Last week, the United Nations (UN) released its most substantial recommendations to date for how governments can secure cyberspace from escalating conflict. The recommendations recognize that international law applies to state behavior online and list specific sectors that should be considered critical infrastructure and thus off-limits to attack, including healthcare, the electrical grid, education, financial services, transportation, telecommunications and electoral processes. But while this is progress, it is still not enough. The recent deluge of damaging cyberattacks, against everything from oil pipelines to food supplies to aid agencies, and increasingly damaging ransomware attacks on a variety of sectors, demand that we take concrete action that implements and upholds the rules of the road in cyberspace. UN member states must now take these recommendations, coupled with others released earlier this year, and quickly turn them into meaningful and enforceable expectations.
The GGE report – areas of consensus inch forward incrementally
The new recommendations released last week are included in the final report from the UN Group of Governmental Experts (GGE) on cybersecurity, the closed-door working group of representatives from 25 UN member states tasked with providing guidance on responsible state behavior online. Encouragingly, the core commitments in the final GGE report mirror those recognized by the parallel UN Open-Ended Working Group (OEWG) on cybersecurity, which released its final report in March this year. While there were earlier concerns that the two UN processes could have reached contradictory conclusions, the twin reports underscored international consensus on what is increasingly being referred to as the “framework for responsible state behavior in cyberspace” – the recognition that international law applies online and that the 11 norms of state behavior agreed upon in the 2015 GGE report need to be upheld.
Beyond simply restating these commitments, however, the GGE report for the first time elaborates on how states should implement the 11 cybersecurity norms. Of note, the report enumerates a non-exhaustive list of specific sectors that should be considered “critical infrastructure” and off-limits to attack. Singling out “healthcare and medical infrastructure,” which has been so essential during the Covid-19 pandemic, is particularly praiseworthy, but the list also includes other sectors that have been under attack recently, including “energy, power generation, water and sanitation, education, commercial and financial services, transportation, telecommunications and electoral processes.” Expressly recognizing these sectors as needing protection will help drive greater investments into their security and should also be seen as a red line for malicious behavior by states that – when crossed – will trigger consequences.
In addition to explaining what states can and should do on their own, the report recognizes that cyberspace does not stop at national borders, and that cybersecurity is not a zero-sum game. States will need to work together to maintain security and stability online. That kind of cooperation, however, requires building the diplomatic muscle necessary to engage in what is a new issue space for many nations. To that end, the report encourages states to participate in capacity-building efforts, establish designated points of contact to coordinate with other governments, and set up means for responding to requests for assistance following cyber incidents, as well as routines for reporting technical vulnerabilities. These are foundational actions for ensuring states can live up to their commitments to promote security online.
Despite these promising elements, however, the report unfortunately makes limited progress on the application of international law online or on multistakeholder inclusion. While it reaffirms that international law applies in cyberspace, the report fails to say how it does so, instead encouraging each state to volunteer its own views on the topic, leaving open legal questions unresolved. However, even here there is some promise, as the report comes with the opinions of the 25 states that participated in the dialogue on the matter – we urge others to follow suit soon. Perhaps the most glaring omission, though, is the scant reference to multistakeholder participation in these dialogues, or in the implementation of the resulting commitments. In a cyber domain that is largely owned and operated by the private sector, meaningful progress in developing and upholding expectations for responsible behavior will require much closer cooperation between governments and industry, as well as civil society.
Passing the torch – a new chapter of cyber dialogues
The series of GGE dialogues that began in 2004 has laid an invaluable foundation by establishing and reinforcing norms for responsible state behavior online. But implementing and upholding these expectations is ill-suited to ad hoc working groups only open to states. The fact that progress has been so slow and incremental over the past decade clearly signals that a new and meaningfully different era of international dialogue on cybersecurity needs to begin – at the UN and beyond.
First and foremost, states need to put citizens at the heart of these discussions. The focus of deliberations should not solely be on inter-state competition, but also on ensuring that other aspects of national security are considered. This includes elements such as preserving the benefits of cyberspace for national economies and extending to cyberspace the human rights and freedoms that have already been recognized in the physical domain.
Second, states need to recognize that term limits on these dialogues are counterproductive in the context of cyber conflict. This is an issue area that will persist into the foreseeable future as the world continues to increase its reliance on technology. A permanent standing body to address issues of peace and security in cyberspace needs to be established in order to keep pace with challenges in a constantly evolving digital domain.
Finally, future discussions at the UN should be built around a multistakeholder model that brings in voices from industry and civil society on a systematic and consistent basis. The online world is largely built and maintained by private industry, so deliberations on peace and security online cannot be exclusive to a select set of governments. Multistakeholder inclusion needs to be built into the framework of all future cybersecurity dialogues at the UN, with minimum standards set for both written and in-person consultative sessions with nongovernmental stakeholders.
No time to waste
Looking ahead, the currently discussed Programme of Action (POA), proposed by France, Egypt and other countries, has the potential to provide the inclusive and standing body described above. However, we can ill afford to wait until the end of the new OEWG in five years’ time for it to be introduced, as some states have suggested. Attacks are escalating well ahead of the pace of diplomacy. We need to move faster and do more immediately.
In addition to moving quickly, we also need to think creatively to ensure that resources and insights outside the UN are leveraged in upholding international expectations online. The work of the Paris Call for Trust and Security in Cyberspace brings together an unprecedented multistakeholder coalition of supporters committed to upholding expectations for responsible behavior online. Its recommendations on norms implementation should be considered in the context of the UN’s efforts. In addition, on the interpretation of international law in cyberspace, the so-called “Oxford Process” provides a preeminent forum to build consensus among leading scholars from around the world on thorny questions. As opposed to operating in silos as wholly independent processes, the work of these and other initiatives should be viewed as tools to take forward the vision set forth by the UN for a more peaceful and secure cyberspace, and as the source for further innovation and evolution of international expectations for all actors online.
Finally, we need to move beyond discussions. We need to work together as a global community to ensure that malicious actors are held to account. When lines are crossed, norms broken and international laws violated, there must be consequences. Undermining the security of ICT supply chains, attacking healthcare organizations, threatening energy transportation and jeopardizing food resources cannot become the kinds of activities that are normalized due to inaction. Alarm bells are ringing, and we need to collectively rise to the scale of the challenge.