Cyber Stability, Conflict Prevention, and Capacity Building
May 22, 2020
This commentary is an adaptation of remarks delivered before the UN Security Council.
I thank Estonia for this opportunity to speak before the Security Council. International attention on cybersecurity has increased dramatically in recent years as cyberspace has become a central global infrastructure. This enables development and growth but also provides expanding opportunities for conflict and crime. States have recognized the importance of cyberspace, and with it, the need for global cooperation to make it more stable and secure. The United Nations plays a central role, since states are those responsible for the most damaging and destabilizing malicious acts. This can be determined by a simple tallying of major incidents. This gives the United Nations a central role in addressing the problem of trust and security, and it highlights the importance of the UN framework for responsible state behavior created in 2015.
The core of this agreed framework is the norms described in the 2015 Report of the UN Group of Governmental Experts, the GGE. Norms are understandings among states on practices that identify and guide appropriate behavior. Norms define the international obligations that states have accepted. Norms are not “implemented.” They are observed. How countries choose to observe norms varies with national practice and national law and policy. Today’s discussion provides an opportunity to accelerate global adoption and observation of these UN norms.
Toward International Agreement
In 1998, the Russian Federation brought cybersecurity before the United Nations in a proposal for a binding cyber treaty. This was prescient, but premature. In thinking about this proposal, a number of scholars and diplomats concluded that it would be first necessary to build trust among nations, using an agreed framework of norms and confidence building measures to guide national decisions.
This framework has been created by Groups of Governmental Experts, established by the UN First Committee, to examine developments in the field of information and telecommunications in the context of international security. The latest in this series of efforts grows out of two resolutions in 2018—A/RES/73/266 and A/RES/73/27—which established a new GGE and, for the first time, a new Open-Ended Working Group (OEWG). These UN discussions have developed shared understandings on how states should conduct themselves in cyberspace and how this fits with a country's existing international commitments.
The culmination so far of this effort was in 2015, when the GGE Report proposed 11 norms and measures to improve cybersecurity. These norms establish the framework for responsible state behavior. At the 2015 meeting of the General Assembly, all UN member states agreed by consensus to be guided by the 2015 report. This UNGA agreement created a global framework to guide state behavior in cyberspace and forms the basis for future work. Events such as today’s Arria-Formula event can help change this, but additional action is needed to highlight the important of the GGE conclusions, international law, and the UN Charter.
Capacity building is the third pillar of the framework for responsible state behavior. In 2010, noting that he was speaking for the developing world, the South African GGE expert insisted that capacity building be part of any agreement. His intervention launched a global effort to build cyber capacity. Capacity building has benefited from the development of a range of initiatives since then, including the Global Forum on Cyber Expertise. Many countries in all regions of the world now have cybersecurity initiatives, reflecting regional mandates, multilateral and bilateral discussions, and efforts at assistance in developing national programs.
Capacity building, confidence building measures (CBMs), and norms form an integrated package that define and shape responsible state behavior. A country's ability to implement norms and CBMs rely on its national cyber capacity. Capacity building (both technical and political) strengthens the ability to observe norms, while confidence building provides evidence that norms are being observed. Capacity building prepares the ground for the political support needed for consensus on how to implement the norms and principles for responsible state behavior and is one way to ensure that the interests of all nations are reflected in the discussion of cybersecurity by linking it to the Sustainable Development Goals.
Elements of the Framework for Responsible State Behavior in Cyberspace
Three GGEs, under the astute direction of chairs from Russia, Australia, and Brazil, were able to create the structure for the international discussion of security and stability in cyberspace and ultimately, a framework for responsible state behavior. The core elements were set forth by the GGE Report of 2010. They are (a) norms, rules, and principles for the responsible state behavior; (b) confidence-building measures; and (c) cyber capacity building. These elements continue to shape the international discussion of cybersecurity.
The GGE Reports placed state practices for cybersecurity firmly in the existing structure of international relations and international law. These reports recommended that the principles of sovereignty, state equality, the UN Charter, and international law guide state relations in cyberspace. The reports included recommendations to cooperate with and assist other states, avoid destabilizing actions (such as the use of proxies or unlawful attacks on critical infrastructure), share information on threats, vulnerabilities and vulnerability mitigations, and build cyber capacity.
The 2013 Report established a number of important principles. International law, state sovereignty, and in particular the UN Charter, apply to cyberspace. States have jurisdiction over and are responsible for information and communications technology (ICT) infrastructure in their territories. Measures to improve cybersecurity must respect human rights and fundamental freedoms. States should cooperate against criminal or terrorist use of ICTs, harmonize legal approaches, and strengthen collaboration in law enforcement, and meet their international obligations regarding internationally wrongful acts. The 2013 Report called upon states to not use proxy forces in cyberspace and ensure that their territories are not used by non-state actors for unlawful acts.
The 2015 Report built on the conclusions of the 2013 Report and called on states to exchange information, cooperate in protecting critical infrastructure, and assist each other in the prosecution of cybercrime. 2015 reiterated the need to show full respect for human rights and privacy. It recommended that states take steps to ensure ICT supply chain integrity, share information on information technology vulnerabilities, and not interfere with other nations' computer emergency response teams.
One of the 2015 Report's most important contributions is the recommendation that a state must protect its national infrastructure and should "not knowingly conduct or support actions that intentionally damage or impair critical infrastructure contrary to its obligations under international law." This is not a ban on cyberattacks. These are still permitted if states observe the general principles of "humanity, necessity, proportionality and distinction" recognized in the 2015 Report.
In 2015, critical infrastructures such as electrical power, finance, or transportation were considered the areas of greatest vulnerability. However, threats to international peace and security have advanced since 2015. The most important of these involve political and election interference using hacking to acquire sensitive information, which is then used on social media to achieve political effect. Defending against these actions can create an inherent tension, with the fundamental right of the freedom of expression. This new kind of conflict that combines cyber actions with social media campaigns poses complex issues for the discussion of sovereignty and fundamental rights. The emphasis on protecting critical infrastructure found in the 2013 and 2015 Reports may need to be expanded to address these new threats.
The norms agreed to in the 2013 and 2015 GGEs are "non-binding." States are not ready to make formal, binding commitments (e.g., a treaty or convention). There are disagreements among nations that must be worked through first. A binding treaty would face serious issues developing agreed definitions, assuring compliance, and establishing verification. There are unanswered questions as to what kind of agreement would be most effective and difficult definitional problems—efforts to define “information weapons,” for example, quickly run afoul of the overwhelmingly commercial use and availability of information technologies. However, non- binding does not mean the agreed norms have no effect.
Application of the 2015 Norms to Date
We know from long experience that it can take years to reach agreement on important matters. The question before us then is how UN member states can reinforce both ongoing processes and existing agreements on norms, confidence building, and capacity building to increase stability and security in cyberspace and reduce the chances of conflict. The best approach will be to solidify and expand shared understanding of what has already been agreed.
If we were to measure progress by looking at adherence to existing norms, we would have to say that the results are mixed. There is an agreed framework for stability and security in state use of ICTs, derived from the recommendations of the 2015 Report of the UN Group of Government Experts (henceforth referred to as the “framework”). There has been good progress in the development of more inclusive and transparent processes, most notably with the creation of the Open-Ended Working Group. There has been significant work by regional organizations, chief among them the Organization of America States (OAS), the ASEAN Regional Forum (ARF), the African Union (AU), and the Organization for Security Cooperation in Europe (OSCE), in the establishment of confidence building measures. The attention and resources devoted to capacity building have increased significantly (although more is needed). All of these are positive steps, but there remains a deep sense of unease and concern in the international community over the potential for malicious state action in cyberspace.
The sources of this concern are the difficulty of assessing risks created by new technology and by profound changes in the international system, including the rise of influential new actors, pressures on the international structures created in 1945, and increasing tensions among major powers. Cyber incidents come at a time of increasing interstate conflict, often in the digital domain, and when international institutions created after World War II have come under increasing stress. In light of this, we can ask if the 2015 framework is sufficient.
Measuring the effectiveness of agreed norms and CBMs requires assessing if and how state behavior has changed. Given the degree of covertness used in most cyber operations, it can be difficult to calculate this. However, a number of nations have concluded that there have been instances were norms were not observed, and that in the absence of consequences for a failure to observe norms, the incentives to change behavior are small. The conclusion that there must be consequences when a norm is violated will reframe the discussion of cybersecurity. While the imposition of consequences could increase risks to stability in the short term, in the long term it is less destabilizing than a failure to act.
This makes the development of tools to manage cyber conflict, based on the 2015 Framework, an essential task. As national policies become more conflictual, risk will increase. One issue for multilateral discussion is how to slow this trend and minimize harm. An initial conclusion is that in this effort, the tools of diplomacy can be wielded more effectively through regular discussion among states, by increasing work on capacity building, and by finding stronger global mechanisms for building confidence and reducing distrust among potential opponents.
This discussion of threats and offensive cyber operations points to the difficult issue of the application of international law. While member states agree that international law applies to cyberspace, along with the principles found in the UN Charter, there is disagreement over how it should be applied. Some argue that new law is needed. The 2015 UNGA agreement removed a major impediment to the collective consideration of cybersecurity, the difficulty of defining “use of force” and “armed attack.” It created a new agreed threshold: “ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security.”
In addition, the ability to attribute the source of a malicious cyber action has improved to the point where there is sufficient information on some incidents to allow states to discuss them. Agreed norms call for caution in attribution and in ensuring that “all relevant information, including the larger context of the event,” is taken into account, but this was not intended to block all discussion.
These are areas where agreement is likely to be ultimately determined by state practice rather than some prescriptive or academic approach, and in this examination and definition of state practice there is an important role for the Security Council. In the interim, however, we should begin with the recognition that states’ obligations under international law in the physical world apply equally to cyberspace. Deciding on the appropriate consequences consistent with international law and practice for a decision by a state not to observe the 2015 norms has not received adequate attention. Progress in this area will depend on the further development of common understandings of state responsibility.
The more difficult question is whether, despite the growing sense of concern, risks to international peace and security in cyberspace are seen as sufficient to justify the accommodations and concessions necessary for effective agreement. It is worth noting that previous agreements such as the Geneva Conventions or the Responsibility to Protect were often post-facto, developed after some incident or conflict that led the international community to act. We may be approaching this point as the number of potential attackers and the consequences of a cyberattack continue to grow. If nothing else, the work taking place today can help us prepare. Discussion is complicated by growing disputes over the technology and governance of the digital environment, but the goal of reducing the risk of damaging conflict in cyberspace is in the interests of all nations and is achievable if the right mechanisms and processes can be created to put into practice the 2015 Framework.
Building Confidence in the Observation of Norms
CBMs fall into general categories of transparency, communication, and restraint. These often include the regular exchange of information on national policies, doctrine, and strategies. Formal agreements among nations to refrain from certain activities that could be perceived by others as destabilizing or to consult in the event of an incident that increases tension can also build confidence and trust. Since 2015, regional organizations (the OSCE, OAS, ARF, and AU) have led in the development and implementation of cyber CBMs. The work of the regional organizations engendered by the 2015 norms has been a major element of the implementation of the 2015 Framework.
If the initial issue for the 2010 GGE was that there was not enough trust among nations for a binding agreement, the situation has not improved at a global level, despite agreement in 2015 and the work of the regional organizations. Creating a repository of regional CBMs, as had been proposed in the OEWG, will not fundamentally increase confidence. Two questions to address are, where is there a broadly shared perception of risk sufficient to impel further agreement and how to further develop a consensus for further action, building off the progress made at regional levels.
A discussion of how to improve the observation of norms, define the scope of action for attributable incidents, and expand the remit of CBMs, highlights the value of convening a new Group of Government Experts. At the conclusion of the discussion in 2015 there was general agreement that a more inclusive and transparent process was needed. This helped lead to the creation of the OEWG and the level of discussion and participation in the OEWG has been impressive. It provides a vehicle to take forward the idea of regular dialogue on cyber issues among all member states. But in practice, the OEWG, while valuable for allowing all member states the opportunity participate and expressing their views, is a difficult venue for interactive or deep discussion of complex issues. Convening a group of experts using the GGE format allows for sustained and closed discussion that increases the likelihood of finding compromise and agreement.
Next Steps for Multilateral Discussion
Cybersecurity was for too long considered a tertiary issue for international security. This has changed. As digital infrastructures become central to economic and social activity, the ability to interference with them could create grave consequences. The need to prevent such consequences has become a central issue for national and international security. Cybersecurity’s importance for international security will continue to grow, and the international security agenda must reflect this. What can usefully be done in a politically constrained environment? This brief discussion points to an agenda of work of the international community. The items on that agenda could include:
- The development of some mechanism for regular institutional dialogue on cybersecurity under the auspices of the United Nations (perhaps through some continuation of the OEWG);
- Strengthening the connection between regional and global agendas on cybersecurity;
- Creating a mechanism to globalize the progress made regionally on CBMs (and this means more than a repository);
- Defining appropriate responses for the non-observation of agreed norms; and
- Expanding cyber policy capacity in coordination with private initiatives (like the Global Forum on Cyber Expertise).
Many of these topics have been the subject of research and analysis, and each deserves separate discussion. But as we approach the 75th anniversary of the United Nations in September, there is an opportunity to raise the profile and reinforce the observation of the normative framework agreed upon in 2015. Today’s discussion is a valuable step in this direction.
James Andrew Lewis is a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2020 by the Center for Strategic and International Studies. All rights reserved.