Clue, Monopoly, or Risk?

Exploring the actors and approaches needed for cyber accountability

Stimson co-hosted a side event about cyber accountability on the margins of a recent meeting of the UN’s cyber working group.

Calls for cyber accountability are growing, including from the UN Secretary-General. But what would an accountability mechanism look like? How would it complement efforts underway within the UN? What is the role of non-governmental stakeholders, and what lessons can be drawn from accountability efforts in other sectors, or those that exist at regional and national levels? These were among the questions discussed at the event.

Diverse voices are calling for more robust accountability to international law and agreed norms for responsible behavior in cyberspace. Building a more common understanding and vision of cyber accountability mechanisms is crucial for strengthening implementation of laws and norms, reducing cyber threats, and improving resilience and stability.

But questions remain: What type of accountability should we look at? How can the UN Framework of Responsible State Behaviour and UN discussions contribute to accountability? What roles do non-governmental stakeholders and regional frameworks play?

These and other questions formed the basis of a side event held on 14 December 2023 in connection with the sixth session of the UN’s Open-ended Working Group (OEWG) on international cyber security. The event, “An Accountability Mechanism For Cyberspace?”, was co-organized by the EU Cyber Diplomacy Initiative (EU Cyber Direct), the Stimson Center, Switzerland, and the European Union. The side event took place in the context of Stimson Center’s ongoing cyber accountability project and collaboration with EU Cyber Direct on this topic.

The wide-ranging moderated discussion explored different dimensions of accountability, a word that does not necessarily exist in all UN languages, as some speakers highlighted. Moderator Allison Pytlak of the Stimson Center explained that in Stimson’s research on accountability mechanisms in non-cyber fields, a central theme has been that positive and negative accountability are both important. The former refers to upholding and implementing commitments that keep cyberspace secure, and the latter to consequences for violating or undermining law and norms. Capacity-building is essential for both, as is drawing on existing relevant initiatives and practices.

Leonard Rolland of France spoke about the proposal to create a UN program of action (PoA) “to advance responsible State behaviour in the use of information and communications technologies in the context of international security.” A resolution was recently adopted in the UN General Assembly by a vote of 161-9-11, setting out a way forward for the instrument’s development by 2026. As Rolland explained, the implementation of positive norms should be at the core of the PoA, and it would not be the forum to focus on the negative dimensions of accountability. Rolland acknowledged that accountability systems already exist within the UN, such as the UN Charter, but that some Member States want to avoid discussions about those systems, including within the OEWG.

Louise Marie Hurel of RUSI spoke about research she is conducting about cyber accountability within Latin America. Hurel highlighted three recent developments that have characterized how accountability has been addressed in the region: the adoption of national cybersecurity strategies as a transparency mechanism; formal and informal regional forums and technical information exchange among incident responders as a space for trust-building; and the emergence of cybersecurity-focused bills to ensure that existing strategies are implementable and further detailed. This research will be published by EU Cyber Direct in 2024 as part of a series of briefing papers on accountability. In the context of RUSI’s project on Responsible Cyber Behaviour, Hurel explained the close relationship between accountability and responsibility, and stressed the necessity of focusing on behavior, practical examples and cultural sensitivity: what behavior is considered unacceptable? What is acceptable, and what are the layers of that?

Jeffrey Bean of ORF America presented a new report about political attribution from ORF America and co-authored by two Stimson Center advisors. The report examines the effectiveness of political attribution statements in the context of advancing accountability. It concludes that to date, “naming and shaming” has not been sufficient to deter malicious cyber activity and sometimes has unintended side effects. It argues for greater collaboration and streamlining in attribution processes and evidentiary-based approaches, including among and between the actors involved in technical attribution (the private sector) and political attribution (national governments). Bean likened attribution activities to three popular American board games, Clue, Monopoly, and Risk: private entities are effectively playing Clue when they make technical attributions, while governments also engage in Monopoly and Risk by applying both economic context and a geopolitical lens when weighing whether to attribute incidents publicly.

John Hering of Microsoft built on and reinforced several of these points, including that there is a need for more uniformity in government-led attribution processes. Such attribution should also be viewed as a cumulative process, he argued, explaining that this approach enables better tracking of actors and the incidents which comprise a cyber operation. Hering also touched on the issue of transparency and public reporting, which is often easier for the private sector to undertake than for states. He further spoke about the potential role of the private sector within UN cyber accountability mechanisms or efforts, current or future, and encouraged governments to reference the UN norms or international law within their attribution statements. This point was supported by others.

Closing remarks from Daniel Klingele of Switzerland outlined some of the accountability tools that the European Union employs as part of its Cyber Diplomacy Toolbox, such as sanctions. Klingele underscored that there may not be a “one size fits all” solution and that what works for some states may not be a fit for others.

An active Q&A session also took the discussion in many directions. Below are several key takeaways building on both the Q&A and contributions from speakers.

  • There are existing mechanisms and practices that contribute to accountability, even if they are not described as such. This includes national cyber security strategies; relevant national legislation; national mechanisms for attribution; information-sharing practices and forums that foster trust, including across and within global regions; private sector public reporting; and existing international law including the UN Charter.
  • Given the above, accountability can be understood as a toolbox or regime comprised of multiple layers, tools, and mechanisms. Within this, the role of existing international law and the UN Charter is extremely important. There is a potential role for the Cyber PoA, particularly in advancing positive accountability. Peer review mechanisms might offer another approach. Capacity-building is critical in the above.
  • Yet, existing approaches appear limited in their ability to deter or dissuade malicious activity. As one speaker highlighted, operations targeting critical infrastructure are frequent despite a norm against doing so. There is also insufficient reference to existing law and norms within political attribution statements.
  • Attribution is an important aspect of accountability. While advances have been made in the rapidity and quality of attributions, attribution methods can still be improved upon, including through better consistency, predictability and uniformity. However, the possibility of establishing a UN or other universal mechanism to aid in attribution has already been explored and largely dismissed as too challenging to create and maintain, although some see value in continuing to explore options of this nature.
  • There is a role for governmental and non-governmental actors within attribution; it is a shared process.
