, progress in these formal processes is only one part of the larger fabric of Global Cyber Governance that this issue of the Journal is devoted to covering. Global Cyber Governance includes both formal and informal efforts and the explication of a number of difficult challenges to achieving a more peaceful and stable cyberspace. The articles in this volume are meant both to bring more clarity to the multiple debates around stability, accountability, military cyber activity and capacity building, and to help inform future discussions on these critical topics. Although significant progress has been made, both technical and policy threats continue to proliferate, and it is clear that the status quo is not acceptable.

The OEWG and GGE were born from two competing UN resolutions, the former sponsored by the Russian Federation and the latter by the United States. Although there had been a series of successful cyber GGEs in the past, some of which had made concrete progress, the 2017 GGE failed to reach a consensus. The OEWG presented a new format for UN discussions on cyber stability issues. Instead of the prior GGE paradigm that involved a collection of state experts ranging from 15 to 25 representatives, the OEWG was comprised of all UN member states. Though the voting was contentious, both resolutions passed. However, given the failure of the 2017 GGE to reach a consensus and the creation of two seemingly competing processes, commentators and others opined that the result would be confusion rather than practical results (Grigsby 2018). Though the two processes were set to be concluded earlier, with the GGE following the end of the OEWG, the timeline was stretched to nearly two years by the pandemic and the GGE finished shortly after the conclusion of the OEWG. Despite the angst about competing processes, predictions of failure, and the deteriorating geopolitical situation between the US, Russia and China, both processes were able to agree to consensus reports that were compatible. In part, this was due to the efforts of the chairs of the two groups – the Swiss Ambassador Jürg Lauber for the OEWG and the Brazilian Ambassador Guilherme de Aguiar Patriota for the GGE – who worked to ensure that there was close coordination of their respective groups. Among other things, the two chairs both participated in regional and other input sessions and their teams worked together to ensure that there was continuity and a connection between the two processes. In part, the success of the two processes was also due to all states, even if they opposed one or the other resolution, apparently deciding to fully engage and negotiate in good faith in each venue.

The OEWG report was built on the several prior consensus GGE reports but covered little new ground. Nevertheless, the fact that all of the member states in the OEWG endorsed the ‘acquis’ of prior GGE expert reports, with no renegotiation or backsliding, is itself an achievement. In particular, the 2013 GGE report concluded that international law applied in cyberspace and the 2015 report articulated 11 non-binding, voluntary norms of state behaviour in cyberspace that were both seen as foundational achievements. Although those prior GGE reports received endorsement at the UN First Committee level involving all UN states, they were never subject to the level of scrutiny by all states that they received in the OEWG. Indeed, one of the great successes of the OEWG was raising awareness on these issues and engaging diplomats from a much larger number of states in the focused discussion of the emerging, but previously often esoteric, issues of cybersecurity and cyberstability. Endorsement by this actively involved group gives greater validation and force to the norms and other statements agreed to in prior GGEs. Moreover, involvement by more member states, including those of the developing world, in the OEWG discussions was in itself cited as a confidence building measure in the report because ‘it stimulates an open and transparent exchange of views on perceptions of threats and vulnerabilities, responsible behaviour of States and other actors and good practices, thereby ultimately supporting the collective development and implementation of the framework for responsible State behaviour in their use of ICTs’ (United Nations General Assembly 2021, 6–7). Though largely endorsing prior conclusions, the OEWG report did further discuss threats, norms, CBMs and international law. The report also advanced some new thinking with respect to global cybersecurity capacity building, among other things adopting a set of principles for capacity building.
Finally, the OEWG attempted to engage non-state stakeholders in its discussions. United Nations’ processes discussing cyberstability issues were usually limited to negotiations among states, despite the value and expertise that other stakeholders bring to the debate, so holding a special informal multistakeholder session and welcoming written comments by non-state stakeholders was needed and innovative. Nevertheless, in part because of the objections of some member states, non-state stakeholder involvement was limited. It is difficult to quantify how the lack of more robust non-state participation affected the OEWG’s final outcome, though perhaps further input could have broken some of the many impasses that led to a lengthy ‘Chair’s Summary’ where many of the ideas that failed to attain consensus were detailed. What is clear is that many states lauded other stakeholder participation and a large number have backed a proposal for future work that envisages greater multistakeholder participation.

The 25-member GGE report, issued several weeks after the OEWG report, advanced the conclusions of the prior GGEs and the discussion of cyberstability in a number of concrete ways. First, the GGE report expressly acknowledged the applicability of International Humanitarian Law (IHL) to cyberspace. Although prior GGEs agreed that international law as a whole applied, China and Russia had objected to any reference to IHL – designed to minimise civilian impact during a conflict – because they believed that reference would itself lead to the further militarisation of cyberspace. The GGE mandate also encouraged member states to voluntarily contribute their assessments of how they believe international law applies to cyberspace. The submissions published in an annex to the report can help make further progress on this difficult issue and detail at least how individual states deal with thorny issues including sovereignty, due-diligence, non-intervention and use of countermeasures. Perhaps more importantly, the GGE report takes the 11 previously agreed norms and puts significant ‘meat on the bone’ helping describe how and when they might apply or be implemented. For example, with respect to the norm that critical infrastructure should not be attacked in peacetime, the GGE report takes steps to help define what critical infrastructure is – calling out the health and medical sector, particularly in light of the pandemic, and listing energy, power generation, water and sanitation, education, commercial and financial services, transportation and telecommunications as critical infrastructure that should be protected and not attacked. Interestingly, the report also cites electoral processes in this category – despite continuing instances of election interference by some states – and makes reference to protecting the technical infrastructure that makes possible the general availability and integrity of the internet – a proposed norm advanced by a number of non-state stakeholders. 
The GGE report also discusses in detail norms relating to states not allowing their territory to be used for malicious cyber conduct and the expectation that states will respond to requests from other states for assistance in those instances – two norms that have gained greater prominence in light of recent ransomware attacks and states offering potential safe havens for those actors. The report similarly adds a great deal of detail in its discussion of Cyber Confidence Building Measures (CBMs), including discussing the various types of CBMs and some considerations for the implementation of points of contact, hotlines, the exchange of information and consultations. Overall, the GGE report’s detailed discussion of the 11 norms and more fulsome discussion of CBMs provides a useful roadmap for states to apply and implement those measures. Like the OEWG report, the GGE report also focuses on capacity building, noting that cooperation and assistance in this area are important to ‘all elements of the group’s mandate.’ The report ties capacity building to the implementation of CBMs and the agreed norms and endorses multistakeholder participation in this activity noting that increased ‘cooperation alongside more effective assistance and capacity-building in the area of ICT security involving other stakeholders such as the private sector, academia, civil society and the technical community can help States apply the framework for the responsible behaviour of States in their use of ICTs.’

Despite the laudable, if somewhat unexpected, success of the OEWG and the GGE, a number of substantive and procedural issues remain unresolved. First, the path towards greater discussion, much less agreement, on how international law applies to cyberspace is unclear. Although the compendium of national views on the application of international law called for in the GGE is helpful, given the political sensitivities of this topic, further progress in the UN setting is unlikely in the near term. That is unfortunate as greater understanding and agreement on the application of international law can be beneficial to both restraining disruptive state conduct and accountability for transgressors. As more countries articulate their own views, however, there may be some room for discussion, if not agreement, in the UN in the future.

Second, although the two reports help further articulate cyber norms or rules of the road, there is little if any discussion in either report on accountability. Rules of the road and even international law are little more than words on paper if there is no way to hold violators accountable or dissuade them from engaging in such conduct in the future. The increase in cyberthreats over the last several years, including the penchant of some states to continue to turn a blind eye to malicious conduct emanating from their territory, is a testament that rules and other pronouncements are not enough in the absence of reasonable consequences. Like international law, however, the issue of accountability is a politically charged one and there are unlikely to be major developments in the United Nations. Although there is good language in the reports on the peaceful settlement of disputes and the use of UN mechanisms, these mechanisms may have limited effect when the aggressor and/or victim state are members of the Security Council and can veto any action.

Third, although the focus on cyber capacity building in both reports is welcome, as is the exhortation that states and other stakeholders should support these efforts, cyber capacity building remains under resourced and under prioritised. Cyberstability is not just the province of a few developed countries but requires the participation of countries and other stakeholders around the globe. Capacity building is the key to this greater participation. Here, the UN can do more and go beyond the language of the two reports – including expressly stating at a high level that cyber capacity building is foundational to achieving the Sustainable Development Goals and leveraging existing multistakeholder platforms outside the UN, such as the Global Forum on Cyber Expertise whose mission is to promote and help coordinate cyber capacity building efforts.

Fourth, although the OEWG exceeded prior efforts in its attempt to include other stakeholders, and the GGE held regional consultations that involved non-state participants, multistakeholder input into, and impact on, these UN processes was limited. Private sector, civil society and academic stakeholders have unique knowledge and perspectives on cyberspace issues and an important role in reaching cyber stability and more fulsome participation can help strengthen nation-state discussions, lead to more practical results, and avoid unforeseen consequences. Again, the UN can do more to involve other stakeholders in the future. Helpfully, the OEWG report commits to ‘identifying appropriate mechanisms for engagement with other stakeholder groups in future processes’ and the GGE report similarly commits to identifying ‘mechanisms that facilitate the engagement of other essential stakeholders.’ Yet this will be easier said than done given that the UN, and particularly the First Committee that deals with arms control, was built for state-to-state interactions, and some member states do not embrace non-state participation.

So where do we go from here?

Both the OEWG and the GGE spelled out a number of areas of future work and both spent time discussing future regular ‘institutional dialogue’ on cyber issues. According to the OEWG report: ‘[s]tates concluded that any future mechanism for regular institutional dialogue under the auspices of the United Nations should be an action-oriented process with specific objectives, building on previous outcomes, and be inclusive, transparent, consensus driven and results-based.’ Similarly, the GGE stated: ‘[t]he Group encourages the continuation of the inclusive and transparent negotiation process on ICTs in the context of international security under the auspices of the United Nations … ’ For the moment, the only current UN process is a newly minted Open-ended Working Group with a five-year mandate. Given that prior GGEs and OEWGs tend to only make substantive progress and reach consensus as their terms are wrapping up, a ‘five-year mission’ seems like a recipe for endless cogitation rather than results. Nevertheless, the Singaporean chair of the new OEWG has pledged to make interim progress during the OEWG’s longer mandate. In addition, France, Egypt and a number of other countries have proposed a Programme of Action (POA) for cyber discussions. This POA is modelled on similar efforts for small arms control and is meant to be a single ‘long-term, inclusive, progress-oriented format’ for advancing responsible state behaviour in cyberspace. 
Though still subject to negotiation, the POA envisions regular working-level meetings focused on implementation and multistakeholder input through ‘consultations with other stakeholders (private companies, NGOs, civil society …), regional organizations, representatives of other UN processes, and relevant multi-stakeholder initiatives dealing with cyber-related issues in the context of international security.’ The POA shows promise and is designed to deal with at least some of the shortcomings of prior UN processes, but it is unclear whether it will be adopted, how it works with the new OEWG, or what it will look like in its final form.

What does seem clear is that there will not be the spectre of two competing UN First Committee processes this year. As of this writing, in stark contrast to 2018, the United States and the Russian Federation have agreed to jointly introduce a single resolution in the UN First Committee that does not seek to create additional groups. However, as a result of a Russian resolution there is another process starting in the UN Third Committee focused on a new cybercrime treaty. Though cybercrime largely deals with a separate set of issues, there are potential overlaps with some of the outcomes of the GGE and the OEWG particularly around concepts of nation-state responsibility for wrongful cyber acts emanating from their territory and the problem of safe havens and on cooperation and information exchange (Norm 13 (c), (d) and (h) of the 2015 GGE report) (United Nations General Assembly 2015, 8). Like the resolutions creating the OEWG and the GGE, the resolution creating the cybercrime process was very divisive – with most Western countries refusing to support it (Sherman and Morgus 2018). It also squarely tees up the desire of some countries to control content on the internet against countries who promote a free and open one. It is too early to predict whether this process will lead to productive results, or cause confusion with First Committee efforts, but again it appears that all countries are choosing to engage in these negotiations.

Cybercrime aside, the United Nations will and should continue to be one centrepiece of discussion and action around cyberstability. The fact that it includes almost every country in the world gives the UN legitimacy that few other institutions can match. Nevertheless, it is also clear that the UN is not the only game in town when it comes to cyber governance. There are a myriad of regional and multistakeholder specialised efforts around the world that can both implement the recommendations of UN processes and spur international consideration and progress on cyberstability issues. For example, the Oxford Process and the process that produced the Tallinn manuals, both comprised of international lawyers, have made multiple contributions in articulating how international law applies in cyberspace. The Global Forum on Cyber Expertise is a multistakeholder community devoted to enhancing and coordinating cyber capacity building that has and will continue to implement the capacity building findings in the UN reports. The Global Commission on the Stability of Cyberspace is a multistakeholder initiative that focused on norms and other recommendations for further work. The Paris Call is a large and growing multistakeholder initiative that seeks to further cyberstability discussions and implement cyberstability measures. The Internet Governance Forum, a UN-sponsored multistakeholder platform, is also increasingly discussing cyberstability issues.

There are also a number of regional organisations that play an important role in cyberstability discussions and governance. The Organization for Security and Cooperation in Europe (OSCE) has, for many years, taken a leading role in agreeing to and implementing cyber CBMs. The Organization for American States, the African Union, and ASEAN are all involved in stability measure adoption, discussion and implementation. Implementation of the UN norms and other findings, both on a regional and individual country level, can itself lead to new understandings and experiences that can be fed back into and enhance future UN and other multilateral processes.

For some issues, like accountability in cyberspace, it is likely that any progress in the near term will come from smaller like-minded collections of states and other stakeholders. As noted earlier, a number of like-minded states have come together on several occasions to condemn malicious and inappropriate state cyber behaviour. Some states are also coming together to act collectively against common cyberthreats – looking to impose joint consequences while avoiding escalation. The European Union’s use of its ‘Diplomatic Tool Kit’ to impose sanctions on a number of actors in Russia, China and other countries is one example of this.

It is clear that a ‘one ring to rule them all’ approach to cyberstability governance is neither practical nor likely to result in the desperately needed progress in addressing cyberthreats. Instead, efforts in the UN should continue to be enhanced and supplemented by a large range of multistakeholder, regional and like-minded initiatives. Though this approach is messy, it is also inclusive, dynamic, and has the best chance of meeting the many challenges we face.
