UN GGE takes another step forward by agreeing on rules of state conduct in cyberspace

Head of Global Stakeholder Engagement, Eastern Europe and Central Asia, ICANN; PIR Center Program Coordinator “Global Internet Governance and International Information Security” (2014–2015)
August 31, 2015

The original article was published on Russia Direct web-site on 28 August 2015

Just a few months ago, in April 2015, the Global Conference on Cyberspace gave little cause for optimism to those expecting a unison of voices in favour of an international agreement on norms of state behaviour in cyberspace. Despite the palpable understanding that the international community does need to grope for a common denominator for global peace and security, mentions of a legally binding treaty were mostly frowned upon. The discussions on the nuances of how international law applies in cyberspace revealed a wide array of differing interpretations. The fruit was not ripe, but the plant has been generously watered since then.

Now, four months later, the UN Group of Governmental Experts, a team of representatives from 20 countries acting in a voluntary capacity, has emerged from its fourth session in the past decade with a vision of the minimum norms to be adopted by states to ensure a more secure digital future. While the report stating the agreed measures is clearly progress and a success for the Group at a time of scarce trust and mutual understanding among nations, there are certainly caveats and challenges to these achievements to face and consider in the coming months and years.

Not a zero sum game

The movement towards this settlement started a while ago, and Russia has been putting a lot of effort into lobbying for a commitment to certain rules of the game online, including within the UN GGE framework. The best known endeavours so far to set forth a concrete proposal are the SCO Code of Conduct for information security and the Russian draft UN convention on international information security, both of 2011. Both focus inter alia on ensuring the stability of information space, sovereign control over national internet segments, and the demilitarisation of cyberspace, which have not found much support among Western nations. This may put a stigma on the revised version of the Code submitted in January 2015; however, both versions also contain generally recognised recommendations on technical cooperation and the protection of individual rights online, and the new Code also mentions confidence and capacity building measures (p. 10, 11).

Bilateral attempts at codifying state relations in cyberspace were made between Russia and the US (2013) and most recently between Russia and China (2015). The former ground to a virtual halt after the eruption of the conflict in Ukraine; the latter is yet to prove its viability. However, all these documents share language and conceptual understanding in certain instances, and these very instances are now reflected in the UN GGE report as the common denominator, the foundation and launch pad for any further (hopefully) consensus. Inter alia, states:

– Commit not to inflict damage on each other’s critical infrastructure and cyber emergency responders (CERTs and CSIRTs);

– Commit not to knowingly allow their territory to be used for illegal cyber activity by third parties, and to establish proof of malicious activity before taking countermeasures in retaliation;

– Assume a duty to assist in the investigation of cyberattacks and cybercrime launched from their territory;

– Commit to the peaceful use of ICTs as a cornerstone of peace and security in cyberspace and beyond.

What makes this agreement a milestone is that it not only shows visible progress on the issue since the previous report of June 2013, building on some of its fundamental points and recommendations, but also reveals the good will of the participants to flesh out the minimum set of measures on which they see eye to eye despite a host of conceptual differences. The rise in illegal activity online and the threat of terrorist use of ICTs have made a strong case for spelling out the principles of maintaining stability, since in the absence of well-defined attribution and verification mechanisms cyber aggression can all too easily escalate into kinetic conflict. As the Special Representative of the President of the Russian Federation on International Cooperation on Information Security, Ambassador at Large Andrey Krutskikh, who represents Russia in the UN GGE, remarked in his recent interview with the Kommersant newspaper, this is not a zero-sum game: “We all understand that in the sphere of information and communication technology (ICT), threats are common and transnational. We can only fight these threats jointly.” He pointed out, however, that the consensus was far from easy; essentially it was the desire to find palatable decisions and wording that helped the Group arrive at a final text.

At the same time, as follows from the above, differences in threat assessment and in the vision of responses to those threats, as well as a lack of trust, currently set a limit to the scope of possible agreement. For instance, clauses 11 (f), (g) and (h) on the commitment not to attack critical infrastructure and to cooperate in dealing with such attacks on another state do not spell out its exact types, while definitions and classifications of critical infrastructure differ from country to country. In fact, it was earlier expected that more specific agreements could emerge for the banking/financial industry or the nuclear energy sector, as the sectors on which consensus would probably be easiest.

The clause on not compromising ICT products with “harmful hidden functions” (11 (i)) is hard to implement meaningfully without a viable verification tool, which is yet to be developed. Besides, while signals intelligence is part and parcel of every country’s foreign policy, it is not clear whether the states with such capacity are indeed ready to commit at a time of geopolitical turbulence. Interestingly, the very concerns about such functions in ICTs are not mentioned in the threats section (II) of the present report (though they are in the 2013 one) and are instead addressed directly in the Norms (11) and Confidence building (16(c)) sections.

Equally, the commitment to investigate cyberattacks thoroughly (13(b)) before pointing the finger at a culprit runs into the problem of attribution, which, despite all existing tools and approaches, still rests on an inference drawn from a collection of usually indirect evidence.

All this leads to the essential question of the value of an agreement that would be tough to implement even if it were binding. In fact, its voluntary, non-binding nature, while begging the same question of practical use and real commitment, allows for tentative rule-setting. This in turn seems an inevitable and important stage in the process of potentially establishing black-letter law norms in the future. At this stage, the Group starts by crystallising what appear to be “customary norms”, i.e. ones already widely accepted in the respective communities, while envisaging and preparing the ground for “aspirational norms” that are yet to be digested and accepted. These are “the expectations of the international community, set standards for responsible State behaviour and allow the international community to assess the activities and intentions of States” (10).

“One step at a time” looks like the most feasible strategy here, as the agreed principles of behaviour lay the ground for further elaboration while also helping to build a new culture of international interaction in this field and an ecosystem for relations with non-state actors. As Ambassador Krutskikh argues, they do not exist in a vacuum, and the new legal context should eventually help national and international counterterrorist and anti-crime activities.

The report has been submitted to the UN Secretary-General for presentation at the 70th UN General Assembly at the end of September, and the Group intends to continue its work on developing the norms next year if the General Assembly approves. We might therefore be in for a long journey towards a document that is ripe, detailed and balanced enough to become binding. At least this is Russia’s openly stated desire. Many factors will affect how soon this happens, most importantly the participants’ good will and willingness to listen to each other.

That said, one should not overestimate the restrictive potential of the norms set out in the agreement. Defined in the text as mere moral obligations, at present they lack a deterrence mechanism strong enough to guarantee their implementation and to “prevent conflict in the ICT environment” (10). The Group admits that “their implementation may not immediately be possible, in particular for developing countries, until they acquire adequate capacity” (14) and commits to developing more norms over time (15). The next big cyber conflict, however, would be a good litmus test of the participating states’ commitments and of the amount of political leverage behind them.

The art of win-win

The first media accounts of the Group’s work in the US and Russia both praised it as a success for their own country. This is not just complacency, as it took a long time to reconcile very different stances, but also a sign that both sides saw their points reflected in the final document.

For Russia it was essential to highlight its principled position that preventing the use of ICTs for politico-military purposes should come before regulating conflict, which indirectly legitimises the very existence of such conflict (4, 10). The emphasis is therefore on peacetime regulation rather than on the application of the law of armed conflict in cyberspace, which had nonetheless been agreed on in principle in the UN GGE 2013 report. This also fits Russia’s continued norm-building efforts with its SCO and BRICS partners towards an internationally binding UN convention on maintaining global information security, a goal the Russian negotiator openly acknowledges, with the caveat that it is a long road but one worth walking.

Besides, it was important to reiterate the principle that states should refrain “in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations”, as well as “non-intervention in the internal affairs of other States” (26). This clause, echoing clauses 1 and 3 of the SCO Code of Conduct, is for Russia one of the paramount principles of the application of international law to cyberspace. Equally, clauses 27 and 28 of the report, stating that state sovereignty and the international norms and principles flowing from sovereignty apply to the conduct by States of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory, echo clause 6 of the Code, which reaffirms the rights and responsibilities of all States, in accordance with the relevant norms and rules, regarding the legal protection of their information space and critical information infrastructure against damage resulting from threats, interference, attack and sabotage.

US sources specifically praised the agreement not to attack critical infrastructure, CERTs and CSIRTs, the duty of states to assist in investigating cyberattacks and cybercrime launched from their territory, and the other confidence and capacity building measures laid out in Sections IV and V of the Report. All of these reflect the official White House vision of the principles of behaviour in cyberspace, voiced in particular by Secretary of State John Kerry in Seoul in May 2015, apart from the one on the obligation not to “conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain”, most probably blocked by China.

Another stumbling block was reportedly Article 51 of the UN Charter, which preserves a state’s right of self-defence upon being attacked. It is closely related to clause 13(b), which requires a full investigation of any cyber incident before counteracting, and Russia did not want it singled out in the text of the Group report, arguing that it already falls under the UN Charter provisions applying to cyberspace. Besides, any special mention is arguably superfluous for the NATO countries, which have already extended Article 5 of the Washington Treaty to cyberspace.

Overall, the Group did not advance much on spelling out how “the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction” (28(d)) apply to cyberspace in wartime. That work was attempted in the Tallinn Manual (TM) on the International Law Applicable to Cyber Warfare and is currently being carried forward in Tallinn Manual 2.0, which covers the application of international law to situations below the “armed attack” threshold. The report does, however, point out the importance of “common understandings on how international law applies to State use of ICTs” (29).

It is remarkable, therefore, that cyber rules for peacetime and wartime are being elaborated by two different expert groups, the UN GGE and the Tallinn Manual teams, which do not seem to tap into each other’s work very much. The differing “umbrella” frameworks for these two closely related work streams sadly do not allow the potential synergy to be put to use.

Finally, the sections on confidence building (IV) and capacity building (V) signal the intention to take a big step forward in proactive cybersecurity and stability. The former draws inter alia on the work done by the OSCE in its initial set of confidence-building measures adopted in 2013 (a second set is being developed). The detail in which it is laid out in the UN GGE report suggests considerable optimism about the good will of UN member states to engage in mutual disclosure of threats and risks, vulnerability remediation, security awareness, and bridging the knowledge and skills divides. However, actual implementation is yet to be seen: if actively pursued as recommended at the bilateral or regional level, CERT/CSIRT cooperation and development alone would be a very positive step forward. At the same time, capacity building relies heavily on the private sector, and states will have to establish and/or promote a dynamic relationship with market leaders to implement the recommendations. Interestingly, the latter are increasingly reinforcing their policy staff with former employees of international bodies, which reflects the importance of this liaison.

An attempt to bring together states and business for capacity building in cyber was made on the sidelines of GCCS 2015, where the Global Forum on Cyber Expertise was launched. Its progress is worth following in the light of the UN GGE recommendations; however, it inevitably raises market competition issues, with emerging cyber nations running the risk that their cyber capacity is built, and monopolised, by a handful of big brands.

All in all, the UN GGE has done remarkable work, which could seem too good to be true when no love is lost even among the 20 participating nations. This makes the consensus reached all the more precious. But, as always, time will show its true value.