The United Nations Doubles Its Workload on Cyber Norms, and Not Everyone Is Pleased

Alex Grigsby is the assistant director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.

The United Nations is set to double its workload as it relates to the international security dimensions of cyberspace over the next few years.

Last week, the General Assembly’s first committee adopted two separate (and some would say competing) resolutions on the actions of states in cyberspace. One resolution, sponsored by Russia, creates an open-ended working group of the General Assembly to study the existing norms contained in the previous UN GGE reports, identify new norms, and study the possibility of "establishing regular institutional dialogue ... under the auspices of the United Nations." The other resolution, sponsored by the United States, creates a new Group of Governmental Experts (GGE) to study how international law applies to state action in cyberspace and identify ways to promote compliance with existing cyber norms. 

Although a previous draft of the Russian resolution called for a new GGE, that was quickly replaced with an open-ended working group (OEWG). That distinction is significant. Procedurally, GGEs have a smaller membership—previous cyber GGEs had anywhere between fifteen and twenty-five participants—and have time-bound mandates, which theoretically curb diplomats’ urge to kick the can down the road. By contrast, OEWGs have much bigger memberships—any of the 193 UN member states can participate in its deliberations, and their open-ended nature means that they can go on forever or until member states agree to dissolve it.

By advocating for an OEWG, Russia tried to position itself as an advocate of democratic participation and inclusivity. During the debate over the motion (video here, starts at 29:00), the Russian representative framed the U.S. proposal for a new GGE as an "exclusive club" that would fail to take into account the views of the entire UN membership. He also said that the current status quo of GGEs were untenable given the increasing buildup of cyber capabilities, and that the lack of consensus in the 2016-17 GGE was proof that the old model was no longer working, selectively omitting the fact that it played a significant role in blocking the previous consensus report. In essence, Russia framed itself as a defender of the rules-based international order, committed to multilateral solutions to international challenges. 

Russia further revised its resolution to strip it of language pulled from the Shanghai Cooperation Organization's International Code of Conduct on Information Security. That likely made its text more palatable to some in the General Assembly given that the code undermines human rights protections to online activity.

The United States and its allies heavily criticized the Russian proposal, arguing that it mischaracterized and cherry-picked language from previous GGE reports, and accused Russia of being divisive by proposing a way forward that would not enjoy consensus whereas the last two decades of resolutions on the topic had. The United States also pointed out that the Russian resolution includes language from a controversial 1981 General Assembly resolution that claims states have a "duty" to "abstain from any defamatory campaign, vilification or hostile propaganda" that interferes in the internal affairs of states. Instead, the United States made the pitch for its resolution, noting that its text was closer to what reached consensus in the past and that the new GGE would have two consultation sessions to allow for member state input into its deliberations.

Although Russia and the United States had positioned each other’s resolutions mutually exclusive, the majority of the General Assembly didn’t see it that way and voted in favor of both. During the debate, countries like Indonesia, Malaysia and the Philippines said that while they would have preferred a single resolution, having a small group of experts and a much larger group of generalists could complement each other, and raise awareness of cyberspace challenges within the entire UN membership.

I’m not so optimistic. If anything, having two separate groups is likely to split the General Assembly's attention on the issue. Only the countries with the largest staff at their UN missions in New York will have the dedicated manpower to adequately monitor the work of the two new groups. Moreover, splitting the UN cybersecurity discussion in two provides an excellent way for countries to go forum shopping, a practice that has plagued other UN organizations such as the International Telecommunication Union. Finally, while having more member states participate in the cybersecurity conversation should be applauded, reaching consensus among 193 member states in an OEWG format is much more daunting than getting agreement among fifteen or twenty-five in a GGE setting.

The international conversation about cyber norms has always been fairly messy, as countries, regional organizations, private sector entities, and non-profits promote their preferred norms and approaches. In the last week, France launched the "Paris Call For Trust and Security in Cyberspace" and the Global Commission on the Stability of Cyberspace released its "Singapore Norms Package." Splitting the UN General Assembly's work in two just made the norms debate even messier.