A few days later, the First Committee took up its discussions.(1) Izumi Nakamitsu, the United Nations High Representative for Disarmament Affairs(2) characterized “ the increasing malicious use of cyberspace” as a “frontier issue” and an “emerging military capabilit[y] . . . with potentially dangerous and destabilizing implications”.(3) She also noted that “Rapid advances in the civilian and military application of artificial intelligence should continue to give impetus for formal deliberations on lethal autonomous weapon systems”.(4)
The representative for the Association of Southeast Asian Nations (ASEAN)(5) reviewed “cooperation at the regional level to enhance . . . cybersecurity”.(6) The countries were coordinating efforts on “incident response” and building “computer emergency response team[s]”. ASEAN has established a “Ministerial Conference on Cybersecurity” and supported “the development of basic, operational and voluntary norms of behaviour to guide the use of information and communications technology . . . in a responsible manner [based on] . . . the norms set out in the 2015 report of the Group of Governmental Experts on Developments”.(7)
The representative of the Group of African States(8) stated that “International security has continued to deteriorate as the world faces immense challenges to peace and security, particularly the increased threat of terrorism.” As a result, the General Assembly needed to “address a number of multilateral disarmament and international security issues, including issues related to cyberspace and outer space activities.”(9) The representative of the Caribbean Community (CARICOM)(10) emphasized that “cybercrime and other dimensions of transboundary criminal activities continue to pose the most immediate and significant threats to the security of . . . [the Caribbean] region”.(11) The representative of Jamaica(12) called for increasing “global engagement” to deal with cybersecurity:
[W]e grapple with increasing cybersecurity threats and the multiple vulnerabilities they pose to cloud-based management platforms, critical infrastructure and the secure preservation of sensitive information. Therefore, it behoves us, as an international community, to . . . strengthen global engagement on cybersecurity issues.(13)
Israel(14) expressed regret that the Group of Governmental Experts had been unable to reach any consensus.(15) Support for continued work on cyber also was expressed by Vietnam.(16) Similar concern and regret was expressed by Australia:
We confirm our commitment to promoting an international stability framework for cyberspace, based on the application of existing international law, agreed-on voluntary norms of responsible State behaviour and confidence-building measures. It is regrettable that the 2016-2017 Group of Governmental Experts . . . could not reach a consensus.(17)
In its statement, the Netherlands(18) hinted at the major stumbling block that the Group of Governmental Experts had in reaching consensus in its work. “The failure of the Group of Governmental Experts to reach agreement, especially on how international law applies in cyberspace, is regrettable.”(19) The Netherlands expressed support for “the applicability of international law, including the Charter of the United Nations in its entirety” and it “welcome[d] . . . the development of additional norms of voluntary behavior.”(20) Indonesia expressed “concern . . . about the threat of cyberattacks and the militarization of cyberspace,” and stated that “creation of norms to prevent the Internet from being used as a medium for cyberattacks is quite important”.(21) The Egyptian representative did not discuss cyber weapons, but merely referenced cybersecurity.(22) Lebanon expressed concern that Internet infrastructure was becoming an attack point and that current international law was inadequate to manage global cybersecurity:
The Internet is now essentially civilian infrastructure and, as such, it should not be made a target of or medium for attacks. Existing international law, including international human rights law and international humanitarian law, provides solid but perhaps insufficient guidelines on the way forward.(23)
Italy expressed support for a) Development of “norms and principles of responsible State behavior in cyberspace”; b) promotion of confidence-building measures; c) “international cooperation” on cyber issues; and d) “capacity-building to improve cybersecurity and decrease the risk of disputes among States”.(24) Paraguay reported that it had “adopted a national cybersecurity plan . . . aimed at strengthening the security of its critical assets and achieving a secure, reliable and resilient cyberspace.”(25) Qatar expressed alarm at the rise of electronic warfare and encouraged further work by the Group of Governmental Experts:
Electronic information security and cybersecurity are major challenges . . . [E]lectronic warfare . . . is increasingly capable of disrupting relations among States and destroying infrastructures and modern lifestyles. . . . Qatar . . . express[es] its support for the . . . Group of Governmental Experts . . . [aimed at] enhancing international multilateral cooperation . . . to strengthen information security. . . . [Qatar supports] . . . dedicated international legislation and institutions for regulating . . . and . . . punishing those who commit cross-border electronic piracy ”.(26)
Japan expressed support for “other disarmament efforts . . . including cyberwarfare”.(27) The Government of Kenya did not specifically point out the failure of the Group of Governmental Experts to reach consensus in their report, but instead “appreciate[d] the efforts of the Group to reach consensus on . . . existing and potential threats posed by [cyber].” It noted the “misuse of information, communication and technology [by]
. . . terrorists and criminals . . . to plan terror attacks . . . radicalize . . . youth [and] . . . launder money.” It expressed support for “guiding policies, laws, training and other capacity-strengthening . . . for Member States.”(28)
The representative of of Finland(29) supported “[l]egislation, regulation and rules of the game” to manage “[s]cience and technology, the Internet, social media, space, cybertechnology and artificial intelligence” because of its effect on “international security and arms control”.(30) Finland also warned against the emergence of “hybrid threats”.(31)
The Republic of Korea viewed “[a]reas such as outer space security and cybersecurity [as places] . . . where the international community can still be more proactive” in spite of the “unfortunat[e]” set-back in the work of the Group of Governmental Experts.(32)
Georgia viewed cybersecurity within the contet of how “new technologies and artificial intelligence”(33) can damage control of nuclear weapons.(34) China complained indirectly that “all countries are equal as it pertains to the rules” for “cyberspace, outer space and artificial intelligence”.(35) The implication was that some nations, unmentioned, were applying legal standards unequally.
Trinidad and Tobago emphasized the use of cyber by criminals and its effect on “the illicit manufacture, transfer and circulation of illegal weapons, their parts, components and ammunitions”.(36) It referenced activities by the CARICOM Implementation Agency for Crime and Security in particular the 2016 Cyber Security and Cybercrime Action Plan. “[T]he modern information State, where everything from power plants to banking institutions are networked, has created a new battleground on which States and non-State actors can wage war.”(37) Portugal expressed support for application of “international humanitarian law and human rights in all disarmament and non-proliferation discussions and initiatives”.(38) It was concerned with “emerging threats [from] . . . armed drones, autonomous weapons, cyberspace and the militarization of outer space”.
Kazakhstan expressed similar concern regarding the arms control implications of “[a]dvances in 3D printing, cybersecurity, cyberweapons, artificial intelligence and fully autonomous weapons”.(39)
Turkey was “disappointed [that] . . . the fifth Group of Governmental Experts . . . ended its work without agreement”. The statement did not reference cyber arms control, but only a general concept of “[s]ecurity in cyberspace and outer space”.(40)
Singapore supported the position of the Association of Southeast Asian Nations (ASEAN), and said it was “unfortunate” that the Group of Governmental Experts had failed to reach a consensus. Singapore expressed a desire “to forge consensus on a set of global norms on cyberspace and enhance regional and international cooperation on cybersecurity [based on] . . . a rules-based cyberspace”.(41) Its government recently(42) had held a Singapore International Cyber Week to broaden understanding of cyber security issues.
Canada gave another clue as to why the Group of Governmental Experts had been unable to reach a consensus in its work. It noted that although the “2013 report(43) of the fourth session of the Group of Governmental Experts” had “affirmed that international law applies to States’ conduct in cyberspace . . . Canada did not appreciate the fact that during the 2016-2017 session . . . some States challenged the applicability of international law.” In diplomatic terms, this was somewhat harsh language, as it actually expressed disapproval of the actions of other States. But there was no indication of which States had caused the ire of Canada:
For Canada, the Charter of the United Nations, including . . . the right of self-defence under Article 51, remains the cornerstone of peace and security at the international level. The behaviour of all States in cyberspace, as elsewhere, should be governed by international law, including the Charter, current international humanitarian law, customary international law on State responsibility, especially counter-measures, and international human rights law.(44)
Jordan placed control of cyber within the context of confronting “terrorist groups that seek to use space”.(45)
Bulgaria gave its support to “development of international norms and principles for responsible behaviour in cyberspace”.(46) There was no mention of binding international law.
Pakistan specifically mentioned the threat of an “arms race in outer space” and the emergence of new threats to security from “chemical and biological terrorism, lethal autonomous weapons systems and cyberweapons”.(47)
The representative Estonia expressed “regret” that the Group of Governmental Experts had failed to reach a consensus, even though it had “been a productive working format” and in the past had managed to have “a number of [its] recommendations” endorsed by the General Assembly.”(48)
The International Committee of the Red Cross expressed alarm at the “challenges for international humanitarian law compliance raised by autonomous weapons and cybercapabilities”. The emergence of these new technologies as tools of war had “len[t] urgency to international debates on those new means of warfare”.(49)
After these general statements by participating member States, the Under Secretary-General and High Representative for Disarmament Affairs(50) gave a comprehensive overview of the challenges to arms control posed by emerging technologies.(51) Her statements reveal a deep and profound understanding of the dynamics of disarmament and arms control. She set the scene regarding dangerous developments in technology:
[B]y 2020 the number of people online will double to 4 billion, with . . . 30 billion devices connected to the Internet. . . . [T]he . . . WannaCry ransomware . . . affected about 200,000 systems in over 150 countries. . . . ICT-enabled critical infrastructure . . . from health-care facilities to power grids to nuclear facilities, is vulnerable to attack . . . [L]ethal autonomous weapon systems, cybersecurity issues, synthetic biology, UAVs and other new challenges [must be] borne by the international disarmament and non-proliferation machinery.
She then reviewed various problems being faced by the international community. a) “attribution and accountability . . . of cyberattacks and autonomous weapon systems” was not understood; b) “portability and commercial availability of . . . these innovations could increase . . . proliferation, including to non-State actors”; and c) many critical weapons systems “rel[y] on computer networks to function”. She predicted that cyber could have a negative on arms control and raise the risk of war:
[These technologies] “could . . . destabiliz[e] arms races [and] . . . lower the threshold for armed conflict due to perceptions of casualty-free warfare or because the accelerated pace and enhanced scale of conflict can lead to a failure of escalation control”.
She emphasized the need for policy to “conform to international humanitarian law and human rights law”.
The Under Secretary-General and High Representative for Disarmament Affairs Izumi then presented to the First Committee a series of six questions that framed the future of arms control work.(52) These questions bear careful consideration.
Nakamitsu's Six Questions
Do we have a sufficiently clear understanding of the ramifications of these new weapons, including their combined effects and how they might be used?
What is the scope of the governance or regulation required to ensure that they do not become destabilizing and that they are not used either for unintended purposes or in contravention of international law?
Is the current system fit for purpose, or should we consider new instruments and initiatives? What new confidence-building and transparency measures can we develop? Are we making proper use of all the tools at our disposal?
How can these technologies be governed without stifling innovation or inhibiting technology transfers that could be helpful to sustainable development?
What opportunities do these technologies present for our work? The benefits for verification stand out, but there are others, such as enhanced detection of the use of weapons of mass destruction (WMDs) and the ability to mark and trace conventional weapons.
Are we moving fast enough, and are we doing so in a way that addresses these challenges strategically and holistically?
Question 1 — Understanding the New Arms Race
Her first question was “Do we have a sufficiently clear understanding of the ramifications of these new weapons, including their combined effects and how they might be used?” From the debates and various regional meetings, there had emerged an alarming understanding of cyber weapons.(53) The understanding of these weapons was not so much based on knowing the technology of how they work, but rather was based on the effects they might have on society. Statement after statement had raised alarms about dangers to critical infrastructure. A few nations had gone into detail regarding which specific parts of infrastructure might be placed into danger.
Some had raised alarm about how cyber weapons might be used to disrupt the command and control or safety system of thermonuclear weapons, leading to unintentional conflict.
Other concerns were expressed by contrasting possible cyber damage against the new landscape of international computing that had been brought about in all spheres of society, including social media, logistics and distribution, control systems, and the basic informational infrastructure of societies. In general, there were two classes of possible damage—destruction or corruption of information, or tampering with information systems in a way that would have kinetic effects, such as causing airplanes to fall out of the sky.
On the other hand, for the most part, diplomats are not scientists or engineers, particularly software engineers. That type of work is left to the specialists and experts. As a result, the debates never indicated any appreciation of the technical nature of cyber weapons. Details of code, operating systems, microelectronics, and in general all of the paraphernalia of the cyber world never were mentioned. At first this might seem natural, after all, these are diplomatic conferences, concerned with emerging international law and regulation of the behavior of States. On the other hand, if one examines the discussions over the years of the First Committee as regards conventional weapons, biological systems, and of course nuclear weapons, the technical level of discussions was quite sophisticated. For example, in the creation of a regulatory set of arrangements for nuclear weapons and nuclear power, policy had been set as informed by a robust understanding of many engineering details, in particular the nature of the nuclear fuel cycle, and the technological challenges of creating nuclear weapons and their delivery systems. In general, the sophistication of discussions regarding nuclear weapons was far more advanced than that regarding the cyber world. We can only conclude that at a minimum two major changes in the work of the First Committee were needed. First, significantly greater study was needed regarding the nature of cyber weapons technologies, and the implications for policy making. Second, as many of the participating experts representing States in the First Committee had a background in the nuclear world, it was perhaps time for some States to consider changing out their personnel, or at least removing some of the entrenched nuclear bureaucracy and bringing in fresh blood more acquainted with the cyber world.(54)
Question 2 — Scope of Regulation
The second question was “What is the scope of the governance or regulation required to ensure that they do not become destabilizing and that they are not used either for unintended purposes or in contravention of international law?” Here, the Under Secretary-General was cutting directly to the nub of the matter. In the various debates, some countries such as China had openly expressed the desire for setting up a comprehensive legal and regulatory system to govern the international cyber world. In a sense, there is nothing wrong with this idea. It is an elementary notion that when a new and dangerous technology emerges, there is a need for some type of system of regulatory arrangements to govern its use. Such a system is necessary for the safety of everyone. Of course, there is a vast gap in legal philosophy between the Common Law system of regulation and that of the Roman Law heritage, as practiced primarily on Continental Europe. One system tends to set out general principles and then refine their application to specific situations as case law emerges over time. The second, attempts to define in the greatest possible detail all variations in advance, so as to set up a workable and well-functioning system from the very beginning. Neither system is superior to the other, but the approach is completely different. So this difference is the source of one gap of perceptions and political philosophy among the member States in the United Nations.
A second and more serious gap exists in the different traditions of Western capitalism, stemming from the inheritors of the Roman Empire, and those countries who were influenced by international Bolshevism and communism with its completely different views of the role of the State in shaping society. By this time, the Soviet Union no longer existed, but in Russia, as it had from the tenth century, there remained a strong sense of the centrality of State power over social and economic affairs. This theme of Russian political philosophy had conveniently merged with communism while Russia was under the influence of Marxism-Leninism, but had remained in the form of strong State centralization even after the fall of the Soviet Union. This State-centric philosophy was reflected in Russian national policies regarding Internet governance. Much Russian policy is defensive in nature.(55) In the cyber world, realizing the disadvantage of Russia in microelectronics and cyber in general, there was a fear of vulnerability of Russian cyber systems, and a pervasive fear of cyber espionage. All states have this fear, but in Russia it added to the side of the scales in favor of strong State regulation of cyberspace. It had been Russia that had initiated many of the earliest debates regarding the emergence of the cyber danger. This no doubt this was in response to a fear that the United States and the West in general was developing a qualitative superiority in this new arena of conflict. As a result, even though Russia had transitioned away from the communist political philosophy of Marxism-Leninism, it still may have been in favor of a stricter governance system over cyberspace than the United States.(56)
In a similar way, the other great power involved was China, which during this time(57) was enjoying the ephemeral power of being economically powerful and on its way up in the world. China’s response to the cyber world had been predictably in line with Marxist-Leninist thought, as carried out by the Communist Party of China. In this line of thinking, the State may regulate all aspects of human communication and thought. This is done so as to ensure the greatest good for all citizens and to reduce the threat of disruption or social conflict that might harm historical development. China within its borders had no notion of individual privacy, and in practice routinely violated its obligations regarding freedom of communication and individual expression, a basic human right.(58) As a result, China’s solutions to regulation of international cyberspace likely would be very different from any policy notion proposed by the United States and the West.
Up to this point in the discussions of the First Committee, a great emphasis had been placed on “non-binding” and “voluntary” norms of State behavior. There were at least two reasons for this. First, to a certain extent, the norms were experimental in nature. No one quite knew how they would work out in practice, or how they would evolve over time. Second, should they had been made binding in nature, then it is a substantial question as to how they would be enforced, or what the implications for a State would be should it fail to conform to the rules, or how disputes could be resolved should a State be accused of a violation, but denied its own culpability. At the same time, there were pressures from groups such as the International Committee of the Red Cross to ensure that international humanitarian law was made an essential part of the discussion. This is fine, but in practice, there was no definition in practice as to what exactly this meant. On the other hand, there was a giant Trojan Horse that had been introduced into the discussions. There appeared to be general agreement that the Charter of the United Nations was applicable to problems in cyber space, and that in general existing international law was applicable. But no one had worked out the details of what this meant. For example, as discussed earlier, by adhering to the United Nations Charter, States were obligated to have policies that respected a wide range of human rights.(59) But none of this seems to have been worked out clearly.(60) So with this question, the Under Secretary-General was getting to the heart of the source of uncertainty found in the deliberations of the First Committee.
Question 3 — Defining Policy Tools
The third question was “Is the current system fit for purpose, or should we consider new instruments and initiatives? What new confidence-building and transparency measures can we develop? Are we making proper use of all the tools at our disposal?” Here the Under Secretary-General perhaps was pointing to a way forward for the First Committee. That is, instead of continuing to focus on areas such as regulation where strong divergences of opinion had emerged, the Committee could eat around the roots of the problem by looking at smaller steps in international cooperation that might eventually lead to more significant and comprehensive progress in other areas, including the development of international law. The discussions already had made clear that much work could be done in the setting up of systems of international coordination between the CERT organizations of different States so that it might be easier to mitigate the damage from a fast developing cyber emergency spanning international boundaries. There were many such measures being considered. So the Under Secretary-General was hinting that further work should continue in this area. In general, this should be a non-controversial idea. On the other hand, from the point of view of “free market” countries such as the United States, with its inherent distrust of overpowering governmental power, it never is clear that government-led international coordination always is the best or most efficient means of solving a problem. The Internet had grown up in most cases without strong governmental intervention.(61) In the same way, there already was in place a sophisticated system of coordination for security and software patching that did not rely on government participation (or its money). “If it ain’t broke, don’t fix it” is a mantra in the computer world. Why get government involved in a system that already was working efficiently? There is a fear that the more government gets involved, the more cumbersome, difficult, slow-moving, inflexible, and ultimately in-effective an Internet government mechanism might become. The world’s Internet community is nowhere close to solving this issue, and in 2017 this question could not be answered clearly. Nevertheless, the Under Secretary-General was correct in suggesting that still there was much study remaining for the First Committee to do in this area. Finally, there was a hint that yet other policy tools might be discovered. In this connection, there is nothing that would prevent the First Committee from working on development of solutions that might be operated almost entirely by the private sector in some parts of the world. It was too early to give up on the effort. The overall idea is that much further consideration was needed in order to discover the possibilities on the horizon.
Question 4 — Innovation & Development
The fourth question was “How can these technologies be governed without stifling innovation or inhibiting technology transfers that could be helpful to sustainable development?” Here the Under Secretary-General was echoing one of the standard policy considerations of free market capitalism in the West, particularly in the United States. The general idea was that if the Internet and its supporting applications architecture was placed under too much government regulation, then innovation would slow down, or stop altogether. This theme in political economy comes from the heritage of the “free market”, which in essence leaves the development of technology and innovation to an unplanned process, driven primarily by the emergence of opportunities in the marketplace, and a Darwinian type of natural selection of the best ideas and enterprises. To the extent that government interferes in this process, it is seen as inhibiting the development of new ideas. For the international community, there was a sense that it would not be good public policy to have a cabal of nations dictate Internet governance or ICT policies for the world. The information revolution was recognized as being responsible for advances in efficiency, and a blossoming of new opportunities worldwide. For example, the growing penetration of universal Internet access to the world’s population, including persons in developing countries, had the potential to improve the economic opportunities and lives of millions or even billions of persons. One often touted advantage was seen in the rise of free open course-ware and open education that was being accessed through the Internet from students around the world, in almost every discipline, including hard sciences. These courses, many given by some of the world’s greatest educational institutions out of reach financially for all but a tiny sliver of the world’s elite population, were becoming available through the Internet, thus completely changing prospects for the future.
On the other hand, it is possible to interpret these policy prescriptions in a different way. Instead of representing a caution against taking of public policies that might stifle innovation, instead they were merely an expression of a desire for private interests, not elected government representatives, to set policy. Many of the innovative microelectronic and Internet-based technologies and applications were in the hands of private interests, and these were considered to be important property rights, worth thousands of billions of dollars. Consequently any public policy movement that might inhibit the flexibility of the private sector in exploiting its innovation would be discouraged. There are positive arguments in favor of the private sector. The great accumulation of wealth under capitalism had powered wave after wave of innovation, primarily because there was enough capital being accumulated to maintain a steady flow of investment in innovation. Nevertheless, supporters of State-centric development of cyberspace pointed out that there was no guarantee that leaving the development of the cyber world completely in the hands of private enterprise necessarily would procure the greatest good for the greatest number of persons. Apart from issues regarding the democratization of cyber technologies and access to cyberspace, there were other inherent problems in this logic. It is likely there was a false logic in the assumption that private enterprise left in a completely unregulated environment was the source of such dynamic innovation. Where was the logic in that?
An explanation of the revolution in microelectronics and cyber technologies that completely left out the role of government hardly was credible. It would ignore the subsidies for Research & Development, and the massive amount of funds that have flowed into the aerospace and cyber sectors. To give only a single of many examples, it was the National Security Agency (NSA) of the United States that had funded much of the initial work on development of supercomputers, large-scale integration of microprocessors, encryption, and database innovation.
In addition, there are ample examples of stunning technology developments that could only have taken place under the direct guidance of government-led industrial policy. These include the development of nuclear power, fighter aircraft, satellite systems, space travel, missile technology, and the almost incredible amount of focused technology it takes to process today’s SIGNIT.(62) On the infrastructure side, large electrification programs(63), and the highway transportation system generally is the result of government intervention in the market place. It is completely unlikely that in the absence of substantial government innovation in these sectors that private enterprise in itself would have developed these innovations.
In other nations, such as Russia, China, and much of Europe, the role of government is accepted as being the driving force in high technology innovation. Consequently, this again sets the stage for a philosophical divide over the role of government in regulating cyberspace.
A second prong of the Under Secretary-General’s question touches upon technology transfer of cyber-based technologies from developed to developing countries. She placed this discussion within the politically acceptable context of “sustainable development”. Here, the theme of the discussion revolves around the emergence of Internet-of-Things (IoT) technologies that were being developed to aid in monitoring the environment, and in many other sectors of the economy. There was a concern that government regulation might inhibit the spread of the useful and beneficial aspects of cyber technologies. This should be seen within the context of the lengthy discussions regarding “capacity-building” that were part and parcel of the work of the First Committee. From the point of view of cyber stability and cyber security, the concern is that any emerging public policy should not inhibit the export of technologies that nations may use to protect themselves against cyber attack. These “defensive technologies” in cyberspace should not be inhibited in their sales and global distribution.(64)
Question 5 — Range of Action for First Committee
The fifth question was focused on getting a closer definition of what opportunities there were for the First Committee to take action to encourage cyber stability and a reduction in the threat of cyber war: “What opportunities do these technologies present for our work? The benefits for verification stand out, but there are others, such as enhanced detection of the use of weapons of mass destruction (WMDs) and the ability to mark and trace conventional weapons”. Here the Under Secretary-General was suggesting three possible types of action that might be taken by the First Committee: a) Verification; b) Detection of cyber attacks; and c) “Marking and tracing” the proliferation of cyber weapons. Verification is a multifaceted concept. Within the context of arms control, verification means keeping track of whether or not the corresponding party is doing what it promised. In this context, verification becomes an issue only after an agreement has been signed.
Within the complex ambiguity of cyberspace, verification has a second meaning. Verification becomes part of the attribution problem. This function of verification goes with the second action “detection of cyber attacks”. In order for the international community to act in the event of a cyber emergency, there must be in place a mechanism that will determine the source of a cyber attack. This is a difficult and not well understood problem. For example, it is possible on occasion to identify the source of malicious code causing a disturbance. The cyber-forensic expert looks in the code for signs of the creator. By keeping track of all malicious code, it may be possible to define a set of “fingerprints” for different code originators. Often, hackers will sign their code.(65) But in the same way that signatures might be forged, likewise it is possible to introduce code into a piece of malware that leads to an attribution of the code to the wrong party. This is why the principle of verification is so crucial to the attribution of a cyber attack. Without knowing the source of a cyber attack, it is not possible to take any concrete action in the Security Council. The concept of “detection of cyber attacks” is another challenge for the international community. There is in place, already, a working system of coordination and information sharing between CERTS and vendors of information technology. The effect of this coordination is an informal but highly effective system for discovering the emergence of a cyber emergency, and rapidly making adjustments to combat the effects of the malware so as to mitigate the resulting damage. This system has grown up over time, and evolved with the spread of the Internet. It is definitely not the result of central planning of any type. For the most part, it is not the result of government policy. This system is the “poster boy” example of a type of cyber innovation that some believe would be placed into danger should the heavy hand of government planning (and restriction) gain a controlling advantage in the evolution of control systems for cyberspace. Yet there are in place a number of international warning systems that have been built up over time and along the same line of evolution as the informal nature of Internet governance. For example, the Tsunami Warning System (TWS) operates in the Pacific Ocean region. It links together efforts of twenty-six participating member States.(66) The operational center is located near Honolulu, Hawaii. The United Nations has facilitated development of a global tsunami warning system.
The UN-coordinated . . . global system [is] . . . comprised [of] regional warning centres in the Indian, Atlantic and Pacific oceans, and the Caribbean seas [and] . . . has about 60 standard deep-ocean tsunami detectors that provide data, freely shared among nations, for forecasting tsunami impacts. . . . [There are] multiple regional tsunami service centres providing warning products to all nations [including] . . . three regional centres in the Indian Ocean: (i) Australia, (ii) India and (iii) Indonesia.(67)
It is possible that the Under Secretary-General had in mind the creation of a UN-coordinated system that could give advance warning of a global cyber emergency. This is one of many possibilities that might be undertaken by the United Nations. To set up such a system for providing advance warning in the cyberspace, it would of necessity involve the linking together of efforts in government, the private sector, and probably in academia. There is a stark difference between “coordination” of such a system, and the operation and control of such a system. Here, if the United Nations were to engage in coordination of different parties for combating a cyber emergency, then we can expect that the private sector, academic and other elements of civil society would be involved. If this were the case, then it is unlikely that this “government interference” in the free market for development of technology would have a deleterious effect on innovation. In contrast, it would require the extensive involvement of commercial enterprise because it is commercial entities that would need to supply the technology to design, provision, and make operational such an entity. There is no record yet of any discussion in the First Committee concerning these issues and the potential of technology to create an early warning system for a cyber emergency.
Question 6 — Speed of Deliberation
The sixth and final question posed by the Under Secretary-General dealt with how aggressive and proactive the First Committee was being in addressing the problem of cyber war and the threat of the proliferation of cyber weapons: “Are we moving fast enough, and are we doing so in a way that addresses these challenges strategically and holistically?” The general question concerns the dynamics of the race between technological change and the ability of government to develop workable public policy to mitigate potential untoward consequences. Perhaps in posing the question there is a sense that the First Committee was moving too slow, but this is a matter of interpretation of what otherwise is a neutral statement of concern. History has shown that arms control negotiations move at approximately the same rate that glaciers melt, thus there is little to be done about this, and no need for further discussion of this concern.
(1)UN Document A/C.1/72/PV.1 (28 Sept 2017)
(2)Izumi Nakamitsu, Under Secretary-General and High Representative for Disarmament Affairs
(3)UN Document A/C.1/72/PV.2 (2 Oct 2017) p. 5
(5)Members are: Brunei Darussalam, Cambodia, Indonesia, the Lao People’s Democratic Republic, Malaysia, Myanmar, the Philippines, Singapore, Viet Nam and Thailand. Statement of Virachai Plasai of Thailand.
(6)Ibid, p. 9–10 (7)Ibid, p. 10 (8)Bande of Nigeria. (9)Ibid, p. 10
(10)Pennelope Althea Beckles,
(11)Ibid, p. 13
(12)E. Courtenay Rattray
(13)UN Document A/C.1/72/PV.3 (3 Oct 2017), p. 7 (14)Represented by Alon Roth-Snir
(15)Ibid, p. 12
(16)Statement of Nguyen Phuong Nga, Ambassador Extraordinary and Plenipotentiary of Vietnam, UN Document A/C.1/72/PV.3 (3 Oct 2017) p. 23
(17)Statement of Gillian Bird of Australia at Ibid, p. 19 (emphasis added)
(18)Statement of Robbert Jan Gabri ̈else, the Netherlands Permanent Representative to the Conference on Disarmament.
(19)Ibid, p.21 (emphasis added)
(21)Statement of Dian Triansyah Djani, Ambassador Extraordinary and Plenipotentiary
of Indonesia, UN Document A/C.1/72/PV.4 (4 Oct 2017), p. 8 (emphasis added) (22)See statement of Bassem Yehia Hassan Kassem Hassan of Egypt, Ibid, p. 11 (“Cybersecurity has become a vital field affecting all aspects of daily life and the safety and
stability of the strategic facilities and infrastructure of every State.”)
(23)Statement of Nawaf Salam of Lebanon, Ibid, p. 12
(24)See statement of Vinicio Mati, Minister Plenipotentiary, Permanent Representative of
Italy to the Conference on Disarmament, Ibid, p. 15
(25)See statement of Julio C ́esar Arriola Ram ́ırez, Ambassador Extraordinary and Plenipotentiary of Paraguay, Ibid, p. 17
(26)See statement of Bakri Al-Khalifa, League of Arab States, Ibid, p. 24
(27)See statement of Nobushige Takamizawa, Delegation of Japan to the Disarmament
Conference, Ibid, p. 27
(28)See statement of Koki Muli Grignon of Kenya at p. 23, UN Document A/C.1/72/PV.5
(5 Oct 2017)
(30)UN Document A/C.1/72/PV.5 (5 Oct 2017), p. 20
(31)These were not defined. Ibid
(32)See statement of Tae-yul Cho, UN Document A/C.1/72/PV.6 (6 Oct 2017), p. 3 (33)See statement of Kaha Imnadze, UN Document A/C.1/72/PV.6 (6 Oct 2017), p. 5;
see also Olivia Paschal, Challenges for security and stability in the Black Sea region, quoting the Ambassador, published online by The Whitney and Betty MacMillan Center for International and Area Studies at Yale, March 15, 2017; https://macmillan.yale. edu/news/challenges-security-and-stability-black-sea-region
(34)This problem has become the subject of concern a number of times in the deliberations of the First Committee. Sri Lanka expressed a similar concern. The “command and control” of nuclear weapons could be threatened by cyberattacks. This could lead to their “accidental, mistaken or unauthorized use”. See statement of Amrith Rohan Perera, UN Document A/C.1/72/PV.6 (6 Oct 2017), p. 9
(35)See statement of Qun Wang, UN Document A/C.1/72/PV.6 (6 Oct 2017), p. 8
(36)See statement of Pennelope Althea Beckles at p. 23, UN Document A/C.1/72/PV.6 (6 Oct 2017)
(38)See statement of Cristina Maria Cerqueira Pucarinho of Portugal at UN Document A/C.1/72/PV.7 (9 Oct 2017), p. 7
(39)See statement of Yerbolat Sembayevv, UN Document A/C.1/72/PV.7 (9 Oct 2017), p. 12
(40)See statement of Rauf Alp Denkta ̧s, First Counselor, Turkish Mission to the United Nations, Elected 2017 Vice Chair of the Disarmament Commission, UN Document A/C.1/72/PV.7 (9 Oct 2017), p. 1
(41)See statement of John Khoo Wei’en UN Document A/C.1/72/PV.7 (9 Oct 2017), p. 15
(43)See UN Document A/68/98
(44)See statement of Rosemary McCarney, UN Document A/C.1/72/PV.7 (9 Oct 2017),
(45)See statement of Mr. Manitah, UN Document A/C.1/72/PV.7 (9 Oct 2017), p. 25 (46)See statement of Georgi Velikov Panayotov, UN Document A/C.1/72/PV.7 (9 Oct
2017), p. 26
(47)See statement of Farukh Amil, UN Document A/C.1/72/PV.8 (10 Oct 2017), p. 13
(48)See statement of Merle Lust, UN Document A/C.1/72/PV.8 (10 Oct 2017), pp. 25–
6; see also Merle Lust, Building up the radiation protection infrastructure in Estonia, International Nuclear Information System 55, 24 February 1995
(49)See statement of Kathleen Lawand, of the Arms Unit of the International Committee of the Red Cross at UN Document A/C1/72/PV.9 (10 Oct 2017), p. 7
(50)Izumi Nakamitsu, Under Secretary-General and High Representative for Disarmament Affairs
(51)UN Document A/C1/72/PV.10 (11 Oct 2017), p. 2; Note: The summary of her very detailed and comprehensive statement here is condensed to focus on ICT and cyber weapons. For details of other technologies (drones; biotechnology, etc.) please consult the original statement.
(52) See Table 1 on Page 5.
(53)The Under Secretary-General was speaking of several classes of new weapons, including cyber, artificial intelligence, drones, and others, but the one theme they all had in common was a strong nexus with information technology. The discussion below is placed within the context of cyber weapons, the threat of cyber war, and the spectre of a cyber arms race.
(54)The same might be said of the current arms control establishment.
(55)Looking Russian history, it is easy to appreciate there is good reason for this.
(56)We will never know until real negotiations get underway.
(57)c.2000–c.2017, before the harsh effects of the policies of the Trump administration
in its desire to address the unequal trade balance between China and the United States resulted in a downward spiral in the Chinese economy.
(58)This is not criticism of Chinese policy, merely a description. Governing China always has been extremely difficult, and there never has been a tradition of liberal democracy. The Government of China does not need back seat drivers on the outside giving it advice on how to run Chinese society. It is perfectly capable of making its own decisions.
(59)Through Article 53 of the Charter, which refers to “purposes” of the United Nations.
(60)One hypothesis regarding the failure of the Group of Governmental Experts to reach a consensus is that some States were pushing for more regulation of cyberspace than was acceptable to the liberal democracies. But another is that countries such as China did not wish to accept that their cyber practices were already in violation of their obligations regarding human rights under the United Nations Charter.
(61)Some of the original technology was developed by DARPA.
(62)It is said that the greatest concentration of mathematicians and computers on the entire earth is located in Ft. Meade, Maryland, home of the NSA.
(63)In the United States the Tennessee Valley Authority
(64)Unfortunately, it is difficult to separate defensive cyber technologies from use of the same technology in cyber weapons development.
(65)Recent (2019) analysis of highly effective Chinese code has discovered messages such as “Fuck AV Software” embedded in various places in the malware code, including places where it is very likely to be discovered. This is a type of hacker signaling. The term “Fuck AV Software” is slang or colloquial English with the approximate meaning of “See that I have been able to break through the Anti-Virus software that you thought was protecting you.” It is a type of “in-your-face” boasting, and it also serves a dual purpose of being a type of intimidation.
(66)The Tsunami Warning System (TWS) monitors the seismological and tidal stations spread across the Pacific basis. It has technology that evaluates the potential of any earthquake to generate a tsunami (“tsunamigenic earthquake”). It is a system to disseminate tsunami warning information, hopefully working in time to save lives and mitigate property damage.
(67)The Pacific Tsunami Warning Center (PTWC). See Eddie Bernard & Vasily Titov, Evolution of tsunami warning systems and products, 373 Philosophical Transactions of the Royal Society, 7–8, 1–14, 2015