
Normative Challenges in the Cyber Domain – Limits of the UNGGE-OEWG Process

By – Dr Nishakant Ojha, Ph.D., Post-Doc, CEH, CISO, CISA

Former Principal Advisor -IT -Republic of Sudan 

Advisor-Expert Cyber Security -TCIL

Expert - Counter Terrorism - Para Military Forces & Defence

I.     INTRODUCTION 

Today cyberspace pervades all aspects of our lives and has significant implications not only for economic development, but also for the norms governing international relations. With the rapid development of information and communication technologies (ICTs), the issue of how cyberspace should be regulated is becoming increasingly complex and contentious, with a wide split emerging between the USA-led group of countries on one side and the Russia- and China-led group of countries on the other. In 1998, Russia moved a draft resolution in the UNGA First Committee calling for the development of international law regimes to prevent the use of information technologies for purposes incompatible with the missions of ensuring international stability and security. Over the past two decades, a number of actors, including experts, scholars and diplomats, have struggled to develop a consensus on the norms governing responsible state behaviour in cyberspace, drawing on a soft-law approach to norm development. However, these efforts have been only partially successful. There is still not much clarity on how existing international law applies in the cyber domain. To this end, this paper highlights the current challenges of international law in regulating cyberspace, provides an overview of the role of international law in ensuring cyber stability, provides an overview of the developments in cyber norm-making, and examines the limits of the UN Group of Governmental Experts (UNGGE) with a view to suggesting the way forward to end the present stalemate in cyber negotiations.

II.     INTERNATIONAL LAW AT CRITICAL JUNCTURE 

International law has increasingly been challenged by technological advances, especially evolving innovations and applications based on information and communication technologies (ICTs). The growing incidence of cyber-attacks, together with data privacy and national security concerns, has placed international law at a critical juncture. The unique characteristics of the cyber domain further complicate norm development. The lack of boundaries and the anonymity of cyberspace complicate the task of attributing a specific cyber breach.

Technological advances continue to outpace legal developments in the new arena of cyberspace. Interconnected ICT infrastructure challenges the ability of a state to exert sovereignty in cyberspace. This raises the question of whether cyberspace can be considered a “global commons”. New ICT technologies have today sparked an arms race among states to develop offensive cyber capabilities and devise strategies to make cyber operations an integral part of statecraft. The use of cyberspace operations has posed important international law issues, such as the exploitation of social media in the gray zone, the characterization of information warfare in cyberspace, the countering of gray zone cyber threats, technology and warfare, and the privacy implications of military cyberspace operations. The latest developments in artificial intelligence and machine learning have intensified the debate on how autonomous weapons systems can comply with international humanitarian law.

The geopolitical and strategic dimensions of cyberspace have led major countries to engage in diplomatic manoeuvring on almost all cyber issues, including Internet Governance, cybercrime, data access, and norms governing responsible state behaviour in cyberspace. For example, the UN adoption of the Russia-backed resolution on “Countering the use of information and communications technologies for criminal purposes” on 18 November 2019 shows that the rivalry between the USA and Russia over the Budapest Convention on Cybercrime is likely to continue in future. Both countries continue to engage in diplomatic manoeuvring, with Russia indulging in forum shopping – from the Vienna process to the New York process – to garner support for an international cybercrime convention. Russia, which has proposed a draft international cybercrime convention, has consistently argued that the Budapest Convention violates the principle of state sovereignty.

In the cyber domain, there has been a paradigm shift in the dynamics of international law-making, with states ceding rule-making space to non-state actors including IT companies and NGOs. This is because of the multi-stakeholder approach in Internet Governance. There are a number of organizations and stakeholders identifying and proposing cyber norms. These include the Russian-led SCO regional initiative on a draft International Code of Conduct for Information Security in the UNGA in 2011 and a revised draft Code of Conduct in 2015; NATO’s Tallinn Manual on the International Law Applicable to Cyber Warfare (2013); the Global Commission on the Stability of Cyberspace proposal on cyber norms (2018); the Paris Call for Trust and Security in Cyberspace (2018); and the Microsoft initiative on a Digital Geneva Convention (2018).

To sum up, technological advances have created a volatile ICT environment with significant risk to international peace and security. The dynamic ICT environment offers both opportunities and challenges to the international community to explore how international law applies in cyberspace.

III.     DEVELOPMENTS IN CYBER NORM-MAKING: UNGGE-OEWG PROCESS   

Cyberspace is the new international legal frontier. There is a need for a rules-based system to protect our global commons, such as cyberspace. Since the challenges of cyberspace were first brought to the attention of the United Nations in the late 1990s, the UN has played the central role in taking the initiative on developing cyber norms based on a ‘soft-law’ approach that has evolved over time. The UN has established six Groups of Governmental Experts (UNGGE) since 2004, including the sixth UNGGE (2019-2021), to examine inter alia how international law applies to the use of ICT technologies by states and to report findings to the UN General Assembly.

The third and fourth UNGGE are widely credited with producing substantive consensus reports in 2013 and 2015, outlining norms, rules and principles of the responsible behaviour of States in cyberspace as well as confidence-building measures, international cooperation and capacity building. The 2013 UNGGE report stated that international law, and in particular the UN Charter, is applicable to cyberspace. Building on this, the 2015 UNGGE report made a significant contribution by outlining 11 cyber-norms governing responsible state behaviour and offering non-exhaustive six-point views on how international law applies to the use of ICTs by States. However, the 2017 UNGGE failed to produce a consensus report because of a rigid standoff on certain contentious issues between the USA-led group of countries on one side and the Russia- and China-led group of countries on the other. These issues included the right to self-defence, the applicability of IHL in cyberspace, and the right to apply counter-measures in cyberspace.

In December 2018, the UNGA established a two-track parallel negotiation process on cyber norm development: the sixth UN Group of Governmental Experts (UNGGE) and the Open-Ended Working Group (OEWG). This has resulted in the resumption of negotiations on cyber norms between the USA-led group of countries and the Russian-led group of countries.

IV.    UNGGE VERSUS OEWG

The OEWG differs from the sixth UNGGE in several important ways, including membership, mandate and timeline. While the sixth UNGGE has 25 members, the OEWG is open to all UN Member States. The mandate of the OEWG is to study the possibility of setting up a regular institutional dialogue with broader participation under the UN, and to hold discussions on cyber norms with all interested UN Member States and informal consultations with experts, the private sector, NGOs and academia. The OEWG is required to submit its report to the UN General Assembly in 2020. The mandate of the new UNGGE is inter alia to continue to study norms, rules and principles of responsible behaviour of States, confidence-building measures and capacity-building, as well as how international law applies to the use of ICTs by states. Importantly, the new UNGGE is required to hold consultations with relevant regional organizations as well as organise informal open-ended consultations with all UN member states on the subject. The broader mandate of the sixth UNGGE for ‘UNGGE-Plus’ consultations is aimed at making the UNGGE more inclusive and transparent. The current UNGGE will submit a report on the results of the study to the UN General Assembly in 2021, containing an annex on how international law applies to the use of ICTs.

The first meeting of the new UN Open-Ended Working Group (OEWG) was held in September 2019. Broadly, there was convergence among participants that the OEWG can build upon the previous UNGGE reports. The sixth UNGGE and the OEWG should be mutually supportive and avoid contradictions. The second substantive meeting of the OEWG was held in February 2020. The OEWG is supposed to prepare a ‘zero’ draft of its report at its third meeting in July 2020. The OEWG will submit its final report to the 75th session of the UN General Assembly in 2020.

The sixth UNGGE held its first meeting in December 2019. The experts broadly affirmed that the 2015 UNGGE report should be the starting point of the work of the present sixth UNGGE. It was suggested that the new UNGGE could provide guidance on implementing confidence-building measures (CBMs). Further, the UNGGE is holding a series of consultations with regional organisations such as the European Union, the Organization for Security and Cooperation in Europe (OSCE), the Organization of American States (OAS), the African Union, the Association of Southeast Asian Nations (ASEAN) and the League of Arab States. The sixth UNGGE is supposed to prepare a consensus report by its fourth meeting in May 2021, for submission to the 76th session of the UN General Assembly in 2021.

V.     LIMITS OF UNGGE-OEWG PROCESS 

The UNGGE-OEWG process is a consensus-based decision-making process. This requires the reports of the UNGGE and the OEWG to be adopted by “consensus” amongst the members of the respective groups. It is understandable that consensus building in the OEWG is quite a herculean task, but it is equally hard to arrive at consensus among the 25 members of the sixth UNGGE. This is evident from the failure of the fifth UNGGE to produce a consensus report in June 2017, resulting in a stalemate in cyber diplomacy for almost two years.

Consensus decision-making has become a defining feature of international law development since the 1970s. Consensus, however, does not mean unanimity over the draft text among member states in the negotiation process. The draft text of the UNGGE report could be adopted by consensus even if some countries hold a divergent position on the text. However, a formal objection by even a single member state can block the adoption of the UNGGE report. The consensus procedure thus gives each of the 25 member states a veto over the adoption of the UNGGE report.

Over the past two decades, the cyber norm development process has been characterised by a divergence of views between the USA-led group of countries and the Russia-China led group of countries. The key points of divergence include whether existing international law applies in cyberspace; how international law applies in cyberspace; and the need for a UN-led institutional mechanism for developing cyber-norms. The experience of the fifth UNGGE shows that developing a common understanding on the contentious cyber issues between the two groups of countries is a big challenge. The political and strategic dimensions of the cyber issues, in particular the securitisation of cyberspace, have further exacerbated the problem of consensus building in the UNGGE-OEWG process. In such a scenario, the present sixth UNGGE may not be able to agree on a consensus report to be presented to the UN General Assembly in 2021.

VII.    WAY FORWARD

Presently, the cyber-norm development process is at a crossroads. While cyber norms are slowly taking shape, certain key issues have emerged as critical to ending the current stalemate in cyber diplomacy. These contentious issues include the threshold of cyber operations amounting to an armed attack under Article 51 of the UN Charter; the definition of cyber warfare; the right to self-defence; the applicability of international humanitarian law (IHL) in cyberspace; the attribution of cyber-attacks; the right to apply counter-measures in cyberspace; state sovereignty; data sovereignty; and cyber-crime cooperation mechanisms.

The on-going negotiations in the framework of the UNGGE-OEWG process offer an opportunity for the international community to work together to develop cyber-norms to ensure stability and security in cyberspace. While Member States may have differing perspectives on the actions needed to address growing cyber threats, the UNGGE-OEWG Chair can play a proactive role in building a consensus among all members to ensure stability in the cyber domain through enhanced transparency, cooperation and capacity-building measures among states. In this scenario, it is also possible to reconcile the national strategic interests of UNGGE-OEWG members and move forward significantly on advancing responsible state behaviour in cyberspace.

VIII.    CONCLUSION

The cyber diplomacy underpinning the UNGGE-OEWG process highlights the political limits within which international law functions. While the geopolitical interests of states are the principal determining factor in the development of cyber norms, this has not prevented countries from entering into bilateral cyber agreements. Most of these bilateral agreements recognise the applicability of international law to cyberspace in general. Similarly, regional organisations – such as SCO, OSCE, ASEAN, BIMSTEC – also take UNGGE reports into account while working out confidence-building measures at the regional level. However, the international community has not taken concrete actions for the universalisation and implementation of the cyber norms as enunciated in the 2015 UNGGE report. The internalisation of the cyber norms will pave the way for state practice to emerge in the cyber domain. The new UNGGE-OEWG process has an opportunity to revitalise progress in the cyber negotiations and contribute to advancing responsible state behaviour in cyberspace. In this regard, the on-going cyber negotiations need to focus on implementing the previous UNGGE reports, enhancing cooperation against non-state malicious actors, and developing further confidence-building measures to bridge the ‘trust-deficit’ amongst states.
