Members of the UN Security Council meet during a session on December 22, 2014, at United Nations headquarters.

Members of the UN Security Council meet during a session on December 22, 2014, at United Nations headquarters. Frank Franklin II/AP

Policy

Two Ways the United Nations Could Improve Cybersecurity Policy This Week

It will come down to sticking with an unsatisfactory status quo or coming up with something new.

Alex Grigsby,
Council on Foreign Relations

|

The 2012-2013 consensus report from the Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security recommended “regular institutional dialogue with broad participation under the auspices of the United Nations, as well as regular dialogue through bilateral, regional and multilateral forums, and other international organizations.”

In typical UN fashion, the sentence attempts to please a number of constituencies without saying very much. First, it appeals to the United States and its allies by referring to “broad participation” and regular dialogue in venues outside the UN system. This supports the United States’ existing bilateral dialogues and initiatives on cyber issues, as well as signals that cyber discussions cannot only be left to governments given that “broad participation” is required, notably from other stakeholder groups, such as civil society and the business community.

Second, it appeals to Russia, China, India, Brazil, and others that would like to see the UN take a more central role in cyber matters, not only on issues related to international peace and security, but when they are related to broader issues like Internet governance. This is exemplified in the Russia and China’s proposed Code of Conduct for Information Security and the joint Brazilian-Indian proposal for a UN Committee for Internet-Related Policies in 2011.

Despite reaching a consensus on the need to talk more, the current GGE group will continue to argue over the appropriate place of the UN in discussions about cyber activity that can undermine international peace and security. The GGE will have two options to consider: status quo or something new.

Status Quo

Thus far, the bulk of the discussions regarding the destabilizing implications of cyberspace at the UN have taken place in GGEs in 2004-2005, 2009-2010, and 2012-2013, only the last two of which produced consensus reports. While the GGE process has been instrumental in promoting the norm that international law applies to state behavior in cyberspace, the model is not sustainable for two reasons. First, GGEs have to be periodically renewed by the UN General Assembly, a process that can be upheld by politicking, deal-trading on unrelated issues, and pressures on the UN budget.

Second, the cyber GGEs are limited to a small number of states, five of which have always been the permanent members of the UN Security Council, and the membership changes every time a new GGE is created. Cyber issues can be notoriously complex and require a significant amount of expertise accumulated over time before engaging in an intelligent discussion over its political and military implications. Furthermore, some of the diplomats that sit on the GGE can be arms control generalists, not cybersecurity policy experts—an important distinction given the hyperbole that can infiltrate cyber discussions. It is impractical for countries that sit on GGEs on a rotational basis to gain cyber expertise over the life of a GGE only to give up their seat to a newcomer. GGEs only meet in three or four weekly sessions, meaning that precious time can be lost bringing the newcomers up to speed on the previous discussions of the GGE before resuming an informed discussion.

Something New?

To replace the ephemeral nature of the GGE process and create institutional knowledge at the UN, it may be possible to insert cyber discussions in existing UN organs that specialise in international peace and security issues. However, none of these options are particularly appealing. One institutional home for cyber at the UN could be the Conference on Disarmament,  but the group, with few exceptions, has not been able to agree on a work plan since 1996, making it an impractical venue for pressing debates on cyber issues.

Another option could be the creation of a standing group to address the military implications of cyberspace. The idea was floated during the 2012-2013 GGE, modelled on the Committee on the Peaceful Uses of Outer Space (COPUOS), but fell flat for a few reasons. First, UN Member States are loathe to expand the UN structure that would require additional funding. Second, committees like the COPUOS often come into existence to oversee the implementation of a treaty, something that does not exist for cyberspace and which is not particularly desirable for a whole host of reasons.

Notwithstanding these challenges, some sort of cyber working group within the UN would help build expertise on the military aspects of cyberspace, contribute to the development of confidence building measures, and shape the promotion of norms for state behavior in cyberspace. While I’m by no means an expert of General Assembly procedure, it doesn’t seem too far fetched an idea to transform the GGE into a standing working group of the First Committee that any interested UN member state could join. And much like the GGE, the standing working group would issue recommendations every few years or so.

Where will the discussion land?

The UN’s role in the military dimensions of cyberspace is likely to become a bargaining chip. While Russia and China may not push for a new UN cyber committee, middle income and developing countries in the current GGE such as Brazil, Kenya, Malaysia, and others may find it appealing as a way to develop expertise on the topic and could want to see a recommendation for a new group in the GGE’s report.

The United States, which is comfortable with the status quo approach, will likely resist such a move unless it can obtain some concessions in return. For example, it may be more receptive to a new structure if it can achieve consensus on the specific norms it has been recently promoting, namely that states should not:

  • Interfere with the operations of Computer Security Incident Response Teams, which act as digital firefighters that provide mitigation, recovery advice, and assistance to organisations requesting it;
  • Knowingly conduct computer network operations that damages critical infrastructure; and
  • Hinder or impede requests for assistance from other states investigating cyber crimes or other malicious cyber activity.

Even so, previous UN committees that have examined cyber and Internet issues, such as the Committee For Science and Technology for Development, have not amounted to much. This makes it all the more unlikely that this GGE will add more clarity as to the UN’s role in cyber issues.

This post appears courtesy of CFR.org.

NEXT STORY: National Security Eclipses Economy as Voters' Top Concern, GOP Poll Finds

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.