This is the third edition of Eneken Tikk’s Cyber Norms Blogposts. In these posts Dr. Eneken Tikk, Senior Advisor ICT4Peace Foundation, offers her insights on the international cyber norms dialogue in view of the forthcoming negotiations in the context of the UN GGE and the UN Open Ended Working Group (OEWG).
It may be overlooked that the cyber norms discussed and recommended by regional and international bodies can only be implemented at the national level. This explains why the UN GGE’s recommendations on cooperation, information exchange, even due diligence, have no real prejudice on international law – from the perspective of most of Western diplomats, they are not about international law. They are about national level political attention, effort, performance and responsibility.
This vocabulary is, no doubt, confusing and even alarming to the international law community. Due diligence, seen by many as a legally binding obligation, seems to be reduced to a ‘voluntary and non-binding’ status. Such views are in line with the Russian conception of norms: norms cannot be implemented until they become binding, either by a treaty or as part of customary international law.
Both understandings of the status of ‘norms’ are present in any international cyber dialogue. This blog post focuses on the first proposition – the complex and cumbersome, but also fruitful and inevitable interrelationship, in achieving cybersecurity, between national and international law and regulation. In short, it examines how international level cybersecurity relies on national law and highlights how national cybersecurity, in turn, depends on international law.
When addressing the interaction of national and international efforts, one must be clear about what cybersecurity is about. At the international level, we have all learned to push back on the term ‘information security’. Some of us have also concluded that cybersecurity is not the right terminology much for speaking about international telecommunications, because cybercrime, human rights and the global culture of cybersecurity are less at issue. About what is it then?
This is in large part to the manner in which international dialogue on this matter is currently structured. Under the UN First Committee mandate, it has been framed as, and therefore limited to, issues of international peace and security that require, justify and allow normative responses at international level. In this context, the Russian position broadly reads that issues of cybersecurity require extensive normative intervention at international level through a binding international instrument, whereas the American proposition is that cybersecurity requires extensive normative intervention at national level.
Europe and America would slightly disagree about the nature of national level normative action. Europe, in particular the European Union, has a long and successful tradition of regulating issues like electronic communications, personal data protection, intellectual property, information society services and e-commerce. The US normative culture is less immediate regulation heavy, based more on policies and principles.
Regardless of the legal system in question, at the national level cybersecurity becomes everything it in international peace and security discussion it is not. National strategies and legislation break this politically framed complex issue back into pieces like telecommunications, data protection, prevention of cybercrime, consumer protection and product liability. This is how national level legislation works. In individual countries, cyber security becomes good old information assurance, with added emphasis on political risk, the increased need of international cooperation and better coordination across government authorities as well as with the private sector.
Even the about dozen specifically focused national cybersecurity acts to date break cyber down into computers, computer networks, data, information and communication. They translate security into known and established considerations of confidentiality, integrity and availability, at individual, organizational, national, and even international level. They typically add the regulation on critical infrastructure and/or critical information infrastructure and create or coordinate mechanisms of large-scale IT security incident prevention and management.
At the national level, therefore, cybersecurity becomes a “handshake” – mutual recognition and consideration – between different government institutions, operators of critical infrastuctures and services, Internet and IT service providers, academia and the general population. This handshake is testimony of an understanding of the importance of cybersecurity as a guarantee to our way of life. It rests on an acknowledgment of our dependence on the functioning of ICT infrastructure, availability of services and trust in products and processes.
For the international discussions, understanding the nature and extent of the relationship between national and international law is essential in several ways. First, this understanding facilitates managing expectations as to what does, and what does not, belong to the international peace and security discussion. Second, it allows clarity about what needs to, and can, be mitigated at international (as opposed to national or regional) level. Third, minding this connection prevents unnecessary tension between the political and academic, technical, legal and diplomatic communities. Fourth, it explains how the recommendations, such as those of the 2014-2015 UN GGE, should not be merely promoted as new norms but, to a large extent, referred to new normal. After all, these recommendations are based on expert guidance (that, for sure, is premised on respective national (!) experience), but also on the actual national legal and strategic approaches to the issue. Furthermore, national legislation, just as national strategies, offer important leads on how to interpret and implement the sentences in the UN GGE report or the OEWG resolution.
It is not hard to see how the international and national cyber and information security processes and efforts are not only compatible but mutually reinforcing. Acknowledging their respective difficulties, challenges, but also successes and achievements is a prerequisite to maximizing the utility of their respective tools – be it rules and standards of international law, national strategies, confidence-building measures, computer incident or emergency response capacity, or cybercrime cooperation.
For further work, if one dives deeper in the UN-level exchange about security implications of uses of ICTs, one would find that there are many recommendations as to what has and should be achieved at the national, rather than international, level. From a national legislation point of view, it is easy to find support to already proposed norms as well as their actual implementation, which, in turn, helps with calibrating future discussions on universal implementation of cyber norms. And for those who are looking for inspiration for their next norm proposals – national laws are a real muse!
Dr. Eneken Tikk
Disclaimer: The views expressed in these Blogposts are not necessarily those of the ICT4Peace Foundation.