Josh Gold is a research assistant at Citizen Lab, at the University of Toronto’s Munk School.
Country representatives gathered in mid-February at the United Nations for the second formal meeting of the Open-Ended Working Group (OEWG) on international cybersecurity. Longstanding points of contention remained prominent at the weeklong meeting, raising questions about what the outcome of this process will look like in July when countries attempt to agree on a consensus report of recommendations and conclusions informed by the year of discussion.
Delegates from over seventy countries spoke at the recent OEWG. Some civil society groups made statements too, though as in the first formal OEWG session in September, all non-governmental groups without UN consultative status who sought accreditation for the ostensibly “open and inclusive” forum were denied access. This meant the exclusion of groups like Derechos Digitales, Citizen Lab, and Microsoft.
The meeting saw wide agreement—particularly on emerging threats, capacity building, and confidence-building measures. But two particularly contentious issues stood out. The first was on whether existing norms are sufficient, or if new norms or mechanisms are needed for improved peace and stability in cyberspace. Russia, Iran, Syria, Cuba, and Egypt—with some support from China—argued that the existing set of voluntary, non-binding norms, as endorsed by all states in the UN General Assembly (UNGA) in 2015, are insufficient to ensure peace and security in cyberspace.
These states asserted that a new treaty, convention, or “legally-binding instrument,” is needed to hold wrongdoers accountable, and new norms are necessary to cover security issues that have been overlooked. To support the claim that current norms are not enough to prevent malicious behavior in cyberspace, Russia’s representative ruefully asked the floor, “if international law applies in cyberspace, why are foreign hackers electing the president of the United States?”
Iran’s delegation, which also stated that the norms previously agreed upon by the UNGA are “not consensual anymore,” went so far as to propose a laundry list of a dozen new norms. These mostly focused on Iran’s perceived threats to its sovereignty, especially from “content threats” and threats to “public morals” and “societal values.” Seeking to make the binding treaty concept more palatable, Iran referred to it as a “FIFA-like mechanism” with “specific rules of play.”
In reality, the push for a treaty and new norms is often little more than an unproductive stall tactic—an attempt to distract from the need to respect existing norms in cyberspace. Negotiating a binding treaty would be a lengthy and divisive process, during which bad actors may think they could behave with impunity.
Pushing for a binding treaty also ignores that states are already, under international law, subject to legally-binding rules in cyberspace. As many states, including the United States, stressed, voluntary norms are meant to complement international law and clarify states’ obligations in a cybersecurity context.
Furthermore, as New Zealand’s delegate pointed out, cyberspace is not lacking norms; it lacks their implementation. Echoing this, a majority of voices in the room argued against a new treaty, supporting instead efforts to clarify how international law applies in cyberspace, and how to better implement existing norms. The Netherlands stood out as one of just a few states that offered how this could be done, proposing that countries protect the ‘public core’ of the internet, and refrain from attacking election infrastructure.
The second much-discussed point of contention concerned offensive cyber operations and the (poorly defined) “militarization” of cyberspace. Here, a number of states called for a ban on military cyber operations and offensive cyber capabilities—also in the form of a binding treaty. This again included Iran, Cuba, Russia, and China.
Besides the irony of these particular states calling for an end to state cyber operations, such a position also ignores reality; as far back as 2011, researchers identified over one hundred countries with military and intelligence cyberwarfare units.
Thus, most Western democracies maintain that a treaty on restricting offensive cyber capabilities is a chimera. Instead, they argue that states should make their cyber doctrines more transparent and align them with existing norms and law. This would reduce the chances for miscalculation and uncontrolled escalation between states. Advancing the notion of “technological neutrality,” many states stressed that their concerns are not about cyber capabilities themselves, but of their misuse.
When states articulate their positions on how international law applies in cyberspace, accountability, predictability, and stability follow. The UK even argued that developing cyber capabilities can further peace and stability—especially when used in lieu of less discriminating kinetic operations. But this push for transparency and accountability is disagreeable to states that worry it might limit their freedom of action.
Moving forward, the OEWG secretariat will prepare a draft consensus report of its recommendations and conclusions by early March. The draft will be discussed in two intersessional meetings in March and May in the hopes that states will agree upon a report at the third and final OEWG meeting in July 2020.
There might be room for some small degree of optimism, with countries largely in agreement on practical issues. Moreover, following efforts to boost women’s participation, the February meeting saw gender parity among countries’ interventions. Nevertheless, such progress may not be enough to transcend critical differences, and in this consensus-based UN forum, nothing is agreed until everything is agreed.