The First Ever Global Meeting on Cyber Norms Holds Promise, But Broader Challenges Remain
Josh Gold is a research assistant at Citizen Lab at the Munk School, University of Toronto.
Earlier this month, the United Nations (UN) held the first ever global meeting on peace and stability in cyberspace.
The Open-Ended Working Group (OEWG) is the latest iteration of the decades-long process to deliberate on the issue of security in information and communication technologies (ICTs). Since 2004, a UN Group of Governmental Experts (GGE)—limited to between fifteen and twenty-five states—has convened five times in this context.
The OEWG is a new process, emerging from a November 2018 Russian resolution to establish, alongside the GGE, a “more democratic, inclusive, and transparent” body for studying responsible state behaviour and cooperative measures in cyberspace. Russia pushed this knowing that a larger group makes consensus more difficult, and also so as to include more countries who would support its own interests in cyberspace.
The meeting began, unsurprisingly, with a split: the non-aligned movement released a statement emphasizing state sovereignty in cyberspace, sovereign equality, and non-interference in states’ political affairs, while European states released a statement emphasizing an open, free, and secure cyberspace.
This difference speaks to the inherent and intractable disagreement between nations on how to govern and control cyberspace. Some states are interested in establishing control and sovereignty in the ICT space to mitigate threats to their regime stability. However, liberal democracies continue to promote and defend a free and open internet, despite challenges from online disinformation and the need for some content moderation.
Despite consensus that existing international law applies in cyberspace, opinions in the group differed on how it should be applied. China expressed concern that determining how international law applies in cyberspace would legitimize military conduct. This was promptly rebuffed by several states including Norway, which noted that to say international law leads to war is to say that speed limits on roads encourage reckless driving. Disagreement over the applicability of international law in cyberspace and the clash between ‘free internet’ and ‘cyber sovereignty’ hobbled the GGE—contributing to its failure to reach consensus in 2017—and will continue to play out at the OEWG.
Some states in the working group pushed for greater sovereign control over internet governance institutions such as ICANN, which have been historically kept separate from geopolitics and state control. China raised supply chain issues related to the rise of 5G and Huawei, indicating that economic competition in the ICT space will feature on the agenda of upcoming meetings.
Despite this, this month's OEWG was largely positive. The meeting saw high participation, with almost eighty delegations making statements or interventions. Unlike the GGE, the OEWG was streamed online. It also involved various civil society groups, though eighteen NGOs were denied accreditation—allegedly by Russia and Cuba.
Moreover, states expressed consensus on several key issues. Perhaps most important was the reaffirmation that the OEWG does not start from zero. From this common base, member states largely agreed that the OEWG should focus on proposing practical measures for the implementation and application of the eleven non-binding norms agreed upon in the 2015 GGE report, such as the right to human rights and free expression on the internet, ensuring the integrity of supply chains, and that states should not knowingly allow the malicious use of ICTs in their territory.
Much of the focus on norms implementation was aimed at developing states, many of whom have nascent cyber capacities. The need to develop and streamline capacity building efforts was mentioned by almost every delegation; delegates offered support and pledged resources, and experts described existing initiatives that could be expanded upon, such as FIRST, MERIDIAN, and an Estonian cyber diplomacy school.
Another major focus throughout the week was on confidence-building measures (CBMs) – measures taken to boost trust, transparency, communication, and mutual understanding to reduce conflict. Notable was the recognition that—in opening the door to all countries and some organizations—the OEWG itself constitutes a global CBM. As with capacity building, states agreed that finding practical ways to implement these CBMs should be a priority. Canada’s position paper outlined this best, proposing that the 2019-20 OEWG first and foremost examine what concrete actions states could take to ensure greater operationalization and implementation of CBMs and norms agreed in past GGE consensus reports.
The first substantive meeting of the OEWG was historic. It provided the first ever opportunity for all countries to participate in the development of rules and norms for cyberspace. It has the potential to be a valuable forum for norm implementation, capacity building, CBMs, and constructive discourse. In doing so, it can complement the parallel work of the GGE.
But there is little reason to expect states to reach a final agreement on major issues. Despite most delegates’ lip service to an “open” ICT environment, this is not what many want in reality. Moreover, the United States and Russia remained uncharacteristically passive and agreeable throughout the week. This may not last long.
The OEWG began with a split and will, in the big picture, end with one. But so long as states remain focused on consensus areas and win-win pragmatism, this new global forum could have a lot to offer.