On June 24, the UN secretary-general’s office made public a report submitted by a Group of Government Experts (GGE) on “Developments in the field of information and telecommunications in the context of international security”. The GGE consisted of experts from Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, Russia, the UK and the US. The group deliberated on the report in three sessions during 2012 and 2013.
The submission of the report is a welcome and timely step. In recent years, concerns have grown over the misuse of cyberspace by criminals, terrorists, states and their proxies for disruptive and malicious activities. Cases of cyber espionage, attacks on critical infrastructure, financial thefts and cyber terrorism have grown manifold. Cyber security has become a high-profile issue between China and the US. The use of the worm Stuxnet in 2010 to disrupt Iranian centrifuges being used for uranium enrichment has raised concerns about undeclared cyber warfare.
The report recognises categorically that information and communication technologies (ICTs) have a bearing on international security. ICTs are being used for purposes that are “inconsistent with national peace and security”. Attribution of cyber crime being a difficult exercise, the actors misuse cyberspace with impunity. The report mentions clearly that “individuals, groups or organizations, including criminal organizations, may act as proxies for states in the conduct of malicious ICT actions”. International security might be jeopardised due to the increased risk of “mistaken attribution” leading to “unintended escalation”. The absence of a common understanding on what constitutes acceptable state behaviour in cyberspace could endanger international peace and security. Without naming Stuxnet, the report notes that the use of ICTs in disrupting industrial control systems creates “new possibilities of disruption”.
To mitigate the impact of cyber security, the report urges the UN to play a leading role in promoting “dialogue among states”. It stresses the need for a common understanding on how norms based on existing international law could be applied in cyberspace. Co-operation among states to fight criminal use of ICTs through harmonisation of legal approaches should be promoted. Private sector and civil society should be encouraged to play a role in improving security in cyberspace. The critical recommendation made by the GGE is that “States must meet their international obligations regarding internationally wrongful acts attributable to them”. Further, the states should not use proxies to commit internationally wrongful acts. They should also ensure “their territories are not used by non-state actors for unlawful use of ICTs”.
The report goes on to recommend confidence-building measures in cyberspace such as voluntary exchange of views and information sharing, creation of bilateral, regional and multilateral frameworks, increased co-operation on incident response and synergy among law enforcement agencies. The emphasis is on the need to enhance common understanding and co-operation.
Other measures recommended by the group include strengthening of bilateral, regional, multilateral and international capacity-building efforts to secure ICT use and ICT infrastructure, harmonisation of national legal frameworks, creation of law enforcement capabilities and identification and dissemination of best practices. Incident response capabilities including strengthening CERT to CERT (Computer Energy Response Teams) co-operation has also been advised. Research institutes and varsities can play special roles on ICT security.
Many recommendations made in the report, mainly on international co-operation on cyber security, have been made earlier in numerous reports. However, two aspects need highlighting. First, the recognition and admission by the experts that the states may be using “proxies” for unlawful activities. They recommend responsible behaviour in cyberspace by states consistent with their obligations under the international law. Second, the report takes a clear view that the international norms are applicable to cyberspace. This is important considering several critics hold that given the nature of threats in cyberspace where attribution is difficult, the application of international norms may not be possible.
There has been intense debate whether cyberspace also requires international cyber security confidence-building measures and rules on the lines of similar conventions in other areas of international security. In fact, countries like Russia, Tajikistan, China, Uzbekistan, Kazakhstan and Kyrgyzstan have come out with drafts for cyberspace. Experts take note of this but do not take a clear view whether a cyber convention to govern states’ behaviour in cyberspace is needed. This is because there are considerable gaps in the thinking of the US on one hand and Russia and China on the other with regard to a cyber convention. However, it does give a hint. It implies that whatever norms are agreed upon must have international legitimacy and UN blessing.
One weakness of the report is that it does not offer clear guidance on how to build consensus on key cyber security issues. In cyberspace, even the vocabulary is contentious. A common understanding of issues such as what is cyber warfare and what implies the use of force needs to be developed. It would be useful to set up a UN mandated forum, much like the UN Committee on the Peaceful Uses of Outer Space, to deliberate on technical and legal issues. The International Law Commission could also be involved to develop the international law governing cyberspace. In the context of cyber warfare, involving attacks on their critical infrastructure by states or proxies, use of force in cyberspace becomes important. The cyber doctrines of some states stipulate that attacks would elicit response that may not be confined to cyberspace.
A lot of conceptual work still needs to be done to understand if cyberspace is emerging as a new arena of warfare. Does the international law codified in Geneva Conventions apply to cyberspace? The report has skirted these issues and focused on the lowest common denominator of cyber norms. This is necessary but not a sufficient condition to ensure cyber security.
The author is director general, Institute for Defence Studies and Analyses. Email: firstname.lastname@example.org