The United Nations Institute for Disarmament Research (UNIDIR) held a Cyber Stability Conference on June 6, 2019 at UN headquarters in New York. The highlights were:
Launch of the UNIDIR Cyber Policy Portal;
Discussion of emerging norms of responsible nation state behavior in cyberspace; and
Dual track of activities by Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG).
UNIDIR Cyber Policy Portal
A briefing on the Cyber Policy Portal was given by Oleg Demidov, a UNIDIR researcher. The portal has a wealth of information including UN documentation and reports, documents from a number of intergovernmental entities, and links to cyber policies of different countries. There are a number of very substantial reports available including Cyberwarfare and International Law by Nils Melzer ; The Cyber Index: International Security Trends and Realities, published by UNIDIR with contributions by James Andres Lewis of the Center for Strategic and International Studies and Götz Neuneck of the University of Hamburg; and The United Nations, Cyberspace and International Peace and Security: Responding to Complexity in the 21st Century by Camino Kavanagh.
Emerging Norms of Nation State Behavior in Cyberspace
Discussion of emerging norms can be found in the Report of the First Committee (19 November 2018; United Nations Document: A/73/505) pp. 7-8. There are thirteen suggested norms. In these norms, there is recognition of the attribution problem. "Accusations of . . . implementing wrongful [cyber] acts brought against States should be substantiated." States should not allow non-State actors to operate on their territory while carrying out cyber terrorism. Also, governments should not hire private contractors or civilian vigilante groups to carry out cyber attacks. There also is a norm calling for a hands off policy on emergency response teams. There was disagreement in the meeting with the United States Deputy Coordinator for Cyber Issues in the Office of the Coordinator for Cyber Affairs Michele G. Markoff calling for an end to further norm setting, but Frédérick Douzet of the French Institute of Geopolitics calling for a completion of needed norms.
Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG)
The Group of Governmental Experts has been working for years. However, in the 45th Plenary Meeting of the General Assembly a resolution called Developments in the Field of Information and Telecommunications in the Context of International Security (United Nations Document: A/RES/73/27, paragraph 5, it was decided to create "an open-ended working group acting on a consensus basis . . . to further develop the rules, norms and principles of responsible behavior of States" as regards cyber. The working schedule for these two groups is in Figure 1.
Discussion with participants in the UNIDIR Cyber Stability Conference indicate that the GGE group is supported by the United States and its Western Allies, whereas the OEWG is supported by Russia and other like-minded states. Members of the UNIDIR staff and others expressed surprise that the General Assembly had approved both lines of activities.
In Figure 1, we have added two linkages in December 2019 and February 2020 when the meetings of the two groups might be held back to back, and this should enable some exchange of opinion. It is likely, however, that the two groups will disagree in certain areas, leading to a slow-down in work for everyone. The OEWG works "on a consensus basis" which in UN terms means that any party can have a veto over its conclusions. In practice, this will mean that for any decision, if either Russia or the United States disagree, then there will be no progress.
A Disarmament Conference without Discussion of Disarmament
This blogger's surprise at the UNIDIR Cyber Stability Conference was the lack of discussion on disarmament. There was no discussion of cyber weapons, or the cyber arms race. Controlling an arms race is the traditional job of Disarmament. Much of the discussion dealt with capacity-building, development of norms, cooperative measures, rules of behavior, and confidence-building measures.
Capacity-Building generally is a term for development, and usually the allocation of international funds to developing countries. Capacity-building, according to one national representative, "is little more than developing countries wanting money". This does not exactly fit into the historical mission of UNIDIR, because development is handled in other parts of the UN, and is not generally associated with disarmament.
Development of Norms reflects a theory in development of international law. Norms represent customary international law. These are informal rules of behavior that are not binding but over time form a context for law, and may lead eventually to codification. We will examine the norms in a future blog but a preliminary analysis shows that the norms discussed do nothing to control the development of cyber weapons. However, one norm does address the important problem of proliferation:
"1.10 States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions." (A/RES/73/27 p. 4)
Cooperative Measures refer to how states work together on events or problems that are transnational in nature. Norm 1.8 calls for states to respond if another state asks for assistance in dealing with a cyber emergency. There already is a large legal infrastructure in place for cooperation in international criminal matters, including cyber crime.
Rules of Behavior refers to something more compelling than voluntary norms. It will be a long time before binding rules are adopted for state behavior in cyberspace.
Confidence-Building Measures are actions that states hostile to each other can take to lower tensions. Presumably this would mean measures involving cyber relations, and this presupposes states are in a state of "cyber hostility". There seems to be no record yet of any situation where confidence-building measures in cyber are being addressed.
Cyber Weapons and United Nations Peacekeeping
Like any form of military force, we can envisage a situation in which the United Nations Security Council would approve the use of cyber force in response to a breach of international peace and security. "Cyber Peacekeeping". This idea was not discussed, and there will be a detailed blog entry on this concept later. In addition, we will address cyber and Article 39 of the Charter.