By Amb. Paul Meyer

A fragile consensus over norms of responsible state behaviour in cyberspace, as Paul Meyer observes, has fallen victim to East–West geopolitical tensions. Paul Meyer is Senior Advisor to ICT4Peace. His article was originally published in Opencanada.org on 15 November 2018.

If finding common ground on the sensitive issue of state conduct in cyberspace was not already difficult enough, then the results of this fall’s United Nations General Assembly First Committee, which focuses on disarmament and international security, has made it all that more complicated.

After more than a decade of slow but steady progress on identifying norms of responsible state behaviour in cyberspace, the existing consensus has broken down and a bizarre, bifurcated path has been adopted for the future.

Over the last decade, work at the UN on international cyber security had advanced via a set of consensus resolutions establishing a series of Groups of Governmental Experts (GGE) that had considered the matter. These groups are comprised of 15 to 25 state representatives who normally study an assigned issue for two years and issue a report if they can agree upon one. Three of these GGEs, in the years 2010, 2013 and 2015 respectively, had adopted consensus reports containing ever more detailed recommendations on norms and measures for responsible state behaviour in cyberspace. For instance, the 2013 report affirmed the applicability of international law to the novel realm of cyberspace and the 2015 report produced a set of measures to govern state conduct, such as refraining from cyber operations directed at critical infrastructure on which the public depends.

However, signs that this consensual approach was starting to fray came with the failure of the most recent GGE (2016-2017) to agree on a consensus report. Differences over defining how international law applied to the realm of state cyber action was the proximate reason for this failure, although it was clear that deteriorating geopolitical relations amongst leading cyber powers, such as the United States, Russia and China, was impinging on their GGE representatives’ ability to find compromises that would allow for consensus results.

Against this backdrop, there was considerable interest (and concern) as to how the entire issue of cyber operations and norms of responsible state behaviour would be handled when delegates to the First Committee assembled at UN HQ for their annual, month-long session starting October 8. 

Russia, which for 20 years had been the lead on UN resolutions providing for consideration of international cyber security, decided to move beyond the existing format of a series of consecutive GGEs and seek a more ambitious outcome. This took the form of a draft resolution that integrated elements of a “Code of Conduct for Information Security” that Russia and China have been peddling at the UN since 2011. Several of these elements emphasized the control of information and affirmed expansive sovereign rights for states to protect their “information space” against damage “resulting from threats, interference, attack and sabotage.” In practice these general and unilaterally determined “threats” could be utilized to justify censorship, surveillance and repression by authoritarian regimes. Not surprisingly, such language was viewed negatively by Western states.

Procedurally, Russia also opted to bypass the GGE format, with its restricted participation and opaque proceedings, in favour of an Open-Ended Working Group (OEWG), a diplomatic process that allowed for all interested UN member states to participate. The OEWG would also have more of a “negotiation” rather than a “study” mandate “to further develop the rules, norms and principles of responsible behaviour of States.”

The US and its Western partners reacted negatively to this innovation, with criticism that Russia was “cherry-picking” aspects of the previous GGE reports resulting in a selective and distorting depiction of what had been agreed earlier. These states also supported a continuation of the existing format of restricted GGEs, albeit with provision for a couple of days of open consultations with the wider membership, thereby responding to the mounting chorus of states calling for a more inclusive process. The US and associates introduced their own resolution that, ironically, in its specifying of a GGE that would operate over two years, largely reflected the content of the traditional Russian-led resolutions that had received consensus support up to now.

The First Committee was therefore presented by the end of October with two competing resolutions, one led by Russia and the other by the USNormally, the expectation would be that the respective originators of the two resolutions would work together in the two weeks remaining in the session to fashion a single resolution that would continue to attract general support and could be adopted without a vote (thus imparting more authority to its policy direction, not to mention greater efficiency in its implementation). 

Alas, it is a sad commentary on the current state of cooperation amongst states on this subject matter that forging such a compromise resolution proved impossible. Although Russia did offer up a revised version of its original draft, removing some especially contentious elements, the basic direction of its resolution remained unchanged.

In the event, the Russian and the US resolutions were voted on by the First Committee on November 8 with both texts being adopted by a considerable margin.

“The international community is now faced with two parallel and competing processes, ostensibly dealing with the same subject matter.”

Most delegates that took the floor with explanations of vote expressed disappointment that a single resolution had not been agreed, although some (mainly ASEAN states) tried to put a positive gloss on developments by suggesting that the two processes could somehow complement one another.

Canada, which aligned itself with the US, delivered an explanation of vote on behalf of a small grouping of Western states (Australia, Estonia, the Netherlands, Norway and the UK) that voiced regret over “the strange turn of events” and the inability to agree on a single resolution. The statement also expressed support for an “expert-led GGE that is both representative enough to bring about outcomes that all can agree to and nimble enough to do so in a reasonable time frame.” The support for continuing to entrust this work to “experts” would carry more weight if states were actually nominating subject matter experts to the cyber GGEs. The practice of states for some years, however, has been to populate the GGEs with serving foreign ministry officials with the inevitable result that these deliberations tend to mirror the official national positions put forward in the wider intergovernmental forums and do not necessarily yield progress.

Several states, such as Egypt and Iran, that had supported the Russian resolution and its establishment of an OEWG, argued that it was time to move beyond the “status quo” of small group consideration of norms and engage in a multilateral negotiation of concrete measures. The existing GGE process of the last 15 years, they said, was flawed and a new tack was necessary to produce tangible progress. 

The breakdown of consensus at this year’s First Committee on how the UN should manage consideration of cyber security in the future is a serious setback for those who had hoped that the international community could develop common understandings and collective approaches to defining norms for state conduct in cyberspace. 

The international community is now faced with two parallel and competing processes, ostensibly dealing with the same subject matter, which will challenge both the capacities and the coherence of the UN going forward. It will require a special diplomatic effort on the part of concerned states to retrieve some form of common purpose for international cyber security from the schism that has so dramatically opened up at this General Assembly session.