Cybersecurity & Tech

New U.N. Debate on Cybersecurity in the Context of International Security

Nele Achten
Monday, September 30, 2019, 8:00 AM

In 2018, the United Nations General Assembly voted to establish two separate groups to study international law and norms in relation to cyberspace. Resolution 73/27proposed by a number of countries, including Russia—created an open-ended working group (OEWG) on the subject.

A U.N. meeting room (Source: Flickr/Keith Burns)

Published by The Lawfare Institute
in Cooperation With

In 2018, the United Nations General Assembly voted to establish two separate groups to study international law and norms in relation to cyberspace. Resolution 73/27proposed by a number of countries, including Russia—created an open-ended working group (OEWG) on the subject. Another group of countries—including Australia, France, Germany, the United Kingdom and the United States—supported a resolution advocating continuing the debate within the framework of a group of governmental experts (GGE) reporting to the secretary-general.

A GGE on developments in the field of information and telecommunications in the context of international security has convened since 2004 and failed to produce a consensus report in 2017. The GGE has yet to convene this year, but the OEWG gathered for its first substantive meeting from Sept. 11 to Sept. 12. This is the first time that all U.N. member states were invited to discuss developments in information and communication technologies (ICTs) in the context of international security.

At first, it was not clear how the GGE and the OEWG would relate to one another. The different resolutions varied primarily on the scope of involvement of all U.N. member states. The GGE comprises experts from only 25 selected member states and includes two consultations with all member states. The OEWG, in contrast, involves the participation of all interested U.N. member states. Both groups address cyber norms, confidence-building measures and the question of how international law applies to cyberspace. The OEWG has a slightly broader mandate and also discusses existing and potential cyber threats, the establishment of a regular institutional dialogue and international concepts for securing global IT systems.

Here, I focus on the topic of international law applicable to cyberspace and cyber norms discussed during the first substantive meeting of the OEWG. Notably, even though the GGE and the OEWG were often described last year as mutually exclusive, the majority of countries voted in favor of both, and many countries that had voted against the establishment of an OEWG participated in its first substantive meeting last week—including Australia, France, the United Kingdom and the United States.

A recording of the OEWG session can be accessed here. Some states have submitted written statements, available here.

Background and Common Basis

Both U.N. dialogues are based on the substantive U.N. GGE reports from 2009/2010, 2012/2013 and 2014/2015. Most importantly, the 2012/2013 report confirmed that international law—in particular the U.N. Charter—is applicable to the ICT environment. The applicability of international law to the ICT environment was also confirmed by a number of delegations in oral statements during the substantive meeting of the OEWG last week (for example, by China, Czech Republic, Egypt, Japan, Mexico, Russia, Singapore and Switzerland). And some states confirmed the general applicability of international law to the ICT environment in their working papers submitted to the chair of the OEWG (in particular, Australia, Canada, China, Iran and UK).

In addition to international law, the 2014/2015 GGE report included a separate section on “norms, rules and principles for the responsible behavior of States.” During the first substantive meeting of the OEWG, the majority of state representatives confirmed that the 2014/2015 report should be the starting point for further discussions of cyber norms. The representatives highlighted the importance of developing a clearer understanding of these norms and how to implement them into their domestic systems. Overall, state representatives agreed that the applicability of existing international law to cyberspace and the implementation of the cyber norms agreed upon in 2015 are essential to sustaining international peace and security in cyberspace.

Applicability of International Humanitarian Law and the Right of Self-Defense

Nonetheless, some already existing disagreements became apparent again during the first substantive meeting of the OEWG. Most importantly, state representatives disagreed about the applicability of international humanitarian law (IHL). China, in particular, believes that further study is required about which international laws are applicable in cyberspace. Regarding the applicability of IHL, the Chinese representative argued that it is impossible to distinguish between civilian and military objects in cyberspace, comparing cyberattacks with nuclear weapons. He argued that some states believe in the controllability of cyberattacks but reiterated twice that “cyberwar cannot be won and must never be fought”—paraphrasing Ronald Reagan’s comment about nuclear war. The Chinese representative consequently argued that the protection of civilians in armed conflict is important but that it is even more important to prevent the armed conflict in the first place.

The Egyptian representative also expressed concerns that the debate within the OEWG should not focus excessively on the applicability of IHL and issues related to the right of self-defense. Some other states raised concerns about sanctions and public attributions as responses to malicious cyber activities. The Cuban representative argued that these measures would make cyberspace a “zone of conflict,” while the Chinese representative felt they would lead to great international instability. The Malaysian representative made the case that, rather than focusing on self-defense and public attribution, it is more important to identify mechanisms to prevent cyber conflict escalation.

Yet a number of countries—including the United States, Australia and Norway—explicitly opposed the view expressed by the Chinese representative. The United States argued that an agreement on the applicability of IHL and the right of self-defense would not invite further conflict but, instead, would remind states to comply with these ethical norms. The Australian representative agreed that cyberwars should not be fought but highlighted the importance of implementing IHL as a “plan B” if a cyber conflict rising to the threshold of an armed conflict cannot be prevented.

New International Cyber Convention

Another well-known disagreement concerns the need to establish a new international cyber convention. Some countries, including Iran, Russia and Syria, argued in favor of a new legally binding international agreement. The Syrian representative proposed that such an agreement could include the establishment of an institutional mechanism or permanent body to examine all relevant issues and threats regarding the use of ICTs in the context of international security. Iran suggested that the agreement could also incorporate legal rules and norms with the objective of ensuring that ICTs are not used for malicious purposes.

The Russian representative stated that the Kremlin does not want to change the existing international law but feels that it is necessary to adapt that law to cyberspace. Analogizing to the international law of the sea, he argued that it is possible to declare that international law is applicable and yet reach an additional international agreement.

The majority of representatives, however, expressed their desire to focus instead on the understanding and implementation of agreed-upon legal rules and norms applicable to the ICT environment. The Australian representative expressed her concerns that a new convention would cover only certain cherry-picked areas and that overall it would bring a lower level of protection against malicious cyber activities. A number of states, among them Canada and the Netherlands, explicitly articulated their belief that new instruments are not needed and that the existing norms are sufficient to guide states’ behavior in cyberspace. The U.S. representative recalled that international agreements can take years and that norms might develop into binding standards over time.

From Diverging Views to Common Interests

The meeting exposed not only the above disagreements but also potentially divergent views around human rights, social media content regulations and the development of offensive cyber capabilities. Beyond the applicability of IHL and the need for a new convention, state representatives avoided commenting on issues that are potentially not shared by the whole international community. The focus of the debate was clearly to identify areas that would be addressed in future discussions at the OEWG.

On Twitter, some state representatives and the chair of the OEWG described a positive and engaged atmosphere during the debates. To reach an agreement that goes beyond the mere reaffirmation that international law and norms are applicable to the ICT environment, it will be necessary to maintain sincere and constructive engagement among states. The “we are not starting from scratch” motto might have been a good approach for the first substantive meeting. It will now be necessary to identify concrete measures to preserve the positive aspects of ICTs. This requires the assessment of common interest and not focusing only on national interests. The representatives of the OEWG thus agreed that it is necessary to better understand the precise content of the existing norms and to identify best practices for their implementation.

Next Steps

The next meeting of the OEWG will take place at the beginning of February 2020 and will likely include another round of open discussions. At the end of this year, the GGE will begin its separate meetings—though the complementary role of both groups remains to be established. While the states that contributed most actively to the first session of the OEWG are also members of the GGE, it was refreshing to hear the views of some states that are not part of the smaller GGE. Their views could contribute to mitigation of long-established disagreements. As the Egyptian representative has expressed, at the very least the OEWG report will, it is hoped, record these disagreements and explain why they exist.

While there is hope that the OEWG will further the understanding and implementation of agreed norms, the precise scope of further debates has yet to be defined. Will the OEWG address only the behavior of states in cyberspace, or will it also examine the behavior of nonstate actors? Will it address issues related to emerging technologies? Will it contribute to the more technical work of international cybersecurity that is currently done by regional bodies? No doubt there will be disagreement, but the first substantive OEWG meeting also created hope that a debate about international cyber norms could make progress again in the near future.

Nele Achten is affiliated with the Berkman Klein Center for Internet and Society at Harvard University and a PhD candidate at the University of Exeter, where she focuses on the debate around cyber-specific due diligence obligations and assesses key normative questions relevant for the development of a normative framework that protects cyberspace as a safe and secure environment. Last year, Nele was visiting researcher at Harvard Law School and affiliated with the Cybersecurity Project at Harvard Kennedy School. She holds a LL.M. from the Geneva Academy of International Humanitarian Law and Human Rights and is qualified to practice law in Germany.

Subscribe to Lawfare