We commend Ambassador Gafoor, Chairperson of the OEWG, and the new Working Group for its work to date as outlined in the revised Zero Draft of the OEWG Progress Report. [1: https://reachingcriticalwill.org/images/documents/Disarmament-fora/other/icts/oewg-II/documents/chairs-letter_20July.pdf, updated from original draft https://documents.unoda.org/wp-content/uploads/2022/06/Letter-from-the-OEWG-Chair-22-June-2022.pdf] In line with the invitation to provide statements on how “stakeholders can work together with States to contribute to the implementation of the concrete, action-oriented proposals made by States at the first and second substantive sessions of the OEWG across all areas of the OEWG’s mandate,” we will utilize the opportunity to share some of our thoughts and information on Stimson’s cyber security initiative to build capacity in the application of cyber norms and international law, and foster greater accountability. [2: https://www.stimson.org/project/cyber-security/]
The 2021 OEWG consensus report reaffirmed the commitment of UN Member States to the framework for responsible behavior of States in the use of ICTs [information and communications technologies]; and States agreed that adherence to existing international law and implementation of voluntary norms of responsible State behavior are key to addressing existing and potential cyber threats to international peace and security. [3: https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf] We applaud the adoption of a State voluntary self-assessment survey tool of implementation. [4: https://nationalcybersurvey.cyberpolicyportal.org/] However, enhanced capacity is required to realize the full potential initiated by this survey. The next question is what that capacity is and what the appropriate process is for facilitating it.
Let me explain. With regard to capacity building, many are working to assist in building technical capacity to limit vulnerabilities and better develop immediate responses to incidents, for example through better cyber hygiene and collaborative response teams. However, our group is working to consider capacity building for the implementation of agreed norms and law, which includes developing States’ accountability mechanisms to address malicious cyber incidents and thereby to potentially reduce their likelihood.
Some in-depth work is being done to offer interpretations of international law and norms, thus facilitating their application. Indeed, we commend the work done in this area by the International Committee of the Red Cross, the Oxford Process, the Hague Program on International Cyber Security, and others, as well as the submissions provided by member states to the OEWG on this topic. [5: For example, see: https://cyberlaw.ccdcoe.org/wiki/Main_Page.] However, the actual application of these norms and law is not being well communicated and monitored in a transparent and consistent way that could serve to reinforce those norms and international law and support the application of agreed interpretations. [6: https://www.universiteitleiden.nl/en/research/research-output/governance-and-global-affairs/revisiting-past-cyber-operations-in-light-of-new-cyber-norms-and-interpretations-of-international-law-inching-towards-lines-in-the-sand]
Processes are lacking that could help foster progress from commitment to application of norms and law through States’ efforts to effect accountability.
What processes? Governments have supported calls for more effort going into building capacity to develop and implement recommended processes for the actual application of norms and law:
- Canada tabled some norms guidance text in the first OEWG and proposed that the 2021-25 OEWG consider supporting more work in this area with building capacity for States’ implementation. [7: See: https://front.un-arm.org/wp-content/uploads/2021/02/new-updated-norms-guidance-text-feb-11-clean.pdf and https://documents.unoda.org/wp-content/uploads/2021/12/Canadian-position-paper-2021-25-OEWG-final-Dec-6_Annex-Gender-Considerations.pdf]
- The Republic of Korea noted, “The current international law on peaceful settlement does not just impose an obligation of resolving a dispute peacefully, but also provides us with a variety of procedural options, including fact-finding ones. The law of State responsibility too can be read in this way as a process of addressing an alleged breach, rather than merely apportioning blame. Thus, we can seek to expound on procedural guidance as to how a State can best address an alleged breach, step by step, in relation to other States.” [8: https://reachingcriticalwill.org/images/documents/Disarmament-fora/other/icts/oewg-II/statements/30March_ROK_law.pdf]
- Japan noted, “The difficulty in applying international law in cyberspace relate to the difficulty of making judgment on attribution. If an act cannot be attributed to a state, the relevant obligation under international law cannot be applied. However, it should be possible to hold the state responsible for due diligence obligations if it can be shown that a cyber-activity originated from the territory of that state even if the cyber-activity cannot be attributed to that state. Japan is of the view that it is important for respective governments to make public their basic position on how international law applies in cyberspace. It will increase transparency on how respective governments view cyberspace. The accumulation of state practice will deepen shared understanding on how international law applies in cyber space.” [9: https://reachingcriticalwill.org/images/documents/Disarmament-fora/other/icts/oewg-II/statements/30March_Japan_law.pdf]
A key part of implementation is States’ transparency about their own adherence to the norms and international law. We also need to be able to assess the actions States have taken to hold other actors accountable.
Unfortunately, the solution isn’t as simple as requiring reporting. As Costa Rica noted: “However, imposing reporting requirements or requesting regular updates from States the OEWG should be mindful of capacity challenges, and this reiterates the foundational nature of capacity building efforts.” [10: https://reachingcriticalwill.org/images/documents/Disarmament-fora/other/icts/oewg-II/statements/31March_CostaRica_CB.pdf] Perhaps encouraging reporting and providing assistance to build capacity are better ways. Indonesia, for example, suggested the development of comprehensive guidance. [11: https://reachingcriticalwill.org/images/documents/Disarmament-fora/other/icts/oewg-II/statements/15Dec_Indonesia.pdf] The key message is that States want clear guidance and assistance with respect to implementation of norms and international law in cyber space.
Much can be learned from research into approaches agreed to reduce risks in other areas of international affairs when those risks were newly recognized in the international community. Stimson Center’s cyber security initiative is structured to find those lessons that can be applied to the cyber domain to support the implementation of norms and law most efficiently and effectively. We believe this review of other risk areas will help recommend processes to inform capacity building in the application of norms and law and improve accountability.
In undertaking systematic research in this area, we will collaborate with others who are committed to fostering greater accountability through the application of international law and the agreed norms of responsible state behavior in cyberspace. We greatly appreciate the support we are already receiving from some States and organizations. [12: https://www.stimson.org/project/cyber-security/] We are also already beginning to establish relationships with key stakeholders working on accountability in cyber so that we can ensure our research is complementary and directly relevant to others. [13: For example, to support and complement other efforts, e.g., https://gcscc.web.ox.ac.uk/, and leverage existing collaborative forums such as this OEWG, https://thegfce.org/, Paris Peace Forum.] We invite other funders to support this work and look forward to working with other interested stakeholders.
To that end, Stimson has previously suggested that the United Nations Institute for Disarmament Research (UNIDIR) share non-governmental Points of Contact among stakeholders willing to collaborate in selected areas, and Stimson reiterates this recommendation. [14: Stimson’s initial research project will require accessing/developing communities with knowledge and experience in technical cyber threat assessments and legal/policy applications to help ensure that the research being done can be applied in cyberspace. UNIDIR could develop a matrix of interests including these and other areas such as incident response and gender interests and allow stakeholders with interests in their selected areas to share their points of contact. UNIDIR could explore doing this in collaboration with https://cybilportal.org/] This OEWG has the opportunity to inspire collaboration and to support important elements of the Secretary-General’s Common Agenda and the United Nations’ Sustainable Development Goals. [15: https://www.un.org/en/content/common-agenda-report/]
Further, as our research on efforts in other areas of international risk proceeds, a pilot effort can be undertaken among civil society actors and/or States (perhaps through UNIDIR) to produce a compendium of States’ statements and actions that have supported the application of accepted norms and law. Such a compendium of information would serve as a baseline to assess norms implementation and legal interpretation to date and progress the work of the OEWG. The Stimson Center, as part of its second stage of work, proposes to engage with the development of such a collaborative and comprehensive databank with the capability to serve multiple stakeholders, e.g., from States seeking guidance on interpretations on international law and norms to private sector actors such as businesses and insurers seeking a better understanding of trends in the tactics, techniques and procedures of malicious cyber incidents.
Thank you for this opportunity to share our vision and work.
For further information, contact:
Debra Decker, Senior Advisor, Stimson Center, Washington, DC