A report from the luncheon event on the occasion of the second meeting of the UN GGE
The United Nations Group of Governmental Experts (UN GGE) 2016/2017 was constituted with experts from 25 countries. During the first meeting of the UN GGE held in New York at the end of August 2016, cross-fertilisation among world regions in the field of cybersecurity confidence building was indicated as one of its important activities. In order to advance work on inter-regional cross-fertilisation, a luncheon event was organised on 30 November 2016 at the UN Palais des Nations in Geneva, on the occasion of the second meeting of the 2016/2017 UN GGE.
The two-hour luncheon debate Towards a Secure Cyberspace via Regional Cooperation, hosted by DiploFoundation and organised by the Federal Department of Foreign Affairs of Switzerland in cooperation with the Geneva Internet Platform, addressed the role of regional organisations in the operationalisation of the UN GGE recommendations on cybersecurity. The event attracted some of the GGE delegations, permanent missions in Geneva and UN agencies representatives, regional organisations, as well as NGOs, business representatives, and academia. A draft background study was prepared (the final study will be available soon).
Mr Frank Grütter, UN GGE expert and Head of the Security Policy Division of the Swiss Federal Department of Foreign Affairs, opened the session by elucidating three recurring keywords throughout the group’s second meeting:
He also underscored the importance of regional organisations in awareness raising, confidence building, and capacity development.
Mr Karsten Geier, Chair of the UN GGE and Head of the Cyber Policy Coordination Staff of the German Federal Foreign Office, stressed the importance of responding to evolving cyberthreats and vulnerabilities. He then introduced the triangle of international cybersecurity policy – rules, confidence building, and capacity building – which all have to work in concert. According to Geier, regional organisations are particularly important for confidence building, as they bring together states that might have difficult relations. Quoting, Frank-Walter Steinmeier, German Minister for Foreign Affairs and Chairman-in-Office of the OSCE, he argued that ‘confidence is created when we tackle our common problems together.’
After the welcome remarks by Grütter and Geier, Dr Jovan Kurbalija, Head of the Geneva Internet Platform and Director of DiploFoundation, introduced the panellists.
Mr Ben Hiller, Cyber Security Officer of the Transnational Threats Department of the OSCE, provided an overview of the OSCE’s work on confidence-building measures (CBMs) for its 57 participating states. The CBMs can be categorised in three clusters:
Since CBMs are only one part of the triangle presented by Geier, Hiller emphasised that all three pillars need to be worked on in tandem to progress towards a more secure cyberspace.
According to Hiller, strategising should mainly be the focus of the UN, while practical implementation would be more suitable at regional level, to ensure that operationalisation of the recommendations can be adapted to a regional context. At the same time, inter-regional coordination and dialogue should be encouraged. Consequently, Hiller identified a need for coordinated fragmentation.
Mr Moctar Yedaly, Head of the Information Society Division of the African Union (AU) Commission, addressed the opportunities and challenges of ICTs in Africa. ICT can be a key to resolving regional challenges, for example those in the fields of education, health, and commerce. Yet, confidence in cyberspace is a necessary precondition. Only 13 African countries have some sort of legislation related to cybersecurity. At regional level, current efforts are galvanised around the African Union Convention on Cyber Security and Personal Data Protection (signed by 8 countries). Later this year, a report on cybersecurity trends in Africa will be issued. He also mentioned the forthcoming partnership between the Internet Society and the AU to build guidelines for African countries in the domain of cybersecurity. According to Yedaly, the main challenge is building capacity to ensure that policymakers understand what is at stake.
Ms Kerry-Ann Barrett, Cyber Security Policy Specialist at the Organization of American States (OAS), offered a snapshot of what has been happening with CBMs in the Americas, including the Inter-American Strategy to Combat Threats to Cybersecurity, adopted in 2004, and a summit in Colombia in 2014, which exposed member states to CBMs in cybersecurity. She also mentioned the Ibero-American Cooperation’s declaration, through which 22 heads of states pledged to work together to create a peaceful environment in cyberspace. Next, Barrett provided several examples of promoting capacity development and information exchange.
Barrett had two recommendations: for the UN GGE to involve regional organisations, so that they can better translate the recommendations into practical solutions, bearing in mind the context of the negotiations; and for states to give the relevant regional organisations a mandate that would allow for the implementation of the GGE recommendations.
Mr Henry Fox, Director of Cyber and Space Policy at the International Security Division of the Australian Department of Foreign Affairs and Trade, gave some examples of simple solutions for CBMs, based on his experience in the ASEAN Regional Forum (ARF). Unlike the OSCE, the ARF has chosen not to negotiate individual CBMs, but rather raises awareness through the adoption of various statements and an ICT work plan, as well as workshops addressing specific problems. Examples of simple, effective CBMs could include workshops and simulations, a directory of cyber policy points of contact, templates, and procedures. Fox proposed that the UN GGE could suggest that regional organisations provide guidance on these measures, for example by identifying the roles and responsibilities of points of contacts.
The last intervention came from Mr Aapo Cederberg, Cyber Security Expert of the Geneva Centre for Security Policy. He argued that cybersecurity challenges could most effectively be dealt with through capacity building at national level, and identified five domains in which cybersecurity challenges can be found and managed, and concrete steps to be taken:
The multidisciplinary nature of cybersecurity requires a holistic approach involving economic, social, and human rights perspectives, among others. While a holistic approach is necessary, specific aspects should be addressed in existing forums and organisations.
By Barbara Rosen Jacobson, Roxana Radu, and Vladimir Radunovic