Continued Discussions in the First Committee (Disarmament)
Discussions in the First Committee (Disarmamant) of the United Nations during 2017. Cyber stability and the Cyber arms race.
As discussions continued, various representatives expressed different vectors of concern regarding developments in cyberspace and the emerging dangers to the international community. One major area of concern was how cyber attacks against weapons systems could lead to disaster. The Secretary-General of the Conference on Disarmament focused on the “heightened risks of cyberattacks on nuclear facilities”. Sweden’s Ambassador for Disarmament(1) focused on how disruptions “by unauthorized actors such as rogue military units, terrorists and cyberattackers” could lead to “failures of, and false reports by, early-warning systems” and “the possibility of early-warning data being misinterpreted” so as to “lead to intentional but erroneous launches” [of nuclear weapons]. There was also a risk of “technical failure or operator error”.(2) The statement by Sweden was a laundry list of things that can go wrong in the control of nuclear weapons. Of particular importance was the notion that cyber attacks could lead to malfunctions in the warning and control systems of nuclear weapons, thus raising the possibility of a nuclear explosion. The Swedish view was that nuclear weapon systems already are dangerous enough, but cyber terrorism can make them even more so. Similar concerns were expressed by Costa Rica as regards “nuclear weapons that are in a high state of alert” and at “risk of cyberattacks”.(3) The representative of Austria expressed the concern that cyberattacks “related to nuclear weapons” had “further increased” the “risk of nuclear war actually occurring”.(4)
Similar concerns were expressed regarding how cyber attacks might destabilize systems operating in outer space. The Director of the United Nations Office for Outer Space Affairs (UNOOSA) expressed concern that cybersecurity was becoming more risky for “the broader application of space operations” while at the same time there was an “increased strategic value of space [that has] . . . increased the need to enhance the safety of space operations and the security of space assets and systems”.(5) This concern was echoed by the representative of the Satellite Industry Association speaking for commercial satellite operators.(6)
The representative of Belarus emphasized the need for identification of “possible legal gaps” that would help constrain the threat of “development of scientific and technological progress”. Emerging threats included a) cyberweapons; b) lethal autonomous weapon systems; c) the weaponization of artificial intelligence; d) the danger of WMDs “falling into the hands of terrorist groups; e) robotics; f) “improved means of delivery” [of nuclear weapons] and g) “the growing role of non-State actors”.(7) Germany expressed concerns regarding yet another cyber vulnerability. A cyber attack might harm the “security of radioactive sources in civilian use”. This refers to applications such as the sources for X-Rays found in medical facilities.(8)
Mexico also was in favor of the First Committee taking up further the problem of cybersecurity.(9)
Review by Chairman of Group of Governmental Experts
Making the comments to the First Committee could not have been easy for the Chairman.(10) After all, it was a report on failure. After all of the work and investment of time, there was no report to show for it. It had been two years. Nothing. The Chairman of the Group of Governmental Experts started by emphasizing the continued relevance of the work on cyber. There were “increases in incidents involving the malicious use of ICT by States, non-State actors and actors acting as proxies, as well as the spread of malicious ICT capabilities”. These events were “incompatible with the maintenance of international peace and security and in violation of international law”.(11) There was danger of a major international cyber emergency that would span entire regions of the world. “[M]alicious ICT activity . . . could disrupt or impair the general functionality of global ICT systems”.(12) The “security of data, including its confidentiality, integrity, availability, accessibility and authenticity” all could be destroyed. Cyber could be used “by States to interfere in the internal affairs of other States” and also could be used “for terrorist and other criminal purposes”.
In spite of the lack of consensus on a final report, the Chairman was able to report positively on “very helpful observations on how to take forward the non-binding norms, rules and principles for the responsible behaviour of States [that had been] presented in the 2015 report” of the Group of Governmental Experts.(13) A number of the recommendations were still valid and likely to go forward: a) “[N]ational structures, policies, processes and cooperation mechanisms necessary to facilitate responses to serious ICT incidents” would be studied further and in some cases set up between States; b) Work would continue on the “[d]eploy[ment of] incident assessment templates”;(14) c) States would continue to “[e]stablish procedures for official notification [to each other in case of a] . . . cyber incident”; and d) More work would be done to “[s]et up procedures for States to request and provide assistance” to each other in case of a cyber emergency. There was no discussion that reviewed the progress being made in these various areas, or even any providing of examples of projects or activities that had worked. Consequently, it is difficult to know if the Chairman was speaking primarily of events or activities that might take place in the indefinite future, or of events already underway.
Concerns remained regarding “how to prevent the proliferation of malicious ICT tools and techniques” and “how to prevent non-State actors from conducting malicious ICT activities”. In addition, the debates continued to return to the problem of “harmful hidden functions” within the cyber supply chain.(15)
There was a brief discussion of confidence-building measures.(16) In many cases, the use of confidence-building measures relies on the consulting and advisory capabilities of the United Nations Secretariat. The Chairman also touched upon capacity-building.(17) There also was emphasis placed on Sustainable Development Goals.
The source of the problem that destroyed the ability of the Group of Governmental Experts to reach a consensus interpretation on “how international law applies to the use of ICT by States” and what “conclusions [could] . . . be drawn that might lead to “recommendations for future work”. The Chairman described frantic efforts made to obtain consensus once it was clear a potential divergence of national views was emerging. The High Representative for Disarmament Affairs was called in to “explor[e] . . . ways to retain the many good elements that the experts had identified in their work. The Chairman “suggested an extraordinary informal GGE(18) meeting” and confirmed that the “majority of experts” in the Group would be able to perform additional work. This effort was rejected by some States. In spite of this bump in the road, the Chairman continued to stress the central role of the United Nations in development of public policy for cyberspace:
Each and every Member State has a stake in cyberstability, just as each will be weakened by an ICT environment that is not open, secure, stable, accessible and peaceful. There is a need to retain the progress made, to continue discussions in the United Nations and to increase transparency and inclusivity. Global issues such as the use of ICT in the context of international security require a global understanding of the threat situation and of ways to address and mitigate such threats, including the applicable rules. Such a global understanding must be pursued in the United Nations.(19)
There was some thought that using the Group of Governmental Experts approach might not be the best way forward. Although the work could “continue as before”, there was no “perfect track record”. There were concerns about using an organization “consisting of 25 experts was helpful or whether [it was] . . . too large to allow for [effective](20) . . . exchange and interaction [or was] . . . too small to be representative of the wider United Nations”.(21) Going forward, if the mechanism of a Group of Governmental Experts was not to be used, then what were the alternatives? A number of options were touched upon, but only briefly. These included a) Forming an open-ended working group; b) Setting up a Subcommittee of the First Committee to focus on “the use of ICT in the context of international peace and security”; c) Taking the matter to the Conference on Disarmament; d) Moving the issue to the Disarmament Commission; or e) Convening a conference of interested States.(22) In retrospect, it is most unfortunate that the Chairman(23) did not go into detail regarding the causes of failure of the Group of Governmental Experts to reach a consensus. We know from various statements that there was a lack of consensus relating to the applicability of international law. In more than one instance it was reported that some States, not identified, had refused to recognize the applicability of international law to problems in cyberspace. If we divide the group of States into two camps, one the Western liberal democracies and the other the inheritors of Marxism-Leninism, it is possible to see how either side possibly could become the source of the obstruction to reaching a consensus.
For the Western liberal democracies, the resistance would have come as they bristled under the prospect that an international system of binding rules of behavior would be set up that would rely on an international body such as the United Nations to establish laws to be observed in cyberspace. At the heart of this discussion was the idea that too many rules would “reduce innovation”, but likely the essential source of the rejection is simply concerns about loss of sovereignty, and possible loss of control over technology and cyberspace itself. For example, a binding set of international rules administered by an international organization might severely curtail the effective power of the private sector. On the other hand, it is just as feasible that the States with a heritage of Marxism-Leninism and strong centralized governance by the nation State might have objected to the idea that the International Covenants respecting Human rights and freedom of expression and communication also were binding on their State behavior, including what happened within their sovereignty through Article 53 of the United Nations Charter. They might have been facing the prospect of losing their rather restrictive control over the Internet and its content in exchange for more binding international obligations. Either scenario or even both are feasible as explanatory paths to understand the source of the blockage.(24)
Movement of Non-Aligned Countries
The Non-Aligned Countries expressed a unique perspective on the challenge caused by the threat of cyber conflict. The representative of Indonesia spoke on behalf of the Movement of Non-Aligned Countries (NAM). The Movement called for more work by the First Committee in the area of cyber.
The development of a legal framework . . . should be pursued within the United Nations, with the active and equal participation of all States. The . . . use of [cyber] . . . technologies [should be] . . . in accordance with the purposes and principles of the Charter of the United Nations; international law, especially the principles of sovereignty and non-interference in internal affairs, and internationally known rules of peaceful coexistence among States. NAM stresses the central role of the United Nations in developments in the field of information and telecommunications in the context of international security.(25)
Much of the statement focused on making sure that the Non-Aligned Countries had a seat at the table in any negotiations on cyberspace. The representative called for discussions to be “transparent and inclusive [for] . . . participation . . . on an equal footing”. In particular, Indonesia was in favor of establishing “an open-ended working group of the General Assembly” to work on cyber issues. There was no definition of what “open ended” meant in practice, but from the context it is clear that such a group would be like in contradistinction to the Group of Governmental Experts which was considerably limited in number. There was no sense in the representative’s statement that the Chairman’s concerns regarding the size of any group working on cyber issues might have an effect on its basic efficiency.(26) In addition, since the Movement of Non-Aligned Countries was being represented in this statement, there may be a hint that at some point the organization might play a role in the nomination process for participants in the open ended group.(27)
It was emphasized that if discussions on cyber were to continue at the United Nations, it would require “transparency and the strict application of the principle of equitable geographical representation, particularly with regard to the composition of groups of governmental experts”. Indonesia also introduced a draft resolution that pressed multilateralism as the preferred path for arms control negotiations.(28)
[I]n the globalization era and with the information revolution, arms regulation, non-proliferation and disarmament problems are more than ever the concern of all countries in the world . . . [There is a] need to advance further in the field of arms regulation, non-proliferation and disarmament on the basis of universal, multilateral, non-discriminatory and transparent negotiations . . . [yet there has been a] continuous erosion of multilateralism in the field of arms regulation, non-proliferation and disarmament . . . multilateralism [is] . . . the core principle in resolving disarmament and non-proliferation concerns.(29)
Another important theme in the statement concerned what were termed “discriminatory practices and policies that hinder access by developing countries to the benefits of information and communication technologies”. Although these policies were not spelled out, they might include the strict enforcement of intellectual property rules, or the use of export controls that have as their objective the throttling of exports of militarily dual-use technologies. The representative also appears to have condemned the type of freedom of expression found on social media. They noted “with concern cases of the illegal use of new information and communications technologies, including in social networks, to the detriment of States members of the Movement, and expresses its strongest rejection of those violations”. There was no example given of these allegedly illegal uses of social networks. It likely refers to the use by anti-government protesters who rely on social media for organization of their protests. Even though it is a basic human right, in many States, public dissent is illegal.
There also was a fear that cyberspace could be used “to endanger international peace and security”. It was envisaged that as a system of international rules was put in place, it should emerge as being fully in accordance with the purposes and principles of the Charter of the United Nations; international law, especially the principles of sovereignty and non-interference in internal affairs, and internationally known rules of peaceful coexistence among States. These statements were generally in accordance with the historical traditions of the Movement.
It also was recognized that cyber technologies were important for socioeconomic development, and consequently nothing should stand in the way of its global diffusion.
The representative of Bangladesh emphasized the advantages of cyber technologies, and acknowledged the “useful work done by the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security”.(30) It was “look[ing] forward to constructive ways to overcome and move beyond the setback that the Group’s work faced during its most recent session”. It expressed support for the draft decision that had been circulated by Russia, China and a number of developing countries, but one that did not have the co-sponsorship of the United States or any of its Western allies.(31) The objective of the draft decision was to continue consideration of cyber issues at the next (seventy-third) session of the General Assembly.(32) Bangladesh also “recognize[d] the critical importance of promoting normative behaviour and international cooperation to ensure information security, including through appropriate transparency and confidence-building measures”.
This in effect was stating agreement with the recommendations of the previous Report by the Group of Governmental Experts. It also warned of a “proliferation of non-State actors trying to take advantage of cyberwarfare or an arms race”.(33) It also expressed support for the draft resolution on the general role of science and technology in disarmament.(34) The resolution would call for “Member States . . . to make disarmament-related technologies available to interested States”.(35) In addition it called for setting up another panel of experts “from diverse fields in science and technology, including industry . . . to meet for 5 days each in 2018 and 2019 . . . to assess current developments in science and technology and their potential impact on international security and disarmament efforts”.(36) Bangladesh also supported a draft resolution submitted by Indonesia that called for “the international community to devote part of the resources made available by the implementation of disarmament and arms limitation agreements to economic and social development”.(37) It also supported a draft resolution, again submitted by Indonesia that tied disarmament and arms control to the environment and Sustainable Development.(38)
It is difficult to assess how these resolutions could possibly apply to control of the cyber arms race, particularly the draft resolution on the environment. If human resources development was considered to be part of the general concept of development, then the spreading of cyber defense technologies to countries in the developing world would certainly require extensive levels of training. There is nothing inherently wrong with these draft resolutions, or the ideas they purport to suggest, yet they do have the effect of driving the First Committee further away from arms control and into the area of environmental issues, economic development, and the general concept of the Sustainable Development Goals. This is probably counter-productive for the overall arms control effort. Bangladesh supported also the draft resolution from Indonesia on the promotion of multilateralism.(39)
The representative of Iran(40) expressed support for the statement of Indonesia representing the Movement of Non-Aligned Countries.(41) Iran was not in favor of export controls in cyberspace. It emphasized the “sovereign rights of all States, including the right to the development, acquisition, use, import and export of, and access to, ICTs and the related know-how, means and services without any restriction or discrimination”. It criticized the work of the Group of Governmental Experts and argued that its activities had not been inclusive enough. A “common understanding” on “ICT security . . . cannot emerge or be adequately promoted merely through the work of a group of governmental experts”. It called for an “open-ended working group . . . to prepare the ground for developing an international strategy” for cyber security. It accepted “as a general principle [that] international law is applicable . . . to the use of ICTs . . . by States.” It also expressed support for application of a) the purposes and principles of the Charter of the United Nations; b) the settlement of international disputes by peaceful means; c) the prohibition of the threat or use of force in any manner inconsistent with the purposes of the United Nations; and d) the prohibition of intervention and interference in the internal affairs of States. Iran also expressed sensitivity to issues involving social media and freedom of expression and communication. It stated that “the right to the freedom of expression should be fully respected [but] . . . that right should in no case be exercised contrary to . . . national laws and the principles of the protection of national security, public order, . . . or morals and decency”. This expression of policy is one of government control over personal expression and communication. Iran also called for “States [to] . . . refrain . . . from the . . . development and use of information weapons.”(42) Included in this prescription was the use of “transboundary dissemination of information . . . in contravention of . . . the national legislation of targeted countries”. This in effect was a call for international regulation that would force States to prevent the transmission from their territory of information considered illegal by another country. Iran was particularly concerned with actions that “undermine or . . . destabilize the political, economic or social systems of other States or . . . erode their cultural, moral, ethical or religious values.” To prohibit any information that would “undermine” the political system is the same as universal censorship of political opinion that disagrees with public policy. Although couched in diplomatically gentle terms, these ideas were in direct contravention of the United Nations’s basic principles of human rights.(43)
Group of Arab States
Algeria expressed support for the statements by the Movement of Non-Aligned Countries and the Group of Arab States.(44) It was noted that cyber “offer[s] opportunities for social and economic development”. Nevertheless, the “non-peaceful [use] . . . by terrorists and criminal groups represents a real threat to international peace and security”. Although there was a need for “strengthening international coordination . . . to prevent . . . use [of] ICT for criminal purposes . . . concerns about the dual use of such cutting-edge technologies must not hinder the transfer of ICT to States that need them, especially developing States”. There was a pressing need for a “unified strategy to fight transnational digital crime”. Another concern was centered on “lethal autonomous weapons systems [which] pose ethical, humanitarian and legal challenges”. Finally, it noted that “artificial intelligence [makes] . . . possible catastrophic consequences”,(45) and it noted that the Review Conference on the Convention on the Prohibition of Certain Conventional Weapons [had] . . . established an open-ended Group of Governmental Experts to address” the issue. This was another hint at the growing support for an “open-ended” approach to setting global cyber policy. The failure of the Group of Governmental Experts to reach a consensus was “unfortunate”. Yemen expressed a general concern about the use of cyber “against the interests of States in the political, military, economic and scientific fields”. It called for more international cooperation and maintaining a “central role” for the United Nations in this area.(46)
Association of South East Asian Nations
The Association of Southeast Asian Nations(47) (ASEAN) was represented by Singapore.(48) The representative stressed the “huge potential for growth” of the “digital economy”, but warned of the dangers of “cyberthreats and cyberattacks”. He reviewed ASEAN’s “regional capacity-building measures” including a) the ASEAN Computer Emergency Response Team Incident Drill; b) ASEAN Ministerial Conference on Cybersecurity; c) ASEAN Defence Ministers’ Meeting-Plus Experts’ Working Group on Cybersecurity; and d) ASEAN Regional Forum Inter-Sessional Meeting on Security of and in the Use of Information and Communication Technologies.(49) The ASEAN countries supported “adoption of basic, operational and voluntary norms of behaviour to guide the use of” cyber technologies.(50) Strong support was expressed for the role of the United Nations in these efforts:
ASEAN is [making] ...efforts ...on a set of global norms on cyberspace and to enhance regional and international cooperation [for] . . . cybersecurity. . . . [T]he United Nations should continue to play a central role in . . . cybersecurity and . . . facilitate a more inclusive and open process to address emerging cybersecurity threats. . . . ASEAN supports moving forward discussions on the adoption of basic, operational and voluntary norms of behaviour to guide the use of information and communication technologies (ICTs).(51)
Strong support also was expressed for capacity-building “for cooperation among Computer Emergency Response Teams”, sharing of information, “and the need to enhance training and technical support in cybersecurity cooperation”. The representative also emphasized the role of the private sector:
The large percentage of cyberinfrastructure, resources and expertise in the hands of the private sector necessitates the private sector’s involvement in our discussions.(52)
The representative of the European Union(53) expressed support for a) strategic frameworks for conflict prevention, cooperation and stability in cyberspace; b) application of existing international law, particularly the Charter of the United Nations in its entirety; c) development and implementation of universal norms of responsible State behaviour; and d) regional confidence-building measures between States.(54)
The international legal principles supported by the European Union included: a) sovereign equality; b) non-intervention in the internal affairs of other States; c) the obligation to settle international disputes by peaceful means in a manner such that international peace, security and justice are not endangered; d) the right to respond, including by non-forcible countermeasures, to internationally wrongful acts committed through the use of ICTs; e) the obligation to refrain in international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations; f) respect for human rights and fundamental freedoms; g) the inherent right to self-defence; and h) international humanitarian law, including the principles of precaution, humanity, necessity, proportionality and distinction.(55)
The European Union also recognized the norms that had been identified in previous reports from the Group of Governmental Experts. These included: a) States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts emanating from their territory; b) States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; c) States should take appropriate measures to protect their critical infrastructure from ICT threats; and d) States should guarantee full respect for human rights, including privacy and freedom of expression.
Support was expressed for “regional confidence-building measures”. In addition, various capacity-building measures supported included a) assisting third countries in responding to [cyber] threats; b) increasing law-enforcement capabilities to investigate and prosecute cybercrime; c) developing domestic policies or legislation; d) protecting infrastructure; e) increasing provisions for training; and f) upholding the rule of law and respect for human rights in cyberspace. The European Union recently had “adopted a framework for a joint EU diplomatic response to malicious cyberactivities”:
[R]estrictive measures aim to bring about a change in policy or activity by the target country, government, entity or individual concerned in line with the objectives set out in the Council decision. Such measures can include, inter alia, travel bans, arms embargos, freezing funds or economic resources. . . . A Member State that is the victim of malicious cyber activity that constitutes an internationally wrongful act may, under certain conditions, lawfully resort to non-forcible and proportionate countermeasures. These countermeasures constitute actions directed at another State that is responsible for the internationally wrongful act, which would otherwise violate an obligation owed to that State.(56)
It was noted(57) that various “measures within the Common Foreign and Security Policy,(58) including restrictive measures, can be used to prevent and respond to malicious cyberactivities”. It is interesting that the measures in the framework “aim to protect the integrity and security of the EU, its member States and their citizens, encourage cooperation, facilitate mitigation of threats and influence the behaviour of potential aggressors, both State and non-State actors”.(59) These policies of the European Union specifically sanction a defensive response to a cyber attack. As it would turn out, international recognition of the right of States to take defensive actions in reponse to a cyber attack would emerge as a major line of disagreement between Europe and China.
The representative of the Netherlands attempted to put the best face on the failure of the Group of Governmental Experts to reach any consensus.(60) It noted that “the lack of consensus . . . of the Group of Governmental Experts does not in any way diminish the foundations on which the convocation of the most recent iteration of the Group was based”.(61) It emphasized the importance of international law in management of global cyber issues:
[I]nternational law, in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment. . . . [I]nternational law . . . provides a legal framework for interaction among States no matter whether that interaction takes place on land, on the high seas, in the air or in cyberspace itself.(62)
The representative of the Netherlands then gave what might be hints regarding where points of disagreement had been responsible for the lack of consensus by the Group of Governmental Experts:
[T]he Group of Governmental Experts could have provided guidance on the application of the inherent right of self-defence[;] . . . how the law of State responsibility applies to the use of ICT by States; [application of] international humanitarian law . . . to the use of ICT in the context of an armed conflict, including the principles of precaution, necessity, proportionality, distinction and humanity [and] . . . obligations under international human rights law.(63)
Still it is not possible to discern which side of the debate the Western liberal democracies or the Marxist-Leninist heritage States would object to. Agreeing to being bound by human rights obligations might be objectionable to the latter, depending on the interpretation. The international regulation under international law of international cyber conflict might be a step too far for the Western liberal democracies, including the United States, who still were in the process of assessing the emerging domain of cyberspace. The practical sense of the issue is that States are unwilling to make binding international agreements without fully understanding their implications, and cyberspace at the time was too undefined to fully appreciate the ramifications of any binding rule. The Netherlands nevertheless supported the decision to place the same issues before the next General Assembly.
The representative of Finland(64) pointed out that the 2013 report from the Group of Governmental Experts had “affirmed that international law, in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment”.(65) Two years later, the 2015 report of the Group of Governmental Experts had confirmed that “the Charter applies in its entirety to the uses of ICT”.(66) She expressed “regrets that consensus was not within reach” in the Group of Governmental Experts.(67) Finland was of the view that “international humanitarian law” was applicable to cyberspace because “cybermeans are already being used in armed conflicts”.(68) In addition, Finland’s view was that the United Nations Charter’s “provisions on the use of force provide a sufficient basis for addressing any security threat” in the cyber area.(69) She also discussed “standards for what States should do at the national level and how they should cooperate with each other . . . in protecting critical infrastructure, ensuring the integrity of the supply chain or preventing the proliferation of malicious ICT tools and techniques, and in sharing information.”
In addition, States have an “obligation not to knowingly allow their territory to be used for [cyber] activities that may cause significant harm to other States”. Reference was made to the confidence-building measures that had been adopted by the Organization for Security and Cooperation in Europe.(70) The representative of Finland seemed to suggest a hierarchy of legal principles and State behaviors that would aid in achieving a type of stability in global cyberspace. At the core of the mechanism was the foundation in international law that had been developed since the 15th Century. The United Nations Charter was an expression of that, because it was a treaty. Yet its core principle was setting up a system of arrangements that would guarantee international peace and security, e.g., keep nations from going to war with each other, or mitigating as much as possible any conflict that broke out.
Next, the norms of State behavior were voluntary and non-binding because they were not entrenched in an international treaty. Their basis was compulsion of a political nature. Many of these norms already were operating. Consequently, their recognition was merely a codification of what already was happening. Nevertheless, codification of these practices had the potential to spread their influence, as other States not currently involved in those types of activities and behaviors then would integrate them into their policies. At this point, the current beneficial practices would be allowed to spread. Finally, it was recognized that adoption of useful State behavior in cyberspace for many States would require extensive training, education, and investment in infrastructure. This investment is the final “ring” of activity, and is of crucial importance, particularly in developing countries.(71)
The representative of Estonia(72) supported the policy statement from the observer of the European Union (EU),(73) and expressed strong support for “freedom of expression on the Internet”.(74) Estonia said it was “unfortunate” that the Group of Governmental Experts had failed to issue a 2017 report, and “could not make any further progress in analysing how international law applies to the use of information and communication technologies (ICT)”.(75) It then listed four areas that the Group of Governmental Experts had been unable to resolve in regards to how international law applies to the use of information and communication technologies (ICT). These were a) the principle of due diligence; b) adoption of non-forcible countermeasures in case of a cyber-attack; c) the right to self-defence in cyberspace; and d) the application of international humanitarian law.
The issue of due diligence refers to the role a State might have in assisting in the identification of the source of a cyber attack. We can speculate that problems might occur in defining the boundaries and responsibilities of the State vis-a-vis the private sector of other parties involved in operation of the world’s cyber infrastructure. In the United States, for example, it is difficult to imagine the Federal Government requiring any binding cooperation from the private sector in computer security.(76) The same may be true elsewhere. On the other hand, if there were a private sector or civil society entity placed in charge of conducting due diligence, then how would it come to be bound by an international agreement? Enabling legislation is required for this purpose, but any legislation that makes binding international obligations on private entities within the United States is problematical. The private sector abhors government control. There are two possible reasons why the Group of Governmental Experts would have problems reaching agreement in this area. First, it could be that there is a fundamental objection to having any international obligation to due diligence.(77) A second vector could be that although there was an effort to proceed in examining due diligence on the part of States, in practice it is too complicated, or requires too much specificity from State-to-State. This would be the case if the variability of Internet governance and maintenance between States were so great as to make it impossible to come to an agreement on a way to do due diligence that would be universally applicable. A large variability in the basic conditions of governance from one state to another if severe would make it impossible to work a universally applicable international agreement. Another explanatory alternative is that some States simply were not eager to commit to any obligations regarding due diligence.(78)
The representative also pointed to problems in rules regarding the “adoption of non-forcible countermeasures in case of a cyber-attack”. Here, the term “non-forcible” means “non-kinetic”. As we have seen, the European Union has worked out a number of counter-measures that might be taken in case of a cyber emergency, assuming it is possible to satisfactorily identify the source of the cyberattack. Perhaps this difficulty in the Group of Governmental Experts arose as a result of an attempt to elevate an international level the European consensus regarding non-kinetic countermeasures to that would be applicable to all states. To do this would have been a significant advancement in development of public policy, but it was stopped.
We must assume that the members of the European Union had an interest in having their system of countermeasures recognized internationally and adopted as a standard for operations worldwide. Consequently, any opposition must have come from either the United States, or from the Marxist-Leninist derivative States. On the part of the United States, a reasonable guess as to the source of push-back would be the notion that the United States was unwilling to “tie its hands” in the formulation of responses to a cyber attack. This could be because a) some of the proposed measures are incompatible with US law; b) the adoption of such countermeasures would in effect limit the applicability of other responses deemed to be necessary by the United States; or c) There was a concern that by agreeing to the use of non-kinetic responses to a cyber attack, it was either ruling out the use of a kinetic response, or was making the eventual use of a kinetic response dependent upon having attempted with no success all of the possible non-kinetic remedies. We must assume that the United States wished to maintain the option of responding with a 100% kinetic response to a cyber attack. To agree to this would have been a case of “disarmament by stealth”.(79)
If the opposition did not come from the United States, then it came from the Marxist-Leninist derivative States. Since in particular Russia often is a target of international sanctions, it is easy to imagine that there would be opposition to agreement on yet another set of possibilities for the West to impose sanctions against Russia. In general, since Russia is a Permanent member of the United Nations Security Council, it has the power to use the veto to prevent any sanctions being put against it by the United Nations. All sanctions that have been placed against Russia have been done outside of this context. Consequently, agreement on a formalized system of non-kinetic measures would be an example of Russia unilaterally giving up its veto power over the use of sanctions that might well be put in place against it. The same reasoning would have been present in China. There may be other explanations regarding why this particular line of discussion came to an end without resolution. After all, States are unlikely to unilaterally negotiate away their flexibility for movement in the future.(80) The notion of “right to self-defence in cyberspace” also gets at the heart of national sovereignty. One of the major problems in reaching agreement (consensus) here is that the United Nations Charter already has
Article 51(81) which clearly expresses the right of self-defense. There is a substantial debate regarding whether the language “if an armed attack occurs”(82) rules out any type of response to a cyber attack, since it might have no kinetic effect. In that line of thinking, then these discussions may have been aiming at revision of Article 51. Any diplomat knows that making changes in the United Nations Charter are more or less impossible. It would take years and it would “open up a can of worms”(83) leading quickly to a complete stalemate. The analysis of the Resolutions of the Security Council under Article 39 shows conclusively that it already has the authority to act on a cyber emergency. Consequently, the precise definition of the term “armed attack” in Article 51 may not be necessary to revive. Nevertheless, under a strict interpretation of the current rules, a State is not empowered by Article 51 to launch a kinetic military attack in response to a cyber-only attack. At the same time, if the level of cyber emergency became great enough, the matter without any change in the Charter could be taken up by the Security Council. As a result, the focus of these discussions were on how to formalize State behavior in cases of a non-kinetic cyber attack that was not of such severity as to rise to the level of damage that it would be taken up by the Security Council. It might have been argued that this is a subject that best might remain outside the purview of the United Nations, at least for the time-being. Voices arguing for caution always predominate when faced with uncertainty.
Discussions regarding the application of humanitarian law to cyber conflicts also were unable to reach a consensus. Humanitarian law is crucially important, but its application is dependent upon knowing the nature of the situation upon which it might be applied.
Since the Group of Governmental Experts was unable to define cyber emergencies or cyber war or other legal aspects of cyber conflict, it is easy to see how discussions regarding application of humanitarian law would flounder. That is, without any clear system of understanding regarding the permissible responses to a cyber attack, it certainly is impossible then to define how humanitarian law would be attached. In spite of these problems, the representative stressed “that significant progress was made . . . concerning new threats, confidence-building measures, capacity-building and norms of responsible behaviour”.(84) Estonia expressed support for “the establishment of a strategic framework for conflict prevention and stability in cyberspace that is based on international law, in particular the Charter of the United Nations, the development and implementation of universal norms of responsible State behaviour, as well as regional confidence-building measures and capacity-building”.
The representative of France aligned with the statement made by “the observer of the European Union”,(85) and emphasized the “rapidly changing world [in which] . . . civilian and military uses of cyberspace are increasing”(86) but there is “a proliferation of digital threats”. He emphasized that in the French view, “existing international law, especially the Charter of the United Nations in its totality and international humanitarian law, applies to cyberspace”.(87) The French representative then discussed the right of self-defense, and specifically stated that it was not necessary for an attack to be an armed attack to qualify for self-defense under Article 51 of the United Nations Charter:
Every State therefore is obliged to resolve disputes through cooperation and negotiation, without that negating its right to take the proportionate and necessary technical measures to neutralize the effects of a cyberattack launched against it, in accordance with its obligations under international law . . . [A] major cyberattack could constitute an armed attack under Article 51 of the Charter, and would therefore open up the possibility of the attacked State’s invoking its right to legitimate self-defence.(88)
The Government of France was stating its view of international policy, but it was not policy that had been agreed upon through any international negotiation. It was merely an interpretation of current international law. There was no settled law on the interpretation of Article 51. The fact remained that to interpret a cyber attack as being an “armed” attack under that Article is a re-interpretation of the plain language of the Charter. It is completely clear that when the Article was drafted in San Francisco in 1945, its meaning referred to “arms” as being guns, bombs, and other weapons used during the Great War and the Second World War. There was no cyber at the time, and it was impossible that “armed attack” possibly could refer to a cyber attack. At the time, such an event was not even contemplated in science fiction. As a consequence, the only way in which the interpretation of Article 51(89) could be extended in this way is by the emerging practice of States over time.(90)
The concept of “proportionate and necessary technical measures” that the French representative argued were a “right” of States were not defined. For example, if these measures were taken completely within the jurisdiction and national sovereignty, then there could be no question under international law that their use would be questionable, or that these measures would be exercise of a national “right”. Since the representative of France was discussing these measures as a “right”, then it follows he must have been referring to actions in cyberspace to be conducted in self-defense by a State but that would have an effect outside of its jurisdiction. For example, if a foreign-owned satellite was traversing in orbit around the earth, but emitting dangerous and disruptive signals aimed at disturbing the cyber infrastructure of a State, then there would be a “right” to shoot down or otherwise disable the satellite, even though the location of the satellite is outside of the national jurisdiction of the State activating self-defense. Consequently, the representative of France was arguing for a comprehensive right of self-defense to a cyber emergency, even if such defensive counter-measures would have an effect outside of the national jurisdiction of the State being defended. It should be noted that since the representative brought up both the right to take measures as well as the interpretation of Article 51, he left open the option for the use of a kinetic response under Article 51 in response to a cyber attack.(91) This is not stated clearly, but is implied. Nevertheless, the importance of the French statement is the assertion of a right of cyber self-defense, within the context of the broadening of the interpretation of Article 51.
Of particular concern is the insight the French representative gave into the inner-working of the Group of Governmental Experts. This is important because there never was any report on the details of why it had been impossible to reach consensus. France stated that certain “agreements were reached before discussions stalled”.(92)
These concerned a) export controls to combat proliferation of cyber weapons; and b) stronger prohibition on non-State actors “carrying out offensive activities in cyberspace”.
An initial benchmark for regulating the international trade in offensive cybertools was established in 2013 by including intrusion software in the dual-use list of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.(93)
Although the Wassenaar Arrangement constantly is updated, it is not a universal agreement. After all, two of the States at which it is aimed are Permanent Members of the United Nations Security Council. The arrangement is not a formal treaty, but a type of semi-formal agreement between selected States.(94)
The essence of the Arrangement is to prevent proliferation. This means that the inclusion of spying software into the export control list in the Arrangement is one of the earliest forms of active cyber arms control. The Wassenaar Arrangement is very useful for understanding the type of detail and specificity needed to control the export of commercially manufactured cyber weapons. First the dual-use tools (technologies) must be identified, then evaluated to determine their potential for abuse or adverse use. The specific vendors and their products that fit into the category must be identified, and in case of ambiguity in matching the prohibited category to specific products must be worked through.
From the beginning of its discussions, the Wassenaar group had problems with how to regulate dual-use technology. As one participant in the exercise stated:
“The code that is a weapon in one context, is a method of diagnostics and cyber defense in another. It was impossible to take out cyber weapons without crippling defense capabilities. In addition, much work in tracking down bugs is done on a collaborative basis involving parties dispersed across the globe. Laws on proliferation might make exchange of such code illegal because transferring across national boundaries samples of malware from one collaborative analysis center to another might violate export control agreements.”(95)
The level of specificity in the Arrangement is consistent with the legal traditions of the European Union. There are, however, limitations to this approach. First, it is not universal in scope. Many countries are not included. Second, it covers only known and identifiable dual-use technologies that are commercially manufactured. Consequently, it does not include non-commercial products, or those that are made by informal hackers, criminals, terrorists or others. It also does not include any technology that is made specifically by a nation state for the purpose of building offensive cyber capability. It does, however, provide a glimpse or sketch of how a comprehensive arms control framework might operate. An additional factor is that that French representatives noted the “legitimate interests of cybersecurity businesses and academia”.(96) There was no discussion of how these interests would be taken into consideration, and how matters would be handled in case of a disagreement. The Final Declaration establishing the Arrangement included national representatives, but no participation from academia or the private commercial sector.(97) There is, however, an outreach program operated by the Secretariat.
The Wassenaar Arrangement also conducts outreach dialogue with individual countries and from time to time may undertake bilateral outreach visits . . . The . . . Secretariat interacts on a regular basis with a variety of international and regional organisations . . . Other activities to raise awareness . . . include seminars, workshops and participation in international conferences in various parts of the world which often include representatives from industry and academia, as well as governments.(98)
From the available documentation, there does not appear to be any specific mechanism for including feedback or active consultation with either private industry or academia.(99)
A second report of agreement concerned the prevention of “non-State actors from carrying out offensive activities in cyberspace, on their own behalf or on behalf of others”.(100) In much normal parlance regarding international relations, the term “non-State actor” refers to terrorist or criminal groups engaging in attacks against nation states. But here, the French representative was speaking about limiting the conduct of the private sector from engaging in defensive actions.
The goal is to prevent companies from retaliating autonomously under the pretext of defending themselves from cyberattacks and potentially causing damage on the territory of another State, which could spark uncontrolled escalation.(101)
Here, the objective was to solidify the principle of nation State supremacy in all instances involving international cyber disturbances. The prohibition implies that when a corporation was subjected to a cyber attack originating outside of the jurisdiction in which it resided, it would be prevented from acting “autonomously”. This means that companies would be required to engage in consultation with a governmental party before taking any action. One problem with this idea is timing. There are plenty of instances in which in order to be effective, the response to a cyber attack or intrusion must be instantaneous, otherwise it will be impossible to mitigate significant damage. A second problem is that in many cases, there is a need for private corporations to keep the existence of cyber attacks completely private so as to avoid any untoward reputation effect in the market for its securities. For example, any bank is extremely reluctant to discuss in public any aspects of its security, particularly instances of failures in security. So the rule suggested by France would cut out this option for private enterprises. The language also hints that if non-State actors (corporations) take defensive measures by themselves, then it is under a “pretext”. The term “pretext” implies that the reason is made-up or not completely valid. Whether or not a defensive action is valid depends on the question of attribution for the cyber attack. It is true that a corporation may have no better idea than a government regarding the true origin of a cyber attack. The reverse also is true. That is, there is no guarantee that a government will know anything more about the origins of a cyber attack than will a private company. There also is the issue of how to handle a situation in which the private enterprise and government disagree.(102)
The key term in the statement is “retaliating”. This means that what is being banned is not all defensive actions of a cyber nature, but only actions that reach out and touch the originator of the cyber attack. There is a note that such a response could potentially cause an effect on the territory of another State. In a narrow sense, the French representative does not rule out retaliation against a perpetrator if they are located in the same jurisdiction. The representative also expresses concern regarding escalation of the conflict. This is mere speculation, and there is no specification regarding who would be involved in the escalation. Presumably the representative is referring to an instance in which a cyber war breaks out between two companies, but then the nation States get involved in conducting counter-attacks on behalf of their home corporations. For the United States, this type of scenario is impossible to contemplate. The U.S. government is incapable of providing cyber security to the private sector, or even to itself. The idea that NSA’s Cyber Command would respond as a matter or legal obligation to an attack against a U.S. corporation is fanciful at best.
On the other hand, in China, almost all, if not all of the major multinational enterprises are owned by the Government of China and operated by the Communist Party. There, it is more realistic for the government to respond to an attack on what actually are government interests. So in terms of being a regulation against the private sector engaging in defensive cyberwarfare, the regulation is problematical for private sector interests of the Western liberal capitalist democracies. From the point of view of a Chinese parastatal company,(103) the prohibition would place limitations on the government if it were acting on behalf of a parastatal corporation, but since the interests are the same, the practical effect of the rule would be to give a unilateral advantage to the parastatal corporation. This is because unlike in the Western liberal democracies, there is much closer coordination between the government and the company. Western companies would face barriers, Chinese parastatals would not. In light of this glaring inconsistency, it is not surprising that it was not possible to reach complete agreement. In this connection, it is astonishing that the representative of France is reporting there was consensus. Assuming that there was some type of general agreement, it merely suggests that the representatives in the Group of Governmental Experts were easily willing to assume the automatic supremacy of government response in the realm of cyberspace. Nevertheless, it is an indication that the Experts were searching for different approaches to prevent escalation of cyber conflict.(104)
The representative of Germany focused on “some of the arguments on issues that seem to have contributed to our not having agreed a report by the Group of Governmental Experts”.(105) He touched upon the areas where it appears there was the most disagreement. In his view, the term “cyberspace” is a “metaphor” that is “misleading”. He noted that it was crucial to focus on the effects of a cyber disturbance and the applicability of international law.
If a State agent . . . were to carry out a cyberoperation in another State – for example, to stop an electricity plant in order to disable machinery or to bring down financial markets – that would not happen somewhere in cyberspace. It would happen on the territory, and in the jurisdiction of, the two countries involved. It would affect the bilateral relations between those two countries. And those relations are governed by international law.(106)
A second issue concerned “lawful countermeasures”. Discussion on this issue had been clouded by the problem of attribution. In Germany’s view, attribution “is not cyber-specific at all”.
Under general international law, as laid out by the International Law Commission, a State can be held responsible for an action that constitutes a breach of an international obligation and is attributable to that State. It is attributable if it is actually carried out by a State organ or person exercising elements of governmental authority. . . . [T]he issue of attribution of a certain conduct to a State is not new at all. International law indeed provides the necessary criteria.(107)
In addition, the representative of Germany found that “key provisions of the Charter of the United Nations – namely, Article 2, paragraph 4, on the prohibition of the use of force, and Article 51, on the right to self-defence – are applicable to cyberoperations”.(108)
[W]e can of course imagine cyberoperations being carried out by one State against another that cause as much damage as the deployment of more classical means of force. Why should digital operations somehow be miraculously exempt from the general prohibition on using force if they cause the same damage?(109)
A similar statement was made regarding the right of Self-Defense under Article 51 of the Charter.
The same line of argument also applies to Article 51, in principle. Again, First Committee experts have no difficulty imagining cyberoperations by one State against another that could be as grave as a classical armed attack. Again, though, I would ask why we should privilege a cyberoperation that in scale and effect rises to that level by exempting it from the application of Article 51. Can we deny the right to self-defence to a State targeted by such a cyberoperation?(110)
These statements stand out in their clarity of thought. It is unfortunate that the representative was unable to go into more detail regarding the nature of the reservations or uncertainty on the part of other States.
The representative of Austria(111) speaking also on behalf of Hungary expressed alignment with the “statement delivered by the observer of the European Union”.(112) Failure of the Group of Governmental Experts to reach consensus was “regretable”. It was of the view that the work should be continued so as to “be the basis of our work to strengthen stability and security in an open and peaceful Internet, where human rights and fundamental freedoms are respected”.(113) He noted that because there was a “lack of a consensus . . . among the members of the” Group of Governmental Experts, it was “more urgent” for work to continue on the confidence-building measures that had been adopted by the Organization for Security and Cooperation in Europe (OSCE). These measures were adopted in 2016.(114) These confidence-building measures for the most part are agreements on exchange of different types of information. Types of information for sharing include a) “national views on . . . national and transnational threats”;(115) b) measures . . . to ensure an open, interoperable, secure, and reliable Internet”;(116) c) exchange of best practices;(117) d) “information on capacity-building regarding security of and in the use of ICTs, including effective responses to related threats”;(118) e) information regarding “national organization; strategies; policies and programmes — including on co-operation between the public and the private sector”(119); f) “list of national terminology related to security of and in the use of ICTs accompanied by an explanation or definition of each term”(120); and g) “reporting of vulnerabilities affecting the security of and in the use of ICTs”.(121) The capacity-building measures also encourage a large number of briefings and meetings between countries to practice responses to emergencies and to exchange other information. In that connection, Austria was participating in the Organization for Security and Cooperation in Europe (OSCE) Informal Working Group on Cybersecurity.(122)
Austria had “a steadfast commitment to applying existing international law — including, inter alia, the Charter of the United Nations and the International Covenant on Civil and Political Rights — to the cyber context”.(123) The representative encouraged further development of “a normative framework for responsible State behaviour in cyberspace”.(124)
The representative of Switzerland(125) viewed the failure of the Group of Governmental Experts to reach a consensus on the application of international law to cyberspace a “setback”.(126) In the Swiss view, an “open, free, accessible and stable” cyberspace can be achieved through “implementation of international law, voluntary norms, rules and principles of responsible State behaviour, confidence-building measures and capacity-building”.(127) She noted that the Group of Governmental Experts had “made significant progress with regard to . . . existing and emerging threats, the norms, rules and principles for responsible State behaviour, confidence-building measures and capacity-building”.(128)
Switzerland is concerned about the hesitation of certain States to recognize the crucial role of international law in promoting a peaceful and cooperative approach to cybersecurity. . . . existing international law applies in cyberspace. Cyberspace is not a new sphere of activity that is void of norms and rules. International law sets the legal framework for State action and therefore applies to State use of information and communication technology. States must comply with their obligations under the Charter of the United Nations and other provisions of international law everywhere, including in cyberspace. Switzerland believes that the Charter of the United Nations fully applies to all State action in cyberspace and therefore prescribes the prohibition of the use of force, the peaceful settlement of disputes, the principle of due diligence, respect for human rights and fundamental freedoms, both online and offline, and the inherent right of States to act in self-defence in response to an armed attack. Furthermore, States must comply with their obligations under international humanitarian law, including the principles of precaution, distinction, proportionality, necessity and humanity.(129)
Switzerland called for the United Nations to continue its work on cyber issues and increase the “involvement of the relevant non-State actors, such as those from the private sector or civil society”.(130) It also noted that the Group of 20 and Group of Seven had made statements in favor of the conclusions of previous reports of the Group of Governmental Experts.
The Three Superpowers
The representative of the United States described “international cyberstability” as being “a climate in which all States can enjoy the benefits of cyberspace, all have incentives to cooperate and avoid conflict, and all have good reason not to disrupt or attack one another”.(131) In spite of the lack of consensus from the current Group of Governmental Experts, the conclusions and recommendations from the previous three reports were useful and remained valid. The representative introduced a draft resolution calling on States to comply with their agreements and commitments regarding disarmament.(132) There was no significant change in U.S. policy, but also no repeating of previous positions. By this time, the U.S. seems to have settled on a policy of “cyberstability” as the goal of the First Committee. There was no more discussion of cyber arms, or of a cyber arms race, and no mention of disarmament in the cyber world.
The representative of China(133) emphasized the need to “show respect for others’ core interests and major concerns” in cyberspace governance. It also emphasized principles of “sovereign equality, non-interference in domestic affairs, no use or threat of use of force and the peaceful settlement of disputes”. The representative gave some hint that China may have been part of the reason for a lack of consensus in the Group of Governmental Experts in their work.
Countries should discuss the application of international law in a manner that helps to maintain peace and avoid introducing force deterrence and countermeasures in cyberspace, so as to effectively prevent an arms race in cyberspace and reduce the risk of confrontations and conflict.(134)
Here there is a disagreement between the position of the European Union and China. The Chinese position is that there is no right of self-defense in cyberspace, or if there is, States should agree not to use it. As the German representative had said, if this line of thinking is followed in cyberspace the rights guaranteed under Article 51 of the United Nations Charter suddenly are suspended. It also is unclear what “core interests” are. This phrase likely refers to the policy in China to suspend application of the Universal Declaration of Human Rights when the governing party determines it is in the interest of the country to do so. Complaining about Internet governance policies within China would be an example of interference in the internal affairs of a member State, and thus prohibited, according to the Chinese view. China characterized defensive measures in cyberspace as “Cold War” thinking.
No country is immune from the threats and problems of cyberspace, and there is no such thing as absolute security. Countries should reject the Cold War mentality and zero-sum thinking and actively practice and promote a new security concept that features common coordination, comprehensiveness, cooperation and sustainability.(135)
In its view, cyber peace may be maintained merely through coordination and cooperation between States. There is no mention of the role of civil society. China also called for adopting “a multilateral approach . . . on the basis of cooperation and joint decision-making by all countries on an equal footing”. In effect, this means that China(136) would have a veto over development of policy. There is no discussion of the scope of decision making that is being referred to. The continued focus on Internet governance is in line with China’s attempt to gather more support to place its representatives in each of the major organizations that are involved in setting policy for the world’s Internet system. Finally, the Chinese representative discussed the connection between cyber security and development, highlighting the Digital Silk Road initiative.
China’s position deviates from the Western consensus on arms control and disarmament in cyberspace. There is no recognition of a right of self-defense. There is an aversion to adopting inside China policies that are required as regards human rights, and there is an expansive grasp for more decision making power at institutions around the world.
The representative of Russia was one of the very few participants who addressed the central problem of a cyber arms race.
As long ago as 1998, Russia was the first country in the world to raise the question in the United Nations of the growing threats in the global information space [and has] . . . consistently championed the prevention of wars and conflicts in the global information space. We vigorously oppose any attempts to unleash an information arms race. We are categorically against turning the digital arena into a battlefield and an area of conflict.(137)
The representative of Russia repeated policies similar to China including a) “the non-use of force”; b) “respect for State sovereignty”; and c) “non-interference in the domestic affairs of States”. But unlike China, it included “respect for fundamental human rights and freedoms in the digital arena”.(138) Russia supported “universal rules for responsible State conduct in cyberspace”,(139) but the discussions of the Group of Governmental Experts had been “essentially crippled and diverted to secondary aspects”. Russia was claiming that it was not responsible for the lack of consensus in the Group of Governmental Experts. It was placing the blame elsewhere. It appears that Russia’s position may have been similar to that of China. It denied the right of self-defense in cyberspace, because it claimed that right was being demanded only by countries that were more powerful in the cyber arena:
Our peace-oriented concept . . . clashed with . . . certain countries that seek to impose . . . unilateral rules of the digital game that [are] . . . designed to ensure that . . . those who possess a technological advantage – have free rein. . . . They want to . . . recognize the digital arena as a new theatre of military action, where it is the rules of warfare that will automatically prevail, not the principles of peaceful cooperation. The Western concept of the complete, unconditional applicability of existing international law to cyberspace has a hidden agenda. Its advocates deliberately ignore . . . establishing the source of computer attacks . . . they are already proposing the establishment of separate norms, including the right to self-defence, arbitrarily designating and punishing those who are guilty in their eyes, including through Security Council countermeasures and sanctions. . . . [T]he real reason . . . is to establish international legal cover . . . for forceful action in cyberspace.(140)
This statement confirms that Russia was one of the countries backing out of the emerging consensus regarding cyberstability. The development of cyber norms is characterized as being “separate” from other norms. The application of international law to cyber is characterized as being a “legal cover” for aggressive acts. Russia rejected the “complete, unconditional applicability of existing international law to cyberspace”.
The representative of Russia also objected to the increasing use of “regional forums that suit Western countries better and where it is apparently easier for them to suppress inconvenient alternative views”.(141) They were little more than “attempts to form a select debating society and to restrict those admitted”. The Russian view was the solutions could be achieved only if they had “universal legitimacy” and were “universally acceptable solutions”. This line of reasoning was compatible with that of China. The practical political effect is to maintain a veto over the evolution of policy, as this is the outcome of any process requiring unanimity of all participants. Russia introduced a draft resolution to keep the issue before the seventy-third session of the General Assembly.(142) The purpose was “to ensure the continuity of negotiations on international information security at the United Nations”.
The representative of India(143) emphasized the broader concept of conducting a “survey of current science and technology developments in emerging areas, such as information and communications technologies; biotechnology, including synthetic biology and genetics; artificial intelligence and autonomous systems; outer space; directed energy systems; and new materials and additive manufacturing”.(144) India was concerned about the potential for these emerging technologies to be “repurposed for military uses”. The cyber-related technologies emphasized were artificial intelligence and robotics.
The representative of Paraguay(145) was in favor of adopting “at the multilateral level, standards that regulate developments in information and telecommunications in the context of international security, which, inter alia, will make it possible to bridge the technological divide between developed and developing countries”. The emphasis on a multilateral solution was in line with countries that wished to keep the problem of cyber squarely within the purview of the United Nations. The desire to “bridge the technological divide” was a plea to increase the amount development funding allocated to the ICT sector. It noted that its National Secretariat for Information and Communications Technology had “brought together representatives of all sectors involved in the management and use of cyberspace . . . such as the national Government, the private sector, including Internet service providers, the education sector, civil society and international organizations”(146) for the purpose of improving its cyber policies.
The representative of Brazil(147) warned about the cyber arms race.
[A] growing number of countries have been investing in the offensive and defensive capabilities of a military nature in the use of ICT, there is a risk that the militarization of these technologies and the emergence of new systems of ICT-related weapons might lead to an arms race, increasing the risk of escalation and conflict.(148)
Brazil expressed support for “the strengthening of multilateral norms and principles applicable to the conduct of States in” cyber, provided that there is no derogation of “the free flow of information and respect for human rights, particularly the right to privacy”.
The representative then turned to the issue of applicability of international law to cyber. She recognized “that [in cyberspace] international law and the principles of the Charter of the United Nations apply to State behaviour”. Brazil then called for development of “a specific legal framework . . . for introducing a list of proscribed behaviours”. Some of the key issues to consider included a) the “offensive first use” of cyber weapons; b) concerns regarding “tampering with the supply chain” so as to engage in eavesdropping; and c) “intentionally introducing vulnerabilities into systems or networks” that have the effect of “compromising the information security of other States”. Brazil suggested that the “no first use” of nuclear weapons policy be applied to use of cyber weapons.
Brazil encourages Member States to consider the adoption of a no-first-use norm with regard to offensive operations using ICT. Such a norm will reduce the chances of a global ICT-related arms race and reassure the international community that ICT will not be used as tools of aggression.(149)
Finally, Brazil stated that the inability of the Group of Governmental Experts to reach any consensus on its report was “regretable”.
The representative of Pakistan characterized cyber weapons as a “weapon of mass destruction”.
Cyberwarfare poses serious challenges to international peace and security. . . . [T]he misuse and unregulated use of information and communication technologies could have serious implications for international peace and security in the event of a cyberattack launched on critical infrastructure. The hostile use of cybertechnology is fast approaching the stage where it can be characterized as a weapon of mass destruction and not just disruption.(150)
The representative also discussed other weapons systems that are highly dependent on ICT including a) lethal autonomous weapons systems; b) artificial intelligence; and c) unauthorized transborder use of armed drones outside of international armed conflict.(151) As a solution, Pakistan suggested that since the Group of Governmental Experts had been unable to reach a consensus on the conclusions to be drawn from its two years of work, the problem of cyber stability and the cyber weapons arms race might be moved “to a universal multilateral setting, including in the Conference on Disarmament” where it its view there was a better possibility of reaching consensus.
The representative of the United Kingdom expressed “regret” that the Group of Governmental Experts had failed to reach a consensus. It expressed support for “international stability frameworks for cyberspace based on the application of existing international law, agreed voluntary norms of responsible State behaviour and confidence-building measures, supported by coordinated capacity-building programmes”.(152) The representative also expressed support for “existing international law, including respect for human rights and fundamental freedoms, and the application of international humanitarian law to cyberoperations in armed conflict”. Like others, he expressed support for application of the rules from the Charter of the United Nations. This included several principles applicable to cyberspace a) “prohibition of the use of force”;(153) b) the “peaceful settlement of disputes” [in cyberspace];(154) c) the “inherent right of States to act in self-defence”;(155) d) the law of State responsibility as applied to “cyberoperations in peacetime”; and e) the “availability of the doctrine of countermeasures in response to internationally wrongful acts”. The United Kingdom policy was to continue supporting “operationalization of agreed norms of responsible State behaviour” including “international cooperation to deter malicious cyberactivity by criminals, State actors and their proxies”. The representative also expressed support for “confidence-building measures that contribute to transparency and trust among States in cyberspace”.
Cuba expressed support for a “legally binding international regulatory framework that is complementary to existing international law”.(156) This appears to go beyond the positions of the majority of Western Liberal Democracy type countries. They had expressed support for the application of international law, but there was no support for an additional binding regulatory framework that is outside of the already-in-place international framework. The objective of the Cuban position was to “prevent cyberspace from becoming a theatre of military operations”.(157) Here, again, there is a sense of fear that the alignment of cyber forces in the world favor the United States and its allies. There are expressions of support for international law, but at the same time a preference for policies that would use binding arrangements to limit the flexibility for cyber super powers to respond to attack.(158) There is a parallel to this type of approach in discussions regarding the control of nuclear weapons. For many countries, there is a resentment that they are not in the nuclear “club” and that efforts are made to prevent the technology from spreading. In the case of cyber, the technology is not as specific as the technology for nuclear weapons. Consequently, the expressions of resentment are coupled with general calls for greater flows of international aid in the utilization of ICT. In this line of thinking, just as developing countries should enjoy the benefits of development programs for hydroelectric power, irrigation, or medical infrastructure, so too should they receive similar economic development assistance for cyber. Development of data centers becomes parallel to development of hospitals. Development of fiber optic high-speed data networks becomes a substitute for investment in the highway and transportation system. In this context, ICT becomes merely yet another path of economic development.
The representative of Zambia spoke more about cyber crime than about disarmament. She expressed concern that the pace of development in cyber was too fast for States to develop legal and administrative mechanisms to cope with cyber crime. She recounted numerous policy actions taken in Zambia. These included a) “the creation of emergency response teams”; b) improving law enforcement by using “specialized units and inter-institutional platforms” to handle cybercrime issues; c) increasing collaborating between government, “the military and the academic and private sectors”; d) investing in “information and communication technologies [specialized] for law enforcement”, including “electronic surveillance and monitoring systems to detect suspicious financial transactions and track Internet protocol addresses linked to inimical activities”.(159)
These statements are evidence of the widespread export of surveillance and eavesdropping technologies to countries around the world. Many if not all of these key technologies have been developed in the United States and Israel. An example is the use of “deep packet inspection” technologies.(160) The export of cyber goods and services from developed to developing countries has not been covered extensively. Although there is nothing technically illegal with this trade, it many times runs into political objection, depending on the nature of the State being assisted. For example, if a totalitarian State is purchasing surveillance technology, many in liberal democracies consider providing this assistance to be morally bankrupt and unacceptable. The bulk of international trade in ICT, however, is of a technologically neutral nature, aimed at assisting in economic development. The representative of Zambia lamented that
“investigating and prosecuting . . . [cyber] crimes remains a challenge . . . [It] . . . require[s] new skills and procedural tools, such as [the ability to handle] . . . digital evidence . . . in criminal proceedings while [simultaneously] . . . protecting privacy, human rights and fundamental freedoms”.(161)
Zambia called for enhancement of “international cooperation and mutual legal assistance through law enforcement” in order to fight cybercrime. The statement of Zambia is notable in its absence of discussion regarding international regulation of cyberspace and arms control.Its statement focused only on the legal or illegal use of ICT within its borders. The international dimension of the problem was restricted to international cooperation in law enforcement. There is no discussion or definition regarding how cyber crimes are defined.(162)
The priorities expressed by Mexico included policies a) “to promote access to, and the peaceful use of, information and telecommunication technologies and cyberspace as a catalyst for development; b) “to ensure the sharing of ideas and the exercise and protection of human rights”; and c) “to achieve the secure use of information and telecommunication technologies and cyberspace [by] . . . the private sector and Government.(163)
Like several other States, Mexico expressed a desire to have cyberspace issues worked out in a multilateral framework.(164) The term “as a catalyst for development” fits into the emerging narrative that one important role of the First Committee was not Arms Control and Disarmament, but instead additionally it is economic development.(165)
Australia also expressed “regret” that the Group of Governmental Experts had failed to reach a consensus in its report. It also expressed support for the application of international law to cyberspace.
[Australia has a] commitment to existing international law, including respect for human rights and fundamental freedoms, and the application of international humanitarian law to cyberoperations in armed conflict [and] . . . reaffirms that the Charter of the United Nations applies in its entirety(166) to State actions in cyberspace, including the prohibition of the use of force, the peaceful settlement of disputes and the inherent right of States to act in individual and collective self-defence in response to an armed attack. The law of State responsibility also applies to cyberoperations in peacetime, including the doctrine of countermeasures in response to internationally wrongful acts. [There should also be a] respect for human rights and fundamental freedoms, and the application of international humanitarian law to cyberoperations in armed conflict”.(167)
In addition, the representative of Australia was able to illustrate the connection between the notion of “stability in cyberspace” and the dangers of escalation in a cyber conflict. She noted that “[m]alicious cyberactivity has the potential to threaten international peace, security and stability”.(168) When this happens, States will respond.
[A]s more and more States seek to exert power through cyberspace, there is increased potential for activities in this domain to lead to misperception, miscalculation, escalation and, in the most extreme cases, conflict.(169)
Australia expressed support for “an international cooperative architecture that promotes stability and responds to and deters unacceptable behaviour in cyberspace”.(170) The concept of a “cooperative architecture” should be compared to a system of “binding international rules” that some other States expressed support for. In general, “architecture” is a much broader concept. It would include not only application of international law, but also both formal and informal non-binding norms of State behavior as well as systems of cooperation and coordination between States, and other parties, all aimed at lessening the potential for cyberspace to become a domain of conflict.
At this point, the representatives to the First Committee appeared to be working with three general approaches to management of cyber. The first approach views “cyberspace” as a type of geographical territory where policies are being put in place to avoid it becoming a place of warfare. This is exactly analogous to the approach in the nuclear arena of having entire geographical zones declared to be “nuclear free’. By keeping offensive and defensive actions out of cyberspace, it is effectively prohibiting the use of cyber weapons in these areas. The only problem with this approach is that the term “cyberspace” is a synthetic representative term for something that does not exist. It is merely an entirely synthetic notion, with no real geographical coordinates.
The second approach is to put in mechanisms for coordination and communication between States. This in theory should lead to increases in communication, reducing the potential for mis-perception and miscalculation. Here, there is no assumption that it will be possible to stop the development of cyber weapons. The only conviction is that by improving the communications environment, there is less chance of an outbreak of cyberwar. This might be called the “hot line” approach. It is a mirror image of the communication channel set up in 1963 between Moscow and Washington. It was instrumental in resolving the Cuban nuclear missile crisis.
The third approach comes from the legal and regulatory perspective. It sees the management of cyberspace and the potential for conflict as a legal and administrate problem. In this approach, by putting in place a system of administrative procedure and legal commitments, including possibly sanctions for enforcement, it should be possible to so control the use of ICT by States that it is impossible for war or violence to break out.
The legal and regulatory vector is perhaps the more difficult approach for several reasons. First, it is difficult to get States to bargain away their flexibility to act in self-defense, however defined. Second, states that have a lead in armaments generally are less willing to give up their military and strategic advantage in the absence of a credible and compelling alternative.
Yet is is difficult to see any advantage for a cyber superpower in unilaterally giving up its advantage in this new and uncertain arena. The first approach to the problem is essentially the transfer of defensive cyber capabilities to vulnerable States. The code words for this are “capacity-building” and any term involving “development”. In this approach, weaker States are given transfers of defensive cyber technologies, including training (“capacity-building”) as a means of giving them assurance of their safety, assuming in the background that they are willing to give up the desire to develop cyber weapons. This approach is precisely similar to the guarantees that were discussed in the field of nuclear non-proliferation in which non-nuclear States were given security guarantees by the nuclear super-powers in case they were attacked or threatened with nuclear attack. In the nuclear domain, this approach did not go too far, because it was impossible to specificity the precise nature of any support that might be provided to a non-nuclear state falling victim to a nuclear attack. It is not clear whether or not this approach might work in the cyber world.(171)
The foreign ministry of Australia also reported on launching an “International Cyber Engagement Strategy” that included “the full spectrum of cyberaffairs” and was attempting to integrate together policy on a) digital trade; b) cybersecurity; c) cybercrime; d) international cyberspace security; e) Internet governance; f) cooperation on Internet policies; g) human rights in the online world; h) development of online democracy; and i) technology for development.
It also expressed support for what has emerged as a standard formula for the liberal democracies.
[E]xisting international law is complemented by the norms of responsible State behaviour. Norms promote predictability, stability and security. . . . That existing body of international law and norms is further complemented by confidence-building measures, which foster trust among States to prevent misunderstandings that could lead to conflict. Finally, the international stability framework is supported by coordinated capacity-building programmes.(172)
The First Committee also entertained an intervention by a representative of the Secretary-General’s Advisory Board on Disarmament Matters.(173) The Advisory Board had been asked during 2017 to consider a) the threat of cyberattacks by terrorists on nuclear facilities and the potential role of cybermeans in threats to biosecurity; b) the impact of artificial intelligence (AI) on international security; and c) disarmament and non-proliferation education.(174) Suggestions were made for formation of “a scientific advisory group to keep [the Secretary-General] . . . informed of critical scientific and technological advances that have security implications”.(175) The Advisory Board concluded that “the areas requiring the most urgent attention were cyberthreats to nuclear and , owing to the potentially catastrophic nature of successful attacks”. It had recommended that the United Nations Office of Counter-Terrorism add cyberterrorism to its work. Of particular interest is the Board’s conclusions regarding the potential role of the United Nations in helping governance of cyberspace.
The Board endorses the idea of the United Nations becoming the key norm entrepreneur in the cyberrealm. The United Nations is well placed to involve all stakeholders, including States, international organizations, industry and civil society, in crafting the necessary international governance arrangements. The Board recognizes the difficult trade-offs that have to be made between strengthening cybersecurity on the one hand and protecting civil liberties on the other.(176)
The term “norm entrepreneur” appears first in this statement. It is recognized that norms governing State behavior in cyberspace or in any other realm may emerge in a variety of ways. They can arise by habit, or by the creation of an agreement or set of working principles. The effort to adopt non-binding norms of State behavior is a way of speeding up the evolutionary process in State behavior that might take place over years or even decades. The reality is that other fora were at the same time working on the problem. It is not known if the United Nations has the capacity to handle such a complex issue that involves so many non-governmental organizations. Nevertheless, it is heartening that there was recognition to include participation from “industry and civil society” since these are the key parties that both build and operate most of cyberspace. It is unfortunate that academia was not included in the list, since historically it has played such an important part in the evolution of the Internet and cyberspace. It also should be noted that the focus on the problem of cyberthreats against biological and nuclear facilities was an issue that repeatedly had been brought up by delegates in other meetings of the First Committee. After all, the Stuxnet virus had shown that cyber can directly influence sensitive nuclear weapons facilities.(177)
The Board recommended that the International Atomic Energy Agency (IAEA) invest more “resources [in] . . . countering the cyberthreat to nuclear materials and installations [and] . . . become the global repository of information on potential and failed cyberthreats against peaceful nuclear installations”. In connection with biosecurity, the Board stressed that “[t]here is no standing verification or implementation body for the Biological Weapons Convention.(178) It suggested further work on “multilateral approaches . . . to deal with the cyberthreat to biosecurity”. Further work was needed by the Board on the implication of artificial intelligence for arms control.(179)
At that point, the work of the First Committee of the Seventy-Second Session of the General Assembly ended. It was the fall of 2017, a year that turned out to be populated by a number of significant cyber hacks. The victims included Bell Canada, the Defense Integrated Data Center of South Korea, Deloitte, the Erie County Medical Center, Equifax, Grozio Chirurgija, Heathrow Airport, Taringa! and Uber.
At this time(180), the records from the First Committee for the 2018 session of the General Assembly have not been published.
(1)See statement of Eva Walder,, UN Document A/C1/72/PV.10 (11 Oct 2017), p. 15 (2)See statement of Michael Møller, UN Document A/C1/72/PV.10 (11 Oct 2017), p. 5 (3)See statement of Juan Carlos Mendoza Garc ́ıa, Ambassador Extraordinary and Plenipo-
tentiary, Mission of Costa Rica to the United Nations at UN Document A/C1/72/PV.12 (12 Oct 2017), p. 29
(4)Statement of George Wilhelm Gallhofer, Counsellor, Permanent Mission of Austria to the United Nations at UN Document A/C1/72/PV.12 (12 Oct 2017), p. 9. He also pointed to the “crisis around the Democratic People’s Republic of Korea nuclear programme”.
(5)See statement by Simonetta Di Pippo, Director of the United Nations Office for Outer Space Affairs at UN Document A/C1/72/PV.11 (12 Oct 2017), pp. 3–4
(6)Statement of Charity A. Weeden at UN Document A/C1/72/PV.11 (12 Oct 2017), p. 5 (“Commercial satellite operators ensure system redundancies to mitigate the possi- bility of unresponsive, unmanoeuvrable satellite in a highly valued orbit. They also take measures to ensure the cybersecurity of their systems.”)
(7)See statement of Nikolay Ovsyanko, International Security and Arms Control Depart- ment, Ministry of Foreign Affairs, Belarus at UN Document A/C1/72/PV.12 (12 Oct 2017), p. 12
(8)See statement of Michael Biontino, Permanent Representative of Germany to the Conference on Disarmament, Geneva at UN Document A/C1/72/PV.12 (12 Oct 2017), p. 27
(9)See statement of Claudia Yuriria Garc ́ıa Guiz, Permanent Mission of Mexico to the United Nations, at UN Document A/C1/72/PV.17 (18 Oct 2017), p. 23
(10)Statement of Karsten Diethelm Geier, Cyber Policy Coordination Staff, Federal Foreign Office, Germany at UN Document A/C1/72/PV.19 (23 Oct 2017), p. 1–3
(11)Ibid, pp. 1–2
(13)See UN Document A/70/174
(14)There was no discussion defining these templates, or in describing what they are and how they would work.
(15)As discussed elsewhere, this concern relates to the use by national intelligence agencies and others to embed hidden code into ICT equipment for the purpose of eavesdropping and interception of communications. See for example Ryan Gallagher and Glenn Greenwald, How the NSA Plans to Infect ‘Millions’ of Computers with Malware, The Intercept (online) 12 March 2014; Leaky Apps and Data Shots: Technologies of Leakage and Insertion in NSA-Surveillance, 13 Surveillance and Security, 2015
(16)These included a) Providing guidance to States on how they might identify “appropriate points of contact” to be used in case of a cyber emergency; b) Providing “templates and procedures” for exchanging information between States;
c) Increasing “cross-regional exchanges of information” on how to go about implementing confidence-building itself.
(17)These are essentially a type of aid to developing countries. Measures mentioned were a) awareness-raising; b) educational and professional training activities related to security in the use of ICT; c) information-sharing; d) use of self-assessment tools; and e) involving Governments, the private sector, academia and civil society in capacity-building initia- tives.
(18)Group of Governmental Experts
(19)Ibid, p. 2 (emphasis added)
(20)The original term used by the Chairman was “informal”, but the word “effective” has been substituted because that is the implication.
(21)NB: Each Committee is a “Committee of the Whole” meaning that all member States participate in them.
(22)This presumably would solve the problem of having too many technology-weak States involved in attempting to set international policy for cyberspace.
(23)This comment applies to all diplomats who made statements.
(24)Further research, interviews, and the release of more of the United Nations records might perhaps help clarify what happened.
(25)See statement of Danny Rahdiansyah, Permanent Mission of the Republic of Indonesia to the United Nations at UN Document A/C1/72/PV.19 (23 Oct 2017), p. 13 (26)It generally takes larger number of participants longer to reach decisions. (27)Although this notion was not discussed.
(28)Draft resolution, Promotion of multilateralism in the area of disarmament and non-proliferation, UN Document A/C.1/72/L.32 (11 October 2017)
(29)Ibid, p. 2, para. 2; p. 2, para. 9; p. 3, para. 2 (emphasis added)
(30)See statement of Faiyaz Murshid Kazi, Counsellor, Permanent Mission of Bangladesh to the United Nations at UN Document A/C1/72/PV.20 (23 Oct 2017), p. 22-23
(31)Draft decision, Developments in the field of information and telecommunications in the context of international security, UN Document (12 October 2017)
(32)It is possible that since this draft decision was supported by Russia and China, it had been the United States and its allies that had been the source of the disagreement making it impossible for the Group of Governmental Experts to form a consensus.
(34)Draft resolution, Role of science and technology in the context of international security and disarmament, UN Document A/C.1/72/L.52 (13 October 2017) (emphasis added)
(35)Ibid, p. 2, para. 1
(36)Ibid, para. 2
(37)Draft resolution, Relationship between disarmament and development, UN Document A/C.1/72/L.30 (11 October 2017), p. 2, para. 3
(38)Draft resolution, Observance of environmental norms in the drafting and implementation of agreements on disarmament and arms control, UN Document A/C.1/72/L.31 (11 October 2017)
(39)Draft resolution, Promotion of multilateralism in the area of disarmament and non-proliferation, UN Document A/C.1/72/L.32 (11 October 2017)
(40)See statement of Nedaye Azadi, Representative to the First Committee, Iran at UN Document A/C.1/72/PV.20 (23 Oct 2017), pp. 21-22
(41)UN Document A/C.1/72/PV.19
(43)This conflict of ideology never has been settled.
(44)Statement of Mustapha Abbani of Algeria at UN Document A/C.1/72/PV.19 (23
Oct 2017), p. 24–25
(45)These were never specified.
(46)Statement of Marwan Ali Noman Al-Dobhany of Yemen at UN Document A/C.1/72/PV.19
(23 Oct 2017), p. 14
(47)The ASEAN members are Brunei Darussalam, Cambodia, Indonesia, Laos, Malaysia,
Myanmar, Philippines, Singapore, Thailand, and Vietnam. There is one “observer” nation — Papua New Guinea
(48)See statement of Choon Heng Joseph Teo, Coordinating Minister for National Security, Singapore, at UN Document A/C.1/72/PV.19 (23 Oct 2017), p. 14–15
(49)Ibid, p. 14
(50)Ibid, p. 15
(51)Ibid (emphasis added)
(53)See statement of Judit K ̈or ̈omi of the European Union at UN Document A/C.1/72/PV.19
(23 Oct 2017), p. 15-17. The statement was “aligned” with the views of Turkey, Mace- donia, Montenegro, Albania, Bosnia and Herzegovina, Ukraine, Republic of Moldova and Georgia.
(54)Ibid, p. 16
(55)Ibid, p. 16
(56)See General Secretariat of the Council, Draft implementing guidelines for the Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities, Council of the European Union Document 13007/17 (9 Oct 2017), p. 9
(57)Ibid, p. 17
(58)See High Representative of the Union for Foreign Affairs and Security Policy, Re- silience, Deterrence and Defence: Building strong cybersecurity for the EU, Joint Communication To The European Parliament And The Council, European Commission Document JOIN(2017) 450 final, (13 September 2017)
(59) (emphasis added)
(60)See statement of Carmen Gonsalves, representative of the Netherlands at UN Docu- ment A/C.1/72/PV.19 (23 Oct 2017), p. 23–24
(61)Ibid, p. 23
(62)Ibid, p. 23
(64)See statement of Marja Lehto at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 10–11
(65)See UN Document A/68/98
(66)See UN Document A/70/174
(67)See UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 11
(70)See Ju ̈rgen Altmann Confidence and Security Building Measures for Cyber Forces in C. Reuter (Eds) Information Technology for Peace and Security, Wiesbaden: Springer Vieweg, 2019; Patryk Pawlak, Confidence-Building Measures in Cyberspace: Cur- rent Debates and Trends in Anna-Maria Osula & Henry R ̃oiga (Eds) International Cyber Norms: Legal, Policy & Industry Perspectives Tallin: NATO CCD COE Publications, 2016; Pawlak divides Confidence-Building measures into seven categories: a) Communication and information exchange measures; b) Transparency and verification measures; c) Military restraint measures; d) Political measures; e) Economic measures; f) Environmental measures; and g) Societal and cultural measures. (See Ibid, Table 1. Traditional CBMs and cyber-related adaptations, p. 134)
(71)This is depicted in Figure 1 on Page 11. Note that the further one moves away from the center of the picture, the more short-term, unstable, and thus malleable becomes the situation being addressed. (Source: Author analysis based on comments of Representative of Finland.)
(72)Minna-Liina Lind, representative of Estonia.
(73)See UN Document A/C.1/72/PV.19
(74)See UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 11-12
(76)The only exception is in the event of a court order issued by a magistrate. (77)Although plausible, it also is easy to dismiss this consideration
(78)It is impossible to know the answer to this without interviews with members of the Group of Governmental Experts.
(79)Or “disarmament by bureaucracy”.
(80)To do so would violate a basic rule of diplomacy, which is that States will only agree to be bound by rules that are in their own advantage. If the same negotiated rules are to the advantage of other States, then that is acceptable providing the advantage conferred on others is not disproportionately greater.
(81)“Nothing . . . shall impair the inherent right of . . . self-defence if an armed attack occurs against a Member of the United Nations. . . . Measures taken . . . in . . . self-defence shall be immediately reported to the Security Council”
(83)Allow an opportunity of injection of dozens of peripheral issues that would further complicate negotiations.
(85)See UN Document A/C.1/72/ PV.19
(86)See statement of Louis Riquet at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 15-16
(88)Ibid, (Emphasis added)
(89)Article 51 (Self-defense)
(90)Customary international law.
(91)Otherwise, there was be no purpose in discussing both self-defense options.
(93)See Wassenaar Arrangement Secretariat, List of Dual-Use Goods and Technologies and Munitions List, Vol. II, Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, December 2018; (Defining “Intrusion software” as software “specially designed or modified to avoid de- tection by ‘monitoring tools’, or to defeat ‘protective countermeasures, of a computer or network-capable device, and performing any of the following: a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.” at p. 221) (NB: A more colloquial expression for “intrusion software” is “spying software”.) (emphasis added)
(94)It is a type of cartel in reverse.
(95)Paraphrased from interview with Katie Moussouris, November 8, 2019. Moussouris served on the U.S. delegation to the Wassenaar meetings. She started the first “Bug Bounty” program for Microsoft.
(97)See Final Declaration: The Wassenaar Arrangement on Export Con- trols for Conventional Arms and Dual-Use Goods and Technologies, The Peace Palace in The Hague, 19 December 1995
(98)Secretariat, Wassenaar Arrangement, Outreach at https://www.wassenaar.org/outreach/, Vienna, Austria. (emphasis added)
(99)Meetings appear to be private.
(100)See UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 15-16
(101)Ibid, (emphasis added) This is a “government is superior” type of policy orientation.
(102)If the government is in error, then should it accept legal and financial responsibility for the consequences?
(103)A company that has significant ownership by the Government of China.
(104)There is no accepted and standard model for escalation of cyberspace conflict between States.
(105)See statement of Dr. Thomas Fitschen at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 16-17
(106) Ibid (107) Ibid (108) Ibid
(109)Ibid, (emphasis added) (110) Ibid
(111)See statement of Thomas Hajnoczi, Austria’s permanent representative to the United Nations Office at Geneva at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 19-20 (112)See UN Document A/C.1/72/PV.19
(113)UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 19
(114)See Permanent Council, Organization for Security and Co-operation in Europe, OSCE Confidence-Building Measures To Reduce The Risks Of Conflict Stemming From The Use Of Information And Communication Technologies, Decision No. 1202, Doc. No. PC.DEC/1202 (10 March 2016) noting that the confidence-building measures “were first adopted through Permanent Council Decision No. 1106 on 3 December 2013”.
(115)Ibid, No. para. 1
(116)Ibid, No. para. 4
(117)Ibid, No. para. 5 (118) Ibid
(119)Ibid, No. para. 7
(120)Ibid, No. para. 9
(121)Ibid, No. para. 16
(122)Reference to the work of D ́an K ́aroly, Permanent Representative of Hungary to the OSCE
(123)UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 20 (124) Ibid
(125)See statement of Sabrina Dallafior at UN Document A/C.1/72/PV.19 (23 Oct 2017), p. 18-19
(126)Ibid, p. 18 (127) Ibid
(129)Ibid, (emphasis added)
(130)Ibid, p. 20
(131)See statement of Kathleen H. Hicks at UN Document A/C.1/72/PV.19 (23 Oct 2017), p. 20
(132)Draft resolution, Compliance with non-proliferation, arms limitation and disarmament agreements and commitments, UN Document A/C.1/72/L.7 (6 October 2017)
(133)See statement of Qun Wang, Director-General of the Arms Control Department of the Ministry of Foreign Affairs of China at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 14-15
(134)Ibid, (emphasis added)
(135)Ibid, (emphasis added) The “new security concept” is a reverse way of rejecting the common set of assumptions regarding national security that up to that time were the basis of negotiations, as “new” necessarily means abandoning the “old”.
(136)Or any other country participating in Internet governance.
(137)See statement of Vladimir I. Yermakov, Director of the Russian Foreign Ministry
Department for Non-Proliferation and Arms Control at UN Document A/C.1/72/PV.20
(23 Oct 2017), p. 18-19, (emphasis added)
(138) Ibid (139) Ibid
(140)Ibid, (emphasis added) It is not clear what Russia was referring to, and the representative did not provide ample detail.
(142)See Draft decision, Developments in the field of information and telecommunications in the context of international security, UN Document A/C.1/72/L.44 (12 October 2017)
(143)See statement of Amandeep Singh Gill at UN Document A/C.1/72/PV.19 (23 Oct
2017), p. 21
(144)This refers to 3-D printing.
(145)See statement of Carrillo G ́omez at UN Document A/C.1/72/PV.19 (23 Oct 2017), p. 22
(147)See statement of Larissa Schneider Calza at UN Document A/C.1/72/PV.19 (23 Oct 2017), p. 22–23
(148)Ibid, p. 22, (emphasis added)
(149)Ibid, p. 23, (emphasis added)
(150)See statement of Masood Khan at UN Document A/C.1/72/PV.19 (23 Oct 2017), p. 26, (emphasis added)
(151)Ibid, p. 25
(152)See statement of Simon Cleobury at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 10
(153)United Nations Charter, Article 2, para. 4
(154)Ibid, Article 33
(155)Ibid, Article 51
(156)See statement of Lilianne S ́anchez Rodr ́ıguez at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 12
(158)Or to launch them.
(159)See statement of Ms. Linyama of Zambia at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 17
(160)Deep packet inspection (DPI) is technology that intercepts data flowing through the Internet. Depending on the settings of the equipment being used, the data can be blocked, re-routed, recorded in its entirely, or used to generate “meta data”. An example of metadata is identification of the “to” and “from” information, showing that Person A communicated with Person B. The original development of deep packet inspection was for the purpose of identifying malware (malicious code) that was hidden inside Internet data traffic. But the same capabilities that could check the content for malware code could be used to check for political content. This led quickly to use of DPI for censorship. Censorship is legal in many countries.
(162)It is likely that laws in Zambia are consistent with the Budapest Convention on Cybercrime.
(163)See statement of Isaac Morales at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 20 (Note: The UN Documents list the name as “Moralez”.), (emphasis added) (164)Ibid, (Stating that “Mexico accords priority to the multilateral discussion on the use of information and telecommunication technologies in the context of international security”.) (emphasis added)
(165) Although these functions generally are done through other parts of the United Na- tions, there persists a constant pressure in all fora to increase transfers from developed to developing countries.
(166)As noted earlier, States are obligated through the Chart to act in ways that carry out the purposes of the United Nations and this includes support for the Universal Declaration of Human Rights and other covenants that in some instances are in direct conflict with the policies of many States as regards freedom of expression and political participation.
(167)See statement of Vanessa Wood at UN Document A/C.1/72/PV.20 (23 Oct 2017), p. 20-21, (emphasis added)
(169)Ibid, (emphasis added) Note that it is not clear what type of “conflict” is being referred to. At the time, the two available variations were (1) a kinetic response; or (2) a cyber response. Since, however, the terms “misperception, miscalculation, escalation” generally are associated with conventional or even nuclear war, it is plausible the representative was pointing out the risk that cyber actions could lead to kinetic results.
(170)Ibid, (emphasis added)
(171)The conditions in cyber are so different that perhaps this might work, but only a hard-core optimist would come to this conclusion.
(172)Ibid, (emphasis added)
(173)See statement of Trevor Findlay of the Secretary-General’s Advisory Board on Disarmament Matters for 2017 at UN Document A/C.1/72/PV.21 (24 Oct 2017), p. 3-4; The Advisory Board was established in General Assembly, Tenth Special Session Resolution, S-10/2 Final Document of the Tenth Special Session of the General Assembly, 30 June 1978, p. 13, para. 124 “The Secretary-General is requested to set up an advisory board of eminent persons . . . to advise him on . . . studies . . . in the field of disarmament and arms limitation.”
(174)We disregard the third item. (175) Ibid
(176)Ibid, (emphasis added) The concerns expressed regarding civil liberties may have been a reflection of fears that some States might consider actions in cyberspace that although ostensibly for maintenance of cyber stability in reality would weigh heavily on exercise of basic human rights, particularly as concerns right of association, communication and freedom of speech.
(177)Stuxnet was developed by 2005 but was discovered in 2010. It caused damage to the Iranian nuclear weapon program by disrupting the work of Supervisory Control and Data Acquisition (SCADA) system in the centrifuges processing uranium for enrichment. It was a very effective cyber weapon that certainly had “kinetic effects” because it caused some of the centrifuges to blow up.
(178)Convention on the Prohibition of the Development, Production and Stockpiling of Bacteriological (Biological) and Toxin Weapons and on Their Destruction, Entered into force 26 March 1975; As of fall 2019 — Number of Signatory States: 109; Number of States Parties: 183
(179)Some see AI as being a major source of conflict in the future. See Jon M. Garon, Cyber-World War III: Origins, 7 J. L. & Cyber Warfare 1-59 2018
(180)Fall of 2019
Edward M. Roche