
Cyber Peace & Security Monitor, Vol. 2, No. 4

Time for action on cyber peace
27 March 2022


Allison Pytlak


If the COVID-19 pandemic brought the urgency of global cyber security to the fore of our collective conscience, then Russia’s war on Ukraine has put it into even clearer focus. While cyber operations have been a less integral part of the war than many experts predicted initially, there is undoubtedly a digital dimension to this conflict. This may also have an impact on the forthcoming second session of the UN’s second Open-ended Working Group (OEWG II) on Security of and in the Use of Information and Communications Technologies (ICTs). It should have an impact—in the form of a call to action.

A spate of malicious cyber operations targeted government agencies and private actors in Ukraine in the weeks leading up to Russia’s physical invasion, in line with a longer history of Russian cyber aggression against Ukraine. This stoked fears about the potential for more destructive cyber operations to come—either in Ukraine as part of the invasion, or in countries critical of Russian aggression. Ukraine subsequently put out an open call to establish an “IT Army,” a call that has been responded to by hacktivists, proxy groups, as well as other governments. The involvement of these individuals has raised important questions about their status as either civilians or combatants under international law, particularly international humanitarian law (IHL). Meanwhile, non-state actors that are sympathetic to Russia, ranging from cybercriminals to hacker groups with varying levels of formal relationship to the government, have also rallied. In addition to the above, there have been significant state-led disinformation and censorship activities involving ICTs that impact human rights, giving rise to questions about transparency and the responsibility of social media and other digital platforms.

It is against this backdrop that the OEWG II will have its second substantive session. This is not to say that malicious cyber operations haven’t been ongoing for years and that other states are not also conducting them, including within the time since Russia launched its war. But the conflict has put a public spotlight on the topic that will—or should—up the ante for the OEWG to deliver results. The framework for responsible state behaviour in cyberspace that has been established by the United Nations through successive Groups of Governmental Experts (GGEs) and affirmed by the 2019–2021 OEWG (OEWG I) is being tested.

The framework is premised on the applicability of international law to cyberspace and relevant cyber behaviour. In this context, states are called upon to avoid and refrain from taking any measures not in accordance with international law and the UN Charter and have affirmed the relevance of legal principles such as sovereignty, non-intervention, and the settlement of disputes by peaceful means. The UN voluntary norms supplement these legal responsibilities and include, among others, the recommendation to not damage critical infrastructure and to prevent ICT misuse within one’s country or territory.

The OEWG II is tasked with many things, including continuing to study how international law applies to the use of ICTs by states, and to further develop the rules, norms, and principles of responsible state cyber behaviour for their implementation and, if necessary, to introduce changes to them or elaborate additional rules of behaviour. If political will allows for it, the OEWG could become a vital vehicle for bringing clarity to matters of legal ambiguity demonstrated by Ukraine-related incidents. It could identify gaps in the framework or develop a baseline assessment of how the framework is being implemented by states. Importantly, it could establish accountability mechanisms. But doing so depends on how easily, and quickly, participating states can decide to focus their collective efforts and how the role of the OEWG within the broader constellation of cyber security actors and frameworks is understood.

In a letter dated 7 March, OEWG II Chairperson Ambassador Gafoor of Singapore outlined several guiding questions upon which states should focus their interventions during the second substantive session. By providing a brief overview of the discussions had during the first substantive session in December under each thematic area, the letter and its questions seek to take discussions in this second session further and begin to identify either areas of substantive agreement or actions the OEWG could take. The final day of the second session will be devoted to discussing the Group’s annual report, which presumably will be the focus of the third substantive session in July 2022. After that, the OEWG will not meet again until March 2023—a big gap in time. In order to meet the expectations expressed by states and the Chair during the first substantive session that this OEWG be more than just a “talk shop,” states should seek to go further than producing a report of their discussions and also seek to adopt recommendations or decisions.  

In all these endeavours, it will be important that the OEWG is aware of ongoing relevant initiatives occurring within academia, the technical community, and civil society writ large. As demonstrated during an informal exchange with civil society held on 24 March (see our summary elsewhere in this edition), there is a lot of existing work that the OEWG should avoid duplicating, but could seek to complement or benefit from.

However, as if the real-world geopolitical context were not challenging enough, OEWG II is also in deadlock over the issue of civil society participation modalities. The standoff pits Russia and a small group of allies against most of the rest of the UN membership, in particular Western states. 

The participation of civil society actors in formal meetings has been an issue of debate for nearly one year, due to the anonymous vetoing of the participation of all non-ECOSOC accredited organisations that applied to attend meetings of OEWG I. A majority of UN member states are requesting at a minimum greater transparency in the accreditation process to allow relevant stakeholders to participate, but a small minority continue to object. This issue was unresolved when the OEWG II’s first substantive session convened in December 2021 and became the focus of daily “informal informals” to broker a solution. As WILPF’s reporting from that meeting shows, there was enough support in the room at the close of the session to have adopted the proposal that was on the table then, but more time was granted to allow states to consult with their capitals. A new proposal was subsequently tabled and put under silence procedure in January, which was broken by a group of eight countries and led to more consultations.

Because no decision has been reached, there is not an accreditation process in place for any civil society organisations to participate formally in the second session. Rather, the Chair convened his own consultation with stakeholders in advance of the session on 24 March, and a second informal opportunity for member states to engage with stakeholders is proposed to take place during the session on 31 March, with a suggested focus on cyber capacity-building.  

Political dynamics in OEWG I were more constructive than had been anticipated, but so far, it’s been a more divisive environment in OEWG II. Hopefully states can overcome these tensions and find common ground to address urgent cyber security threats and build on their collective past work. Cyber harm is not an abstract concept or phrase, but a reality for the people who have been affected by malicious cyber operations. Just as the international community seeks to prevent and address the damage caused by physical weapons or violence, cyber harm deserves action and attention.
