In view of the ongoing UN Negotiations (UN OEWG and UN GGE) ICT4Peace Proposed [1] a State “Cyber Peer Review Mechanism” for state-conducted foreign cyber operations.
It has been generally acknowledged that some form of mechanism to hold states to account for their cyber operations affecting other states would be desirable. Such a mechanism would be premised as a cooperative process that would be state-centric, but which would also provide for the input of other stakeholders. Among existing models, the Human Rights Council’s Universal Periodic Review (UPR) mechanism [2] is especially relevant to the cyber security context in its combination of state-led mutual examination and NGO input and participation. The Universal Periodic Review applies to all 193 UN member states with a periodicity of approximately once every 4.5 years. While this timing and scope is appropriate for the scrutiny of human rights implementation, something more selective and frequent for foreign cyber activity would be preferable.
It is suggested that the initial scope of the cyber peer review (CPR) would be those states which have declared a capability for offensive cyber operations by their militaries or foreign intelligence agencies. These states (estimated at some 30) merit being the focus of scrutiny due to their practical capacity to engage in projecting cyber force beyond their borders and their declared commitment to abide by international law in their cyber operations. The smaller subset would also permit the CPR to have a more regular periodicity, perhaps on an annual basis. On this basis the CPR would consist of the following six stages:
- State under Review (SuR) would submit a report on its foreign cyber activity and its implementation of agreed UN norms of responsible state behaviour in cyberspace.
- Other stakeholders could submit their own input regarding the conduct of the SuR.
- Secretariat would compile these reports and post them to publicly accessible website.
- A working group of three states not part of the CPR pool would hold a half-day session with the SuR after which it would prepare a report with findings/recommendations.
- The SuR would have the opportunity to submit a written response to the WG report.
- The WG report plus SuR response would be forwarded to an oversight body which would hold each year one-hour long sessions per state for consideration of these inputs with provision for oral statements by the SuR, other states and other stakeholders. The oversight body could be the First Committee, a subsidiary body of the First Committee or some other inter-governmental forum assigned this task. The CPR session would be webcasted and documents posted to the CPR website. Costs could be limited by incorporating the CPR into the work program of an existing body. The private sector might be encouraged to contribute to a CPR fund given its interest in accountability.
This basic framework would respect the principle of a transparent, state-led review mechanism incorporating input from civil society and the private sector. It would enable those states possessing the capability for offensive cyber operations to reassure the international community that these capabilities were being employed in a manner consistent with international law and agreed UN norms of responsible state behaviour. The establishment of such a CPR mechanism would be a worthy recommendation from the OEWG and would represent a pro-active response to the threat to international peace and security posed by unrestricted state-conducted foreign cyber operations.
The suggested CPR would build on the proposal by the Mexican delegation to establish a reporting process for the implementation of norms and to identify and share best practices in this area.[3]
Paul Meyer, Senior Advisor ICT4Peace, March 1, 2020
***********
[1] ICT4Peace has launched this proposal at the second substantive Meeting of the UN Open Ended Working Group (UN OEWG) from 10 to 14 February 2020 at the United Nations New York, (See ICT4Peace Statement).
[2] Human Rights Council’s Universal Periodic Review (UPR) mechanism.
[3] The proposed CPR would complement the ICT4Peace proposal for an independent network of organizations engaging in attribution peer-review, see link here