The United Nations as a Forum for Cybersecurity: Procrastinator or Enabler?

Malicious cyber activities in cyberspace pose a threat to peace and security, human rights and sustainable development internationally. When considering a solution for this global problem, the first forum that comes to mind is naturally the United Nations. The initiative of convening an international meeting of experts in 1999 by the United Nations Institute for Disarmament Research led to the establishment of a group of governmental experts in 2004 (by resolution 58/32) with the agenda of ensuring cooperation and finding ways to secure cyberspace.

As part of that journey, groups of governmental experts (GGEs) contributed significantly to the understanding of the law applicable to cyberspace internationally with (their) 2010, 2013, and 2015 reports. Recognition of applicability of international law, in particular the UN charter, to cyberspace was an important step.  Moreover, the “11 UN norms of responsible state behaviour in cyberspace” as outlined in the 2015 report draw a useful map of problem areas, emphasises some principles and approaches that if elaborated and implemented with further works may contribute to a free, open, peaceful and secure cyberspace and may help establishment of the customary international law in terms of cyberspace.

Despite those rules are still non-binding, the existence and the content of these rules are a call for the adoption of an international convention to help securing cyberspace. The 11 UN norms of Responsible State Behaviour in Cyberspace, UN Cyber Norms, were summarised by the Australian Strategic Policy Institute as:

“1. Interstate cooperation on security, 2. Consider all relevant information, 3. Prevent misuse of ICTs in your territory, 4. Cooperate to stop crime & terrorism, 5. Respect human rights & privacy, 6. Do not damage critical infrastructure, 7. Protect critical infrastructure, 8. Respond to request for assistance, 9. Ensure supply chain security, 10. Report vulnerabilities, 11. Do not harm emergency response teams)”. These rules require advanced state cooperation and this can only be achieved by creating sufficient legal and administrative capacities built on an international cyber convention.

At the same time, the West is opposing new Russian and Chinese initiatives of a new legally binding convention. based on valid and legitimate concerns such as preventing oppressive tendencies in cyberspace, protecting human rights etc. However, just opposing bad law is not sufficient to accomplish the purpose (ensuring human rights in cyberspace, preventing oppressive approaches, ensuring peace and security in cyberspace). Preserving and developing a secure and open cyberspace (ICT environment) requires positive action. Stopping the creation of potentially ‘bad law’ is logical but developing good laws is more important. Because as long as there is need for regulation, there will be the ones who want to regulate and a legitimate ground for such efforts-enable gathering support for such efforts. In addition, in cyberspace any regulation needs consensus and who brings most of the states together has the advantage. Positive action will bring most of the states together.

The GGE continues to exist with the support of western states yet the 2016 and 2017 groups failed to produce a consensus report. Consequently, those groups could not produce anything meaningful since their 2015 report.

In addition, an open-ended working group (OEWG) has also been established. The OEWG came into existence ((11 December 2018, UNGA A/RES/73/27) after a proposal made by Russia, China, Iran and 30 other states which was supported by 110 states and objected by all western democracies (19 November 2018, UNGA A/73/505). OEWG may have a similar mandate but this time all the UN member states have been invited to participate in this group, unlike the GGE which has experts from only 25 states. Despite their initial opposition to the establishment of the OEWG, Western democracies decided in the end to participate in the group as the group may act only on a consensus based basis.

Cooperation is a necessity in cyberspace and such necessity was essential for the adoption of a consensus report of the UN cybersecurity Open-Ended Working Group (OEWG) drafted by some 150 countries and observers under the auspices of the UN. The United States and other liberal democracies had to accept some compromise regarding international humanitarian law and human rights in order to be able to contribute from within such an initiative with an eye on taking the lead in terms of forming the legal framework of cybersecurity internationally within the boundaries of a rule based approach. This consensus is important for further work and for shaping customary international law in the long run. A group that requires consensus among all states which have conflicting national and strategic aims such as China, Russia, Iran and USA, Australia, Canada and the United Kingdom, does not promise much in terms of addressing daily issues in cyberspace. Cyberspace needs immediate action and not mid-term or long-term solutions due to the very nature of cyberspace. Otherwise, it will be hard to talk about a free, open and secure cyberspace anymore in light of the dangers of fragmentation, regional regulations and exercise of jurisdiction and sovereignty over cyberspace on a territorial basis. The mind-set of repressive states about cyberspace leads to the understanding of cyberspace in general, especially in terms of jurisdiction and sovereignty-openness of this realm. Therefore, we regard the OEWG as a dead-end working group in that respect, because apparently there is no way of bringing all nations to a consensus on effective solutions. So (despite constituting a base for the emergence of customary international law) what all this new group promises is more delay and more distraction.

Developed states have to understand the security concerns of the less developed states (lacking the capacity to defend themselves against malicious cyber activities so they demand binding rules to be protected) and in that sense the need for further regulations. Only by doing so it is possible to bring most of the states together in finding ground for compromise. Developed countries have to understand they don’t have to bring all states together which we believe is impossible to agree on the necessary actions required to ensure an open, free, secure and peaceful cyber environment with the respect to human rights and rule of law. Hence, instead of trying to stop Russia, China and their other allies, the western democracies have to take the lead and focus on what it takes to ensure a free, open, peaceful and secure cyberspace with reference to rule of law, humanitarian law and with the consideration of respecting human rights.

On the other hand, the interstate problems are not the only concern in cyberspace. Individuals, companies and different types of groups suffer from cross border malicious cyber activities all around the globe and they find no effective forum to protect them, to reinstate their rights, to compensate for their loses etc. The hottest topics of the groups at UN such as the applicability of IHL and the right to self-defence against a cyber-attack above the threshold of an armed attack as envisaged by international law provide no use to urgent problems of various actors in cyberspace. The discussions under auspices of UN mainly focus on states (those discussions even have the difficulty of covering the threats to the states by non-state actors properly) so they do not properly cover the problems of and those problems caused by other actors (that means discussions do not focus to the majority of the problems and an efficient solution is not possible without even seeing the problems that individuals, groups, companies are facing or causing) in cyberspace.

We make the observation that states seem to enjoy discussing and agreeing on vague statements under the auspices of the UN yet when it comes to define clear practical rules they fail. States which defend the necessity of having binding rules (such as China and Russia) do not have a good track record of following and complying with them. That raises doubts about their real purpose. They are just playing that they want law but for what-to keep the high moral ground and yet not to follow them or maybe they are sure about there will be no agreement over reasonable binding rules- they know they can abuse those rules) the state which do not follow the rule of law gets upper hand against the one that follow rules. It seems as if Laws seems to be binding for developed democracies while other major state players do not seem to respect the rule of law at all. Is the ultimate objective to use such laws as a tool of lawfare?

The efforts under the auspices of the UN about cybersecurity are trying to create soft law. The question here is, can soft law be effective in the cyber context? Soft law requires transparency, mechanisms for monitoring and auditing, a reporting system, an investigation mechanism that ends up with remedies for the victims to be effective to some degree.  Our answer to the above-mentioned question is definitely no! Because a soft law benefits mostly from the power of condemnation. To condemn it is necessary to know who to condemn. Here we face the inherent problem of cyberspace, the attribution. The perpetrators usually mask their identity. Finding the perpetrator of a cross-border malicious cyber activity mostly entails intense cooperation which is rare and hard in the current international system.

Although efforts at the UN are important to develop a common understanding and contribute customary international law, it takes too long even to take a small step. Especially looking for a consensus on effective norms among so sharply divided nations. It is not reasonable to expect a consensus among states like China and the US in their current ‘Great Power competition’ state. It delays allocating resources and focuses on real solutions. On the other hand, development in cyberspace is so fast, any delay in addressing problems leads to a worse balance in its future (fragmentation- authoritarian approaches- restrictions- narrowing enjoyment of human rights- but with all that cost no further security).

Because of delay, the future of cyberspace is being shaped not by rationally discussed and agreed norms but within the arms of anarchy.

Only like-minded states can act fast enough to reach a consensus over a ruled based system that ensures its openness, security and full enjoyment of human rights by individuals. Such a prototype may then attract more states and shape a better future of cyberspace for all nations.

Cybersecurity requires an international legal system working as smooth as a domestic legal system. That is, the required level of cooperation is so high. On the other hand, the possible cooperation that UN mechanisms can offer would be so low even in the best scenario. Here the gap between the level of cooperation needed and the level of cooperation that the UN mechanisms can promise shows clearly that the UN (can be a forum for discussions but not the solution) is not the best forum for a fast, desirable solution. Alongside preserving efforts under auspices of the UN, the western democracies need to focus on another forum which may bring like-minded states together, allow high level cooperation and ensure a free, open and secure cyberspace where there is respect for rule of law and human rights. The question remains of how much cooperation do we need and how much cooperation can we get from any UN mechanism.