The ICT4Peace Foundation, as part of its ongoing work on Cybersecurity and Resilient Internet has called for enhanced cooperation among states to promote a peaceful, secure, open and cooperative ICT environment. In particular it calls for norms, rules and principles of responsible behaviour by States and Non-State actors, as well as voluntary measures to increase transparency, confidence and trust among them.

At the Seoul Conference on Cyberspace in October 2013, ICT4Peace convened a meeting to discuss how the international and regional cybersecurity processes can be made more inclusive of and also more relevant to the cybersecurity concerns and priorities of a broader range of state and non-state actors. The meeting inter alia agreed that norms and CBM processes need to be underpinned by the principles of shared responsibility, responsible behaviour, inclusion, collaboration and transparency (see more here and the ICT4Peace Seoul Statement here).

In recent months we also witnessed an increase in diplomatic activities related to Cybersecurity at the UN General Assembly, in particular the First Committee (Disarmament & International Security) and the Third Committee (Human Rights). Please find below a description of and commentary on these activities by Ambassador Paul Meyer (ret.) (Canada), Adjunct Professor of International Studies and Fellow in International Security at Simon Fraser University and Senior Advisor of the ICT4 Peace Foundation, published in Opencanada.org.

###

The issue of cyber security is quickly making its way up the agenda of global public policy issues demanding attention. At the current 68th session of the UN General Assembly, the subject of cyber security has surfaced in two resolutions: one before the First (Disarmament & International Security) Committee and the other before the Third (Human Rights) Committee[1]. The policy guidance contained in these resolutions will have considerable influence on how the international community will treat this quintessentially global issue in the months to come.

The First Committee resolution, entitled: “Developments in the field of information and telecommunications in the context of international security”, has just been adopted without a vote in the Committee. It builds on a succession of resolutions in recent years, initiated by Russia, which have drawn attention to the potential use of these technologies for purposes “inconsistent with the objectives of maintaining international stability and security” and have authorised studies by a UN Group of Governmental Experts (GGE) yielding consensus reports in 2010 and 2013.

These reports, which carefully balance the views of the 15 member state representatives participating, have generated several recommendations, including that states sustain a dialogue regarding “norms of responsible state behaviour” and consider adopting confidence building measures “to help increase transparency, predictability and cooperation”. The 2013 report also included the significant affirmation that “international law, and in particular the Charter of the UN, is applicable [in cyberspace]”; this in response to suggestions from some quarters (e.g. China) that new laws may be required. As noted in my on the most recent GGE report, such confidence building is especially desirable at the international level in the wake of the confidence destroying revelations of former NSA contractor Edward Snowden.

The adopted First Committee resolution, while making no explicit reference to these developments, does direct the establishment of a further GGE with an expanded mandate that would include, in addition to the study of threats and cooperative measures, the issues of the use of information and communication technologies in conflicts and how exactly international law applies to state use of these technologies. This GGE is to begin its work in 2014 and to report its findings to the 70th session of the General Assembly in 2015.

Although the consensual adoption of the resolution suggests an encouraging harmony on the part of states, this like-mindedness is veneer thin. In the First Committee debates surrounding the cyber security issue, the divergent views of states on substance were frequently evident. Australia, which had supplied the chair for the latest GGE, stressed the importance of the conclusion that existing international law applies to cyberspace and lamented the fact that the current resolution “was silent on this key issue”. In a general statement presented by Sweden on behalf of 40, chiefly European states, the emphasis was placed on the importance of the “free flow of information in cyberspace” and upholding the principle (recognized by the UN Human Rights Council last year) that “the same rights we have offline need to be protected online”. The U.S. representative spoke of the need “to create incentives for cooperation on shared threats and to avoid conflict, and to create disincentives for states to disrupt one another’s networks or infrastructure”. While supportive of the resolution, the U.S. did register a complaint over the plans to expand the new GGE from 15 to 20 members, citing cost and efficiency concerns. Canada, for its part, underlined that freedom of opinion and expression was not a source of insecurity.

Contrasting views were advanced by other states taking the floor on this subject in the First Committee. Russia, at the origins of the resolution, was suitably humble about its success, but made its aim to counter emerging cyber warfare perfectly clear. In speaking of the GGE report, the Russian representative said its key achievement was that it “is focused rather on the need to prevent interstate conflicts in information space than on their legitimisation”. The Pakistani representative declared that “the hostile use of cyber technologies can indeed be characterized as weapons of mass destruction and disruption” and called for their use to be regulated sooner than later. The Egyptian representative also warned of the danger of cyber attack and said that the UN Charter prohibition on the use or threat of force would encompass “the destruction or causing harm in any form to all layers of the information and communication technologies infrastructure, whether physical or digital, of a member state”. Cuba chose to use the issue as a handle to complain of the U.S. campaign of “radio terrorism” against it, referring to the use of aircraft to broadcast illegally to Cuban territory in violation of international telecommunication regulations.

In light of the adopted resolution, the GGE’s study of the international security dimension of cyberspace will continue, but as the mandate of the group becomes more specific it will increasingly be challenged to find enough common ground on which to base a consensual report that adds value to what has already been produced. The conflicting currents of state views as evidenced in the First Committee debates are unlikely to be resolved via the GGE process and states will have to look to other multilateral, regional and bilateral forums to see what might be feasible in terms of confidence building measures and agreed norms of behaviour.

If the Snowden revelations were a silent presence during the First Committee deliberations on cyber security, they were front and centre in the context of the Third Committee’s work. It is no coincidence that the lead sponsors of a new draft resolution entitled, “The right to privacy in the digital age” just submitted to the Committee are Brazil and Germany, the prime victims of NSA electronic surveillance operations directed at their leadership. Brazilian President Dilma Rousseff told the General Assembly back in September that her country was not going to let this incident pass and called for action “to prevent cyberspace from being used as a weapon of war” (see OpenCanada Oct 23). Although President’s Rousseff’s language suggested an initiative on the international security front at the UN, in the end, Brazil and Germany decided it was best to present the matter in the context of respect for international human rights law and the right to privacy in particular.

The draft resolution has been submitted to the Third Committee and should come to a vote at some point prior to the Nov 27 termination of the Committee’s session. When it does reach the voting stage, it is likely to enjoy wide support. The text, which avoids naming any state culprit, is framed in the human rights law and tradition of the UN system. It emphasises that “illegal surveillance of communications, their interception and the illegal collection of personal data constitute a highly intrusive act that violates the right to privacy and freedom of expression and may threaten the foundations of a democratic society”. The draft recalls the obligation of states to “ensure that measures taken to counter terrorism comply with international law” and cites the right to privacy provisions of the International Covenant on Civil and Political Rights as well as the Universal Declaration of Human Rights. In its operational section, the resolution calls upon states “to take measures to put an end to violations of those rights” and specifically “to establish independent national oversight mechanisms capable of ensuring transparency and accountability of state surveillance of communications, their interception and collection of personal data;”. Finally the resolution requests that the UN High Commissioner for Human Rights report “on the protection of the right to privacy in the context of domestic and extraterritorial surveillance of communications, their interception and collection of personal data”, with an interim report to be submitted by next year and a final report to the 2015 session of the General Assembly.

Debate on this draft will soon get underway in the Third Committee and should make for some lively discussion. Whatever the nature of these diplomatic exchanges, the fact of the resolution’s introduction represents a decision on the part of some influential capitals to take state-conducted cyber espionage out of the shadows and place it in the dock of global public opinion as represented by the General Assembly. Ironically, it will be difficult for the U.S. and other defenders of human rights online to contest the call for state action to prevent violations of some of these key rights being perpetrated in cyberspace. The difficult political and legal questions underlying references to “unlawful interference with privacy” and constraints on “extraterritorial surveillance” should keep lawyers and diplomats busy for months if not years to come.

At the same time, the challenge of reconciling the occasionally conflicting imperatives of ensuring national security and respecting human rights cannot be ignored by governments or citizens alike. At the multilateral level, the UN will have to begin to address the cyber security issue in a more coherent fashion. The General Assembly can ill afford to have two deliberative streams (i.e. the First and Third Committee) acting in ignorance of one another. The airing of declaratory policy at the annual General Assembly sessions should not substitute for purposeful action by states in more operational forums to tackle the pressing problems raised by destabilizing state conducted cyber operations. As national as well as global “netizens”, we all have a stake in sustaining “an open, secure, peaceful and accessible” cyberspace.

[1] The First and Third Committee resolution texts can be accessed through the UN official document service website via their respective document numbers, A/C.1/68/L.37 and A/C.3/68/L.45.”

See also by Paul Meyer