Two Ways the United Nations Could Improve Cybersecurity Policy This Week

The 2012-2013 consensus report from the Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security recommended “regular institutional dialogue with broad participation under the auspices of the United Nations, as well as regular dialogue through bilateral, regional and multilateral forums, and other international organizations.”

In typical UN fashion, the sentence attempts to please a number of constituencies without saying very much. First, it appeals to the United States and its allies by referring to “broad participation” and regular dialogue in venues outside the UN system. This supports the United States’ existing bilateral dialogues and initiatives on cyber issues, as well as signals that cyber discussions cannot only be left to governments given that “broad participation” is required, notably from other stakeholder groups, such as civil society and the business community.

Second, it appeals to Russia, China, India, Brazil, and others that would like to see the UN take a more central role in cyber matters, not only on issues related to international peace and security, but when they are related to broader issues like Internet governance. This is exemplified in the Russia and China’s proposed Code of Conduct for Information Security and the joint Brazilian-Indian proposal for a UN Committee for Internet-Related Policies in 2011.

Despite reaching a consensus on the need to talk more, the current GGE group will continue to argue over the appropriate place of the UN in discussions about cyber activity that can undermine international peace and security. The GGE will have two options to consider: status quo or something new.

Status Quo

Thus far, the bulk of the discussions regarding the destabilizing implications of cyberspace at the UN have taken place in GGEs in 2004-2005, 2009-2010, and 2012-2013, only the last two of which produced consensus reports. While the GGE process has been instrumental in promoting the norm that international law applies to state behavior in cyberspace, the model is not sustainable for two reasons. First, GGEs have to be periodically renewed by the UN General Assembly, a process that can be upheld by politicking, deal-trading on unrelated issues, and pressures on the UN budget.

Second, the cyber GGEs are limited to a small number of states, five of which have always been the permanent members of the UN Security Council, and the membership changes every time a new GGE is created. Cyber issues can be notoriously complex and require a significant amount of expertise accumulated over time before engaging in an intelligent discussion over its political and military implications. Furthermore, some of the diplomats that sit on the GGE can be arms control generalists, not cybersecurity policy experts—an important distinction given the hyperbole that can infiltrate cyber discussions. It is impractical for countries that sit on GGEs on a rotational basis to gain cyber expertise over the life of a GGE only to give up their seat to a newcomer. GGEs only meet in three or four weekly sessions, meaning that precious time can be lost bringing the newcomers up to speed on the previous discussions of the GGE before resuming an informed discussion.

Something New?

To replace the ephemeral nature of the GGE process and create institutional knowledge at the UN, it may be possible to insert cyber discussions in existing UN organs that specialise in international peace and security issues. However, none of these options are particularly appealing. One institutional home for cyber at the UN could be the Conference on Disarmament,  but the group, with few exceptions, has not been able to agree on a work plan since 1996, making it an impractical venue for pressing debates on cyber issues.

Another option could be the creation of a standing group to address the military implications of cyberspace. The idea was floated during the 2012-2013 GGE, modelled on the Committee on the Peaceful Uses of Outer Space (COPUOS), but fell flat for a few reasons. First, UN Member States are loathe to expand the UN structure that would require additional funding. Second, committees like the COPUOS often come into existence to oversee the implementation of a treaty, something that does not exist for cyberspace and which is not particularly desirable for a whole host of reasons.

Notwithstanding these challenges, some sort of cyber working group within the UN would help build expertise on the military aspects of cyberspace, contribute to the development of confidence building measures, and shape the promotion of norms for state behavior in cyberspace. While I’m by no means an expert of General Assembly procedure, it doesn’t seem too far fetched an idea to transform the GGE into a standing working group of the First Committee that any interested UN member state could join. And much like the GGE, the standing working group would issue recommendations every few years or so.

Where will the discussion land?

The UN’s role in the military dimensions of cyberspace is likely to become a bargaining chip. While Russia and China may not push for a new UN cyber committee, middle income and developing countries in the current GGE such as Brazil, Kenya, Malaysia, and others may find it appealing as a way to develop expertise on the topic and could want to see a recommendation for a new group in the GGE’s report.

The United States, which is comfortable with the status quo approach, will likely resist such a move unless it can obtain some concessions in return. For example, it may be more receptive to a new structure if it can achieve consensus on the specific norms it has been recently promoting, namely that states should not:

• Interfere with the operations of Computer Security Incident Response Teams, which act as digital firefighters that provide mitigation, recovery advice, and assistance to organisations requesting it;
• Knowingly conduct computer network operations that damages critical infrastructure; and
• Hinder or impede requests for assistance from other states investigating cyber crimes or other malicious cyber activity.

Even so, previous UN committees that have examined cyber and Internet issues, such as the Committee For Science and Technology for Development, have not amounted to much. This makes it all the more unlikely that this GGE will add more clarity as to the UN’s role in cyber issues.

This post appears courtesy of CFR.org.