Since 2022, the Cyber Accountability Project has examined the experiences of the international community in seeking to address diverse international threats to identify lessons learned in accountability that may be instructive for, or applicable to, cyber security.
In doing so, the Stimson Center has investigated how states and private industries have attempted to regulate or mitigate risks in various other domains and issue areas such as conventional weapons, environmental security, and outer space.
These non-cyber mechanisms are examined through several case studies that are featured in the report, leading to several overarching conclusions and considerations for policymakers.
During the launch event, Cyber Program Lead and report co-editor Allison Pytlak outlined these conclusions. The importance of a toolbox or “integrated regime” approach to cyber accountability and governance was a strong lesson from the other domains and issue areas, as was the importance of inclusivity. The report also recommends focusing more on behavior and activity regulation, rather than on specific technologies, and suggests that “cross domain governance” could be better leveraged. As in other efforts to encourage responsible behavior, cyber governance would benefit from greater use of so-called carrots and sticks, and political will is fundamental.
In addition to the overarching findings, every case study in the report contains its own unique recommendations. For example, Cyber Program Fellow James Siebens and Anne-Marie Buzatu, Director of ICT4Peace and moderator of the launch event, co-authored a case study examining The Montreux Document on private military and security companies. In the study, they posit that the “co-regulation” approach undertaken by states and private companies through The Montreux Document and the subsequent establishment of the International Code of Conduct for Private Security Service Providers are useful models for how to establish common interpretations of how international law applies in cyberspace, as well as for clarifying and fostering accountability around the legal obligations and normative commitments of both states and private companies engaged in relevant cyber activity.
As part of the launch event, the Stimson Center invited a few individuals to offer perspectives and responses to the report based on their own knowledge of non-cyber issues and threats, in ways that dovetailed with case study findings. Jérôme Barbier of the Paris Peace Forum outlined what the cyber community can learn from outer space governance, for instance, while Danielle Yeow of the National University of Singapore described parallels and comparisons with accountability mechanisms under environmental regimes. Kerry-Ann Barrett of the Organization of American States stressed an important report recommendation about the foundational role of cyber capacity-building in enabling accountability.
The Stimson Center has collaborated with EU Cyber Direct (EUCD) over the last year in its work on cyber accountability. As an output of that cooperation, the two organizations will jointly publish a series of papers considering accountability in relation to deterrence, capacity-building, and from three regional perspectives: Africa, Europe, and Latin America. Pytlak described this partnership and spoke about Stimson’s cyber program during a briefing to a cohort of EUCD Fellows attending the OEWG session in New York.
Accountability was also an important theme during an OEWG side event organized by Chatham House, on the topic of countermeasures and how they apply in cyberspace, per a recent Chatham House report on the topic. Cyber Program Lead Allison Pytlak spoke at the event and reflected on the current cyber threat landscape and the potential of countermeasures, including collective countermeasures, as an accountability tool in response to cyber aggression. What constitutes an appropriate and lawful countermeasure in the cyber context is a complex topic worthy of further discussion and analysis, with states having divergent views on the topic. As more governments offer national interpretations about the applicability of international law to the cyber domain, it would be useful to include their position on the role of countermeasures.
An aspect of the cyber threat landscape includes maintaining the cybersecurity of the civil nuclear sector. This is the focus of another recent Chatham House report that was also presented through a side event at the OEWG, at which Stimson Senior Advisor Debra Decker spoke. Decker spoke to past research conducted by the Stimson Center’s Nuclear Security program.
The prospect of developing new international law is controversial and politically unpopular. It has therefore been important to make space for discussions about accountability mechanisms or levers of pressure as distinct from a new cybersecurity treaty.
Accountability has always been a sensitive topic in the context of UN cyber talks, despite the centrality of responsible state behavior in the framework developed by the UN over several decades to guide how states use their cyber tools. The framework consists of the application of existing international law and a set of eleven complementary and voluntary norms. The prospect of developing new international law is controversial and politically unpopular: it is an idea championed by Russia and a few of its allies but largely rejected by much of the rest of the UN membership, at least for the time being.
Considering the growing frequency, scale, and severity of cyberattacks as outlined in the Annual Progress Report (APR) adopted by UN member states during the July OEWG session, accountability in upholding the UN framework is a growing imperative.
This is doubly true at a time when the Framework is being called into question by a few states that have sought to reduce or remove references in the APR to norms operationalization, or to acknowledge the applicability of certain types of international law, notably international humanitarian law (IHL), which is absent from the report.
With only one year left in the current OEWG’s mandate, UN member states are also facing decisions about the future of how the UN will uphold international cyber governance. This was a hot topic during the session, although major decisions have been punted to next year. Beyond the OEWG, negotiations to conclude a UN Global Digital Compact and a Pact for the Future by the start of the new UNGA session in September run adjacent to efforts in dedicated fora like the OEWG, and it is important not to lose sight of them.