After two decades of deliberating cyber norms, UN member states are about to undertake a more hands-on task — the creation of a global, intergovernmental Points of Contact (PoCs) directory. This network would be expected to enhance cooperation and build confidence between governments in matters related to information and communications technologies in the context of international security. Amidst increasingly routinized cyber conflict, this endeavor is long overdue. But even as it would make states better equipped to tackle digital threats together and reduce tensions (if they wish so), the establishment of a new network would hardly avoid the same contentious issues that cyber diplomats have not been able to solve before.
In the context of UN-based negotiations on Developments in the field of information and telecommunications in the context of international security, the idea of connecting national points of contact for the purpose of confidence building dates back at least a decade ago.
The 2013 substantive report of the Group of Governmental Experts (GGE) recommended that “States should consider exchanging information on national points of contact, in order to expand and improve existing channels of communication for crisis management, and supporting the development of early warning mechanisms.”
The 2015 GGE report listed the “identification of appropriate points of contact at the policy and technical levels to address serious ICT incidents and the creation of a directory of such contacts” as one of the suggested voluntary confidence-building measures (CBMs).
In 2021, PoCs were mentioned in both the GGE and Open-Ended Working Group (OEWG) reports. Per the OEWG report, “States concluded that establishing national Points of Contact (PoCs) is a CBM in itself, but is also a helpful measure for the implementation of many other CBMs, and is invaluable in times of crisis.” It added that states could have various types of PoCs including for “diplomatic, policy, legal and technical exchanges, as well as incident reporting and response.” The report recommended states that did not have a national PoC to nominate one and encouraged states “to continue to consider the modalities of establishing a directory of such Points of Contact at the global level.” The GGE report included a section (paragraphs 76-78) describing the utility of PoCs and things to consider when establishing them. It also stressed the need for inclusive and universal approaches to addressing ICT security threats. It invited the UN Secretary General to facilitate the exchange of best practices related to existing PoC networks in contribution to the discussion on establishing the global PoC directory.
Thus, by the time the new OEWG (2021-2025) began its work, the idea of the PoC directory had already been elaborated in previous talks and had become part of the GGE/OEWG acquis. In 2022, in the first annual progress report of the OEWG, States agreed “to establish, building on work already done at the regional level, a global, intergovernmental, points of contact directory.” States would provide their views on establishing the PoC directory to the UN Secretariat and would further discuss the idea during the two formal sessions of the OEWG in 2023.
As suggested by OEWG Chair Burhan Gafoor, states used the December 2022 intersessional meeting as an opportunity to begin substantive debate on the establishment of the PoC directory. Multiple states submitted their proposals on the directory before getting together in New York and made presentations during the first day of the intersessional meeting (written submissions are available on the OEWG page).
The Russian concept paper suggests that each state should designate PoCs at two levels, diplomatic and technical. The PoC directory would feature basic contact information of these authorities. It would be maintained and regularly updated by the United Nations Office for Disarmament Affairs (UNODA).
From the Russian perspectives, the two types of PoCs would have different roles: the diplomatic PoC would be responsible for facilitating dialogue, organizing consultations, and addressing any political issues, whereas the technical PoC would be in charge of sharing data on threats and specific incidents and providing technical assistance. The Russian paper was presented at the UN by a representative of the National Computer Incident Response & Coordination Center (NCIRCC). In particular, the presentation featured a slide illustrating the proposed algorithm for using the PoC directory in case of a cyber incident. According to this slide, the request via the director would be directed to the technical PoC only if there are no interstate tensions.
The Russian paper also proposes working principles of the PoC directory including that PoCs should aim at preserving political neutrality and maintaining ties to other PoCs regardless of international situation; that they should not be subject to sanctions; and that their activities should be informed by the OEWG recommendations and the by the rules, norms, and principles of responsible state behavior in information space.
Another prominent paper was submitted by a cross-regional group of states (Australia, Brazil, Canada, Chile, Fiji, Germany, Israel, the Republic of Korea, Mexico, the Netherlands, Singapore and Uruguay). This proposal emphasizes the role of existing regional PoC directories (within the OSCE, Organization of American States, and ASEAN) and recommends to leverage those networks in order to avoid duplication and ensure complementarity when establishing the global directory. To that end, the paper suggests that “existing national contact points at regional level should ideally be also nominated as contact points within the UN PoC directory” (a similar proposal is made in the Russian paper, too). However, it recognizes that not all states are members of regional organizations with PoC directories and hence recommends encouraging the expansion of this practice including through capacity-building efforts.
The paper recommends that states should run regular communication checks to test functionality of the directory and provide updates about their PoCs. More ambitiously, the paper suggests that the directory, being a CBM in itself, could be used for implementing other CBMs at the global level such as cyber exercise and trainings. The paper makes a case for using the PoC directory both in the event of crisis (where it could help prevent cyber incidents or manage crisis more effectively) and in non-crisis times (essentially, exchanges that would foster trust).
The paper suggests that UNODA should be put in charge of setting up and administering the PoC directory, which would be considered operational once at least 50 states nominate one or more diplomatic or technical PoCs. Unlike Russia’s proposal that envisions no need for additional financial resources, the cross-regional group of states believes that UNODA would require more funding to maintain the directory.
Proposals by other states stress various aspects of establishing the PoC directory. For instance, Iran puts a strong emphasis on capacity-building to assists states in setting up national PoCs. India calls for mounting the PoC directory on a specialized online portal that would be maintained by UNODA. The German proposal envisions a possibility for incorporating non-governmental stakeholders into the PoC directory in the future. And Singapore proposed endowing the UN Secretariat with wider responsibilities including for “hold[ing] cyber exercises and trainings, and coordinat[ing] capacity-building efforts relating to the implementation and operationalisation of POCs and the POC directory.” In addition to state perspectives, the intersessional meeting featured presentation on PoC directories from regional organizations, including African Union, ASEAN, CSTO, CIS, EU, OESCE, OAS.
The proposals presented before and in the intersessional meeting in December 2022 demonstrated diverse approaches to how the global PoC directory should be set up, what it should be used for, and who should maintain it. While there were many disagreements over the details, none of them appeared inextricable. Overall, states seemed to agree that establishing the global PoC directory could be beneficial for carrying further the OEWG mission and is feasible in the near term, as early as in 2023.
If in the coming months states figure out a compromise on modalities of the PoC directory and succeed in setting it up, that would be a significant deliverable for the global cyber diplomacy. Yet, states would need to manage their expectations and not expect the new network to solve the old problems.
Consider a situation where one state contacts another state via the PoC directory regarding an ongoing cyber incident. Things would probably go smoothly between two friendly nations, but in other circumstances various issues might arise. Would the requesting state be able to share data to back its request? Would the requested state be able to dismiss the request or to dispute the facts in it? Or to ignore it citing the voluntary basis of cyber norms? What would be the reaction of the requesting state? If a state avoids using the PoC directory altogether because it distrusts another state and comes forward with public accusations, would that defeat the meaning of having the network in the first place?
It is likely that the establishment of the global PoC directory would eventually serve as a reminder about many complex problems such as interpretation of international law and attribution that states have not been able to tackle collectively at the UN yet. This would put significant limitations on the utility of the directory as a tool to mitigate cyber conflict.
Oleg Shakirov participated in the intersessional meeting of the OEWG in December 2022 as a representative of PIR Center.