ICT4Peace experts have called since 2004 for more robust international cooperation among states against threats resulting from the malicious use of ICTs to reduce risk and enhance security and to promote a peaceful, secure, open and cooperative ICT environment. ICT4Peace called for norms, rules and principles of responsible behaviour by States, as well as voluntary measures to increase transparency, confidence and trust among them. And they must do so in cooperation with the private sector and civil society. ICT4Peace experts have been involved in or supported the work at the OSCE to develop Confidence Building Measures (CBMs) for the Cyberspace or the “UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security“ (UN GGE) in New York. Regarding CBMs for the Cyberspace, ICT4Peace recently held a workshop at ETH Zurich, the report of which is here.

Regarding the work of the UN GGE on Developments in the Field of ICT and International Security, the UN has now published its latest report, which is, given the present international political environment remarkably constructive and presents a very useful road-map with recommendations for future work, around the following three main areas: 1.)  Recommendations on norms, rules and principles of responsible behaviour by States; 2.) Recommendations on confidence-building measures and the exchange of information; and 3.) Recommendations on capacity-building measures.

Please find below a brief commentary on this report by Ambassador Paul Meyer (ret.) (Canada), Senior Advisor, ICT4Peace, Adjunct Professor of International Studies and Fellow in International Security at Simon Fraser University and member of the ICT4 Peace Foundation Team, published in Opencanada.org:

“In the world of multilateral diplomacy, to have states arrive at a consensus agreement on anything is a cause for some celebration. Given the sensitivity of the subject matter and the disparities in power, the fact that a 15 nation UN Group of Governmental Experts was able to issue an agreed report on prospects for international cyber security cooperation is a welcome development. Such expert groups or GGEs are frequently resorted to when UN member states wish to address a relatively new topic, and  to generate recommendations as to how the issue should be handled in future.  The GGE “on Developments in the Field of Information and Telecommunications in the Context of International Security” finalized its report in early June, and it has just been released as one of the documents to be considered by this fall’s 68th session of the UN General Assembly.

The current report follows upon an earlier GGE study in 2010, which in turn reflects a widely-supported Russian-led initiative at the General Assembly to consider the international security implications of the new environment of cyberspace.  The terminology here is still in flux – the UN study uses “information and communication technologies (ICTs)”– but the focus is on the Internet and the threats to cyber security that exist in this unique environment. These threats, the report notes, have increased in recent years “as ICTs are used for crime and the conduct of disruptive activities”. Not surprisingly, the GGE recognizes that “States also have an interest in preventing conflict arising from the use of ICTs” and concludes that “international cooperation is essential to reduce risk and enhance security”.

So far so good, but what exactly is the content of this international cooperation that the GGE espouses? The experts’ recommendations are set out in three sections: norms, confidence building measures and capacity-building. The carefully crafted text reveals both the potential and the limits of the envisaged international cooperation. Under the section on “norms, rules and principles of responsible behaviour by States” the report affirms that “The application of norms derived from existing international law relevant to the use of ICTs by States is an essential measure to reduce risks to international peace, security and stability”. This assertion of the relevance of international law to the new domain of cyberspace was a key objective of the U.S. and other Western states. The inclusion of this sentence will be viewed as a gain, even if it is immediately conditioned by two other sentences noting that how these norms apply to State behaviour requires further study, and that additional norms geared to the unique attributes of ICTs could be developed in future.

The latter caveats represent views that non-Western states, notably Russia and China, have expressed. These two states are the chief proponents of the “Code of Conduct for Information Security” which was put before the UN in 2011 as a basis for state behaviour in cyberspace and which emphasizes sovereign control over a country’s “information space”. Given this orientation, it is understandable why Russia and China could not convince the GGE to do more than “take note” of their proposal. This balancing act between Western and non-Western preferences continues throughout the discussion of norms, with a paragraph on the applicability of  international law for instance being immediately followed by one affirming the applicability of state sovereignty to ICT-related activities and infrastructure.

Confidence-building measures are the focus of the next section. The report endorses, albeit rather tepidly, the role of such measures in reducing the risk of conflict: “States should consider the development of practical confidence-building measures to help increase transparency, predictability and cooperation…” The report provides an illustrative list of possible measures, including the exchange of information on national strategies and policies; the creation of bilateral, regional and multilateral consultative frameworks for confidence-building; enhanced information sharing on ICT security incidents; and enhanced mechanisms for law enforcement cooperation.  This last measure points to the security challenge posed by cyber criminals or terrorists to inter-state cooperation as the report notes that enhanced international law enforcement cooperation would “reduce incidents that could otherwise be misinterpreted as hostile State actions”.  This section presents a reasonable menu of confidence-building measures, but their actual adoption is left up to states to decide on, bilaterally or in multilateral forums, and to date the take up has been limited.

The last set of recommendations concerns capacity building, which the report observes “is of vital importance to an effective cooperative global effort on securing ICTs and their use”.  The great disparities in cyber capacity and the developmental orientation of the majority of UN member states explains why a call by the GGE for states “to provide technical and other assistance to build capacities in ICT security “ would figure in the report.

The GGE report concludes by noting that progress in the international cyber security realm “will be iterative, with each step building on the last”.  Left unsaid is that the iterative process may not simply be in the direction of enhanced security for state actions can detract from as well as contribute to the level of international security in cyberspace.  Recent revelations of sophisticated state-conducted actions of espionage and sabotage demonstrate the real risks to the international community’s welfare if “norms of responsible state behaviour” are not developed and implemented internationally.  The GGE’s issuance of a consensus report, even if its recommendations are modest, is a welcome development. The real test of its significance however will be the extent to which states actually embrace its recommendations and incorporate the proposed measures into their foreign policies for cyber security”.

Please find also the following publications of ICT4Peace on cyber security and a resilient Internet.