Cyber-armament: diplomatic initiatives (Part II)

Is cyber-armament a growing trend? What are the main diplomatic responses? And why is the private sector calling for a global political dialogue? This three-part post analyses cyber-armament as a growing trend, and looks at diplomatic initiatives on tackling cyber-attacks. It also makes reference to DiploFoundation’s latest report, Towards a secure cyberspace via regional co-operation.

Read Part I: Is cyber-armament a growing trend?

What constitutes an armed attack in cyberspace has not yet been agreed. A group of independent international experts, gathered by NATO, offer suggestions within the second and updated version of the Tallinn Manual (Tallinn Manual 2.0) on what may constitute an act of war in cyberspace and how parties could respond to those (jus ad bellum), as well as how existing legal principles of warfare could apply to cyberspace (jus in bello).

Over the last 10 years, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has gathered dozens of countries to discuss global norms of state behaviour in cyberspace as well as confidence-building measures (CBMs) and capacity-building needs. In its landmark reports of 2013 and 2015, the UN GGE affirmed that existing international law applies to cyberspace, and agreed a number of particular voluntary and non-binding norms that responsible states should adhere to in peacetime. It also developed a set of CBMs aimed at strengthening communication and cooperation among states in peacetime. In recent years, several regional organisations ‒ namely the Organization for Security and Co-operation in Europe (OSCE), the Association of Southeast Asian Nations (ASEAN) Regional Forum, and the Organization of the American States (OAS) ‒ have also developed their own instruments for co-operation, confidence building, and capacity building, which may help the operationalisation of the UN GGE’s efforts and provide suggestions for its improvements in the future. The study Towards a secure cyberspace via regional co-operation provides an overview of the main diplomatic initiatives, and a comparison of norms, CBMs, and capacity-building proposals.

The study Towards a secure cyberspace via regional co-operation was prepared by DiploFoundation, in partnership with the Geneva Internet Platform (GIP), with the support of the Swiss Federal Department of Foreign Affairs (FDFA), on the occasion of the second meeting of the 2016/2017 United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE), held in Geneva in November 2016. Its intention is to provide an overview of the international dialogue on establishing the norms of state behaviour and CBMs in cyberspace. It offers a comparative analysis of the leading international and regional political documents outlining cyber-norms, confidence-building measures (CBMs) to reduce conflict stemming from the use of ICT, and capacity-building efforts to strengthen co-operation on cybersecurity. Consequently, it discusses how they could further influence each other, and notes several specific directions that further developments could take. The report is available for review and download at: https://www.diplomacy.edu/cybersecurity

The 2017 report of the UN GGE is expected to respond to some of the emerging concerns. Some critics, such as Brandon Valeriano and Allison Pytlak of the Niskanen Center in Washington DC, are of the  opinion that the recent cyber-attacks ‒ such as those on the Ukraine power grid and on the US elections ‒ confirm that the UN GGE’s work has had no real impact in practice. Others, like Arun Mohan Sukumar of the Observer Research Foundation in Delhi, India, add to this the fact that its recommendations are not legally binding or codified as international law. On the other hand, Michele Markoff, the US delegate to the UN GGE and Deputy Coordinator for Cyber Issues in the Office of the Coordinator for Cyber Affairs at the US Department of State, stated that the norms apply in peacetime, while Ukraine is in state of conflict; similarly, pre-January 2017 (when it was first classified as critical), the US election system did not fall under the critical infrastructure and the norms therefore could not apply. With the increasing trend of politically motivated attacks that aim to disrupt the social, political, and economic environment of opponents, the UN GGE norms and process may be facing a serious test.

Another question is what the future of the UN GGE should be, and whether its 2017 report should lay out a suggested way forward. There is a general agreement that the work of the UN  GGE is very useful, and that it could keep providing strategic guidance in the area; experts related to the OSCE, the OAS, and ASEAN Regional Forum agreed at the November event in Geneva that it would be good that the UN GGE works more directly with these and other regional organisations on the implementation of various norms and CBMs. The question remains, however: What should the future format of deliberations be?

Some countries have expressed concerns over the UN GGE’s limited and rather closed participation (the 2016/2017 UN GGE consists of experts from 25 countries). While this may have helped reach consensus among experts of the lead powers, especially the USA, Russia, and China, with the growing trend of cyber-armament among other countries, it will become important to involve more if not all the countries in some form of dialogue. One option may be the enhancement of the UN GGE to include more members; another may be the creation of a larger standing body involving all interested states; a third may be the creation of some sort of standing mechanisms to follow up on armament and the implementation of norms (similar to nuclear arms non-proliferation mechanisms). This question is closely linked to one about the role of the future UN GGE or other mechanisms: Should it continue working on norms and CBMs? Should it provide more general dialogue on implementation? Or should it become a mechanism for states to act collectively when norms are breached? At a recent event of the Carnegie Endowment for International Peace, Ms Markoff, as the US expert on the UN GGE, expressed the opinion that it would be important to agree on the possible future model before dismantling the UN GGE, and emphasised that the UN GGE should pause the development of new norms and CBMs and turn to making countries implement the existing ones.

In the meantime, countries are putting cyber at the top of their diplomatic agendas, and increasingly turning to bilateral arrangements. Relations vary from bilateral meetings to strategic partnerships (such as between Canada and Israel), from  continuous dialogue (such as the EU-Japan cyber-dialogues) to statements and communiqués (such as the joint statement by the prime ministers of Sweden and India, or the joint declaration of the Czech Republic and Israel), from Memorandums of Understanding (such as between the UK and Singapore) to bilateral agreements (such as between Brazil and Russia or between India and Russia). Refer to the Digital Watch interactive map, which continuously records bilateral agreements in ICT and cyber issues.

In Part III: Why and how is private sector stepping in?

Follow @vradunovic