In December 2018, the UN General Assembly (UNGA) adopted two important resolutions: 73/271 on ‘Developments in the Field of Information And Telecommunications in The Context of International Security’; and, 73/2662 on ‘Advancing Responsible State Behaviour in Cyber-space in the Context of International Security’. By these two resolutions, the UNGA has set up two parallel processes for dealing with cyber-security. Interestingly, neither of the two resolutions mentions the word cyber-security. Instead, they use the phrase threats posed by the Information and Communications Technology (ICT) to international security.
By the first resolution, an Open-Ended Working Group (OEWG) comprising the entire UN membership will be set up in 2019. The OEWG will report to the UNGA in 2020. Its mandate will be:-3
Setting up of a broad based, inclusive OEWG with a widest possible mandate is new beginning by the UN to deal with the pressing issue of cyber-security. On the face of it, this is a laudable step. Resolution 73/27 was sponsored by Russia. However, the United States and the European Union voted against the resolution.
The second resolution, number 73/266, was sponsored by the United States. A number of countries including Russia and China voted against it. By this resolution yet another Group of Governmental Experts (UNGGE) will be set up to study the question of norms and behaviours in cyber-space. The new group will have 25 members. Its chair will also hold informal consultations with all UN member states in between its sessions as well as with regional organisations such as African Union, the European Union, the Organisation of American States and the Organisation for Security and Cooperation in Europe and the ASEAN regional Forum. The UNGGE will produce its report by 2021. The mandate of the group is to continue to study4:-
It can be seen that the mandate of the two groups is overlapping. The setting up of two parallel processes with similar mandates is an unprecedented step reflective of the deep divide in the international community on how to go about dealing with cybersecurity.
The group of countries led by the United States and European Union have insisting upon the need to preserve freedom of expression, human rights and human freedoms in cyber-space. These countries oppose state regulation of cyber-space. Russia and China on the other hand are concerned that open Internet and cyber-space would we used to interfere in the internal affairs of countries to undermine state sovereignty and social stability. In fact, the resolution 73/27 refers to a UN document of 1981 which lays down the “duties” of states not to interfere in the internal affairs of any countries on any pretext whatsoever. The philosophy of the Internet is just the opposite. Globalisation has made it easy for state and non-state actors to interfere with any country in a time. The Russians and the Chinese oppose this vehemently. The differences between the two strands of thinking on cyberspace have continued to mar the consensus on cyber-security.
Way back in 1998, Russia had first introduced a resolution in the First Committee on the threats posed by ICT to international security. Since then the UN Secretary General set up Groups of Governmental Experts (GGE) on five occasions to study the nature of threats in cyberspace and how to deal with them. The GGEs is made limited progress in their work.
These expert groups deliberated on what should be the norms of state behviour in cyber-space. In their reports of 2013 and 2015, the UNGGEs come to the conclusion that international law should apply to cyber-space. Thus, the principle of state sovereignty, peaceful uses of ICT, refraining from the use of force or the threat of use of force, observing human rights and human freedoms in cyberspace, et cetera apply to cyber-space as well. The UNGGE identified 11 norms, culled out of UN Charter and international law, which should be adhered by all states in cyber-space. These norms have been included in the resolution 73/27, adopted on 5 December 2018.
While all countries agree with these norms, the problem is that cyber-space is borderless, not owned by the governments and attribution is difficult. No matter how laudable the norms are, implementation is challenging. Cyber-space provides anonymity to state and non-state actors. Under such conditions it is difficult to implement the norms identified by the UNGGE and endorsed by the USGA.
The setting up of an Open-Ended Working Group will be seen by the Russians as a major victory. US in turn would be happy to have reselected the UNGGE process. But, the divisions in the international community have come to the fore although some countries have voted for both resolutions. The US has severely criticised Russia for bringing in the OEWG resolution. Russia has criticised the US for making the discussions on cybersecurity as the preserve of a club of a select few. Russia may have scored a victory and emerged as a champion of inclusivity but in practical terms it remains to be seen how the work of OEWG will proceed. Any country can break the consensus, as has happened in the UNGGE in the past.
While such discussions would go on interminably, the march of technology continues. Already, the advent of artificial intelligence and machine learning type of technology has made the task of dealing with cyber-security that much more difficult. As reports suggest, attacks in cyber-space using new technologies have increased. The number of malware introduced in the cyber-space every month runs into millions. Most ordinary consumers do not have the necessary knowledge or tools to deal with cyber threats effectively. The attacks on critical infrastructure are growing. Increasingly, states are using non-state actors in cyber-space for nefarious purposes. Incidents of cyber-crime have increased. In this backdrop, the task of the two new groups is cut out.
We are entering an interesting phase in cyber-security discussions. Will the two newly set up groups compete or complement each other? The past experience of the GGEs shows that reaching a consensus on cyber-security issues is extremely difficult and time consuming. What if the two groups reach different conclusions? How will the differences be resolved? Only time will tell whether the two parallel processes which the USGA has launched would be helpful or counter-productive for advancing cyber-security dialogue.
Links:
[1] https://www.vifindia.org/2019/april/24/a-tale-of-two-un-resolutions-on-cyber-security
[2] https://www.vifindia.org/author/arvind-gupta
[3] https://undocs.org/A/RES/73/27
[4] https://undocs.org/A/RES/73/266
[5] https://securecdn.pymnts.com/wp-content/uploads/2017/11/cybersecurity.jpg
[6] http://www.facebook.com/sharer.php?title=A Tale of two UN Resolutions on Cyber-security&desc=&images=https://www.vifindia.org/sites/default/files/cybersecurity.jpg&u=https://www.vifindia.org/2019/april/24/a-tale-of-two-un-resolutions-on-cyber-security
[7] http://twitter.com/share?text=A Tale of two UN Resolutions on Cyber-security&url=https://www.vifindia.org/2019/april/24/a-tale-of-two-un-resolutions-on-cyber-security&via=Azure Power
[8] whatsapp://send?text=https://www.vifindia.org/2019/april/24/a-tale-of-two-un-resolutions-on-cyber-security
[9] https://telegram.me/share/url?text=A Tale of two UN Resolutions on Cyber-security&url=https://www.vifindia.org/2019/april/24/a-tale-of-two-un-resolutions-on-cyber-security