We use Google Analytics to learn more about who is reading the resources on our website. Please read Google Analytics privacy policy for further information. Close

logo_reaching-critical-will

Cyber Peace & Security Monitor, Vol. 2, No. 3

Trust, transparency, and time
21 December 2021

Allison Pytlak

Download the full edition in PDF

The UN’s second open-ended working group (OEWG) on information and communications technologies (ICTs) embarked on its five-year cycle substantive work with a well-attended and content-rich first substantive session.

As referenced and explained in the preview edition of the Cyber Peace & Security Monitor, “not starting from scratch” continued to be a message voiced by many delegations, although in this instance has been expanded to also refer to recommendations, conclusions, and proposals made during the first UN OEWG (OEWG I), which concluded its work earlier this year.

Indeed, throughout the five days and across all six thematic topics, there were references to some of the tangible activities that the OEWG I had discussed and in some instances recommended. This included proposals regarding a national survey; operationalising the eleven norms for state behaviour; utilising the Cyber Policy Portal hosted by the UN Institute for Disarmament Research; submitting national views on how international law applies to state action in cyber space; establishing repositories and national contact points; and making use of the annual reports that states are invited to submit voluntarily to the UN Secretary-General. More details can be found in the topic-by-topic reporting within this edition.

The session was also replete with other phrases and expressions, including an African saying first introduced by Ambassador Gafoor, the OEWG Chair: “If you want to go fast, go alone. If you want to go far, go together.”

This speaks to what may be one of the most significant obstacles for progress in the OEWG—creating trust. Doing so requires transparency. By design, much of the ICT environment is hidden or not physically visible, and when taken in the context of international peace and security this is doubly so. ICT-related operations are frequently conducted in the shadows, in connection with military or intelligence gathering operations, or implemented by actors that fall between the loopholes of legal responsibility. As Izumi Nakamitsu, the UN High Representative for Disarmament Affairs, stated in her opening remarks, “Trust is a two-way street. Undermining trust can threaten international peace and security, while building trust supports it.”

Numerous initiatives that states and non-governmental stakeholders are proposing for the OEWG would aid in building trust and transparency. For instance, there are encouragements to share national understandings or definitions of key terms; disclose national policies around state use of ICTs; report and discuss national positions and views about the applicability of international law; and build on existing confidence-building and regional dialogue forums.

Throughout the session, nearly all delegations acknowledged that the threats posed by ICTs are rising in scale and severity, and that technology is evolving more rapidly than policy and law. Several were specific about this, as the summaries of the general exchange and the meeting on threats demonstrates. A growing number of delegations are highlighting the human impact of malicious cyber operations, and the fallout when supply chains are interrupted or critical infrastructure affected, particularly medical facilities throughout the COVID-19 pandemic. Trust is being eroded by such actions in real-time, even as diplomatic initiatives like the OEWG seek to foster it.  

One thing that would truly alleviate the situation would be for states and other actors to stop engaging in malicious cyber operations and to not weaponise technology in this way. As Egypt noted in a statement, “When the discussion turns to issues of self-defence and rules of engagement in the ICT context, in ways that legitimise turning the ICT environment into a zone of conflict, it diverts attention from addressing the right question about preventing conflict from occurring in the first place.” 

Some have observed that that train has left the station, however, and ICTs are now too integrated into military operations or otherwise accepted and relied upon to reach strategic goals. If that is the case—and WILPF would argue that it’s not too late to turn back the clock— then it becomes necessary to not only build greater resilience but to also establish repercussions for actions that go against the existing normative framework, and to be explicit about when such violations have occurred. 

Most delegations defend that the existing normative framework—which consists of the 11 UN norms for state behaviour in cyberspace coupled with the application of existing international law—is sufficient to prevent cyber harm and curtail malicious operations. This may be accurate, but for that argument to be realised, then breaches of the framework need to be called out as such. Given the political intricacies of attribution, as described by Germany and other delegations last week, there is hesitancy to do so. The creation of accountability mechanisms has been a core call from civil society organisations following OEWG I, and many of us hope this will rise to the fore in future sessions.  

Trust was also central to the debate during the session about the modalities for civil society participation. More detail on that is provided elsewhere in this edition, but what certainly stood out to anyone following last week is that the primary motivation behind the request for improved accreditation modalities, particularly for organisations that do not have ECOSOC status, is a basic one of transparency and trust. Anonymous vetoing of legitimate stakeholders is problematic and if member states are unwilling to voice to their concerns about this with their peers, it does not bode well for overall trust and confidence-building.

The debate about stakeholder participation modalities also highlights the limitations of consensus decision-making, which, as Mexico outlined, should be an aspiration to bring parties closer together. It should not become a veto, or “straitjacket,” in the words of Costa Rica. This is a point that civil society and some states have made repeatedly in international security forums over many years, and was borne out last week during the Review Conference of the Convention on Certain Conventional Weapons in Geneva, where one state managed to block substantive progress across a range of proposals including on autonomous weapons, and even to remove previously-agreed language from the final declaration.

The OEWG II is a five-year long process, which is a lot of time. At various points in the session, diverse delegations and the Chair stressed their interest in action-oriented outcomes and that the OEWG not become just a “talk shop,” a point WILPF stressed in the preview edition of this Monitor. There is a risk that consensus-decision making could be used to block meaningful progress or lead to watered down results; but the time also affords the opportunity to work together.

Another phrase from OEWG I that surfaced again in OEWG II is that notion of cyber security as being a “team sport”. In his closing remarks, the Chair expanded the sports metaphor this by likening the OEWG to running a marathon. He pointed out that what matters not is how quickly the first mile is run, but rather, how strong you finish—a point to which any runner can attest. There are many more miles to go in this OEWG, and they need to be run together, he urged.

[PDF] ()