Cyber peace and security
The word “cyber” has come to refer to an ever-widening spectrum of activities encompassing espionage, surveillance, privacy intrusions, denial-of-service attacks, ransomware, and malware operations that variously impact nations and individuals. Many of these activities have the ability to disrupt, disable, or destroy vital physical infrastructure or national or human security and well-being. Some constitute criminal activity while others occur within legal grey areas. Cyber operations have become an effective tool for states seeking to exercise power by causing disruption or confusion in other countries and are transforming espionage. Digital technology has added new means by which governments can control or repress the human rights of their citizens.
There are important points of intersection with militarism and traditional arms proliferation: for example, the dark web facilitates illicit arms trafficking while certain other technologies raise concerns related to surveillance and intelligence gathering. The vulnerability of certain existing weapon systems—notably nuclear weapons, uncrewed aerial vehicles (drones), and potentially autonomous weapons, if developed—to digital attack presents new areas of alarm, but also compelling incentives to disarm.
WILPF is increasingly concerned by the militarisation of cyber space and supportive of solutions that move us closer to cyber peace and go beyond seeking stability. The concept of cyber peace is evolving and being defined in different ways. Some have noted that it is more than the mere absence of conflict and must be grounded in a concept of positive peace that eliminates structural forms of violence; while others have explored how cybersecurity due diligence, global commons regimes such as those for the sea or outer space, and bilateral investment treaties can form the basis of a cyber peace approach.
WILPF believes that the pursuit of cyber peace necessitates processes that will understand cyber space on its own terms and consider its specific characteristics, including its overwhelmingly civilian nature, by avoiding an approach that imports concepts from traditional disarmament and arms control. WILPF recommends that the humanitarian and human rights impact of cyber operations be a guiding principle and central to multilateral discussions of cyber peace and security rather than being treated as a secondary after-thought to national security concerns.
WILPF believes that existing international law, including international human rights law and international humanitarian law, applies to activities in cyber space and provides a shared baseline. But this should not be taken to mean that the existing legal framework is sufficient. In fact, the current framework can be seen as a patchwork in which differing interpretations and understandings of key concepts and actions have created an easily exploitable vacuum, in which problematic emerging practice risks becoming the norm.
WILPF recommends steps that reduce the motivation to pursue aggressive cyber capabilities, such as through positive obligations or actions, and encourages efforts to break through the playing of politics on this issue. Inclusivity and transparency are imperative.
Issues of concern and debate
Concerns about the negative use of digital technologies, or “information and communication technologies (ICTs)” to use the phrase common within the UN community, are multi-dimensional and complex, engaging different actors in different ways to address a very wide spectrum of threats and concerns. For example, the actors involved in addressing cybercrime activities in pursuit of financial gain are different than the actors who are concerned about protecting our human rights online, or those who are interested in the role that digital technologies play in international relations, particularly in conflict and rivalry between states.
The issues of concern and debate described in this section relate to cyber peace and security as it fits within international relations and do not encompass all aspects of this issue. That said, it’s important to underscore the importance of wide and multi-stakeholder engagement, given the ubiquity of this problem.
The militarisation of cyber space
Since the first instances of malicious cyber operations between states were uncovered, there has been a growing presupposition of cyber space as a militarised space. This is a dangerous path for states to continue down, given the civilian and dual-use nature of cyber space and digital networks.
Consider, for example, the growing role of digital operations within military doctrines and strategy. Precise estimates vary, but it is generally accepted that at least a dozen states, and possibly as many as 30, are developing or have in place offensive cyber capabilities in connection with their military structures and/or doctrine. Some, including NATO, have acknowledged cyber space as a new operational domain of warfare.
Moreover, the way in which we talk about cyber security in the context of international relations (using terms like “cyber weapon,” “cyber deterrence,” or “cyber bomb”) reinforces the weaponisation of this space by grafting onto the characteristics and concepts associated with war and violence. ICT security discussions have largely taken place within the same fora as traditional disarmament and arms control, further weaponising what is an inherently civilian technology. In these fora, states have overwhelmingly expressed concern about the security of their “critical infrastructures” without making the link between those infrastructures and the human lives that they service and protect.
By treating cyber primarily as a military and security issue, states and other actors risk institutionalising and taking for granted the broad idea of cyber conflict. In the ongoing discussions about norms of responsible state behaviour in cyber space, it’s essential that such norms are viewed as obligatory commitments and that space is also given to articulating a vision of cyber peace.
Applicability of international law
The applicability of international law to cyber space has been a primary point of disagreement among UN member states in recent years, particularly with respect to articulating precisely how law would apply. Two of the five UN Groups of Governmental Experts (GGEs) on ICTs declared in 2013 and 2015 that “international law, and in particular the Charter of the United Nations,” were applicable to cyber space. At the time, this agreement was well received by the international community at large, and no state contested that the right to self-defence would apply in response to cyber operations that meet the threshold of an armed attack under Article 51 of the UN Charter.
Yet, the fifth UN GGE (2015-2016) “failed” because of disagreement on this point. Some states maintained that to affirm the application of the UN Charter, in particular the principles of use of force, would result in the militarisation of cyber space. Others insisted on acknowledging the right to apply “countermeasures” in scenarios that fell below the threshold of the use of force in cyber space. There was debate around linking the malicious use of ICTs with an armed attack and what the legal implications of that would be, as well as if a cyber operation could ever cross the high legal threshold of an armed attack.
Relatedly, the applicability of international humanitarian law (IHL) to cyber operations has become contentious. Some states argue that applying IHL to cyber space would legitimise undertaking military activities within it—which they claim to oppose. Some other states affirm IHL’s applicability and are careful to delineate that doing so does not signal any form of acceptance of cyber conflict. The International Committee of the Red Cross (ICRC) has highlighted that adherence to IHL means that attacks cannot be directed at civilians or civilian objects, and that critical civilian infrastructure—including the cyber infrastructure on which they operate or rely, such as networks or equipment—are civilian objects and therefore protected against attack, unless they have become military objectives.
Various multilateral processes on cyber security, including the GGEs referenced above, have articulated behavioural norms for states in cyber space. The precise status of these recommended norms is ambiguous; while they were developed by a small and non-transparent group of countries, they were later adopted by the UN General Assembly as a whole. Other forums have also outlined ideal behavioural norms (described below). How these are all meant to interact with one another, and how much states want to be bound by them, remains unclear.
While the term “information security” has been used widely for two decades within the UN system, it has always suffered from fundamental differences of understanding among states. This has ramifications for efforts to reach agreement on norms of state behaviour and is intrinsically linked to human rights considerations and their place in the discussion about digital technologies in a security context. Some governments tend to prioritise the importance of the free flow of information and access to it. Certain others view information technology and the free flow of information as a threat to be contained.
For example, China views “information security” as including not only the risks relating to vulnerabilities of structures and systems, but also the political, economic, military, social, cultural problems that arise from technology use within its own borders. China and Russia have preferred to focus on “international information security” in the context of multilateral discussion fora as a safer formula than addressing it in a way that would draw attention to their domestic actions in this regard. On the other hand, the United States has regularly reaffirmed that implementing information security measures cannot infringe on basic individual freedoms. The United Kingdom avoids using the term “information security” at all because it can be misused or misinterpreted as a way to justify limitations on personal freedoms.
Attribution, definitions, and non-state actors
Finally, the nature of digital technologies and cyber space presents unique challenges for the international community. For example, it is difficult—but not impossible—to attribute responsibility for an operation because identities can be easily disguised. This in turn complicates the potential for retaliation and thereby creates incentives for anonymity, which is different than traditional conflict or fighting, in which the perpetrator seeks recognition for its “win”. If a perpetrator is misidentified, there is a risk of misguided retaliation, increasing the potential for innocent individuals to be harmed as a result. Moreover, if it holds that international law and particularly IHL apply to cyber space, then it would be necessary to identify the perpetrator to justify any armed response, whether digital or kinetic.
A lack of universal definitions and understanding about key terms and concepts has long bedevilled efforts to develop policy, whether internationally or domestically. As the section above about information security demonstrates, this is in some cases a result of basic conceptual understandings that stem from culture or worldview. In other instances—such as when trying to define a “cyber attack,” for example—there are political and legal implications that influence the discussion. A report released in October 2014, for example, compiled existing definitions for commonly-used cyber security and information security-related terms used by governments, security bodies, and research institutes, in which there were thirteen recorded entries for the definition of a cyber attack.
The active role of non-state actors in malicious cyber operations has become another complicating factor. Individual hackers, programmers, or technicians can wreak havoc of their own volition, of course, and in certain places the law has not been sufficiently developed to respond to these actions—when the individual responsible can be identified. Moreover, some countries are known for recruiting individuals to work as part of unofficial state-sponsored espionage campaigns or hacking groups, which further blurs legal and ethical lines and complicates attribution efforts.
United Nations initiatives
The United Nations has been considering “developments in the field of information and telecommunications in the context of international security” since 1998, when Russia introduced the first draft resolution on the subject at the UNGA First Committee.
The centre of discussion has largely been within Groups of Governmental Experts (GGEs) on ICTs established by the UN General Assembly (UNGA) as of 2004.
Five GGEs have since been convened, each meeting either in Geneva or New York four times over a two-year cycle. Their sizes have ranged from 15–25 states.
Each GGE sought to agree by consensus a report of its proceedings. These may include conclusions and recommendations, which are returned to the wider UN membership for adoption. This has had varying levels of success; since their inception, the GGEs have suffered from a level of mistrust among their memberships and divergent views on definitions and basic approaches to information security. Over time they have also been increasingly criticised for their closed and non-transparent nature.
Yet the third and fourth Groups produced what are widely considered to be substantive outcomes (in 2013 and 2015 respectively), in the way of affirming the applicability of international law to cyber space and articulating eleven recommendations for voluntary and non-binding norms, rules, or principles for state behaviour, confidence-building measures, international cooperation and capacity building, and positive recommendations.
Following stalemate and breakdown during the fifth GGE, UN discussions were at an impasse. In 2018, Russia introduced new and controversial elements into the annual UNGA First Committee resolution, prompting the United States to draft its own counter-resolution. While Russia ultimately modified some of the more problematic elements of its draft, wider politicisation during the 2018 UNGA First Committee session prevented agreement and compromise. As a result, the UNGA established both a new GGE and for the first time, an Open-Ended Working Group (OEWG) that will meet concurrently throughout 2020 and 2021. The two entities have similar, yet not identical, mandates and varying modalities to receive inputs from either non-governmental stakeholders or, in the case of the GGE, non-Group members.
In November 2020, the General Assembly voted to establish, through resolution A/C.1/75/L.8/Rev.1, a second OEWG that will commence work in 2021 when the current OEWG completes its work. This second OEWG will report back to the General Assembly in 2025.
Elsewhere within the UN system are the annual reports of the UN Secretary-General (UNSG) on ICTs. One of the provisions of the original 1998 resolution on ICTs was a call on member states to inform the UNSG of their views and assessments on four key questions relating to information security. These form the basis of the annual reports on ICTs that UN Secretaries-General have published since 1999.
Current UN Secretary-General António Guterres has also promoted a peaceful ICT-environment by including two action points on cyber security within his 2018 Agenda for Disarmament, Securing our Common Future. Guterres notes in this document that “global interconnectivity means that the frequency and impact of cyberattacks could be increasingly widespread, affecting an exponential number of systems or networks at the same time.” He further states that “in this context, malicious acts in cyber space are contributing to diminishing trust among States.”
Other multilateral initiatives
The work within the UN is supplemented by an external patchwork of global and regional discussion fora for various stakeholders. Some of these fora have come to play an increasingly important role given stalemate and politicisation within the UN system.
France initiated its ‘Paris Call for Trust and Security in Cyber space’ in November 2018, which gained the support of dozens of countries, civil society organisations, and private technology companies. Also in 2018, the Global Commission on the Stability of Cyber space (GCSC) outlined six new global norms to help promote the peaceful use of cyber space. Proposals have also come from the private sector, notably Microsoft’s suggestion for a digital Geneva Convention and leadership in the development of the Cybersecurity Tech Accord, now supported by around 100 technology firms.
Regional agreements have enabled information-sharing and support between states on a practical and tactical level, including between Computer Emergency Response (or Readiness) Teams, also known as CERTs. Some agreements, like NATO’s Enhanced Cyber Defence, also incorporate legal considerations. The NATO Cooperative Cyber Defence Centre of Excellence (technically not a NATO organisation) commissioned the development of what is known as the Tallinn Manual. The Manual outlines how international law applies to cyber conflicts and cyber warfare and was developed by an international group of approximately twenty experts.
Other regional cooperation agreements have a focus on other aspects of cybersecurity such as cybercrime (the Budapest Convention), data protection and cyber security (African Union Convention on Cyber Security and Personal Data Protection) or information security (Shanghai Cooperation Organization’s agreement on “Cooperation in the Field of Information Security”).
In the context of the UN OEWG, a proposal to establish a cyber programme of action through the UN General Assembly has been gaining support. A PoA is a politically binding instrument.
Human rights considerations
The human rights impact of digital technologies is being addressed in different UN fora than where national security impacts are discussed, and usually by different actors within the international community. There has been very little intersection between security-based and human rights-based approaches or discourses, including for reasons outlined in the section above on information security. In general, many states prefer to keep content and human rights distinct from national security approaches, although Sweden, in cooperation with certain other states, has at times delivered statements in the UNGA First Committee linking human rights and ICTs.
Some human rights-based approaches have necessarily focused on specific human rights such as the right to freedom of expression, as protected by Article 19 of the Universal Declaration of Human Rights and of the International Covenant on Civil and Political Rights (1966). The human rights to privacy and assembly are also frequently at risk in a digital context. The right to privacy is guaranteed by Article 17 of the International Covenant on Civil and Political Rights (1966). Article 15 of the International Covenant on Economic, Social and Cultural Rights (1966) protects the right of everyone to “enjoy the benefits of scientific progress and its applications” which can be interpreted to include the right to use the Internet. There has also been reaffirmation of women’s human rights that are threatened by targeted online activities like revenge porn and cyberstalking (see section below).
The UN Human Rights Council (HRC), a UN body comprising 47 UN member states with foremost authority over human rights issues, has now passed multiple resolutions relevant to the Internet or digital contexts more broadly. The first, adopted in 2012, was considered landmark for not only being the first on the subject but also for its affirmation that “the human rights people enjoy offline, also apply online”. The resolution built on a 2011 report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression.
The right to privacy in the digital age has also been taken up by the UNGA Third Committee. In December 2013, the UNGA adopted resolution 68/167 “The Right to Privacy in the Digital Age” which called on all states to review their procedures, practices, and legislation related to communications surveillance, interception, and collection of personal data. It further emphasised the need for states to ensure the full and effective implementation of their obligations under international human rights law. The resolution was the foundation for a 2014 report of the Office of the United Nations High Commissioner for Human Rights on the same subject, for which the views of multiple stakeholders were solicited and for a follow-up resolution in 2015.
The UN Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression recently issued a report focused on the obligations of states and companies, by aiming to find user-centric and human rights law-aligned approaches to content policy-making, transparency, due process, and governance.
Beyond the United Nations are the day-to-day advocacy and other initiatives of non-governmental organisations and individual human rights defenders. Technologists have added to their work by developing applications and software to prevent intrusions, detect censorship, or enable anonymity online and give a measure of digital protection to those most at risk. As just one example, the Open Observatory of Network Interference has created free software for detecting censorship, surveillance and traffic manipulation on the internet. In 2018, 4,000 anonymous Google employees raised ethical and other concerns over the appropriate use of artificial intelligence and machine learning in the context of Project Maven, causing the company to step back from the military contract and commit to not design or deploy artificial intelligence for use in weapons. Tech workers from Google became allies of the Campaign to Stop Killer Robots over the course of 2018 and especially after the publication in April of the letter demanding the company commit to never build “warfare technology.”
Digital technologies are increasingly being used in the pursuit and defense of human rights, for example to capture violations and facilitate information sharing, such as through Amnesty International’s Citizen Evidence Lab. Particularly during the Arab Spring, and subsequently in countries as diverse as Iran and Moldova among others, digital technologies and platforms have been powerful tools for social organising—which has resulted in backlash and crackdowns. The sale of surveillance and other malware from private companies (most famously but not limited to Hacking Team) to governments and law enforcement agencies has shown that just as ICTs can unlock new channels for good, they can also become dangerous tools of repression and abuse. From Venezuela to Zimbabwe, China to Cameroon, there are multiple examples of Internet shutdowns, content removal from websites, and censorship including through offline punishment and intimidation practices.
Around the same time as social media began to be used for political organising and expression, the Edward Snowden revelations about United States’ (US) surveillance activities underscored the fact that Western democracies also have an active hand in online human rights abuse, although in such countries it tends to be more discreet, taking the form of surveillance rather than shutdown, for example. Investigative journalists, academics, and activists are working to reveal the actual agendas and activities of intelligence networks like the Five Eyes alliance or domestic agencies involved in surveillance activities that infringe on citizen rights.
In 2021, the UN Working Group on the use of mercenaries put out a call for submissions towards its report on the human rights impact of cyber mercenaries. WILPF provided a submission, and looks forward to viewing the Working Group's report when it is presented to the Human Rights Council and UN General Assembly in 2021.
Online gender dynamics are multi-faceted and often reinforce or even amplify the patterns and preconceptions of the offline world.
At a structural level, the militarisation of cyber space should be understood as an expansion of the patriarchal structures of power that perpetuate violence and repression. This militarisation not only overlooks systemic and root causes of violence but sets out to exacerbate and potentially create violence in a new medium where it does not necessarily otherwise occur.
In this vein, a militarised view of cyber space reinforces a prioritisation of national over human security and opens up a new space in which toxic and violent masculinities can flourish. This is already a known trend within the field of technology; coupling that with the entrenched patriarchy of military institutions risks shutting out alternative visions and conceptions of security and peace.
It is also important to consider how the weaponisation of technology and the fabrication of a new space for war-fighting may have profit incentives and motivations for private industry in a way not dissimilar from the traditional military-industrial complex. While there are a few differences in the response from some technology firms and individual technologists to the possibility of cyber conflict, the potential remains for the commodification and weaponisation of digital technologies writ large.
At a societal and individual level, digital networks are being used to harm people on the basis of gender in new and disturbing ways. With the emergence of social media in particular, sexual and intimate partner violence have taken on new dimensions that include bullying, defamation, impersonation, surveillance, tracking, and harassment as well as non-consensual sharing of photos or messages. Online gender-based violence (GBV) is often directed at those who break from—or are perceived as breaking from—traditional gender norms in any range of ways, whether it be sexual orientation or gender identity, choice of profession, physical appearance, lifestyle, athletic or intellectual ability, or political views, as just some examples. Non-conforming behaviour frequently becomes the focus of abuse; a lot of trolling, for example, uses language and insults that are highly gendered—misogynist or anti-gay rhetoric, threats of rape, etc. In some contexts, online GBV is exacerbated by the anonymity that an abuser can have on a social media platform; whereas in others it is bound up in other forms of intimate partner violence and used as a form of control.
In some circumstances, ICTs have been shown to facilitate economic and political empowerment by opening up channels of communications and information—but the same platforms can become spaces of exclusion, in particular for women.
Data collection and social surveillance practices, whether undertaken by individuals, governments, or corporations, have a gender dimension as well. Those activities are inherently about labeling and categorising individuals through methods that are often predicated on existing gender norms and can be discriminatory. Systems developed from such data can be exploited in ways that either perpetuate such norms—for example, by contributing to unrealistic expectations of female beauty or binary definitions of gender—or limit access and discriminate against those who do not conform.
For more on this, read our report, Why gender matters in international cyber security, published together with the Association for Progressive Communications (APC).
Center for Strategic and International Studies, Timeline of significant cyber incidents
Chatham House, Cyber and Nuclear Security project
Council on Foreign Relations, Cyber Operations Tracker
Joint civil society statement on cyber and human security to the 2018 UNGA First Committee (Statements from earlier years can be found by viewing the “civil society” section of the “statements” page within RCW’s annual reporting along with reporting and analysis in our First Committee Monitor).
Felicity Ruby’s research on the Five Eyes, surveillance, and democracy
UN Institute for Disarmament Research (UNIDIR), Cyber Policy Portal
WILPF, Programming action: observations from small arms control for cyber peace, February 2021
WILPF, Report from the UN Security Council meeting on cyber stability, conflict prevention, and capacity building, May 2020
WILPF and the Association for Progressive Communications, Why gender matters in international cyber security, April 2020
ICT4Peace, Submission to UN Negotiations on Cybersecurity (OEWG), August 2019
International Committee of the Red Cross, The Human Cost of Cyber Operations, Blog series, May 2019.
International Committee of the Red Cross, The Potential Human Cost of Cyber Operations, 29 May 2019.
Global Partners Digital, UN First Committee Processes on Responsible State Behaviour in Cyber space: An Explainer, 1 May 2019.
Privacy International, Reclaiming Privacy: A Feminist Manifesto, 8 March 2019
Privacy International, “Online gender-based violence: a privacy matter?”, 7 March 2019
Allison Pytlak, “Solving the Rubik’s cube: what’s next for norms in cyber space”, Forum on the Arms Trade, 27 December 2018.
Ronald J. Deibert, “Toward a Human-Centric Approach to Cybersecurity”, Ethics and International Affairs, Volume 32, Issue 4, December 2018.
Paul Meyer, “Global Cyber Security Norms: A Proliferation Problem?”, ICT4Peace Foundation, 3 December 2018
Giacomo Persi Paoli, The Trade in Small Arms and Light Weapons on the Dark Web: A Study, 22 October 2018
Mika Kerttunen and Eneken Tikk, Parabasis: Cyber-diplomacy in stalemate, Norwegian Institute of International Affairs, May 2018
Allison Pytlak and Brandon Valeriano, “The Frontlines of Cyber Repression: The Venezuelan Digital Caudillo”, 14 September 2017
Scott Shackelford, “The Law of Cyber Peace”, 16 July 2016
Heather M. Roff, Cyber Peace: Cybersecurity through the lens of positive peace, March 2016
UN Office of Disarmament Affairs (UNODA), “Developments in the field of information and telecommunications in the context of international security”, Website, n.d.