Discussing state behaviour in cyberspace: What should we expect?

In December 2018, the United Nations General Assembly (UNGA) approved the creation of two distinct groups to further explore issues related to responsible state behaviour in cyberspace: an Open-Ended Working Group (OEWG) and a new Group of Governmental Experts (GGE). The two groups were proposed in resolutions put forward by Russia and the USA, respectively. What are their mandates, and what can we expect from these groups?

Background

This decision was preceded by the submission of two draft resolutions by Russia and the United States to the UNGA First Committee, the Disarmament and International Security Committee (DISEC). In November 2018, both drafts were approved by a vote for submission to the General Assembly as resolutions.

On 5 December 2018, a vote was taken on the Russian resolution and the document was adopted by a large majority: 119 votes to 46, with 14 abstentions. The resolution A/RES/73/27, originally titled ‘Developments in the field of information and telecommunications in the context of international security’, proposed the establishment of the OEWG to discuss further cybernorms for state behaviour. The text of the document has undergone significant changes in comparison with its first draft. The number of proposed norms of responsible behaviour of states has been reduced from 25 to 13. They are still based on earlier reports of the GGE, but there is a norm that stands out of the list.  It says that all charges against states regarding organising and/or conducting illegal activities with the use of ICT need to be substantiated. The norm also touches on the problem of attribution, and the need to study all available information and the broader context of an incident. Some of the removed norms were partially included in the preamble of the resolution: new paragraphs indicate the growing concern of Russia and other countries with the issue of ‘dissemination of false or distorted news, which can be interpreted as interference in the internal affairs of other states’. Reference is also made to the need to assist states in bridging the capacity gap in ICT security. Provisions on the necessity to limit human rights and freedoms online and offline to a certain extent for national security reasons, as well as on the internationalisation of Internet governance and the establishment of ‘multilateral, transparent and democratic international mechanisms’ to guarantee the stable and secure functioning of the Internet and the equitable distribution of resources, have disappeared from the list of norms.

The vote on the American document that asks for the creation of the next GGE, was postponed by the General Assembly due to a significant budget burden for the implementation of the proposed activities with respect to the new GGE. According to a document describing the financial implications of the resolution, the cost of the work of the group over a three-year period is approximately USD$ 1 295 600. Meanwhile the OEWG is estimated to cost half as much – USD$ 603 100 – over a two-year period. However, the financial justification was considered by the Fifth Committee, and on 22 December a vote was taken on the American resolution A/RES/73/266 titled ‘Advancing responsible State behavior in cyberspace in the context of international security’. The document was approved with a larger majority of member states – 138 in favour, 12 against, and 16 abstentions.

Author’s own visualisation

Author’s own visualisation

As the infographics illustrate, there is a dramatic split among countries. Unsurprisingly, voting occurred mainly in accordance with military and political alliances. At the same time, countries that acted as sponsors of the Russian resolution voted against (or abstained) from the American resolution and vice versa. Kazakhstan, which voted for both documents, deserves a special mention, as it is one of Russia’s closest allies. Brazil, India, and South Africa, Russia’s main ‘allies’ among the BRICS states, showed their ambiguous attitude to the Russian resolution – India and South Africa voted in favour of both resolutions, while Brazil supported the American document, but abstained from voting on the Russian one.

Interestingly, as many as 77 states, mainly from South America, Africa, the Middle East, and South-East Asia, voted in favour of both resolutions. On the one hand, this can signal a desire not to fall out of the global processes of negotiating cybernorms without attributing themselves to one of the cyber/information security camps, while on the other hand, such a situation may reflect a low level of awareness (and even illegibility) of some small states in the nuances of different approaches to international information security.

Author’s own visualisation

How the mandates compare

Proposed by Russia, the OEWG will start its work in June 2019. Its composition is declared as open, implying that it will include all UN member states that express a desire to participate.

The main task of the group will be to further the discussion on the norms, rules, and principles of responsible state behaviour listed in the resolution, and ways to implement them, as well as to study the possibility of institutionalising the dialogue on the application of international law on a regular basis under the auspices of the UN. Also included in the group’s mandate is a study of existing and potential threats to information security and possible confidence-building  and capacity-building measures. The OEWG will work on a consensual basis to develop its report, which is to be presented at the 75th UN session, in autumn 2020.

The 6th GGE, proposed by the USA , is designed for a longer period – three years – and will continue the activities of the previous GGEs, studying further possible joint measures to address threats in the field of international information security, including norms and rules of responsible behaviour, as well as the application of international law to the use of ICT by states. The result will be a report that does not imply the consensus of all participants, but must contain an annex in which the GGE members will include their national positions on the application of international law in the ICT environment.

One notable difference between the two groups is related to their composition. The OEWG is to involve all interested UN member states and also hold ‘intersessional consultative meetings’ with businesses, non-governmental organisations, and academia. The GGE is taking a more intergovernmental path: It will have limited participation from member states, on the basis of ‘equitable geographic distribution’, and will involve the UN Office for Disarmament Affairs (UNODA) to hold consultations with regional intergovernmental organisations (the African Union, the EU, OAS, OSCE, and ASEAN). In addition, it is planned to hold two informal consultative meetings for all UN member states.

Prospects for both groups

The creation of two separate groups to discuss international cybersecurity issues has attracted different reactions. Some member states are concerned that the two parallel tracks could lead to less effectiveness, while others have noted that the processes are in fact compatible. In reality, both groups have advantages and disadvantages.

The OEWG format has many advantages. The resolution already includes a list of particular norms to be further developed, so it is possible for the group to focus its discussion on ways and mechanisms of their implementation. The open composition of the group allows every member state to participate, in contrast to the limited number of members of the previous GGEs. The rule of consensus decision-making will ensure that the common interests of all participants will be included in the final document. Also, the time factor plays a crucial role – the report will be submitted in two years, faster than the GGE report.

But there are also several disadvantages. The open composition does not imply the participation of key countries ‘by default’, thus the composition of the group may be much smaller than desired. For example, countries that did not vote for this resolution may be less likely to participate. On the other hand, the USA and European countries could be in the OEWG in order to block its work just because they do not want to have such a consolidated group of likeminded states capable of producing a report that contradicts their understanding of international cybersecurity.

The mandatory consensus can play a blocking role, or significantly affect the final wording of the report, making it more general in scope, unless the group consists of likeminded states who agree on issues of international information security.

Finally, the involvement of other stakeholders in the exchange of views on the issue strikes a ‘good tone’ today. But significant challenges could appear in attracting the involvement of relevant actors from business and civil society. Tech giants and other organisations who supported the Tech Accord, the Digital Geneva Convention, and the Paris Call may not want to be associated with the OEWG for ideological reasons.

In comparison, the GGE format could be seen as having a strength in its principle of equitable geographical distribution in the selection of its members. A smaller group can be more efficient in its work compared to a larger group. The absence of a binding consensus can also be viewed positively – the report would be submitted to the Secretary-General in any case. Regardless of what the group agrees on, the report will also contain national positions on the application of international law to the use of ICT by states. However, the group will need three years to submit a report, which can be seen as a significant drawback in an environment characterised by the continuous development of technologies and the constant emergence of new threats from ICT to international security.

Despite the creation of these two groups, states are still at the beginning of the development of legally binding norms of responsible behaviour in cyberspace. Of course, further progress will depend largely on the content of the report produced by the groups, but these documents will serve only as recommendations for states. Even if the work of both groups is successful, the probability of maintaining the polarisation of positions on international information security is still high, and the final goal may not be achieved.

Ilona Stadnik is a PhD student at the School of International Relations, Saint-Petersburg State University, Russia. During the 2018-2019 academic year she was a Fulbright Visiting Researcher at Georgia Institute of Technology, USA, working on their Internet Governance Project.  She has been a regular participant and speaker at major cybersecurity events, such as the United Nations Internet Governance Forum (IGF), the CyFy conference, and the European Dialogue on Internet Governance (EuroDIG). Her research covers international cyber norm-making, Russia-US relations in cybersecurity, and global Internet governance. Ilona is a curator for the GIP Digital Watch observatory.

*An excerpt of this article was first published in the Digital Watch newsletter – Issue 37 – January 2019.