What’s new with cybersecurity negotiations? The UN GGE 2021 Report

The UN Group of Governmental Experts (GGE) was declared ‘dead’ after it didn’t produce a consensus report in 2017. The last, much-lauded and often invoked report was adopted by the GGE in 2015. Yet in December 2019, 4 years after the GGE’s last success, the General Assembly (GA) decided to extend the process and establish another GGE (2019-2021). In May 2021, GGE adopted its consensus report and published its advance copy without much fanfare, as expected from a process generally shrouded in mystery. 

What does the GGE Cyber 2021 report contain? 

In this blog post, we’ll tackle the content of the UN GGE Cyber 2021 report. The group of experts operating in their personal capacity and appointed by the UN Secretary General was mandated to ‘continue to study, with a view to promoting common understandings and effective implementation, possible cooperative measures to address existing and potential threats in the sphere of information security’. In simpler terms, it tried to find ways to cooperate on addressing threats in cyberspace.

Where appropriate, we will note how this report compares to the landmark reports on cybersecurity, i.e. the GGE 2015 report and the OEWG 2021 report. We’ll compare the GGE 2015 and 2021 reports to note which assessments were reaffirmed. We’ll compare it to the OEWG 2021 report to see whether the two groups worked in synergy and how their conclusions converge or differ.

Existing and emerging threats

The GGE 2021 report reaffirms that the serious ICT threats identified in previous reports persist. However, a few concerns were highlighted.

Serious concerns about harmful ICT activity against critical infrastructure, including critical information infrastructure, infrastructure providing essential services to the public, the technical infrastructure essential to the general availability or integrity of the Internet, and health sector entities were noted. 

The assessments of the 2015 report that a number of states are developing ICT capabilities for military purposes are also underlined in the 2021 report. According to the Geneva Internet Platform (GIP) mapping, the number of countries with offensive cyber capabilities or plans to develop them has reached 53 in 2021, confirming this trend.

The report notes a ‘worrying increase in states’ malicious use of ICT-enabled covert information campaigns to influence the processes, systems and overall stability of another state’.

Also underlined were malicious ICT activity aimed to exploit vulnerabilities, which increase with the attack surface and because of the differences in capacities and resources to develop resilience, protect critical information infrastructure, identify and respond to threats in a timely manner.

Norms, rules and principles

Norms and existing international law ‘sit alongside each other,’ the report underlines. Norms do not seek to limit or prohibit action that is otherwise consistent with international law. Norms reflect the expectations of the international community and set standards for responsible state behaviour. Interestingly, the GGE 2015 and OEWG 2021 reports also note that norms ‘allow the international community to assess the activities of States,’ and this phrase is missing from the GGE 2021 report. 

The report reaffirms that additional norms could be developed over time. It also notes the possibility of future elaboration of additional binding obligations, a point which was contentious but still included in the conclusions of the OEWG report.

The GGE 2019/2021 has developed an additional understanding of the 11 voluntary GGE 2015 norms, as it was mandated. The visualisation below contains measures that the 2021 report recommended for States to consider in order to observe the 2015 norms.

International law

Also reaffirmed in the report is the applicability of international law, and in particular the UN Charter in its entirety, to the ICT environment. It is significant to note that the report underlines that the UN Charter applies in its entirety and lists its principles. The OEWG 2021 report does not make this specification, and only specifically refers to the principle of peaceful resolution of disputes. 

The GGE 2019/2021 noted that international humanitarian law applies only in situations of armed conflict. This is a significant milestone, as the previous GGE reports and the OEWG 2021 report have not reached consensus on the issue. It is likely to have long-term consequences – it may limit or prevent development of new cyber capabilities as these may have unintended effects on civilian population and infrastructure and restrict the conduct of hybrid warfare.

The application of established international legal principles (including the principles of humanity, necessity, proportionality, and distinction) to the use of ICTs needs further study. However, the report omits to suggest or recommend which fora should undertake this study. 

Confidence building measures

In this section, the report tackles both cooperative and transparency measures. Among cooperative measures, points of contact (PoC) and dialogue and consultations are discussed.

On PoCs, states are encouraged to consider appointing dedicated PoCs at the policy, diplomatic, and technical levels and creating inter- and intra-governmental procedures to ensure their effective communication during crises. The report also suggests that the UN Secretary-General could be invited to facilitate voluntary exchanges between states on lessons, good practices, and guidance relevant to already existing regional and subregional PoC networks. 

As far as dialogue and consultations, states are encouraged to continue engaging in regional groups to develop and implement CBMs. They are also encouraged to share and disseminate information and good practices on (a) establishing and sustaining national CERTs/CSIRTs and (b) incident management.

For transparency measures, states could consider using bilateral, sub-regional, regional and multilateral fora and informal consultations to clarify positions and share information on existing and emerging threats, vulnerability analysis of ICT products, risk management and conflict prevention, ICT security, data protection, ICT-enabled critical infrastructure protection, mission and functions of ICT-security agency, and national or organisational ICT strategy.

International cooperation and assistance in ICT security and capacity-building

The GGE noted a few areas in which international cooperation and assistance in ICT security and capacity building can support states, including: 

1. Developing and implementing national ICT policies, strategies, and programmes.
2. Creating and enhancing the capacity of CERTs/CSIRTs and strengthening arrangements for their cooperation. 
3. Improving the security, resilience, and protection of critical infrastructure.
4. Building or enhancing the technical, legal, and policy capacities of states to detect, investigate and resolve ICT incidents.
5. Deepening common understandings of how international law applies to the use of ICTs by states and promoting exchanges between states in this regard.
6. Enhancing the technical and legal capacities of all states to investigate and resolve serious ICT incidents.
7. Implementing agreed, voluntary, non-binding norms of responsible state behaviour. 
8. To this end, and as a means to assess their own priorities, needs and resources, States are encouraged to use the voluntary Survey of National Implementation recommended by the UN OEWG.

The GGE also welcomed the capacity building principles concerning process, purpose, partnerships, and people recommended by the OEWG 2021 report. Unlike the OEWG 2021 report, it clearly underlines the multistakeholder nature of capacity building.

Conclusions and Recommendations for Future Work

The GGE identified potential areas for future work:

1. Increased cooperation to foster common understandings on existing and emerging threats;
2. Further sharing and exchanging of views on norms, rules, and principles for responsible state behaviour, national and regional practices in norm and CBM implementation, and international law application on use of ICTs by states;
3. Further strengthening international cooperation and capacity building;
4. Identifying mechanisms that facilitate the engagement of all stakeholders in implementing the framework of responsible behaviour;
5. Requesting undertaking of relevant studies by the UN Institute for Disarmament Research (UNIDIR), think tanks and research institutions.

The GGE was rather conservative in drafting their recommendations for future work. 

Touching upon the mode of future deliberations, the report stated that the Programme of Action (PoA) should be further elaborated, including at the OEWG 2021-2025. The PoA aims to end the ‘dual track’ of the GGE and the OEWG, and establish ‘a permanent UN forum to consider the use of ICTs by states in the context of international security’. This is also in line with the conclusions in the OEWG report.

The most important takeaways

The GGE 2021 report defines the framework of adopted recommendations, norms, and principles (known as the ‘acquis’) for responsible state behaviour in the use of information and communication technologies (ICTs). The framework encompasses the GGE 2010, GGE 2013, GGE 2015, and OEWG 2021 reports. The GGE report also prescribe elements for the attribution of cyberattacks, i.e. ‘the incident’s technical attributes; its scope, scale and impact; the wider context, including the incident’s bearing on international peace and security; and the results of consultations between the States concerned’. It openly encourages contact between the victim and the alleged source of an an attack – notifying the other state and asking for support – before anything else is done. The report sets useful guidelines on some key rules for national frameworks. This is particularly important for ‘newcomers’ in the cybersecurity field (such as developing countries). Most notably, not only does the GGE 2021 report name the OEWG 2021 report as part of the aquis, but it also refers to its provisions, proving that the two parallel processes were indeed in sync.

What’s next?

The future of the GGE is uncertain, with no immediate plans to renew the format. The format did great things in the past – the GGEs can be credited with two major achievements: outlining the global agenda and introducing the principle that international law applies to cyberspace. Its 11 voluntary norms enumerated in the GGE 2015 report are also generally agreed upon. The 2010, 2013, and 2015 GGE reports were adopted as a base for the consensual OEWG 2021 report adopted by all UN member states.

However, the more inclusive, transparent, and of similar mandate OEWG has already been extended by the GA to 2025, even before OEWG 2019-2021 completed its work. Proponents of the GGE format might underscore what the High Representative for Disarmament Affairs stated: ‘a smaller group of experts on the specific topic […] use their extensive expertise to provide in-depth assessments and recommendations’. Yet, more support is being given to the Programme of Action (PoA), which is focused on the implementation of the existing framework rather than further studies.

If we take into account that states seem tired of not having a one-track process, we might be tempted to predict the GGE’s death again. It would not, however, signify the end of the talks on cybersecurity in the UN – even if the king dies, long lives the king.

What do you think about the GGE 2021 Report? Tell us on Textus!

We aim to analyse and inform everyone who is interested in cyber-negotiations, we love to hear what you think! Head to Diplo’s hypertext tool Textus, to easily comment and reflect on others’ comments in two simple steps:

1. Click on the ‘<’ button in the upper right corner, and a gray sidebar will appear. Go to the upper right corner of the sidebar and sign up.
2. Simply log in and comment!