2021 was a good year for global cyber governance. Two consensus reports were adopted at the UN following years of fractious stalemate, and against the backdrop of dwindling confidence in the ability of international cooperation and diplomacy to solve difficult problems. Building on the sense of momentum, UN states agreed on a new five-year Open-Ended Working Group (OEWG) process to further develop discussions relating to responsible state behaviour in cyberspace, keeping the issue of cyber governance as a key issue on the UN agenda for disarmament and international security.
Despite the afterglow of reaching consensus on this complex policy area, the road ahead will be tough. As several articles in this special issue point out, the main achievement of the OEWG was the adoption, by all UN member states, of norms that had been already agreed upon in other groups, such as the UN Group of Governmental Experts (GGE). Apart from that, the OEWG report itself made a limited contribution in terms of new content. In the coming years, states will need to identify ways to operationalise the agreed norms and reflect them in national policies and practices.
Volume 6 No 3 of the Journal of Cyber Policy is a special issue that brings together a collection of articles that explore diverse issues relating to the theme of #Cyberspace4All, including the substance of the OEWG and GGE reports, capacity building and the role of developing countries and regions, multi-stakeholder governance and the role of international law. The issue begins with guest editor Chris Painter’s reflections on the successes and challenges of both the OEWG and GGE processes.
Some of the challenges explored in this special issue are familiar from any international relations and UN negotiations, such as geopolitical tensions and different ideological approaches between the countries that have been driving the international discussions within the UN since the late 1990s. Other challenges are specific to the cyber governance norms process and reflect the urgent need to build capacity and understanding among all participants. Without that capacity-building effort, and meaningful participation by all stakeholders within a structured approach, progress is likely to remain limited.
Filling existing research gaps with nuanced analysis plays a crucial role, both through exploring complex issues, and enabling actors – whether government, private sector, civil society, academia or the technical community – to develop and implement national, regional and international policies that are well informed and evidence-driven. Inclusive participation in cyber governance processes is essential given the novelty of some aspects of the cyber governance debate and the intersections with other digital policy areas, as well as the varied capacity levels that exist among some states.
Vol 6 No 3 of the Journal of Cyber Policy forms part of Chatham House’s wider commitment to building knowledge on key international issues to help policymakers develop inclusive cyber policies that tackle the malicious use of ICTs while protecting civil liberties and human rights online, and enabling digital technologies to play their role as catalysts for socio-economic development.
This special issue is part of a larger project on inclusive cyber governance that Chatham House is implementing with the support of the Ministry of Foreign Affairs in the Netherlands.
Norms and international processes
The (im)possibilities of addressing election interference and the public core of the internet in the UN GGE and OEWG: a mid-process assessment – Dennis Broeders
Democratic elections determine the distribution of political power and are an expression of the political will of the people. The functionality and the integrity of the logical and physical layers of the internet derive benefits for a large global public. Both the UN Group of Governmental Experts (UN GGE) and the UN Open-Ended Working Group (OEWG) processes have seen calls for the protection of the public core of the internet and against foreign electoral interference. Dennis Broeders investigates whether and how the twin UN processes of the UN GGE and the OEWG are willing and able to address these two ‘below-the-threshold’ problems in their deliberations.
Capacity building
Understanding cybersecurity capacity building and its relationship to norms and confidence-building measures – Robert Collett
Robert Collett explores the origins of international cybersecurity capacity building, definitions and frameworks. In this article, Collett proposes an alternative framework for international cybersecurity capacity building that reflects actual practice and can be used in international negotiations on stability in cyberspace. This framework shifts conceptions of capacity building beyond ‘developed-developing country relationships’ towards a multidirectional, multi-stakeholder framework for cybersecurity capacity building. Collett critically explores the OEWG 2021 report’s contribution to a principles-based approach to capacity building and puts forward recommendations for expanding and communicating these principles.
Look South: challenges and opportunities for ‘rules of the road’ for cyberspace in ASEAN and the AU – Irene Poetranto, Justin Lau and Josh Gold
Advancing the debate on inclusive cyber governance will involve overcoming several challenges at the regional level, including variations in technological development among states, conflicting attitudes towards sovereignty and lack of agreement on international law and cyber norms. Poetranto et al. argue that these factors help to explain why the inaugural OEWG did not significantly advance the ‘rules of the road’ for cyberspace. The authors recommend that regional organisations, such as the Association of Southeast Asian Nations (ASEAN) and the African Union (AU), should be used to help leverage existing partnerships on cybersecurity and build trust in the region.
Multi-stakeholder governance
Cyber norms: technical extensions and technological challenges – Alexandra Kulikova
Since the late 1990s, international debates on responsible state behaviour in cyberspace have been creating an overarching normative environment which, in turn, has led to the development of voluntary tech-norms. In this article, Alexandra Kulikova explores the impact on norm-creation of emerging technologies as well as non-state actors’ accountability in cyberspace. The article addresses the challenge of technical and non-technical internet governance, especially when non-technical norms (e.g. of state behaviour) require technical action. Kulikova also focuses on the role of the technical community which often takes inspiration from the work being done at the UN when developing its own rules and norms.
A multi-stakeholder foundation for peace in cyberspace.– Kaja Ciglic and John Hering
In this article, Kaja Ciglic and John Hering explore multi-stakeholderism in relation to cybersecurity. In particular, Ciglic and Hering address the shift in the perception and use of cyberspace towards being regarded as a domain for conflict. They explore the origins of the internet as a multi-stakeholder experiment before critiquing the various working groups on cyber governance issues at the UN – which have largely been confined to states. The article identifies several informal initiatives led by stakeholders outside of the UN processes. Ciglic and Hering provide recommendations for the future of multi-stakeholder diplomacy for peace and security online and the next generation of cyber diplomacy.
The missing piece in human-centric approaches to cybernorms implementation: the role of civil society – Sheetal Kumar
The importance of a human-centric approach to peace and security in cyberspace has been consistently noted in cybernorms discussions, including in the OEWG. Sheetal Kumar argues that cybersecurity is a positive enabler of human rights: civil society actors, working in collaboration with other stakeholders, have an important role to play in defining and implementing the human-centric approach to cybersecurity through their implementation of cybernorms. In this article, Kumar underscores the importance of civil society in implementing a human-centric approach to cybernorms through three case studies: human-centred incident response in the Asia-Pacific region; a rights-respecting vulnerabilities disclosure process in Colombia; and incorporating citizens’ voices into critical infrastructure policy in Kenya.
International law analysis
The vital role of international law in the framework for responsible state behaviour in cyberspace – Harriet Moynihan
International law is a focal point in the debate on responsible state behaviour in cyberspace. Arguing for a rules-based framework, Harriet Moynihan posits that international law legitimises state responses to unlawful activity in cyberspace and provides a normative framework to accompany states calling out malicious cyber activity. Acknowledging the challenges and lack of consistency among states’ application of international law, Moynihan explores the value of the UN GGE and UN OEWG as means to advance the discussion on the understanding of how international law applies to state behaviour in cyberspace.
Unblurring the lines: military cyber operations and international law – Kubo Mačák
In this article, Kubo Mačák unblurs the lines between several fundamental legal categories applicable to military cyber operations. Mačák looks at five areas of within international law: the distinction between international law and international norms; the distinction between domain-specific and general rules of international law; the distinction between peacetime and armed conflict with respect to the regulation of such operations; the distinction between combatants and non-combatants in cyberspace; and the distinction between objects and non-objects in cyberspace. Mačák argues that appreciating these distinctions will contribute to better understanding of international law as it applies to military cyber operations.
On the strategic consequences of digital espionage – Joe Devanny, Ciaran Martin and Tim Stevens
Digital political espionage is often the elephant in the room in multilateral discussions about norms of responsible state behaviour in cyberspace. In this article, Devanny et al. argue that the strategic consequences of digital espionage are significant asymmetries of state power. The impact of poor technical comprehension of cyber operations leads to uncertainty about measured responses to ‘cyber victimhood’. This article offers multiple propositions to frame state responses to digital espionage, focusing on the relational power of the victim and spying states and their bilateral relationships through three cases: the Snowden revelations (2013); the Office of Personnel Management breach (2014); and the SolarWinds breach (2020).
This special issue is part of Chatham House’s International Security Programme’s project, ‘Towards an inclusive approach to cyberspace governance’, which reflects our long-term commitment to lead on efforts to broaden the participation of stakeholders in cyber governance debates by building knowledge and providing platforms for channelling their inputs into these debates.
We are deeply indebted to our Guest Editor, Chris Painter, for his collaboration over the two-year period of this project. This special issue has been funded through the generous support of the Ministry of Foreign Affairs in the Netherlands.
As this is the final issue of 2021, we would like to thank all those who make the journal a success: the Editorial Board, headed by Dr Patricia Lewis, and the team at our publishers, Taylor & Francis: Dan Trinder and Vijayaraghavan Srinivasan. Thanks also go to our dedicated and meticulous team of copy-editors: Rachel Waring, Fleur Kinson and Angela Greenwell, as well as the editorial team at Chatham House: Esther Naylor, Isabella Wilkinson, Amrit Swali and Hallie Martin.