Accountability: the missing ingredient in the comments by states on the OEWG draft report

In reviewing the extensive commentary on the Chair’s “Pre-draft” report on the UN Open Ended Working Group (OEWG) Negotiations submitted by states (some 44 national submissions), I am struck by the absence of a key concept: “accountability”.

With the exception of one indirect reference to the term in the submission from Argentina, the word (and concept) is absent from the input states have provided. The “Pre-draft” report’s reference to accountability are indirect as well, being noted only in the context of a “binding framework” (para 28) and a “common approach to attribution” (para 32) as possible side benefits.

This is in marked contrast to the role the concept played in statements from other stakeholders as evidenced by the dedication to this theme of an entire section of the report on the intersessional meeting with stakeholders held December 2-4, 2019 (see paras 57-60).

It should be noted that the terms “transparency and accountability” are mentioned in the comments from the Netherlands and South Korea, but only in the context of principles that should apply to the capacity-building efforts of states. Why one might ask are the benefits of applying these concepts to state action only to be confined to capacity building endeavours and not extended to other dimensions of state action?

The answer presumably lies in the reluctance of states to acknowledge the value of subjecting official action in cyberspace to some form of public or peer scrutiny. Certain states are sensitive to having their cyber operations reviewed and possibly questioned.

The joint proposal put forward by Australia and Mexico and several other states calls for the creation of a survey of implementation by states of agreed norms. Such a survey, especially one based on a common template permitting comparative analysis, would indeed be a useful measure to assist in filing the information void that currently exists on state conducted or sponsored cyber operations. It would also enable self-reporting by states on their implementation of the existing agreed norms, with all the pluses and minuses of this form of information sharing.

Input to a shared survey on implementation represents, however, a necessary if insufficient measure to achieve meaningful accountability for state cyber action.
Unless such a survey is linked in some fashion to a review process that enables states to be questioned and even challenged on their actions, and which permits for input from non-state stakeholders, its ultimate value will be limited. Having the Office of Disarmament Affairs issue a compilation of state inputs to such a survey request, doesn’t progress much beyond the current compilations of states views produced pursuant to earlier UNGA resolutions.

At a time when damaging malicious cyber activity is on a rise (many states stressed in their comments the unacceptable attacks on health care services occurring during the current pandemic) there is a real “urgency” (as Mexico noted) for the international community to devise effective remedial steps in response.

ICT4Peace in its submission on a “Cyber Peer Review Mechanism” has tried to respond to the desirability of ensuring accountability for state behaviour in cyberspace (at least as perceived by non-governmental stakeholders). The proposal is inspired by the Universal Periodic Review mechanism the Human Rights Council employs (human rights being another realm of sensitivity for states) and provides for both an inter-active peer review by states of implementation and substantive input from other concerned stakeholders.

More time may be needed before a mechanism along these lines can be realized, but to do so will also require a willingness on the part of states to subject themselves to a degree of external review on their actions. We have already witnessed some calls by a group of states for the need to hold states to account for their international cyber security activity. This to date has however been expressed in the need to hold other states to account, rather than in seeking a mechanism for holding all states accountable for their behaviour in cyberspace, responsible or otherwise.

Eventually the international community will need to embrace a comprehensive mechanism for reviewing state action if there is to be a credible, multi-stakeholder process for ensuring accountability.

Paul Meyer
Senior Advisor
ICT4Peace

April 29, 2020