Your browser lacks required capabilities. Please upgrade it or switch to another to continue.
Loading…
Before continuing, please answer the following questions*:
1) What is your full name? <<textbox "$Name" "">>
2) What is your official title? <<textbox "$Title" "">>
3) What country or regional organization do you represent? <<textbox "$Affiliation" "">>
4) Do you have any prior experience in cyber discussions?
<<textarea "$Previous_Experience" "">>
5) What is the most important priority for your country or organization?
<label><<radiobutton "$Priority" "National Security">> Protecting against nation state attacks in cyberspace</label>
<label><<radiobutton "$Priority" "Cybercrime">> Protecting against cybercriminals and other non-state actors</label>
<label><<radiobutton "$Priority" "Economic Development">> Promoting economic development through the promotion of digital technologies</label>
6) What do you think the goal of upcoming cyber discussions should be?
<label><<radiobutton "$Goal" "Treaty">> A formal treaty</label>
<label><<radiobutton "$Goal" "New Norms">> Progress in developing new norms and other informal measures</label>
<label><<radiobutton "$Goal" "Implementation">> Progress in implementing existing norms and other informal measures</label>
<hr size="10" noshade>
How confident do you feel in your understanding of the following subjects?
7) The history of UN cyber discussions
<label><<radiobutton "$Confidence_History_Start" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_History_Start" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_History_Start" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_History_Start" "4">> Very Confident</label>
8) The role of the different UN institutions (the UN First Committee, the GGE, the OEWG, etc.) in ongoing cyber discussions
<label><<radiobutton "$Confidence_UNInstitutions_Start" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_UNInstitutions_Start" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_UNInstitutions_Start" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_UNInstitutions_Start" "4">> Very Confident</label>
9) The role of outside groups like regional and civil society organizations in ongoing cyber discussions
<label><<radiobutton "$Confidence_OutsideOrgs_Start" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_OutsideOrgs_Start" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_OutsideOrgs_Start" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_OutsideOrgs_Start" "4">> Very Confident</label>
10) The priorities of your home government or organization in cyberspace
<label><<radiobutton "$Confidence_Priorities_Start" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_Priorities_Start" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_Priorities_Start" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_Priorities_Start" "4">> Very Confident</label>
11) The role of norms, confidence building measures, and capacity building in ongoing cyber discussions
<label><<radiobutton "$Confidence_Norms_CBMs_Start" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_Norms_CBMs_Start" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_Norms_CBMs_Start" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_Norms_CBMs_Start" "4">> Very Confident</label>
12) The application of international law in cyberspace
<label><<radiobutton "$Confidence_IntlLaw_Start" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_IntlLaw_Start" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_IntlLaw_Start" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_IntlLaw_Start" "4">> Very Confident</label>
<hr size="10" noshade>To what extent do you agree with the following statement:
13) I feel confident in my ability to participate in a UN cyber discussion
<label><<radiobutton "$Preparedness_Start" "1">> Strongly Disagree</label>
<label><<radiobutton "$Preparedness_Start" "2">> Slightly Disagree</label>
<label><<radiobutton "$Preparedness_Start" "3">> Neither Agree Nor Disagree</label>
<label><<radiobutton "$Preparedness_Start" "4">> Slightly Agree</label>
<label><<radiobutton "$Preparedness_Start" "5">> Strongly Agree</label>
<em>*Completion of this survey is required for the processing of reimbursements through this program. Responses provided through this survey will be collected and retained by the CSIS Technology Policy Program for no longer than three years to satisfy grant reporting requirements. Responses may be shared with the U.S. State Department for operations planning. For questions about this data policy or to request information about data that has been collected, please email [email protected].</em>
<hr size="10" noshade><div class="footer-nav__links">
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Course Introduction]]</div>
<div class="nav-btn next-btn">[[Submit->Module 1: Hisory and Structure of UN Cyber Discussions]]
<div class="next-text">Module 1: History of UN Cyber Discussions</div></div>
</div>
</div>
<h1>CSIS Online Course -- International Cyber Engagement</h1>
Welcome to <a href="https://www.csis.org/programs/technology-policy-program">CSIS'</a> online course on international cyber engagement. This set of training modules is designed to help prepare government officials and diplomats to take part in UN First Committee discussions of cybersecurity. These build on more than a decade of experience in the UN which has focused on developing norms for responsible state behavior, confidence-building measures, and capacity building. This course will explore all three topics, along with other related international efforts to improve cybersecurity.
In the 1970s, scientists developed a new technology that let distant computers connect to each other. This became the internet. The internet’s designers did not expect it to become a globe-spanning network of networks that connects billions of people and serves as a critical platform for businesses and governments after it was commercialized in 1995. Security was not a priority. This unexpected growth has produced immense economic benefit, but it has also created a new set of problems for international security, due to increased opportunities for new kinds of conflict.
International attention to cybersecurity has increased dramatically. Cyberspace has become a central global infrastructure. States have recognized the need for global cooperation to make this global infrastructure more stable and secure. To achieve this, one of the main venues for discussion and negotiation has been the <a href="https://www.un.org/en/ga/first/">UN’s First Committee</a>, responsible for Disarmament and International Security. It has discussed the security of information and communications technology (ICTs) since <a href="https://undocs.org/A/RES/53/70">1998</a>. Regional organization also pay an important role, especially in developing and implementing confidence-building measures, and capacity building.
These UN discussions have developed shared understandings on how states should behave in cyberspace and how these fits with a country's existing international commitments. Beginning in 2004, the UN First Committee established Groups of Governmental Experts (GGEs) to examine developments in the field of information and telecommunications in the context of international security. The latest in this series of efforts grows out of two resolutions in 2018 – <a href="https://undocs.org/A/RES/73/266">A/RES/73/266</a> and <a href="https://undocs.org/A/RES/73/266">A/RES/73/27</a>. They established a new GGE and, for the first time, a new Open-Ended Working Group (OEWG). The GGE will carry out its mandate from 2019 through 2021, while the OEWG is set to issue its final report in 2020. While the GGE is limited to twenty five national experts selected by the Secretary General and its meetings are closed, the OWEG is open to all member states and a large number have taken advantage of the opportunity to attend and discuss cybersecurity issues and present national views.
This online course will provide background information on the development of multilateral cybersecurity discussions and explore the issues that are likely to arise during the GGE and OEWG meetings. It is structured in four modules:
<ol>
<li>History and Structure of UN Cybersecurity Discussions</li>
<li>Cybersecurity Discussions in Regional Groups and International Organizations</li>
<li>Issues in UN Cybersecurity Discussions</li>
<li>Preparing for UN Cybersecurity Discussions</li></ol>
These modules will help prepare for the GGE and OEWG discussions, build cybersecurity expertise, and promote the principles of an open, secure, and reliable cyberspace. By the end of the course, you should be familiar with the following key concepts and their overall impact on International Cyber Engagement.
<ol>
<li>Since it started working on developments in the field of information and telecommunications in the context of international security, the UN First Committee on Disarmament and International Security has commissioned six Groups of Governmental Experts (GGEs) and one Open-Ended Working Group (OEWG) to study existing and potential threats in the sphere of information security and possible cooperative measures to address them.</li>
<li>The 2015 GGE report, adopted by consensus, presents eleven voluntary norms, which together with existing international law and the UN Charter set the framework for responsible state behavior in cyberspace. Confidence-building measures and capacity building are key to their implementation.</li>
<li>Efforts to address cybersecurity threats—particularly as they relate to the Sustainability Development Goals (SDGs)—are underway in other UN bodies, regional organizations and NGOs.</li>
<li>The current GGE and OEWG UN cyber negotiations are expected to prioritize the discussion of the following: Existing and Potential Threats; Applicability of International Law; Rules, Norms and Principles of Responsible State Behavior; Regular Institutional Dialogue, Confidence Building Measures; and Capacity Building.</li><li>The unique threat environment each nation faces will affect how state representatives at the GGE and the OEWG prioritize issues and negotiate throughout the discussions</li></ol>
To begin, please complete the following survey.
<div class="nav-btn next-btn">[[Next->Survey]]
<div class="next-text">Survey</div></div>
<h1>Cybersecurity Discussions in Regional Groups and International Organizations</h1>
Progress towards a stable and secure cyberspace benefits from the development of common understandings among states and non-state actors. While negotiations in the UN GGE have made significant progress since 2010, there are many regional, multilateral, and non-governmental organizations that also seek to reduce these risks to the stability and security of cyberspace. These organizations took the 2013 and 2015 GGE Reports and have made real progress in implementing the recommendations, particularly for confidence building and capacity building. Regional organizations have been crucial to the GGE process since they serve as the platforms for those states to implement GGE recommendations. This module will explain the role these organizations play in promoting cooperation on cybersecurity.
<div class="footer-nav"><hr size="10" noshade><div class="footer-nav__links"><strong>Click the links below to explore this module</strong>
<<if hasVisited("Regional Organizations")>> <span class="complete"> [[Regional Organizations->Regional Organizations]] </span> <<else>> [[Regional Organizations->Regional Organizations]]<</if>>
<<if hasVisited("Other Regional")>> <span class="complete"> [[Other government and regional bodies->Other Regional]] </span> <<else>> [[Other government and regional bodies->Other Regional]]<</if>>
<<if hasVisited("Other UN Bodies")>> <span class="complete"> [[Related efforts by other UN bodies->Other UN Bodies]] </span> <<else>> [[Related efforts by other UN bodies->Other UN Bodies]]<</if>>
<<if hasVisited("CSOs")>> <span class="complete"> [[Civil Society Organizations->CSOs]] </span> <<else>> [[Civil Society Organizations->CSOs]] <</if>>
</div>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 1: Hisory and Structure of UN Cyber Discussions]]</div>
<div class="nav-btn next-btn">[[Next Module->Module 3: Other Issues in UN Cyber Negotiations]]
<div class="next-text">Module 3: Other Issues in UN Cyber Negotiations</div></div>
</div>
</div><h1>Civil Society Organizations</h1>
Until 2019, only UN Member States were involved in UN First Committee cybersecurity talks. There is now a recognition that discussions should involve the multi-stakeholder community - companies and civil society. The resolution that created the OEWG clearly stated this, with the understanding that the participation of the multi-stakeholder communities is intended to increase transparency and inclusivity.
After the failure of the 2017 GGE to reach consensus, companies and civil society produced numerous private initiatives for norms in cyberspace. Common themes include the need to define responsible behavior in cyberspace for States and companies, for cooperation between the private and public sectors, and to constrain or even avoid the use of cyberattacks.
Microsoft, for instance, has been particularly active in this front, going as far as proposing a <a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QH">Digital Geneva Convention</a>. This proposal met with a mixed reception as it faces all the obstacles that would face any binding convention for cyber conflict. Other tech companies have shown less interest in becoming involved in this kind of initiatives, and are more interested in the regulation of cross-border data flows and data protection, topics that the UN treats separately from cybersecurity.
Many civil society groups hold events that serve as platforms for discussion between representatives of governments, industry, academia, and non-governmental organizations. Civil society groups attended the first OEWG meeting and made brief <a href="https://www.un.org/disarmament/open-ended-working-group/">presentations</a> as part of the proceedings. The organizations linked below are examples of the kind of initiatives that civil society has undertaken for the development of common principles for behavior in cyberspace.
The <a href="https://cybertechaccord.org/">Cybersecurity Tech Accord</a> and the <a href="https://new.siemens.com/global/en/company/topic-areas/cybersecurity/charter-of-trust.html">Charter of Trust</a> are examples of industry-led voluntary initiatives to identify guiding principles for trust and security, strengthen security of supply chains and improve training of employees in cybersecurity. Other initiatives include the <strong>Freedom Online Coalition's</strong> <a href="https://www.freedomonlinecoalition.com/wp-content/uploads/2014/04/FOC-WG1-Recommendations-Final-21Sept-2015.pdf">Recommendations for Human Rights Based Approaches to Cyber security</a>, the <strong>Internet Society's</strong> <a href="https://www.manrs.org/">Mutually Agreed Norms for Routing Security (MANRS)</a>, and the <a href="https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf">Paris Call for Trust and Security in Cyberspace</a>. The Paris Call established by French President Macron in 2019 is the most prominent of these efforts.
Other initiatives include:
<ol>
<li><a href="https://www.thegfce.com/">Global Forum of Cyber Expertise (GFCE)</a></li>
<li><a href="https://www.thegfce.com/about/gccs">Global Conference on Cyber Security (the London Process)</a></li>
<li><a href="https://cyberpeaceinstitute.org/">Cyber Peace Institute (CPI)</a></li>
<li><a href="https://cyberstability.org/about/">Global Commission on the Stability of Cyberspace (GCSC)</a></li>
<li><a href="https://ict4peace.org/activities/">ICT4Peace</a></li></ol>
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 2: Global Landscape]]</div>
</div>
</div>
<h1>Regional Organizations</h1>
<h2>The Association of Southeast Asian Nations (ASEAN) and the ASEAN Regional Forum (ARF)</h2>To strengthen cooperation among its members, the <a href="https://asean.org/">ASEAN</a> created a <a href="https://www.csa.gov.sg/-/media/csa/documents/sicw2016/amcc/factsheet_accp_final.pdf">Cyber Capacity Programme</a> (ACCP) in 2016. In 2019, it created the <a href="https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2018/9/opening-remarks-by-mr-s-iswaran-at-the-asean-ministerial-conference-on-cybersecurity?page=1_6">Singapore-ASEAN Cybersecurity Centre of Excellence</a> (ASCCE), which tries to align cyber diplomacy with operational issues such as incident response and information sharing.
Some ASEAN members have proposed establishing an ASEAN mechanism to improve cyber coordination across the group and strengthen a unified perspective. The ASCCE seeks to support strategy development among ASEAN states through training and research, enhance resilience with more national <span class='tooltip'>CERT<span class='tooltiptext'>Computer Emergency Response Team</span></span> training, and promote information sharing among these <span class='tooltip'>CERTs<span class='tooltiptext'>Computer Emergency Response Teams</span></span>.
The <a href="https://asean.org/asean-political-security-community/asean-regional-forum-arf/">ARF</a> is the most important group in ASEAN for work on cybersecurity. It facilitates regional engagement on cybersecurity issues, particularly in countering cybercrime, establishing a regional framework for confidence building measures, and building regional cyber capacity. The forum holds regular dialogues on cybersecurity through intersessional meetings and workshops. By convening its members (including at the Ministerial level) to discuss relevant topics they seek to increase regional understanding and cooperation as well as prepare nations for UN meetings.
<h2>The Organization for Security and Cooperation in Europe (OSCE)</h2>The <a href="https://www.osce.org/secretariat/cyber-ict-security">OSCE</a> is a treaty-based group for collaboration on security issues among European states. In cybersecurity, it has focused on developing <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span> among its 57 member states. The OSCE has adopted 16 <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span> since 2013, and in 2017, foreign ministers from its member states <a href="https://www.osce.org/secretariat/390830?download=true">committed</a> to redoubling efforts to implement more <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span>. These fall into three main categories: (1) cyber capability sharing, (2) crisis communication mechanisms such as diplomatic procedure, and (3) preparedness.
<iframe width="560" height="315" src="https://www.youtube.com/embed/vvMpdJjxzrc?start=1452&end=1538" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
The OSCE provides assistance in preparing member states to guard against transnational and subnational cyber/<span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span> threats through the <a href="https://www.osce.org/secretariat/256071?download=true">OSCE Secretariat’s Transnational Threats Department</a>. The Department’s Cyber Security Officer offers <a href="https://www.osce.org/secretariat/107810">guidance and policy advice</a> for cyber protection against organized criminals and terrorists.
The OSCE also maintains its own inter-regional network of more than 80 experts trained in cyber diplomacy to assist in the development of regional cyber norms and offers sub-regional trainings for policymakers in South-East Europe and Central Asia.
<h2>The European Union (EU)</h2>Cybersecurity work in the EU focuses on three main pillars: (1) cyber resilience, (2) deterrence, and (3) international diplomatic engagement.
The cyber resilience initiative provides direction on CBMs and information sharing between European states. The <a href="https://www.enisa.europa.eu/">European Union Agency for Network and Information Security</a> (ENISA) has been working since 2004 to provide training and capacity building in Member States.
The deterrence pillar includes a framework for dissuading potential cyber criminals and malicious actors, including improvements to law enforcement detection, tracing, and prosecution capabilities. The EU also adopted the <a href="https://www.enisa.europa.eu/events/artificial-intelligence-an-opportunity-for-the-eu-cyber-crisis-management/workshop-presentations/20190603-eeas-eu-cyber-diplomacy-toolbox.pdf/view">cyber diplomacy toolbox</a> which identifies potential responses to malicious cyber activities.
The final pillar, international diplomatic engagement, endorses the norms, rules and principles of responsible state behavior articulated in the GGE Reports. This pillar also lays out guidelines for cybersecurity capacity building intended to increase the level of cybersecurity globally.
<h2>The Organization of American States (OAS)</h2>The <a href="https://www.oas.org/en/sms/cicte/prog-cybersecurity.asp">OAS</a> has three main priorities for promoting increased cybersecurity in its Member States: (1) policy development, (2) capacity building, and (3) research and outreach. The OAS has been working with companies and civil society groups to improve regional stability in cyberspace; and it considers that awareness building is key to advancement.
Through its <a href="https://www.oas.org/en/sms/cicte/default.asp">Inter-American Committee against Terrorism</a> (CICTE) <a href="https://www.oas.org/en/sms/cicte/prog-cybersecurity.asp">Cybersecurity Program</a>, OAS has promoted understandings on norms and regional <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span> endorsed by the GGEs. In addition to helping advance nations’ understanding of cyber norms and <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span>, CICTE helps establish and develop national teams of cyber experts to respond to emergencies (<span class='tooltip'>CERTs<span class='tooltiptext'>Computer Emergency Response Teams</span></span> or <span class='tooltip'>CSIRTs<span class='tooltiptext'>Computer Security Incident Response Teams</span></span>), and also seeks to build effective and efficient information-sharing and coordination systems among OAS members.
The <a href="https://www.oas.org/juridico/english/cyber.htm">Inter-American Cooperation Portal on Cyber-Crime</a> facilitates further cooperation and information exchange between OAS country experts in cybercrime investigation and prosecution. Economic growth in Latin America has coincided with a rise in cybercrime. To counteract this trend, OAS also releases reports and cooperates regularly with industry partners to build cyber capacity in the private sector.
<h2>The African Union (AU)</h2>The <a href="https://au.int/en/infrastructure-energy-development">AU</a>’s objectives are to ensure that every member state has a national cyber strategy, adopts legislation related to cybersecurity and cybercrime, and create its own <span class='tooltip'>CERT<span class='tooltiptext'>Computer Emergency Response Teams</span></span>.
In 2014, the AU passed the <a href="https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf">Convention on Cyber Security and Personal Data Protection</a>, also known as the Malabo Convention. The Malabo Convention was intended to form the backbone of intercontinental cooperation on cyber security in Africa. As of June 2019, only 14 countries have signed the treaty and 5 have ratified it.
The AU in collaboration with the Council of Europe, Interpol and others organized the <a href="https://au.int/en/newsevents/20181016/first-african-forum-cybercrime">First African Forum on Cybercrime</a> in 2018 which endeavored to advance policies and legislation in member states, foster international cooperation, and build capacity in emergency response.
The <a href="https://au.int/sites/default/files/decisions/9559-assembly_en_1_3_february_2009_auc_twelfth_ordinary_session_decisions_declarations_message_congratulations_motion.pdf">Specialized Technical Committee on Communications and ICTs</a> (STC CICT) has allowed African ministers with jurisdiction over <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span> and telecommunications to coordinate their approaches. The Committee, established in 2009 by the AU Assembly, is responsible for developing frameworks for <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span> policy and regulation harmonization in Africa. It has met three times, all since 2016 and developed <a href="https://au.int/sites/default/files/newsevents/workingdocuments/31357-wd-a_common_african_approach_on_cybersecurity_and_cybercrime_en_final_web_site_.pdf">A Global Approach on Cybersecurity and Cybercrime in Africa</a>, published in 2016. STC CICT has also <a href="https://au.int/sites/default/files/decisions/33909-ex_cl_decisions_986-1007_e.pdf">called for</a> the establishment of a specialized AU Cyber Security Collaboration and Coordination Committee (AUCSC3). The AUCSC3 provides guidance and recommendation on cyber policy to the AU.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 2: Global Landscape]]</div>
</div>
</div>
<h1>Other Government and Regional Bodies</h1>
<a href="http://www.g8.utoronto.ca/">Group of 7</a> (G7): The G7 issued the <a href="https://www.mofa.go.jp/files/000160279.pdf">G7 Principles and Actions on Cyber</a> at the G7 Ise-Shima Summit. It is also attempting to develop norms for protecting financial sector networks (which are opposed by a few key nations). In May 2019, the G7 <a href="https://www.reuters.com/article/us-g7-france-cyber/g7-countries-to-simulate-cross-border-cyber-attack-next-month-france-idUSKCN1SG1KZ">simulated</a> a cross-border cyberattack in France. In August 2019, the <a href="https://www.elysee.fr/en/g7#sommet">G7 Summit</a> covered five themes, including the opportunities created by AI and digital technology.
<a href="https://g20.org/en/Pages/home.aspx">Group of 20</a> (G20): In June 2019, the G20 Summit covered topics including global data governance and discussed how to improve inclusivity, safety, and trust in this age of digitalization. Japanese Prime Minister Shinzo Abe hosted the “Leaders’ Special Event on Digital Economy”; the discussion resulted in attendees supporting the new <a href="https://www.wto.org/english/news_e/news19_e/osaka_declration_on_digital_economy_e.pdf">Osaka Declaration on Digital Economy</a>, which called for international rule-making for the digital economy and develop common rules for cross-border data transfers.
<a href="https://infobrics.org/">BRICS</a>: the BRICS nations consist of Brazil, Russia, India, China and South Africa. In August 2019, BRICS Ministers released a <a href="http://www.chinatoday.com.cn/ctenglish/2018/tpxw/201911/t20191113_800184922.html">joint declaration</a> regarding cooperation on cybersecurity, digital infrastructure, 5G, and the Internet of Things. Its work complements to the efforts of the <a href="http://eng.sectsco.org/news/20180126/377347.html">Shanghai Cooperation Organization</a>, a security organization composed of eight nations (India, Kazakhstan, China, Kyrgyzstan, Pakistan, Russia, Tajikistan, and Uzbekistan).
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 2: Global Landscape]]</div>
</div>
</div>
<h1>History and Structure of UN Cyber Discussions</h1>
The United Nations (UN) is the global forum for multilateral negotiations on cybersecurity. In 1998, the Russian Federation brought cybersecurity before the UN in a proposal for a binding treaty. This was prescient, but premature. In thinking about the proposal, a number of scholars and diplomats concluded that it would be first necessary to build trust among nations using an agreed framework of norms and confidence- building measures (CBMs) to guide national decisions.
While many UN bodies discuss cybersecurity, the <a href="https://www.un.org/en/ga/first/">UN First Committee on Disarmament and International Security</a>—one of the six main committees of the UN General Assembly (UNGA)—has the lead on international security and cyber conflict. The First Committee has been involved in cybersecurity since 1998 when it adopted the <a href="https://undocs.org/A/RES/53/70">Resolution on Developments in the field of information and telecommunications in the context of international security</a>, and the UN has adopted annual resolutions on the issue ever since.
Starting in 2004, the First Committee established Groups of Governmental Experts (GGEs) (in <a href="http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/58/32">2004</a>, <a href="http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/60/45">2009</a>, <a href="http://www.un.org/en/ga/search/view_doc.asp?symbol=%20A/RES/66/24">2012</a>, <a href="http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/68/243">2014</a>, <a href="https://unoda-web.s3-accelerate.amazonaws.com/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf">2016</a> and now <a href="https://undocs.org/A/RES/73/266">2019</a>), tasked with studying how Information and Communication Technologies (ICTs) affect international security and developing recommendations for the Secretary General. The latest GGE was mandated to continue the work of earlier GGE’s to advance common understandings on responsible state behavior in cyberspace in the context of international security. The GGE process became the focal point for cybersecurity negotiations and the background of the “expert” from each country changed from emphasizing technical knowledge to experts with experience in diplomacy and arms control or non-proliferation. In 2018, in a departure from past practice, the First Committee also set up a new parallel process to the GGE, an <a href="https://undocs.org/A/RES/73/27">Open-Ended Working Group (OEWG)</a>, with a mandate similar to the GGE. Guided by strong chairs, the work of the two groups has been complementary.
In addition to the First Committee there are simultaneous efforts at improving governance and safety in cyberspace taking place in other UN bodies. This module will provide an overview of the discussions at the GGE and OEWG, and look at their most relevant tasks: developing rules, norms and principles of responsible state behavior, establishing confidence-building measures and promoting capacity building.
<div class="footer-nav"><hr size="10" noshade><div class="footer-nav__links"><strong>Click the links below to explore this module</strong>
<<if hasVisited("First Committee")>> <span class="complete"> [[UNGA First Committee->First Committee]] </span> <<else>> [[UN First Committee->First Committee]] <</if>>
<<if hasVisited("GGE & OEWG")>> <span class="complete"> [[The 2019 GGE & OEWG->GGE & OEWG]] </span> <<else>> [[GGE & OEWG->GGE & OEWG]] <</if>>
<<if hasVisited("Rules & Norms")>> <span class="complete"> [[Rules, Norms and Principles of Responsible State Behavior->Rules & Norms]] </span> <<else>> [[Rules, Norms and Principles of Responsible State Behavior->Rules & Norms]] <</if>>
<<if hasVisited("CBMs")>> <span class="complete"> [[Confidence-Building Measures->CBMs]] </span> <<else>> [[Confidence-Building Measures->CBMs]] <</if>>
<<if hasVisited("Capacity Building")>> <span class="complete"> [[Capacity Building->Capacity Building]] </span> <<else>> [[Capacity Building->Capacity Building]] <</if>>
</div>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Survey]]</div>
<div class="nav-btn next-btn">[[Next Module->Module 2: Global Landscape]]
<div class="next-text">Module 2: Regional Groups and International Organizations </div></div>
</div>
</div><h1>Preparing for UN Cyber Discussions</h1>
Cybersecurity is an evolving area of policy and practice. Countries are issuing national policy documents that explain and define their interests in cyberspace. Understanding what underlies a State’s position when taking part in multilateral discussions on cybersecurity—their national strategies, organization and law—is particularly helpful.
Better cybersecurity requires national strategies, rules, and institutions. Developing a national strategy is the first and foundational best step to achieve a more stable and secure cyber environment. Strategies can provide a policy framework under which countries can organize their cybersecurity efforts. After establishing a structure and assigning responsibilities, there is a need for domestic development of adequate laws for cybercrime, critical infrastructure, and data protection. CSIS has compiled a global index of cyber strategies which you may access for your reference <a href="https://www.csis.org/programs/technology-policy-program/cybersecurity-and-governance/global-cyber-strategies-index">here.</a> In this module we will explore some of the issues that countries across the board have considered a priority.
<div class="footer-nav"><hr size="10" noshade><div class="footer-nav__links"> <strong>Click the links below to explore this module</strong>
<<if hasVisited("National Security")>> <span class="complete"> [[National Security->National Security]] </span> <<else>> [[National Security->National Security]] <</if>>
<<if hasVisited("Economic Development and Trade")>> <span class="complete"> [[Economic Development and Trade->Economic Development and Trade]] </span> <<else>> [[Economic Development and Trade->Economic Development and Trade]] <</if>>
<<if hasVisited("Cybercrime and Terrorism")>> <span class="complete"> [[Cybercrime and Terrorism->Cybercrime and Terrorism]] </span> <<else>> [[Cybercrime and Terrorism->Cybercrime and Terrorism]] <</if>>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 3: Other Issues in UN Cyber Negotiations]]</div>
<div class="nav-btn next-btn">[[Next Module->Module 5: Future Prospects]]
<div class="next-text">Module 5: Future Prospects</div></div>
</div>
</div><h1>Other Issues in UN Cyber Discussions</h1>
Resolutions <a href="https://undocs.org/A/RES/73/266">73/266</a> and <a href="https://undocs.org/A/RES/73/27">73/27</a>, which established the current GGE and OEWG respectively, set similar agendas for the current UN cyber negotiations. Besides developing rules, norms and principles of responsible state behavior, establishing <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span> and promoting capacity building—explored above—the groups are mandated to work on exploring existing and potential threats faced by states in cyberspace, considering applicability of international law to cyber issues, and developing ways to support regular institutional dialogue to encourage progress on cybersecurity matters.
<div class="footer-nav"><hr size="10" noshade><div class="footer-nav__links"> <strong>Click the links below to explore this module</strong>
<<if hasVisited("Existing and Potential Threats")>> <span class="complete"> [[Existing and Potential Threats->Existing and Potential Threats]] </span>
<<else>> [[Existing and Potential Threats->Existing and Potential Threats]] <</if>>
<<if hasVisited("International Law")>> <span class="complete"> [[Applicability of International Law->International Law]] </span> <<else>> [[Applicability of International Law->International Law]] <</if>>
<<if hasVisited("Institutional Dialogue")>> <span class="complete"> [[Regular Institutional Dialogue->Institutional Dialogue]] </span> <<else>> [[Regular Institutional Dialogue->Institutional Dialogue]] <</if>>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 2: Global Landscape]]</div>
<div class="nav-btn next-btn">[[Next Module->Module 4: Preparing for First Committee Cyber Discussions]]
<div class="next-text">Module 4: Preparing for First Committee Cyber Discussions</div></div>
</div>
</div>
<h1>Confidence-Building Measures</h1>
Confidence-Building Measures (CBMs) reduce mistrust and increase cooperation among states. They reinforce norms by increasing transparency in national practices for observing norms and by facilitating communication. CBMs can reduce misunderstandings that cause mistrust and fear and they increase opportunities for cooperation. They are a frequently used tool in international relations. Building on the 2015 GGE Report, regional organizations—especially the <span class='tooltip'>OSCE<span class='tooltiptext'>Organization for Security and Co-operation in Europe</span></span>, the <span class='tooltip'>OAS<span class='tooltiptext'>Organization of American States</span></span>, the ASEAN Regional Forum (ARF) and the <span class='tooltip'>AU<span class='tooltiptext'>African Union</span></span>—have led in the development and implementation of cyber CBMs.
CBMs fall into general categories of <strong>transparency</strong>, <strong>communication</strong>, and <strong>restraint</strong>. They often include the regular exchange of information on national policies, doctrine and strategies. Formal agreements among nations to refrain from certain activities that could be perceived by others as destabilizing or to consult during an incident can build confidence and trust.
The <a href="https://undocs.org/A/65/201">2010 GGE report</a> called for states to develop CBMs “to reduce the risk of misperception resulting from ICT disruptions.” The <a href="https://undocs.org/A/68/98">2013 report</a> identified voluntary CBMs that nations could use to promote trust and increase predictability, so as to reduce the possibility of conflict between states because of events or actions in cyberspace. These include:<ul>
<li>The voluntary exchange of views and information on national strategies and policies, best practices, decision-making processes, relevant national organizations and measures to improve international cooperation;</li>
<li>The creation of bilateral, regional and multilateral consultative frameworks for confidence-building, which could entail workshops, seminars and exercises;</li>
<li>Developing mechanisms for sharing information among States on <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span> security incidents; </li>
<li>Exchanges of information and communication between national Computer Emergency Response Teams (CERTs) bilaterally, within CERT communities, and in other forums, to support dialogue at political and policy levels;</li>
<li>Increased cooperation among states to respond to incidents that could affect <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span> or critical infrastructure that rely upon <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span>-enabled industrial control systems; </li>
<li>Mechanisms for law enforcement cooperation among national agencies to reduce incidents that could otherwise be misinterpreted as hostile State actions.</li></ul>In 2015, the GGE report called attention to the <a href="https://www.un.org/disarmament/wp-content/uploads/2019/09/A-51-182-Rev.1-E.pdf#page=53">Guidelines for Confidence-Building Measures</a> from the 1988 Disarmament Commission, adopted by the <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span> through <a href="https://undocs.org/A/RES/43/78">resolution 43/78</a> (H). Building on the previous report, it presented further recommendations for states to continue cooperating and developing CBMs:
<ul>
<li>Identification of points of contact at the policy and technical levels to address <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span> incidents;</li>
<li>Development of mechanisms for bilateral, regional, sub-regional and multilateral consultations to reduce the risk of conflict;</li>
<li>Voluntary information sharing measures on national views, regarding threats, vulnerabilities, policies and strategies, data protection and critical infrastructure</li></ul>
The development of regional and sub-regional mechanisms to increase inter-state trust has been carried out at the regional level, and most work on CBMs has been <a href="http://www.oas.org/en/sms/cicte/Documents/Sessions/2018/FINAL/RES%201%20Resoluci%C3%B3n%20Medidas%20Regionales%20de%20Fomento%20CICTE01217E.doc">undertaken</a> <a href="https://www.osce.org/pc/227281?download=true">by</a> <a href="https://au.int/sw/node/34663">regional</a> <a href="http://aseanregionalforum.asean.org/wp-content/uploads/2019/01/List-of-ARF-Track-I-Activities-1994-2018-by-Subject-as-of-August-2018-1.pdf">organizations</a> – most notably in the <span class='tooltip'>OSCE<span class='tooltiptext'>Organization for Security and Co-operation in Europe</span></span>, the <span class='tooltip'>OAS<span class='tooltiptext'>Organization of American States</span></span>, and the <span class='tooltip'>ARF<span class='tooltiptext'>ASEAN Regional Forum</span></span>.
One question for the current UN negotiations is what the role of the UN should be in either implementing or coordinating CBMs, or serving as a “repository” for the different regional efforts, or for national documents on CBMs.
<iframe width="560" height="315" src="https://www.youtube.com/embed/74YJj8R7zkA?start=77" frameborder="0" allow="accelerometer; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
Which of the following CBMs do you believe should be prioritized for implementation?
<label><<radiobutton "$CBM_Priority" "1">> The identification of points of contact at policy and technical levels and the creation of a directory of national cybersecurity contacts. This could include the development of focal points for the exchange of information on cybersecurity and for the provision of assistance in investigations or the development of crisis communication mechanisms (like hotlines);</label>
<label><<radiobutton "$CBM_Priority" "2">> The sharing among members of national views and information on cyber threats and best practices for responding to them, including processes to allow for information exchange on vulnerabilities and attacks. </label>
<label><<radiobutton "$CBM_Priority" "3">> The development of permanent consultative mechanisms. This could include permanent processes and contact for communication at the senior policymaker level. In a real cyber incident, senior policymakers and even heads of state would be directly involved in decision making, and there is a need for contacts who can facilitate communication at senior levels</label>
<label><<radiobutton "$CBM_Priority" "4">> The exchange of national views on critical infrastructure protection, including information on national laws and policies for critical infrastructure protection. These national views policies and laws for cybersecurity could be organized into a central repository open to all member and managed by the OAS; </label>
<label><<radiobutton "$CBM_Priority" "5">> The creation of exchange programs for cybersecurity and law enforcement personnel, along with programs for exchanges between research and academic institutions.</label>
<label><<radiobutton "$CBM_Priority" "6">> Regular exercises could strengthen regional cooperation in cybersecurity;</label>
<label><<radiobutton "$CBM_Priority" "7">> Agreement to respond to requests from other States in investigating and mitigating cybercrime or malicious cyber activity can also build confidence.</label>
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 1: Hisory and Structure of UN Cyber Discussions]]</div>
</div>
</div><h1>Capacity Building</h1>
For many countries, one of the most important barriers to progress in cybersecurity is a lack of technical, legal, and policymaking expertise. Past GGEs have highlighted the importance of capacity building measures to improve the ability of countries to secure their infrastructure, investigate cyber incidents, and develop effective legal systems for addressing cybercrime and cybersecurity.
A country's ability to implement norms and CBMs relies on its national cyber capacity. Capacity building, identified as a priority in the 2010 GGE Report, has benefited from the development of a range of initiatives since then, including the <a href="https://www.thegfce.com/">Global Forum on Cyber Expertise (GFCE)</a>. Countries in all regions of the world now have cybersecurity initiatives, reflecting regional mandates, multilateral and bilateral discussions, and efforts at assistance in developing national programs.
One lesson we have learned is that nations need not only technical capacity but also policy-making capacity. This includes developing policy documents, such as national strategies, to define their interests in cyberspace for national security, law enforcement, data protection, and their economy. There are <a href="https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf">now</a> <a href="https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map">many</a> <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf">examples</a> <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx">of</a> <a href="https://www.ciberseguridad.gob.cl/media/2018/06/PNCS_Chile_ES_FEA.pdf">national</a> <a href="https://chinacopyrightandmedia.wordpress.com/2016/12/27/national-cyberspace-security-strategy/">cyber</a> <a href="http://www.mcit.gov.eg/Upcont/Documents/Publications_12122018000_EN_National_Cybersecurity_Strategy_2017_2021.pdf">strategies</a> developed by <a href="https://www.nisc.go.jp/eng/pdf/cs-strategy2018-en-booklet.pdf">countries</a> <a href="http://nic.af/Content/files/National%20Cybersecurity%20Strategy%20of%20Afghanistan%20(November2014).pdf">around</a> <a href="https://www.gov.za/sites/default/files/gcis_document/201512/39475gon609.pdf">the</a> <a href="https://cybersecuritystrategy.homeaffairs.gov.au/AssetLibrary/dist/assets/images/PMC-Cyber-Strategy.pdf">world</a>.
Even the wealthiest countries face capacity challenges. Developing a cyber workforce, along with policy and organization is a shared problem. Regional organizations such as the <span class='tooltip'>ARF<span class='tooltiptext'>ASEAN Regional Forum</span></span>, <span class='tooltip'>AU<span class='tooltiptext'>African Union</span></span>, and <span class='tooltip'>OAS<span class='tooltiptext'>Organization of American States</span></span> have played an invaluable role in helping their members to develop these policy-making skills.
The interconnection between development and capacity building is increasingly clear. Progress and advances in technological availability and expertise across the world will not only contribute to economic development but ensure a safer and more stable cyberspace that can support growth. In an interconnected world, improvements in cybersecurity have broad effects everywhere. Cybersecurity, by making networks more resilient and secure, can reinforce the <a href="https://www.un.org/sustainabledevelopment/sustainable-development-goals/">Sustainable Development Goals</a>.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 1: Hisory and Structure of UN Cyber Discussions]]</div>
</div>
</div><h1>International Law</h1>
While UN member states agreed that international law applies to cyberspace, there is no consensus on how it applies. The tension over how to apply international law had been present in all GGEs and the issue of applicability has been avoided (except in 2017) for the sake of reaching consensus. Prior reports have used brief statements on applicability and the need for further study. This formula—deemed acceptable by all member states— allowed for further discussion without diminishing the importance of international law (or disagreements over how it is applied). The issues that have arisen over international law in the GGE discussions include whether new laws are needed, how the existing law applies to cyber conflict, and how to take the principle of state sovereignty into account.
One of the main obstacles for consensus in the 2017 GGE were the disparities in state’s understanding of the application of international law to cyberspace and whether new legal instruments need to be negotiated. In 2015, several member states submitted to the Secretary General a draft <a href="https://undocs.org/a/69/723">International Code of Conduct for Information Security</a>. The Code calls for national control over the “information space” and non-binding commitments to renounce “hostile activities or acts of aggression” and to avoid proliferation of “information weapons and related technologies.” Many nations believe that the Code seeks to redefine and narrow protections for fundamental rights found in the <a href="https://www.un.org/en/universal-declaration-human-rights/index.html">Universal Declaration of Human Rights</a>, like freedom of speech, in ways they find unacceptable.
The fundamental issues for international law revolve around <a href="https://legal.un.org/repertory/art2.shtml">Article 2(4)</a> and <a href="https://legal.un.org/repertory/art51.shtml">Article 51</a> of the UN Charter. Article 2(4) of the UN Charter establishes the prohibition for states to resort to force or the threat of force against another. This prohibition on the use of force, however, finds an exception in Article 51, which recognizes the inherent right to self-defense. A general lack of familiarity with cyber warfare also hampers the discussion, since the technologies are new and actions are often covert.
Finding the balance between sovereign rights and multilateral commitments has been a constant issue in cybersecurity. Sovereignty has become more important in the cybersecurity discussion as in recent years, many countries have been extending sovereign control of their national networks in order to protect citizens and data, and the 2015 GGE Report recognizes their right to do this. Cyberspace is created by a physical construct, with its infrastructure located within borders subject to national jurisdiction. The speed of data movement and its worldwide reach gives the illusion that there are no borders, but they exist and are defined by the cables and devices that make up the physical structure of the internet. As governments accepted this reconceptualization, they began to apply their national laws to the use of <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span>. How to apply of sovereign rights and responsibilities is an important part of GGE and OEWG discussions.
What rules apply to cyber conflict is also a subject for debate. Most malicious cyber activities appear to fall under the threshold of the use of force, which some states say makes it difficult to determine how, or if, <a href="https://www.icrc.org/en/doc/assets/files/other/what_is_ihl.pdf">International Humanitarian Law</a> applies. Many nations worry that applying International Humanitarian Law to cyberspace could legitimatize conflict and the militarization of cyberspace (although the <a href="https://www.icrc.org/en/document/cyber-warfare-ihl-provides-additional-layer-protection">International Committee of the Red Cross</a>, a leading arbiter of how international law applies, says this is inaccurate), while many states consider that cyberattacks are already regulated by existing international law.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 3: Other Issues in UN Cyber Negotiations]]</div>
</div>
</div><h1>Future Prospects</h1>
Cybersecurity requires coordination and cooperation among nations. There is a growing desire to make this new space more stable and secure. As a result, the pace of international activity on cybersecurity has increased rapidly in recent years. Progress towards a stable and less dangerous cyberspace requires the further development of common understandings among states and non-state actors. There has been progress towards this, and the ongoing meetings of the Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) offer further opportunity to create common understandings.
Work on implementing norms has proven to be difficult, but norms create a framework for responsible state behavior that can guide state action. There has been more progress in developing CBMs. Some states have called for a framework to harmonize <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span> and legislation, and for a work plan in the OEWG that links <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span> to regional implementation. It could also be beneficial for regional organizations to share best practices and consider joint cross-<span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span>.
Nations are also paying much greater attention to the contribution cybersecurity can make to development. The "digitalization" of economic activity as commerce moves online makes cybersecurity important for economic development and UN discussions are likely to look at how cybersecurity reinforces the <a href="https://www.un.org/sustainabledevelopment/sustainable-development-goals/">Sustainable Development Goals</a> by making networks resilient and secure.
Negotiations on cybersecurity will now be a permanent part of the international agenda. This is a new diplomatic responsibility for states as we move towards the growing digitalization of society. These negotiations currently must consider several general issues, including the need for regular dialogue in the UN, how to increase common understandings among nations on cybersecurity, and whether a binding cybersecurity convention or treaty would be useful.
The Internet is a global infrastructure and creates new economic growth in digital products and services. The growth of the digital economy presents unique challenges. Policy and regulatory frameworks for security, localization, privacy, intellectual property and data protection are evolving. Economic growth will be hampered by a lack of security, but if we can find ways in the UN and other bodies to reduce risk and increase stability, it will ensure opportunism for development and growth in the global economy. As we approach the 75th Anniversary of the UN in September, there is an opportunity to raise the profile and reinforce the observation of the normative framework agreed upon in 2015 as a first step towards stability.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 4: Preparing for First Committee Cyber Discussions]]</div>
<div class="nav-btn next-btn">[[Final Survey->Final Survey]]
</div>
</div>
<h1>UNGA First Committee</h1>
The <a href="https://www.un.org/en/ga/first/">UNGA First Committee on Disarmament and International Security</a> deals with threats and challenges to peace to the international community and has a long record of negotiation and action on nuclear arms control, nonproliferation and other disarmament issues. The First Committee mandated the formation of the GGEs (in <a href="http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/58/32">2004</a>, <a href="http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/60/45">2009</a>, <a href="http://www.un.org/en/ga/search/view_doc.asp?symbol=%20A/RES/66/24">2012</a>, <a href="http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/68/243">2014</a>, <a href="https://unoda-web.s3-accelerate.amazonaws.com/wp-content/uploads/2016/01/A-RES-70-237-Information-Security.pdf">2016</a> and now <a href="https://undocs.org/A/RES/73/266">2019</a>), tasked with analyzing the implications of <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span> for international security.
The First Committee is supported by the UN Office of Disarmament Affairs (UNODA). UNODA is headed by the UN’s Undersecretary for Disarmament Affairs and High Representative for Disarmament (currently <a href="https://www.un.org/disarmament/high-representative/">Izumi Nakamitsu</a>, an experienced and senior UN diplomat). UNODA provides support for both the GGE and the OEWG.
The cybersecurity GGE is different from other GGEs set up by other UN bodies in that it does more than study the problem: it has become a negotiating platform used by states as they develop recommendations for the Secretary General to present to the annual meeting of the General Assembly. The First Committee GGEs have produced three consensus reports, in <a href="https://dig.watch/sites/default/files/UN%20GGE%20Report%202010%20%28Res.%20A-65-201%29.pdf">2010</a>, <a href="https://undocs.org/A/68/98">2013</a>, and, most importantly, in <a href="https://dig.watch/sites/default/files/UN%20GGE%20Report%202015%20%28A-70-174%29.pdf">2015</a>. The 2013 and 2015 reports recognized that international law, in particular the Charter of the United Nations, is essential to maintaining peace and stability in the <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technologies</span></span> environment. Building off this consensus, the 2015 report recommended 11 norms of responsible State behavior in cyberspace. In <a href="https://undocs.org/a/res/70/237">Resolution 70/237</a>, all UN member states agreed by consensus to be guided by the 2015 report.
The 2017 GGE was not as successful as its predecessors in achieving consensus. Having established that international law applies in cyberspace, the participants were tasked not only with continuing the previous GGE’s line of work, but to explore how international law applies to the use of <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span> by States. It is generally understood that the divergent understandings on this issue prevented the group from making progress.
The failure of the 2017 GGE to achieve consensus reflects the difficult task that delegations will face in this round of talks. The chief area of disagreement continues to be the application of international law to cyber conflict. Although many hailed the 2017 failure as the end of the UN negotiations on the matter, in 2018 the UNGA established both a new <a href="https://undocs.org/A/RES/73/266">GGE</a> and the <a href="https://undocs.org/A/RES/73/27">OEWG</a>. Although they share similar mandates, there is a crucial difference: where the GGE is limited to 25 national experts, the OEWG is open to all UN member states and offers an opportunity for those that have not participated in previous GGEs to offer their views on <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span> effect on international security. Many states have taken advantage of the OEWG opportunity to provide their views on cybersecurity and both the OEWG and the GGE highlight the importance of transparency and inclusivity in the international cybersecurity discussion.
That the OEWG and the GGE fall under the UN’s First Committee has important implications for their work. Because the First Committee focuses on disarmament and international security, previous GGEs have decided that issues such as crime, internet governance, or privacy should not be the focus of the Group’s work. The Chairs of the current OEWG and GGE have continued this decision, in part because discussion of these topics is already underway in other UN bodies.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 1: Hisory and Structure of UN Cyber Discussions]]</div>
</div>
</div>
<h1>The 2019 GGE & OEWG</h1>
In December 2018 the UNGA created two processes to consider cybersecurity and develop areas of agreement on norms, CBMs, and capacity building. This module will explain how they work.
<iframe width="560" height="315" src="https://www.youtube.com/embed/F5Ng0LuYvzU" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<h2>What is a Group of Governmental Experts (GGE)?</h2>GGE's are a common mechanism used in the UN to study a contentious matter, bringing together experts from a select number of nations to discuss and explore it. Their ultimate goal is to issue a consensus report with their findings.
The delegates, including the five permanent members of the UN Security Council (UNSC) and experts from other countries chosen "on the basis of equitable geographical distribution," report their conclusions to the Secretary General if the GGE reaches consensus. If there is no consensus, there is no report. The ability to reach to an agreement and issue a subsequent report is of particular relevance in the context of the cyber GGEs because, unlike those dealing with other issues—and until the OEWG was created—they have functioned as a substitute mechanism for formal negotiations on cybersecurity, with attending national experts mostly being drawn from experienced diplomats (in many cases from the special cybersecurity offices many countries have established in their foreign ministries).
The first GGE on cyber issues was established in 2004. It failed to reach agreements (some would say this was the result of external political issues rather than substantive disagreements). The subsequent <a href="https://dig.watch/sites/default/files/UN%20GGE%20Report%202010%20%28Res.%20A-65-201%29.pdf">2010</a>, <a href="https://undocs.org/A/68/98">2013</a>, and <a href="https://dig.watch/sites/default/files/UN%20GGE%20Report%202015%20%28A-70-174%29.pdf">2015</a> GGEs all reached consensus and their recommendations created a framework for responsible state behavior in cyberspace. However, the last GGE concluded its work in June 2017 also without reaching consensus on the key substantive issue of the application of international law.
In addition to disagreement over how international law applies to cyber space, there were concerns in 2017 over the nature of the GGE format. Many UN member states wanted a more transparent process with broader membership. In 2018, these concerns led to the establishment of the OEWG, set to operate concurrently with the <a href="https://www.un.org/disarmament/group-of-governmental-experts/">2019 GGE</a>.
The <a href="https://undocs.org/A/C.1/73/L.37">2019 Group of Governmental Experts</a>, like its predecessors, had its members selected by the Secretary-General and Office for Disarmament Affairs. It is composed of representatives of 25 countries– the number of experts involved has varied throughout the different GGEs. Currently, the member states that have been included are: Australia, Brazil, China, Estonia, France, Germany, India, Indonesia, Japan, Jordan, Kazakhstan, Kenya, Mauritius, Mexico, Morocco, Netherlands, Norway, Romania, Russian Federation, Singapore, South Africa, Switzerland, United Kingdom, United States and Uruguay.
The GGE will run from 2019 until 2021 and will host regional <a href="https://www.un.org/disarmament/wp-content/uploads/2019/12/collated-summaries-regional-gge-consultations-12-3-2019.pdf">consultations</a> as well as informal consultations with all UN member states during that time. Regional organizations such as the <a href="https://europa.eu/european-union/index_en">European Union</a> (EU), the <a href="http://www.oas.org/en/">Organization of American States</a> (OAS), the <a href="https://www.osce.org/">Organization for Security and Co-operation in Europe</a> (OSCE), the <a href="https://asean.org/">Association of Southeast Asian Nations</a> (ASEAN), and the <a href="https://au.int/">African Union</a> (AU) have already held consultations with the group. The GGE Chair is also <a href="https://undocs.org/A/RES/73/266">tasked</a> with organizing two open-ended meetings during which all member states “can engage in interactive discussions and share their views, which the Chair shall convey to the group of governmental experts for discussion.”
<h2>What is the Open-Ended Working Group?</h2>Open-Ended Working Groups are another standard UN process. This <a href="https://www.un.org/disarmament/open-ended-working-group/">OEWG</a> was created by the First Committee in parallel with the GGE process, which means that their mandates and schedules overlap. One of the most important differences is membership. In contrast to the GGE, the 2019 OEWG is open to participation by all interested UN member states, “with a view to making the United Nations negotiation process on security in the use of <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span> more democratic, inclusive, and transparent.” The OEWG offers the opportunity for states that have not previously participated in a GGE to engage in the international cybersecurity discussion.
Representatives from 140 countries attended the OEWG’s first session.
The OEWG also offers an opportunity for the multi-stakeholder community (principally non-governmental organizations with an interest in disarmament) by convening “intersessional consultative meetings with the interested parties, namely businesses, non-governmental organizations and academia, to share views on the issues within the group’s mandate.”
Originally scheduled to run from mid-2019 through September 2020, the OEWG’s mandate has been extended in light of the Covid-19 virus. It will now run in tandem with the GGE schedule, both processes set to present their reports at the September 2021 <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span>. The OEWG has met twice and already made progress, putting forward a <a href="https://unoda-web.s3.amazonaws.com/wp-content/uploads/2020/03/200311-Pre-Draft-OEWG-ICT.pdf">pre-draft</a> of the report in order to guide upcoming meetings. However, this draft will change significantly as negotiations progress.
<h2>Mandates</h2>The mandates for the OEWG and GGE are similar, but not identical. There are important parallels between <a href="https://undocs.org/en/A/RES/73/27">Resolution 73/27</a>, which established the 2019 OEWG, and <a href="https://undocs.org/A/RES/73/266">Resolution 73/266</a>, which established the 2019 GGE. Both resolutions reaffirmed the outcomes of the 2013 and 2015 GGEs, the importance of respect for human rights in the use of <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span>, and “that international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible, and peaceful ICT environment.”
The mandates call for the groups to study existing and potential threats in the sphere of information security and possible cooperative measures to address them, how international law applies, as well as <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span> and capacity-building, and to submit a report on their work to the Secretary General. The mandates also allow "if necessary," changes to the 2015 norms (a point of contention among many nations, as some consider that no new norms are necessary) or proposing additional norms.
But the OEWG mandate is broader than the focus taken by the GGE’s. In addition to the common lines of work, the OEWG will also “study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the United Nations.”
Both Groups work by consensus, which means that their final reports must be agreed to by all participating member states. The final reports are then submitted to the Secretary General, who transmits them to the General Assembly.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 1: Hisory and Structure of UN Cyber Discussions]]</div>
</div>
</div><h1>Related Efforts by Other UN Bodies </h1>
The <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span> First Committee focuses on international security and relations among nation-states. This shapes the GGE and the OEWG agendas. Other UN bodies have the lead on issues such as cybercrime, internet governance and the relationship of cybersecurity to development. These include:
<strong>United Nations Economic and Social Council (ECOSOC):</strong> ECOSOC is one of the UN’s most important bodies and was established by the UN Charter in 1945. In 2001 it <a href="https://www.un.org/press/en/2001/dev2353.doc.htm">established</a> the UN <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span> Task Force, “mandated to facilitate global interconnectivity and spread the benefits of the digital revolution.” In 2011 it sponsored an <a href="https://www.un.org/en/ecosoc/cybersecurity/">event</a> on cybersecurity and development, and has adopted <a href="https://unctad.org/en/Pages/CSTD/ECOSOC-Resolutions.aspx">several resolutions</a> on the matter of science, technology and innovation for development. Because of objections by two permanent members of the Security Council, only ECOSOC accredited NGOs are allowed to attend and speak at the OEWG
<strong>UNGA Third Committee on Social, Humanitarian & Cultural Issues:</strong> Following ECOSOC’s <a href="https://undocs.org/en/E/RES/2019/19">recommendation</a>, the <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span> adopted <a href="https://undocs.org/en/A/RES/74/173">Resolution 74/173</a> “Promoting technical assistance and capacity-building to strengthen national measures and international cooperation to combat cybercrime, including information-sharing,” based on the <a href="https://undocs.org/A/68/456/Add.2">report</a> by the Third Committee. Back in 2013, the Third Committee issued a report on the promotion and protection of human rights; affirming that the same rights that people have offline must also be protected online. The <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span> adopted this report through <a href="https://undocs.org/A/RES/68/167">Resolution 68/167</a> on the right to privacy in the digital age.
<strong>Secretary-General’s High-Level Panel on Digital Cooperation (HLP):</strong> The Secretary General convened the <a href="https://www.un.org/en/digital-cooperation-panel/">HLP</a> in 2018 to consider how to collectively realize the potential of digital technologies while mitigating their risks. The HLP delivered its report “<a href="https://digitalcooperation.org/wp-content/uploads/2019/06/DigitalCooperation-report-web-FINAL-1.pdf">The Age of Digital Interdependence</a>” in June 2019. Among other goals, it calls for a Global Commitment on Digital Trust and Security to strengthen the implementation of norms for responsible uses of technology. The HLP follow-on process is developing recommendations for the Secretary General on trust and security.
<strong>United Nations Office on Drugs and Crime (UNODC):</strong> UNODC is the most important UN body for addressing cybercrime. Through its <a href="https://www.unodc.org/unodc/en/cybercrime/global-programme-cybercrime.html">Global Program on Cybercrime</a>, UNODC assists member states, particularly developing countries, in their fight against cybercrime. UNODC uses its specialized expertise on criminal justice systems and policing to provide technical assistance and capacity building.
<strong>Commission on Crime Prevention and Criminal Justice (CCPCJ):</strong> The CCPCJ is the UN’s principle policymaking body. In 2010, <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span> <a href="https://www.unodc.org/documents/Cybercrime/General_Assembly_resolution_65-230_E.pdf">requested</a> the CCPCJ to establish an <a href="https://www.unodc.org/unodc/en/cybercrime/egm-on-cybercrime.html">open-ended intergovernmental expert group</a> (EGM) to conduct a comprehensive study of the problem of cybercrime, in order to consider the most efficient national and international legal responses to it. The EGM has had three <a href="https://www.unodc.org/unodc/en/cybercrime/egm-on-cybercrime/meetings.html">meetings</a> since 2011.
<strong>Human Rights Council:</strong> The 2018 Report of the High Commissioner for Human Rights on <a href="https://documents-dds-ny.un.org/doc/UNDOC/GEN/G18/239/58/PDF/G1823958.pdf?OpenElement">The Right to Privacy in the Digital Age</a> provides an overview of the obligations and responsibilities that states and private actors hold as it relates to the promotion and protection of the right to privacy, tackling issues such as the collection of personal data, state surveillance and communications interception.
<strong>International Telecommunication Union (ITU):</strong> The <a href="https://www.itu.int/">ITU</a> is a UN specialized agency that promotes cybersecurity by providing countries – particularly developing countries – with tools, assessments, and technical assistance. The ITU, although an autonomous agency, reports to ECOSOC.
<strong>The Internet Governance Forum (IGF):</strong> The <a href="https://www.intgovforum.org/multilingual/">IGF</a> is a global multi-stakeholder platform that facilitates the discussion of public policy issues pertaining to the Internet, established in 2006 by the UN Secretary General. Although it does not make binding decisions, and serves only in an advisory capacity, some have suggested that it could play a larger role in international cybersecurity discussions and its last session, in Berlin in 2019 devoted considerable attention to the issue.
<strong>International Law Commission (ILC):</strong> To encourage the development international law, the <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span> <a href="https://legal.un.org/docs/?path=../ilc/texts/instruments/english/statute/statute.pdf&lang=EF">established</a> the International Law Commission (ILC) in 1947. Composed of 34 member states, it develops draft conventions and clarifies topics where State practice is already extensive. The ILC’s work on extraterritorial jurisdiction looks at innovations in communications, particularly the transborder use of the internet and the ILC included the “<a href="https://legal.un.org/docs/?path=../ilc/publications/yearbooks/english/ilc_2006_v2_p2.pdf&lang=EFSRAC">Protection of personal data in the transborder flow of information</a>” as part of its <a href="https://legal.un.org/ilc/programme.shtml">long-term program of work</a>. A few states use the ILC’s work to guide their positions in the GGE and OEWG, while others question that work, particularly the Draft <a href="https://undocs.org/en/A/RES/56/83">ILC</a> Articles on State Responsibility, which has not been universally accepted.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 2: Global Landscape]]</div>
</div>
</div>
Thank you for completing this online course on international cyber engagement. In order to log your participation, please complete this final survey and click submit at the bottom.
1) Which of the following sets of issues will be the most important focus for your country during the upcoming discussions?
<label><<radiobutton "$Issue_Priority" "1">> Developing new norms and principles for state behavior</label>
<label><<radiobutton "$Issue_Priority" "2">> Clarification of how international law applies in cyberspace</label>
<label><<radiobutton "$Issue_Priority" "3">> Progress on capacity building and CBMs</label>
2) What is the most important priority for your country or organization?
<label><<radiobutton "$Priority_Final" "National Security">> Protecting against nation state attacks in cyberspace</label>
<label><<radiobutton "$Priority_Final" "Cybercrime">> Protecting against cybercriminals and other non-state actors</label>
<label><<radiobutton "$Priority_Final" "Economic Development">> Promoting economic development through the promotion of digital technologies</label>
3) What do you think the goal of upcoming cyber discussions should be?
<label><<radiobutton "$Goal_Final" "Treaty">> A formal treaty</label>
<label><<radiobutton "$Goal_Final" "New Norms">> Progress in developing new norms and other informal measures</label>
<label><<radiobutton "$Goal_Final" "Implementation">> Progress in implementing existing norms and other informal measures</label>
<hr size="10" noshade>
How confident do you feel in your understanding of the following subjects?
4) The history of UN cyber discussions
<label><<radiobutton "$Confidence_History_Final" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_History_Final" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_History_Final" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_History_Final" "4">> Very Confident</label>
5) The role of the different UN institutions (the UN First Committee, the GGE, the OEWG, etc.) in ongoing cyber discussions
<label><<radiobutton "$Confidence_UNInstitutions_Final" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_UNInstitutions_Final" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_UNInstitutions_Final" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_UNInstitutions_Final" "4">> Very Confident</label>
6) The role of outside groups like regional and civil society organizations in ongoing cyber discussions
<label><<radiobutton "$Confidence_OutsideOrgs_Final" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_OutsideOrgs_Final" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_OutsideOrgs_Final" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_OutsideOrgs_Final" "4">> Very Confident</label>
7) The priorities of your home government or organization in cyberspace
<label><<radiobutton "$Confidence_Priorities_Final" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_Priorities_Final" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_Priorities_Final" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_Priorities_Final" "4">> Very Confident</label>
8) The role of norms, confidence building measures, and capacity building in ongoing cyber discussions
<label><<radiobutton "$Confidence_Norms_CBMs_Final" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_Norms_CBMs_Final" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_Norms_CBMs_Final" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_Norms_CBMs_Final" "4">> Very Confident</label>
9) The application of international law in cyberspace
<label><<radiobutton "$Confidence_IntlLaw_Final" "1">> Not Confident</label>
<label><<radiobutton "$Confidence_IntlLaw_Final" "2">> Slightly Confident</label>
<label><<radiobutton "$Confidence_IntlLaw_Final" "3">> Moderately Confident</label>
<label><<radiobutton "$Confidence_IntlLaw_Final" "4">> Very Confident</label>
<hr size="10" noshade>To what extent do you agree with the following statements:
10) I feel confident in my ability to participate in a UN cyber discussion
<label><<radiobutton "$Preparedness_Final" "1">> Strongly Disagree</label>
<label><<radiobutton "$Preparedness_Final" "2">> Slightly Disagree</label>
<label><<radiobutton "$Preparedness_Final" "3">> Neither Agree Nor Disagree</label>
<label><<radiobutton "$Preparedness_Final" "4">> Slightly Agree</label>
<label><<radiobutton "$Preparedness_Final" "5">> Strongly Agree</label>
11) This course was a useful resource in preparing to be a part of ongoing cyber discussions at hte UN
<label><<radiobutton "$Course_Usefulness" "1">> Strongly Disagree</label>
<label><<radiobutton "$Course_Usefulness" "2">> Slightly Disagree</label>
<label><<radiobutton "$Course_Usefulness" "3">> Neither Agree Nor Disagree</label>
<label><<radiobutton "$Course_Usefulness" "4">> Slightly Agree</label>
<label><<radiobutton "$Course_Usefulness" "5">> Strongly Agree</label>
<hr size="10" noshade><div class="footer-nav__links">
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 5: Future Prospects]]</div>
<div class="nav-btn next-btn">[[Submit->Fin]]
</div>
</div>
<img src="https://res.cloudinary.com/csisideaslab/image/upload/v1593537281/tech-policy/csis_logo_rgb-01.png">
Thank you for completing this CSIS course on international cyber engagement.
You can download a printable one page summary of the contents of this course <a href="https://res.cloudinary.com/csisideaslab/image/upload/v1593537092/tech-policy/CSIS_Intl_Cyber_Engagement_One_Pager.pdf">here</a>.
To learn more about international cybersecurity negotiations and other related issues, visit the <a href="https://www.csis.org/programs/technology-policy-program">CSIS Technology Policy Program's website</a>, and follow us on Twitter <a href="https://twitter.com/CyberCSIS">@CyberCSIS</a>.
If you have any additional questions, please contact [email protected]
Credit for the development of this course goes to James A. Lewis, SVP and Director, CSIS Technology Policy Program, and to Eugenia Lostri and William Crumpler of CSIS.
Special thanks to J. Zhanna Malekos Smith, Arthur Nelson, Logan Ma, Sean Kucer, Dathan Duplichen, Annie Lehman-Ludwig, Benjamin Shaver, Maggie Tennis, and Sevan Araz.
<<script src="https://code.jquery.com/jquery-3.3.1.min.js">><</script>>
<<script>>
var sendData = JSON.stringify({"Date": Date.now(), "Name": State.variables['Name'], "Title": State.variables['Title'], "Affiliation": State.variables['Affiliation'], "Previous Experience": State.variables['Previous_Experience'], "National Priority": State.variables['Priority'],"National Priority Final": State.variables['Priority_Final'], "Norm Priority": State.variables['Norm_Priority'], "Norm Obstacle": State.variables['Norm_Obstacle'], "CBM Priority": State.variables['CBM_Priority'], "Issue Priority": State.variables['Issue_Priority'], "ICT State Actors": State.variables['ICTStateActor'], "ICT Non-State Actors": State.variables['ICTNonStateActor'], "Cyber-Offensive Capabilities": State.variables['CyberOffense'],"Critical Infrastructure": State.variables['CI'], "Information Operations": State.variables['InfoOps'], "Levels of Capacity": State.variables['Capacity'], "Terrorism": State.variables['Terrorism'], "Threat Open Response": State.variables['ThreatOpenResponse'], "Goal Initial": State.variables['Goal'], "Goal Final": State.variables['Goal_Final'], "Confidence - History Initial": State.variables['Confidence_History_Start'], "Confidence - History Final": State.variables['Confidence_History_Final'], "Confidence - UN Institutions Initial": State.variables['Confidence_UNInstitutions_Start'], "Confidence - UN Institutions Final": State.variables['Confidence_UNInstitutions_Final'], "Confidence - Role of Outside Organizations Initial": State.variables['Confidence_OutsideOrgs_Start'], "Confidence - Role of Outside Organizations Final": State.variables['Confidence_OutsideOrgs_Final'], "Confidence - National Priorities Initial": State.variables['Confidence_Priorities_Start'], "Confidence - National Priorities Final": State.variables['Confidence_Priorities_Final'], "Confidence - Norms CBMs and Capacity Building Initial": State.variables['Confidence_Norms_CBMs_Start'], "Confidence - Norms CBMs and Capacity Building Final": State.variables['Confidence_Norms_CBMs_Final'], "Confidence - International Law Initial": State.variables['Confidence_IntlLaw_Start'], "Confidence - International Law Final": State.variables['Confidence_IntlLaw_Final'], "Confidence - Preparedness Initial": State.variables['Preparedness_Start'], "Confidence - Preparedness Final": State.variables['Preparedness_Final'], "Course Usefulness": State.variables['Course_Usefulness']});
$.ajax({
url:"https://script.google.com/macros/s/AKfycbyI-YFsoEikYwjKrqFPieuyfQJD6LJ5rElsBADj2bgf_IUHEDo/exec",
method: "POST",
dataType: "json",
data: sendData
}).done(function() {});
<</script>><h1>Rules, Norms and Principles of Responsible State Behavior</h1>
Three GGEs, under the astute direction of chairs from Russia, Australia and Brazil, were able to create the structure for the international discussion of security and stability in cyberspace and ultimately, a framework for responsible state behavior. The outline for work was set forth by the GGE Report of 2010, including: (a) norms, rules, and principles for the responsible state behavior, (b) confidence-building measures (CBMs), and (c) cyber capacity building. These elements continue to shape the international discussion of cybersecurity and form the basis of the UN framework for responsible state behavior agreed in 2015.
Capacity building, <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span>, and norms form an integrated package that defines responsible state behavior. A country's ability to implement norms and <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span> rely on its national cyber capacity. Capacity building (both technical and political) strengthens the ability to observe norms, while confidence building provides evidence that norms are being observed. Capacity building prepares the ground for the political support needed for consensus on how to implement the norms and principles for responsible state behavior and is one way to ensure that the interests of all nations are reflected in the discussion of cybersecurity by linking it to the <a href="https://www.un.org/development/desa/disabilities/envision2030.html">Sustainable Development Goals</a> (SDG), particularly <a href="https://www.un.org/development/desa/disabilities/envision2030-goal16.html">SDG 16</a> which calls on states to protect fundamental freedoms and prevent violence and combat terrorism and crime.
The <a href="https://undocs.org/A/70/174">2015 GGE’s</a> most important contribution was the development of eleven voluntary, non-binding norms, rules or principles of responsible behavior of States, endorsed by all UN member states. Norms are understandings among states on practices that identify and guide appropriate behavior. In international relations, norms are also in some cases, commitments, on how states should behave. Countries observe norms because they believe it is in their interest to do so, as norms can protect sovereignty and increase predictability in international relations. Norms are not laws, although some norms are incorporated into international law or codified in treaties. Norms are rarely "enforced" because the costs of enforcement are high, but most states choose to voluntarily observe them. A norm must be widely observed by the community of nations to have force.
The eleven voluntary norms agreed upon are the following:
<img src="https://res.cloudinary.com/csisideaslab/image/upload/v1593544657/tech-policy/gge_cyber_norms.png">
GGE reports have developed norms for stability in cyberspace. The 2013 and 2015 reports placed the approach to state practices for cybersecurity in the existing framework of international relations. These Reports included agreements that national sovereignty, international law, and the UN Charter apply to cyberspace and should guide international relations on cyber issues. This makes the burden for states in negotiating cybersecurity easier, since technical knowledge is less important than knowledge of international relations and national objectives. And although the 2015 norms are voluntary, that does not mean that they do not have force, especially after the 2015 General Assembly called on all states to be guided by them.
Recognizing the importance of national sovereignty embeds the discussion of international cyber security in the existing framework of commitments among states. Along with this, there was also recognition that what we call cyberspace, or the internet, is based on physical infrastructure located in sovereign territory. The new construct is that national sovereignty applies to the Internet and cyberspace, subject to a country’s international commitments on trade, human rights, and security. This recognition of national sovereignty in cyberspace means that despite the speed at which data is transferred among countries (which gives the illusion of borderlessness), there is no such thing as a cyber commons where domestic law does not apply.
The 2013 Report stated that international law and the UN Charter apply to cyberspace and that States have jurisdiction over <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span> infrastructure in their territories. Measures to improve cybersecurity must respect human rights and fundamental freedoms. States should cooperate against criminal or terrorist use of <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span>, harmonize legal approaches and strengthen collaboration in law enforcement, and meet their international obligations regarding internationally wrongful acts. The 2013 Report called upon states to not use proxy forces in cyberspace and ensure that their territories are not used by non-State actors for unlawful acts.
The 2015 Report built on the conclusions of the 2013 Report and called on states to exchange information, cooperate in protecting critical infrastructure, and assist each other in the prosecution of cybercrime. 2015 reiterated the need to show full respect for human rights and privacy. It recommended that states take steps to ensure <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span> supply chain integrity, share information on IT vulnerabilities, and not interfere with other nations' computer emergency response teams.
One of the 2015 Report's most important contributions is the recommendation that states protect their national infrastructure and do "not knowingly conduct or support actions that intentionally damage or impair critical infrastructure contrary to its obligations under international law." This is not a ban on cyberattacks. These are still permitted if states observe the basic principles of "humanity, necessity, proportionality and distinction" general principles in <a href="https://www.icrc.org/en/doc/assets/files/2013/130621-cyberwarfare-q-and-a-eng.pdf">international humanitarian law</a> recognized in the 2015 Report.
The norms agreed to in the 2013 and 2015 GGEs are "non-binding." States are not ready to make formal, binding commitments (e.g. a treaty or convention). While there is a general interest in moving towards a binding commitment, it could take years to reach agreement. A binding treaty would face serious issues in guaranteeing compliance and establishing verification. There are important definitional issues that need to be resolved, such as what is a “cyber weapon” or whether a cyber attack can rise to the level of use of force. Efforts to define “information weapons,” for example, quickly run afoul of the overwhelmingly commercial use and availability of information technologies. There is no consensus on these issues. While a binding agreement could ultimately be valuable, there are disagreements among nations that must be worked through first.
The most salient disagreement among member states on cybersecurity is over the application of international law to cyberspace; a disagreement that resulted in the inability of the 2017 GGE to produce a consensus report even though there was general agreement on other topics. Some states are reluctant to agree that international law as it exists now is adequate for cyber conflict.
What would be the best way for norms on state behavor in cyberspace to be developed?
<label><<radiobutton "$Norm_Priority" "1">> A new specific treaty</label>
<label><<radiobutton "$Norm_Priority" "2">> Developing new voluntary norms </label>
<label><<radiobutton "$Norm_Priority" "3">> Adjusting existing norms and principles</label>
<label><<radiobutton "$Norm_Priority" "4">> Existing norms and principles are sufficient</label>
Which is the main impediment for a secure, stable, accessible and peaceful <span class='tooltip'>ICT<span class='tooltiptext'>Information and Communication Technology</span></span> environment?
<label><<radiobutton "$Norm_Obstacle" "1">> Lack of transparency and communication between states on incidents</label>
<label><<radiobutton "$Norm_Obstacle" "2">> Lack of transparency and communication between states on strategies</label>
<label><<radiobutton "$Norm_Obstacle" "3">> Different levels of capacity among states </label>
<label><<radiobutton "$Norm_Obstacle" "4">> Lack of a specific international treaty</label>
<label><<radiobutton "$Norm_Obstacle" "5">> Vulnerability of critical infrastructure</label>
<label><<radiobutton "$Norm_Obstacle" "6">> Insufficient cooperation with private sector actors</label>
<label><<radiobutton "$Norm_Obstacle" "7">> Vulnerability of the supply chain</label>
<label><<radiobutton "$Norm_Obstacle" "8">> Impossibility in implementing agreed upon measures</label>
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 1: Hisory and Structure of UN Cyber Discussions]]</div>
</div>
</div>
<h1>Existing and Potential Threats</h1>
Cyberspace provides major opportunities for social and economic development, but along with all the benefits that an interconnected world brings, it has also opened the door for crime and conflict. Identifying threats in cyberspace is fundamental for the development of policies and agreements to build a more secure and stable cyberspace.
Good cybersecurity builds confidence and trust in internet technologies. Cybersecurity protects tenets of economic development like online financial systems, intellectual property, critical infrastructure, and supply chains. But it is also an enabler for malicious activity. A growing desire to make this new space more stable and secure has propelled the pace of international activity on cybersecurity in recent years. Even more so than in other areas, cooperation among states is crucial for the development of better security in cyberspace.
The growing availability of offensive tools and resources for state and non-state actors has led to a dramatic increase in the number of cyber incidents. States believe that information operations and disinformation campaigns interfere with their internal affairs in violation of international law, and overall malicious activities carried out through ICTs substantiate the claim that cyberspace is increasingly becoming militarized.
Whether through disruption of critical infrastructure or influencing citizens of another state, cyber actions are still subject to international law, although how exactly it applies remains to be determined, as the following section in this module will make clear.
<iframe width="560" height="315" src="https://www.youtube.com/embed/Jya1_Tr75nk" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
Below you will find a list of threats that have been previously identified in GGE Reports. Please indicate the three that you consider to be the most serious threat faced by your state:
<<checkbox "$ICTStateActor" false true>> Increase in incidents involving malicious use of ICTs by state actors
<<checkbox "$ICTNonStateActor" false true>> Increase in incidents involving malicious use of ICTs by non-state actors
<<checkbox "$CyberOffense" false true>> Development of cyber-offensive capabilities
<<checkbox "$CI" false true>> Attacks against critical infrastructure
<<checkbox "$InfoOps" false true>> Surge in information operations and their destabilizing effect
<<checkbox "$Capacity" false true>> Varying levels of capacity across the board
<<checkbox "$Terrorism" false true>> Use of ICTs for terrorist purposes
Other (please explain) <<textbox "$ThreatOpenResponse" "">>
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 3: Other Issues in UN Cyber Negotiations]]</div>
</div>
</div><h1>Regular Institutional Dialogue</h1>
One of the complaints about the GGE process was that it was a closed discussion limited to a small number of states. Many states believed that the international discussion of cybersecurity would be better served by regular meetings under the auspices of the UN and open to all member states. Paragraph 29 of the 2013 GGE Report (in the section on <span class='tooltip'>CBMs<span class='tooltiptext'>Confidence-Building Measures</span></span>) recommended the creation of “regular institutional dialogue under the auspices of the UN.”
Many nations want to make cybersecurity negotiations permanent and formal, but agreeing on format will be complex. At the end of the 2015 GGE, members recognized the limitations of the GGE format, given its restricted membership and lack of transparency. This led to a discussion of alternatives, such as moving international cybersecurity to the <a href="https://www.unog.ch/80256EE600585943/(httpPages)/BF18ABFEFE5D344DC1256F3100311CE9?OpenDocument">Conference on Disarmament</a> or creating a permanent body like the <a href="http://www.unoosa.org/oosa/en/ourwork/copuos/index.html">Committee on the Peaceful Use of Outer Space</a> or an OEWG.
In many ways, the OEWG is a model for Regular Institutional Dialogue. Some major issues remain, such as how this would be paid for, how often it would meet, what the format for these meetings would be, whether it would be limited to member states or open to civil society participants, and how its agenda would be defined. The <a href="https://unoda-web.s3.amazonaws.com/wp-content/uploads/2020/03/200311-Pre-Draft-OEWG-ICT.pdf">OEWG “predraft”</a> contains initial work on these issues.
Part of the discussion of regular dialogue is whether a biding convention on cybersecurity would be part of this. Ultimately, a binding convention or treaty may make sense, and while some nations believe the time is right for a treaty, others disagree. A treaty faces several problems, including how it would address compliance and verification. Binding commitments to avoid attack or hostile actions may be unworkable if they go much beyond the existing constraints found in international laws of armed conflict. There are difficult definitional problems – efforts to define "cyber weapons," for example, quickly run afoul of the overwhelmingly commercial use and availability of information technologies, and there are unanswered questions as to what kind of agreement would be most effective. If there is agreement to establish a regular dialogue, discussing a binding convention would likely be one of its tasks.
Reaching agreement on a binding treaty will be difficult. Nations are not ready to agree to a binding agreement or treaty until there are common understandings on cybersecurity developed by the GGE and OEWG.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 3: Other Issues in UN Cyber Negotiations]]</div>
</div>
</div><h1>National Security</h1>
Threats to national security create powerful incentives that explain much of the attention paid to cybersecurity. The threat environment can look very different for each region and country, and can range from state-sponsored cybercrime, attacks on critical infrastructure, to disinformation campaigns that threaten political independence. The primary goal of GGE and OWEG negotiations is to reduce these risks by finding ways to promote cooperation for security and stability in cyberspace.
It is useful for participation in these discussions to have a clear picture of the security interests and priorities for your country, and how they may be threatened by cyber activities.
One area of common interest for states is the protection of critical infrastructure, such as electrical power, finance, transportation, and government networks. All countries share an interest in defining general principles to reduce these risks. If the greatest concern of a country is the threat of another nation state targeting their critical infrastructure, then norms and clarifications around the use of force will be a priority. If, instead, the greatest concern is the risk of disruption by non-state actors or criminal organizations, then capacity building efforts and information sharing arrangements may be of greater concern.
From the denial of service attacks against Estonian government networks in 2007 and Stuxnet’s cyber disruption of Iranian nuclear facilities event of 2010, to the current wave of disinformation campaigns targeting governments around the world, recent cyber events have left many nations fearful of the way the internet can be used to compromise their national security and sovereignty without threatening critical infrastructure. Agreements over state responsibility in cyberspace and the applicability of international law can address these issues to reduce risk.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 4: Preparing for First Committee Cyber Discussions]]</div>
</div>
</div><h1>Economic Development and Trade</h1>
Digital technologies create economic opportunities, promote development by expanding markets, accelerating businesses, and reducing transaction costs. While the purview of the GGE and OEWG’s work is limited to disarmament and international security, this does not mean that other priorities are not affected by their negotiations. Access to the Internet and broadband services can increase productivity, national income, and employment. It is a catalyst for growth. However, these opportunities come with risk, and the development goals of many states are affected by cybersecurity. Countries are looking to digital technologies to drive growth for their economies, but poor cybersecurity could undercut economic opportunity
Development and its relationship to cybersecurity are a new and important topic in the discussion of cybersecurity. Nations are paying much greater attention to the contribution cybersecurity can make to development. The "digitalization" of economic activity as commerce moves online makes cybersecurity important for economic development. UN discussions are likely to look at how cybersecurity reinforces the <a href="https://www.un.org/sustainabledevelopment/sustainable-development-goals/">Sustainable Development Goals</a> by making networks resilient and secure.
<iframe width="560" height="315" src="https://www.youtube.com/embed/qek_eG4-w-0" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
States must think closely about how they combine cybersecurity with development goals, and understand how improved security can support development. Flexible regulatory regimes can promote economic growth by spurring the creation of a thriving service. Creating common understandings can improve security by creating a consistent set of best practices, a pool of cybersecurity talent, and a more inviting investment environment for multinational firms.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 4: Preparing for First Committee Cyber Discussions]]</div>
</div>
</div><h1>Cybercrime and Terrorism</h1>
The use of <span class='tooltip'>ICTs<span class='tooltiptext'>Information and Communication Technologies</span></span> for crime and terrorism are matters of deep concern for states. Although crime and terrorism do not fall under the purview of the First Committee, states have expressed their concerns over them during cyber negotiations in the context of the GGE and OEWG. Other mechanisms within the UN have undertaken specific initiatives in order to counter them, recognizing the need for international cooperation and assistance to deal with these threats of a truly global nature:
<strong>Cybercrime</strong>: nations face significant threats to public safety due to the <a href="https://www.csis.org/analysis/economic-impact-cybercrime">spread of cybercrime</a>. Though crime and law enforcement is not an issue set covered by the GGE or OEWG, the ability of nations to combat cybercrime is shaped by their approach to international cooperation on cyber issues, and can benefit from capacity building efforts initiated through the GGE and OEWG processes. Where law enforcement is weak, cybercriminals face little risk of arrest. A flourishing online black market supports cybercrime.
Many nations are signatories to the <a href="https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680081561">Budapest Convention on Cybercrime</a>. A Russian <a href="https://documents-dds-ny.un.org/doc/UNDOC/GEN/N19/440/28/pdf/N1944028.pdf?OpenElement">proposal</a> for a new UN group to discuss a global cybercrime convention won approval in December 2019. This group has not yet started work—the <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span> resolution calls for the ad hoc committee to meet in August 2020 to outline its activities.
International cooperation is particularly important for effective cybercrime enforcement due to the transnational character of cybercrime. The global nature of the internet allows criminals from anywhere in the world to target a country’s internet users, meaning that for most countries, the vast majority of cybercrime losses will be attributable to actors outside their jurisdiction. A number of issues considered under previous GGEs, like mechanisms to promote information sharing on malicious cyber actions or the responsibility of states to prevent their territory from being used for wrongful acts are directly applicable to the issue of cybercrime. GGE and OEWG participants should understand the threat landscape in the cyber domain, and how cooperation could help to address cybercrime issues.
At the UN, the response to cybercrime is led by <span class='tooltip'>UNODC<span class='tooltiptext'>United Nations Office on Drugs and Crime</span></span> and their <a href="https://www.unodc.org/unodc/en/cybercrime/global-programme-cybercrime.html">Global Programme on Cybercrime</a>. Through capacity building and technical assistance, this body aids member states, particularly developing nations. The Open-ended Intergovernmental Expert Group Meeting on Cybercrime, established by <a href="https://www.unodc.org/documents/Cybercrime/General_Assembly_resolution_65-230_E.pdf">Resolution 65/230</a>, developed a <a href="https://www.unodc.org/documents/organized-crime/cybercrime/CYBERCRIME_STUDY_210213.pdf">comprehensive study</a> of the problem in order to develop legal and policy responses both at the national and international level. Furthermore, the <span class='tooltip'>UNODC<span class='tooltiptext'>United Nations Office on Drugs and Crime</span></span> hosts a <a href="https://sherloc.unodc.org/cld/v3/cybrepo/">repository on cybercrime</a>, including case law, legislation and national strategies, incentivizing the sharing of information and cooperation.
<iframe width="560" height="315" src="https://www.youtube.com/embed/6SNEsBnslT8" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<strong>Terrorism</strong>: concern over the use of the internet for terrorist purposes was first expressed by the UN in 2006, when the <span class='tooltip'>UNGA<span class='tooltiptext'>UN General Assembly</span></span> <a href="https://undocs.org/A/RES/60/288">mandated</a> the Counter-Terrorism Implementation Task Force to look into countering “terrorism in all its forms and manifestations on the Internet”. In 2012, said Task Force and <span class='tooltip'>UNODC<span class='tooltiptext'>United Nations Office on Drugs and Crime</span></span> published a <a href="https://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf">report</a> on the topic. This document is intended as technical assistance for member states to respond to cases involving the use of the internet as a tool for terrorist purposes – excluding the use of the internet as a means of attack. Included in this categorization are the “glorification of terrorist acts, incitement, recruitment and radicalization, financing, training, planning and the commission of terrorist attacks.”
The <span class='tooltip'>UNSC<span class='tooltiptext'>UN Security Council</span></span> Counter-Terrorism Committee Executive Directorate (CTED) has also <a href="https://www.un.org/sc/ctc/focus-areas/information-and-communication-technologies/">worked</a> on the issue for several years; their efforts have included not only <span class='tooltip'>UNSC<span class='tooltiptext'>UN Security Council</span></span> <a href="https://www.un.org/sc/ctc/wp-content/uploads/2019/06/ctc_cted_fact_sheet_designed_ict_december_2018.pdf">resolutions</a> on the topic, but partnerships with the private sector. Another key element has been assisting member states with their efforts to gather admissible evidence for the prosecution and conviction of terrorist suspects in their courts.
<div class="footer-nav"><hr size="10" noshade>
<div class="footer-nav__btns">
<div class="nav-btn back-btn">[[Back->Module 4: Preparing for First Committee Cyber Discussions]]</div>
</div>
</div>