For more than 20 years, countries have been trying to negotiate some way to bring order over cyberspace. During those years cyberattacks have only increased.
In fact, for the past three years, two United Nations bodies — the Group of Governmental Experts (GGE) and the Open-Ended Working Group on cybersecurity (OEWG) — have separately been working on the same governance issues, with little progress to show. This is often portrayed as fighting between Western and authoritarian governments.
However, some experts, including Josh Gold, a former research assistant at the University of Toronto’s Citizen Lab who specializes in cyber governance, think a quiet proposal by France and Egypt earlier this month may pave the way to getting something done.
Called a Programme of Action on Advancing Responsible State Behaviour in Cyberspace (PoA for short), it suggests creating a new body that can split governance into several issues to be dealt with individually. Where there is consensus, countries will start acting. Where there isn’t, those issues will be left alone.
A problem with both the GGE and OEWG is they both rely on consensus. If one country objects, resolutions fail. A cyber PoA gets around that. Its goal would be urging countries to implement cyber principles they agreed to in 2015.
It’s one of several suggestions for ending the dual-track GGE and OEWG talks on norms for cyberspace and moving to a single body. The future of the OWEG will be discussed in December.
If there is unanimous approval the PoA proposal could be part of the OEWG’s final report, which is scheduled for release in March 2021.
A cyber PoA “could eliminate redundancy, duplication, and the added cost of having two bodies dealing with essentially the same thing,” Gold, who just left Citizen Lab, said in an interview last week.
Gold said the proposal hasn’t been finalized. Among diplomats, it’s called a “Food for Thought” document. However, it is getting notice.
Earlier this month a blog by two French researchers argued that a cyber PoA “allows for concrete discussions and progress within working groups devoted to specific issues.” In that sense, they wrote, it could combine the best of the Group of Experts and the Open-Ended Working Group.
Gold also said Australia recently released an informal discussion paper outlining the pros and cons of the proposal.
Meanwhile, Russia, which insisted in 2018 on creating the OEWG on cybersecurity, is now proposing creating a new Working Group with a five-year mandate. To some that essentially would keep countries just talking.
By contrast, the cyber PoA, which is based on a 20-year-old UN program for limiting the international distribution of small arms, is aimed at accomplishing goals. The suggestion is it would start with a “political declaration” reaffirming that international law applies in cyberspace and the 11 norms of responsible state behaviour in cyberspace agreed by consensus in the 2013 and 2015 GGE sessions. Crucially, the 2015 agreement was adopted by the entire UN. After that, the goal of the PoA would be getting countries to implementing what has already been agreed to.
Briefly, the 2015 GGE:
- Recognizes the principle of state sovereignty, the settlement of disputes by peaceful means, and non-intervention in the internal affairs of other States, applies to cyberspace.
- Recognizes that states must comply with their obligations under international law to respect and protect human rights and fundamental freedoms.
- Agrees that UN should play a leading role in developing common understandings on the application of international law and norms, rules and principles for responsible State behaviour.
- Agrees with other norms, rules, and principles on the responsible behaviour of States. One was that countries should not conduct cyber activity that intentionally damages critical infrastructure. Another is that states should not harm authorized computer emergency response teams (CERTS).
A cyber PoA would focus on how countries are implementing these principles. The suggestion is it would meet every year, with nations publicly presenting their progress. The world would see who isn’t progressing. Every five years there would be a consensus-based review conference, which would potentially allow the introduction of new norms or resolutions.
So far 40 countries have signed on to the proposal including Egypt, Singapore, Japan, Norway, Ecuador, Gabon, the United Kingdom and the European Union. Canada and the U.S. aren’t among them.
In response to a question from IT World Canada, Global Affairs Canada said the government is interested in the Programme of Action proposal. “The proposal offers a way forward that would allow the UN and the international community to focus on implementing the acquis of previous UN Groups of Governmental Experts when it comes to norms of State behaviour, confidence-building measures and the applicability of international law in cyberspace.
“Canada welcomes the broad and diverse support that this proposal has received among UN member States and looks forward to discussing this proposal in more detail at the December 1-3 OEWG informal meeting, which will focus on the future UN cyber mechanism.”
A separate UN body is also looking at possible rules to smother cybercrime. Called the ad hoc committee of experts on cybercrime, it was created in December 2019. Before COVID-19, it had been scheduled to meet in New York in August 2020. So far, Russia has support for a resolution proposing the creation of a global cybercrime treaty. However, Global Affairs Canada says Canada and others believe nations should use existing tools. One of them is the 2004 Budapest Convention, which sets out common procedures for law enforcement co-operation in cybercrime cases. One expert says Russia’s attempt to get a treaty advances its long-standing goal of replacing the Budapest Convention.
The GGE approach had been showing promise until 2017 when countries failed to reach a consensus on a final report.
Gold was watching the OEWG as part of his work for Citizen Lab, even attending three sessions as an observer in New York before the pandemic shut down in-person meetings. In a column for the Council on Foreign Relations, he summarized proposals made to the OWEG in April.
About 120 countries have either joined statements of others or given statements, he said. “That’s been really valuable for different countries to hear what others are thinking, and it helps with the back and forth. A lot of countries understand things better. Not every country has diplomats who have been dealing with cybersecurity issues for decades, so this [discussion] helps get other countries on the same level. The whole group serves as a confidence-building measure in that when things are tense or when views are misunderstood there’s a forum where countries can get together and speak.”
At the moment the second draft of a final resolution is circulating. Canada is among the countries proposing changing certain wording of the draft including guidance on implementing the norms agreed to by the 2015 GGE.
Since physical meetings of the OEWG have been replaced with phone calls it’s hard to assess the mood, Gold said. There are new proposals from the informal September meetings, but he says the movement is “stagnating.” There are also meeting proposed for November and December.
Asked if at this point there is a movement to the necessary consensus, Gold said, “based on what I’ve heard from diplomats they give it a one out of three or 50/50 chance of a [final] report.”