Cyber Peace & Security Monitor, Vol. 2, No. 6
Editorial: Action, accountability, and ambition
22 July 2022
The diverse negative impacts of malicious cyber operations and the misuse of information and communication technology (ICT) continue to be prominent within discussions about international peace and security, international law, and human rights. While the cyber component of Russia’s invasion of Ukraine has been less severe than predicted, the digital dimensions of the conflict are nonetheless present; they have been the focus of political statements of attribution from other governments, raise unique questions about international humanitarian law, and are causing human harm. A recent report has highlighted the dramatic increase in ransomware attacks on health facilities in at one country, sometimes conducted by other governments, and news is ripe with revelations about state use of surveillance software. Regional rivals increasingly deploy cyber operations against one another; one such recent operation even generated a kinetic result. All of this reinforces the need for action and accountability—but also ambition on the part of the international community.
The third session of the UN’s second Open-ended Working Group (OEWG II) on ICTs takes place from 25-29 July in New York, as the world continues to grapple with the implications of the ongoing and deepening war in Ukraine and fluctuating geo-political landscapes. The session will seek to adopt an annual progress report that has been developed by the OEWG II Chairperson, Ambassador Burhan Gafoor of Singapore and his team.
A zero draft of the report was published in mid-June and states were invited to comment on it during an informal consultation held on 12 July (some have posted their comments online). A revised draft was circulated on 20 July, and this will be the focus of the session over its first two days. The Chair’s intention is to present a third and hopefully final version midway through the session with a view to adopting it at the end of the week.
As stated in its introduction, the annual progress report is not a comprehensive summary of discussions by states but rather is intended to capture the “concrete proposals” made in the OEWG to date. The proposals encompass a broad range of things, from how future OEWG sessions should focus future meetings, decisions it could adopt, mechanisms it could establish, or substantive outcomes and national or international action that the OEWG could endorse. They are grouped under the six agenda items of the OEWG II and within each, the report identifies recommended next steps. In this way, the Chair seeks to use the report to move from the “what” to the “how”, as he expressed it during the final day of the second substantive session in March 2022.
During the March session, a few states offered thoughts on the content and structure of the report, mainly that it should be balanced and objective. For example, Brazil and others encouraged the Chair to include all proposals that have been tabled so far, suggesting that the report could serve as a sort of map which would encourage states to elaborate their ideas more fully. Colombia observed that capturing proposals in a report could add a layer of action-oriented progress to the OEWG process. Mexico and Colombia both encouraged that the report take into account proposals that have been made by non-governmental stakeholders as well as the International Committee of the Red Cross, and not only governmental proposals. Australia said that while the report should be in a structure that could quickly gain consensus, it hoped that this would not leave the OEWG without ambition.
“Ambition” is an important concept as we approach this third session because the stakes are high for the OEWG—and by extension, the UN—to demonstrate meaningful progress on advancing cyber peace and security and reducing risks in a troubled time. In her opening remarks to the second substantive session in March, the UN High Representative for Disarmament Affairs stated that “Ensuring the peace and security of the ICT environment is one of the most urgent and far-reaching priorities on the international agenda. This working group must continue to do its part to achieve progress – not despite the current challenging international security environment but because of it.”
The zero draft was a mixed bag in this respect, and the revision is an improvement in many areas. It includes more of the proposals that have been made in the earlier OEWG II sessions. Some of the recommended next steps would usefully focus future OEWG sessions on topics that are perhaps politically challenging but therefore in need of dialogue, such as in the area of international law; or provide guidance for states on how to implement the UN cyber norms. There are also several recommended next steps that request the UN Secretariat to collect and collate various types of information submitted by member states—on a voluntary basis—which would help to identify where there are gaps and needs in capacity, whether technical, legal, or otherwise; or on best practices. Many of the proposed next steps build directly on proposals that have been detailed in working papers and written submissions to the OEWG, such as the National Survey of Implementation or Cybersecurity Capacity Maturity Model.
Concern has been expressed about the OEWG II potentially replicating actions and activities that are being conducted by non-governmental organisations, regional organisations, or other parts of the UN, such as in relation to cyber capacity building. This isn’t necessarily negative and in many instances, these steps constitute practical action, but if they are endorsed and implemented in a way that excludes relevant non-governmental stakeholders, they could introduce redundancy or duplication of efforts. And as the only global diplomatic process focusing on international cyber security and state use of ICTs, it could be argued that the OEWG should set the bar higher by focusing its energy on more politically sensitive and challenging topics.
The revised draft does better than the zero draft did to account for the diverse roles that a range of non-governmental actors play in cyber security in the real world as well as our contributions to the OEWGs. Similarly, the revision responds to concerns expressed by states in the informal consulations about the zero draft not reflecting the strong and growing support for gender perspectives in cyber security, whether that be gender-sensitive capacity building or improving women’s participation in the OEWG II, both of which referenced in the 2019-2021 OEWG report.
A part of the report which could be challenging to agree on is the topic of “regular institutional dialogue”, which effectively is code for how the UN will continue to approach the issue of ICTs in the context of international security in future. It could mean dialogue within the current OEWG, or through a future group—or, it could refer to dialogue that takes place through other UN mechanisms. Here, the draft report’s reference to the proposal to create a cyber UN programme of action (PoA) on state behaviour in cyber space is what might be divisive for member states.
This proposal was first made by France and Egypt in 2020, and there are now around 60 states that formally endorse it. In May, France convened a first-ever diplomatic retreat to further discuss the proposal with other supporters, and Canada, the Netherlands, and CyberPeace Institute organised a workshop that engaged the views of non-governmental stakeholders on a possible cyber PoA. The workshop was premised around an “options and priorities” research paper authored by WILPF and commissioned by Canada, which explores formation, architecture, and technical aspects of a possible cyber PoA. While no member state has on record opposed the PoA proposal, there are strong views about how a PoA process would relate to the work of the OEWG II. Therefore, how it is referenced in the report—and taken up in future OEWG meetings—could be a source of debate. A future PoA should not seek to supplant the OEWG, and the intention of its supporters is to create a complementary instrument that would focus on improving and supporting implementation of the UN norms for state behaviour in cyberspace.
Meanwhile, the issue of civil society participation has continued to be fraught. The modalities for accreditation and participation of non-governmental organisations were not resolved when the OEWG II convened its first substantive session in December 2021 and continued to be a subject of heated debate through March 2022, preventing the second session from being held in a formal mode and not allowing for any non-governmental organisation to participate. Modalities were finally agreed to in late April and are an improvement from those of the 2019-2021 OEWG—when an organisation’s accreditation request is objected to, states can now request from the Chair which country it was, introducing some transparency into the process. However, the objecting state has no obligation to share the reason for the objection. With the issue finally resolved, hopes were high for a robust participation from civil society in the third session—nonetheless, 32 groups were objected to, including many with direct and relevant expertise and knowledge to share. In this instance, it was Ukraine and Russia who made objections. Several of these organisations as well as those who were accredited signed onto a letter to the Chair outlining their concerns.
The Chair held a hybrid informal consultation with non-governmental stakeholders in advance of the session, which was open to any organisation regardless of accreditation. Those who were approved to participate in the OEWG will deliver statements to the session on Wednesday. While it might feel like progress to have any accreditation at all go through, it’s clear that resistance remains and that the playing of politics has continued to hamper access and participation. Excluding civil society from OEWG II or making it challenging to participate meaningfully will only be detrimental to the process—both its credibility and its impact.
Given that the next OEWG session isn’t until March 2023 and the rapid pace of offensive and harmful cyber action is increasing, states should take bold ambitious steps at this session. The progress report should set a blueprint that will set up the OEWG for success in its future meetings and send an important signal to the outside world. Moving from the “what” to the “how” should be done with purpose and to have impact.
“The OEWG II is tasked with many things,” this publication noted in a past editorial. “If political will allows for it, the OEWG could become a vital vehicle for bringing clarity to matters of legal ambiguity demonstrated by Ukraine-related incidents. It could identify gaps in the framework or develop a baseline assessment of how the framework is being implemented by states. Importantly, it could establish accountability mechanisms. But doing so depends on how easily, and quickly, participating states can decide to focus their collective efforts and how the role of the OEWG within the broader constellation of cyber security actors and frameworks is understood.”