A report from the luncheon event on the occasion of the second meeting of the UN GGE
The United Nations Group of Governmental Experts (UN GGE) 2016/2017 was constituted with experts from 25 countries. During the first meeting of the UN GGE held in New York at the end of August 2016, cross-fertilisation among world regions in the field of cybersecurity confidence building was indicated as one of its important activities. In order to advance work on inter-regional cross-fertilisation, a luncheon event was organised on 30 November 2016 at the UN Palais des Nations in Geneva, on the occasion of the second meeting of the 2016/2017 UN GGE.
The two-hour luncheon debate Towards a Secure Cyberspace via Regional Cooperation, hosted by DiploFoundation and organised by the Federal Department of Foreign Affairs of Switzerland in cooperation with the Geneva Internet Platform, addressed the role of regional organisations in the operationalisation of the UN GGE recommendations on cybersecurity. The event attracted some of the GGE delegations, permanent missions in Geneva and UN agencies representatives, regional organisations, as well as NGOs, business representatives, and academia. A draft background study was prepared (the final study will be available soon).
Mr Frank Grütter, UN GGE expert and Head of the Security Policy Division of the Swiss Federal Department of Foreign Affairs, opened the session by elucidating three recurring keywords throughout the group’s second meeting:
- Outreach: to provide an opportunity for states outside the GGE, as well as other stakeholders, to participate in the process.
- Universalisation: to make sure that the work of the GGE is more widely disseminated, more clearly understood, and better known.
- Operationalisation: to ensure that the recommendations in the UN GGE report can be operationalised and implemented.
He also underscored the importance of regional organisations in awareness raising, confidence building, and capacity development.
Mr Karsten Geier, Chair of the UN GGE and Head of the Cyber Policy Coordination Staff of the German Federal Foreign Office, stressed the importance of responding to evolving cyberthreats and vulnerabilities. He then introduced the triangle of international cybersecurity policy – rules, confidence building, and capacity building – which all have to work in concert. According to Geier, regional organisations are particularly important for confidence building, as they bring together states that might have difficult relations. Quoting, Frank-Walter Steinmeier, German Minister for Foreign Affairs and Chairman-in-Office of the OSCE, he argued that ‘confidence is created when we tackle our common problems together.’
After the welcome remarks by Grütter and Geier, Dr Jovan Kurbalija, Head of the Geneva Internet Platform and Director of DiploFoundation, introduced the panellists.
Mr Ben Hiller, Cyber Security Officer of the Transnational Threats Department of the OSCE, provided an overview of the OSCE’s work on confidence-building measures (CBMs) for its 57 participating states. The CBMs can be categorised in three clusters:
- Those that foster predictability in cyberspace as states have the possibility to read each other's’ attitudes.
- Those that provide opportunities for timely cooperation to defuse potential tensions.
- Those that promote national preparedness and due diligence, especially in relation to critical infrastructure.
Since CBMs are only one part of the triangle presented by Geier, Hiller emphasised that all three pillars need to be worked on in tandem to progress towards a more secure cyberspace.
According to Hiller, strategising should mainly be the focus of the UN, while practical implementation would be more suitable at regional level, to ensure that operationalisation of the recommendations can be adapted to a regional context. At the same time, inter-regional coordination and dialogue should be encouraged. Consequently, Hiller identified a need for coordinated fragmentation.
Mr Moctar Yedaly, Head of the Information Society Division of the African Union (AU) Commission, addressed the opportunities and challenges of ICTs in Africa. ICT can be a key to resolving regional challenges, for example those in the fields of education, health, and commerce. Yet, confidence in cyberspace is a necessary precondition. Only 13 African countries have some sort of legislation related to cybersecurity. At regional level, current efforts are galvanised around the African Union Convention on Cyber Security and Personal Data Protection (signed by 8 countries). Later this year, a report on cybersecurity trends in Africa will be issued. He also mentioned the forthcoming partnership between the Internet Society and the AU to build guidelines for African countries in the domain of cybersecurity. According to Yedaly, the main challenge is building capacity to ensure that policymakers understand what is at stake.
Ms Kerry-Ann Barrett, Cyber Security Policy Specialist at the Organization of American States (OAS), offered a snapshot of what has been happening with CBMs in the Americas, including the Inter-American Strategy to Combat Threats to Cybersecurity, adopted in 2004, and a summit in Colombia in 2014, which exposed member states to CBMs in cybersecurity. She also mentioned the Ibero-American Cooperation’s declaration, through which 22 heads of states pledged to work together to create a peaceful environment in cyberspace. Next, Barrett provided several examples of promoting capacity development and information exchange.
Barrett had two recommendations: for the UN GGE to involve regional organisations, so that they can better translate the recommendations into practical solutions, bearing in mind the context of the negotiations; and for states to give the relevant regional organisations a mandate that would allow for the implementation of the GGE recommendations.
Mr Henry Fox, Director of Cyber and Space Policy at the International Security Division of the Australian Department of Foreign Affairs and Trade, gave some examples of simple solutions for CBMs, based on his experience in the ASEAN Regional Forum (ARF). Unlike the OSCE, the ARF has chosen not to negotiate individual CBMs, but rather raises awareness through the adoption of various statements and an ICT work plan, as well as workshops addressing specific problems. Examples of simple, effective CBMs could include workshops and simulations, a directory of cyber policy points of contact, templates, and procedures. Fox proposed that the UN GGE could suggest that regional organisations provide guidance on these measures, for example by identifying the roles and responsibilities of points of contacts.
The last intervention came from Mr Aapo Cederberg, Cyber Security Expert of the Geneva Centre for Security Policy. He argued that cybersecurity challenges could most effectively be dealt with through capacity building at national level, and identified five domains in which cybersecurity challenges can be found and managed, and concrete steps to be taken:
- The political domain: work on security dialogue, fighting against cyber-terrorism and crime via decisions, declarations, and recommendations.
- The military domain: work on information sharing and dialogue, visiting military cyber-exercises and cooperating on a bilateral basis.
- The economic domain: best practices should be shared and public-private partnerships facilitated on fighting against cybercrime and protecting critical infrastructure.
- The technical domain: work on strengthening cooperation between computer emergency response teams (CERTs) and information sharing, as well as providing assistance and engaging in joint cybersecurity exercises.
- The public domain: better educate citizens to prevent cybercrime; used e-learning tools on cybersecurity for the benefit of the wider public.
Specific reflections and suggestions
- A large part of international cybersecurity dynamics happens at regional and sub-regional levels. It is important to comprehensively map the various regional and sub-regional initiatives, including policy documents, training activities, simulation exercises, and information exchanges.
- While the main aims of international cybersecurity cooperation are shared, there are major differences in approaches and speed of action. For example, the Americas have the longest experience in cybersecurity while Africa is in the incipient phase of developing cooperation channels and mechanisms.
- Most international cooperation expertise exists in regional organisations (OSCE, OAS, ARF). The UN GGE should tap into this expertise. The rich experience of regional organisations could be used in the development of global norms.
- Cooperation among regional initiatives is recommended with a wide range of possibilities:
a) building on the existing strong links and informal cooperation between regions through overlapping membership, inter-regional cooperation (e.g. annual meetings on regional cybersecurity activities, an annual report on inter-regional cooperation). Caution was expressed about seeking to institutionalise cooperation given differing regional arrangements and requirements.
b) sharing of best practices and lessons learned should also be facilitated through informal and online channels
- Capacity building is needed not only on a technical level for specialised know-how, but also for non-technical aspects (e.g. economic, political, legal) with special focus on cross-sectoral communication and coordination.
- Norms developed by the UN GGE need to be socialised. In order to be socialised, they have to be internalised by many actors. In order to be internalised, regional organisations and other actors should at least be informed about developments and, at best be more engaged. Regional organisations could be useful ‘conveyor belts’ for the UN GGE to socialise norms.
The multidisciplinary nature of cybersecurity requires a holistic approach involving economic, social, and human rights perspectives, among others. While a holistic approach is necessary, specific aspects should be addressed in existing forums and organisations.
By Barbara Rosen Jacobson, Roxana Radu, and Vladimir Radunovic