Confidence Building in Cyberspace
International security fellow, Simon Fraser University
In the world of multilateral diplomacy, to have states arrive at a consensus agreement on anything is a cause for some celebration. Given the sensitivity of the subject matter and the disparities in power, the fact that a 15-nation UN Group of Governmental Experts was able to issue an agreed report on prospects for international cyber security cooperation is a welcome development. Such expert groups or GGEs are frequently resorted to when UN member states wish to address a relatively new topic, and to generate recommendations as to how the issue should be handled in future. The GGE “on Developments in the Field of Information and Telecommunications in the Context of International Security” finalized its report in early June, and it has just been released as one of the documents to be considered by this fall’s 68th session of the UN General Assembly.
The current report follows upon an earlier GGE study in 2010, which in turn reflects a widely-supported Russian-led initiative at the General Assembly to consider the international security implications of the new environment of cyberspace. The terminology here is still in flux – the UN study uses “information and communication technologies (ICTs)” – but the focus is on the Internet and the threats to cyber security that exist in this unique environment. These threats, the report notes, have increased in recent years “as ICTs are used for crime and the conduct of disruptive activities”. Not surprisingly, the GGE recognizes that “States also have an interest in preventing conflict arising from the use of ICTs” and concludes that “international cooperation is essential to reduce risk and enhance security”.
So far so good, but what exactly is the content of this international cooperation that the GGE espouses? The experts’ recommendations are set out in three sections: norms, confidence building measures and capacity-building. The carefully crafted text reveals both the potential and the limits of the envisaged international cooperation. Under the section on “norms, rules and principles of responsible behaviour by States” the report affirms that “The application of norms derived from existing international law relevant to the use of ICTs by States is an essential measure to reduce risks to international peace, security and stability”. This assertion of the relevance of international law to the new domain of cyberspace was a key objective of the U.S. and other Western states. The inclusion of this sentence will be viewed as a gain, even if it is immediately conditioned by two other sentences noting that how these norms apply to State behaviour requires further study, and that additional norms geared to the unique attributes of ICTs could be developed in future.
The latter caveats represent views that non-Western states, notably Russia and China, have expressed. These two states are the chief proponents of the “Code of Conduct for Information Security” which was put before the UN in 2011 as a basis for state behaviour in cyberspace and which emphasizes sovereign control over a country’s “information space”. Given this orientation, it is understandable why Russia and China could not convince the GGE to do more than “take note” of their proposal. This balancing act between Western and non-Western preferences continues throughout the discussion of norms, with a paragraph on the applicability of international law for instance being immediately followed by one affirming the applicability of state sovereignty to ICT-related activities and infrastructure.
Confidence-building measures are the focus of the next section. The report endorses, albeit rather tepidly, the role of such measures in reducing the risk of conflict: “States should consider the development of practical confidence-building measures to help increase transparency, predictability and cooperation…” The report provides an illustrative list of possible measures, including the exchange of information on national strategies and policies; the creation of bilateral, regional and multilateral consultative frameworks for confidence-building; enhanced information sharing on ICT security incidents; and enhanced mechanisms for law enforcement cooperation. This last measure points to the security challenge posed by cyber criminals or terrorists to inter-state cooperation, as the report notes that enhanced international law enforcement cooperation would “reduce incidents that could otherwise be misinterpreted as hostile State actions”. This section presents a reasonable menu of confidence-building measures, but their actual adoption is left up to states to decide on, bilaterally or in multilateral forums, and to date the take-up has been limited.
The last set of recommendations concerns capacity-building, which the report observes “is of vital importance to an effective cooperative global effort on securing ICTs and their use”. The great disparities in cyber capacity and the developmental orientation of the majority of UN member states explain why a call by the GGE for states “to provide technical and other assistance to build capacities in ICT security” would figure in the report.
The GGE report concludes by noting that progress in the international cyber security realm “will be iterative, with each step building on the last”. Left unsaid is that the iterative process may not simply be in the direction of enhanced security, for state actions can detract from as well as contribute to the level of international security in cyberspace. Recent revelations of sophisticated state-conducted actions of espionage and sabotage demonstrate the real risks to the international community’s welfare if “norms of responsible state behaviour” are not developed and implemented internationally. The GGE’s issuance of a consensus report, even if its recommendations are modest, is a welcome development. The real test of its significance, however, will be the extent to which states actually embrace its recommendations and incorporate the proposed measures into their foreign policies for cyber security.