[Web discussion summary] Norms and confidence building measures (CBMs): Are we there yet?
Updated on 07 August 2022
DiploFoundation, with the support of Microsoft, organised the Cyber-diplomacy web discussion: Norms and confidence building measures (CBMs): Are we there yet? This webinar was the fourth in a series of cyber-diplomacy web discussions, following the web discussions: Cyber-armament: A heavy impact on peace, economic development, and human rights; Applicability of international law to cyberspace: Do we know the rules of the road?; and, Traceability and attribution of cyber-attacks: How confidently can we point a finger?
Abdul-Hakeem Ajijola (Commissioner at the Global Commission for Stability of Cyberspace (GCSC), and Executive Chairman of Consultancy Support Services Ltd) and Bart Hogeveen (Head of Cyber Capacity Building at the International Cyber Policy Centre, Australian Strategic Policy Institute) joined us to discuss the role of norms and confidence building measures (CBMs) and frameworks of their implementation. The discussion was moderated by Vladimir Radunovic (Cybersecurity and E-diplomacy Programmes Director, DiploFoundation).
Setting the stage for the discussion, Radunovic listed several ongoing initiatives discussing norms and CBMs: the UN GGE, the OEWG, regional organisations like the OSCE, the OAS, the ASEAN Regional Forum, as well as private and civil sectors such as the Tech Accord, the Digital Geneva Convention, the Paris Call, and the Global Commission on Cyber Stability (GCCS).
What is the point in having norms and CBMs for cyberspace?
Hogeveen pointed out that it is not just about the norms themselves. The UN Framework of Responsible State Behaviour in Cyberspace, introduced in the UN GGE report in 2015, consists of the applicability of international law, 11 norms, CBMs, and capacity building. Over the last 15 years, there have been a lot of developments and conflicts between states, and these norms help to draw boundaries of which state behaviour is acceptable in cyberspace and which is not. So far, they are voluntary (official wording says that states ‘should’ or ‘should not’ do particular acts).
Ajijola explained how norms fit in the Cyberstability Framework developed by the GCSC. He said that norms are used to build trust and friendship between actors, and gain more integrity and transparency in cyberspace. Ajijola noted that the GCSC framework overlaps with the UN, but it has one distinguished feature – multistakeholder engagement for norms development and implementation.
To what extent can norms and CBMs help the relations between big powers, and to what extent can they help on the regional level?
Hogeveen drew attention to South-East Asia. It is the number one region to look at in terms of cyber norms and CBMs. He said that the ASEAN itself is a CBM in the form of a dialogue between its members. CBMs are there to reassure other states or actors of your good intentions. Norms and CBMs can help to prevent conflicts and escalations, not only among big powers, but among smaller nations, which often became the victims of cyber attacks. Hogeveen put forward the case of Indonesia – its ICT infrastructure is poorly protected and misused by other actors, making it among the top countries from which cyber-attacks originate. CBMs and norms are needed to show that Indonesia is not a bad actor itself, it just lacks the proper cyber capacity to ensure a good level of protection of its infrastructure. The CFR cyber operations tracker shows that all Asian countries, even small and underdeveloped ones, have experienced a ‘national security ICT incident’ in the last ten years. So, the role of CBMs should be to avoid the escalation of a cyberconflict and the misunderstanding of cyber incidents.
If smaller nations, among which the probability of conflict is higher, do not adhere to CBMs and norms, could a cyber-attack be a trigger for a greater conflict between states?
Ajijola claimed it could definitely happen. Small countries face a number of additional issues. First of all, adherence means additional costs: anytime you want to implement a norm, you need extra resources. Second, there is mistrust in the motifs of bigger countries and what they are going to do with the sovereignty of small states. States in the Global South – particularly across Africa – have a lot of uncertainty about digitalisation in general.
Can we say that the existing framework outlined by the reports of the UN GGE is enough to build trust between actors?
Hogeveen said that 11 norms in the 2015 UN GGE report have been de-facto endorsed by the UN General Assembly. However, the key challenge is how to implement them. Norms themselves are not contentious, but it all depends on how states interpret and apply them. Most states are already working on national cybersecurity laws and capacity building, but they do not frame it as such. For example, the majority of states now have Computer Emergency Response Teams (CERTs) in place. So, a lot of states are working on the implementation of various parts of the agreed framework, in the Global South.
What particular norms should other stakeholders look more into?
Ajijola pointed to the norm 13(k) of the GGE Report in 2015, which says that states should not attack CERTs of other countries, or use their own CERTs for conducting attacks. He explained that the expertise and knowledge that CERTs possess to combat cyber-threats could be valuable for states to conduct attacks as well, which should be prevented. Other norms that deserve more attention are those from the GCSC, in particular, the norm that prevents hacking back, promotes basic cyber hygiene, and advances the vulnerabilities equities process.
Should – and can – new norms be placed to the agenda of diplomatic negotiations?
Ajijola said it is important that new norms are ‘owned’ by people, not just formally adopted through internationally recognised platforms. He used the example of the General Data Protection Regulation (GDPR) and how it got spread around the world without the formal endorsement of the UN. Hogeveen agreed with this idea: if private companies start to adhere to voluntary norms and principles, or states start implanting them in national frameworks, it will be better than a globally binding agreement. Norm development is a process, not a final destination. He recalled that it took 15 years for a nuclear non-proliferation framework to become a treaty. The speed of the development of technology demands much faster implementation of the cyber stability framework, however.
What is the difference between norms and CBMs?
Hogeveen noted that one cannot always clearly distinguish between them. But trust between states is a must have, in order to allow negotiations about responsible behaviour in cyberspace. That is why we need practical instruments to ensure confidence in each other. CMBs are also important during political tensions and crisis situations. Ajijola added that norms are more strategic in nature, while CBMs are a tactical component.
How do we actually implement norms and CBMs?
Hogeveen highlighted that one should not concentrate on the voluntary nature of norms. States need to contextualise the text of norms and operationalise them – he is sure that most countries are already putting these norms in place to some extent. Ajijola noted that technology is always about people, made by the people and for the people. When we look at public-private partnerships, we need to concentrate on capacity building and advocacy that start early – in schools and universities. Constant training and change of management practices are also indispensable. Moreover, in the Global South, there is a need to ensure that the tech sector has security and economic opportunities in mind. If you have a robust digital economy and these norms can make a positive impact, then you find an interest to participate in the development of norms and their further implementation. Finally, he raised the problem of women empowerment in ICT and the underserved population of the Global South that is still missing the majority of norm negotiations.