After a lag of six years, a renewed global cyber consensus was reached on 12 March when the UN member states agreed to the final report of the open-ended working group on information and communication technology developments in the context of international security.
In 2018, the group was instructed to make the UN negotiation process more democratic, inclusive and transparent, and to develop—or amend—current understandings of rules, norms and principles of responsible state behaviour. It was also asked to develop shared understandings of existing and potential threats, and of how international law applies to the use of ICT.
The final report reaffirms the initial framework for what states should and shouldn’t be doing in cyberspace that was first agreed in 2015. The framework includes the recognition that international law applies to state activities in cyberspace, and affirms a set of 11 norms, confidence-building measures and a collective commitment to capacity-building.
The fact that 91 participating states managed to reach agreement is an accomplishment in itself, a Herculean task according to the South African delegation.
Concerns that some states would attempt to backtrack on previously agreed consensus outcomes proved unjustified. Relatively early in the process, major countries reaffirmed their commitment to the existing UN framework of responsible state behaviour. At the same time, Iran made the argument that ‘the consensus of the past is not the consensus of the present’ and Russia kept bringing up its ambition to work towards a legally binding treaty instrument for international ICT security.
The previous round of negotiations, between 2016 and 2017, broke down over proposals describing in greater detail how international law applies to state activities in cyberspace. The US tried to get the process moving again by suggesting that each state instead outline and publish its views on the application of international law separately. So far, at least 10 countries have done so.
Diplomats appeared disillusioned at the prospect of a long-term breakdown in interstate collaboration to solidify what was still a fragile rules-based framework for cyberspace. News articles appeared with headlines such as ‘The end of cyber norms’, ‘The end of an era’ and ‘The death of the UNGGE process’. This anxiety was exacerbated in late 2018 when the US and Russia proposed two similar but competing resolutions at the UN General Assembly.
The US called for the establishment of a sixth group of governmental experts (UNGGE), based on a practice started in 2004 for a select group of national experts to advance thinking and agreement on global rules. Russia, probably anticipating broader support for its viewpoints among the full UN membership, proposed that an open-ended working group be formed in which all countries could participate ‘on equal footing’.
Despite initial scepticism, the chair of the working group, Swiss Ambassador Jürg Lauber, and the UN support team have to be applauded for establishing a valuable and inclusive process that encouraged 40 new countries to join the conversations. There were also several unofficial but on-the-record opportunities for non-governmental organisations to provide input. This was, surprisingly, a novelty for the UN First Committee; until then, only states had addressed disarmament and international security issues.
But it was not all sunshine and roses.
During the last week of negotiations, states declined to approve text disclosing their areas of disagreement and that section was stripped from the report. Also, China successfully argued for the paragraph on ‘norms’ to be placed before the one on ‘international law’, a move not supported by Australia. Beijing is prioritising norms development, in particular around global rules for data security, over the decade-old entrenched discussion over the application of international law.
At the end of a successful negotiation process, delegations normally try to highlight their success stories. This time, however, delegations expressed their shared unhappiness with the report in quite explicit terms; they all had hoped a final report would be more reflective of their particular standpoints.
Russia’s representative, Ambassador Andrey Krutskikh, a veteran of the UN process, echoed South Africa in saying that ‘the report does not make us happy, but it is satisfactory’.
‘[N]ot all my country’s proposals are fully reflected in the document. In this regard, I would like to caution in advance that Russia will continue to actively advocate for its interests and for the interests of its friends in the future negotiation process on this topic.’
US Ambassador Michele Markoff, also a veteran of the UN process, made similarly clear that the US felt the final report was ‘not perfect’ and continued ‘to have reservations’.
The UK said it would have liked to see more progress in the international law section, but because others had been flexible, it supported the global adoption of the report. Iran went furthest: while it didn’t block consensus, Tehran disassociated itself from those parts of the text that didn’t match its ‘principled positions’.
Despite all the reservations, the report delivers several positive steps.
The report recommends that states ‘continue to study and undertake discussions … on how international law applies to the use of ICTs by states’. This opens the door to continue seeking individual states’ views on how they see principles of international law, including international humanitarian law, applied in cyberspace.
The report unequivocally emphasises the need to support and invest in implementing agreed norms at the national, regional and global levels. States are called upon ‘to avoid and refrain from the use of ICTs not in line with the UN norms’—an important qualification as the norms are technically voluntary and non-binding.
Taking the experiences from the Covid-19 pandemic into account, an Australian-initiated proposal to highlight healthcare institutions as a key part of a nation’s critical infrastructure was endorsed. The report recommends that states prioritise efforts to protect all critical infrastructure and critical information infrastructure.
As the dust settles from the heavy lifting of reaching, in the words of the Australian delegation, ‘a report balanced on a knife’s point’, all eyes will now be on the UNGGE process. The closed-door discussions among the 25 experts when they tackle the unresolved issues are sure to be more fierce than in the open forum of the working group.
With a deadline of May, the UNGGE report is all but certain to garner a consensus. For now, though, a global cyber consensus has been re-established, and that’s a positive thing.