Josh Gold is a research assistant at Citizen Lab, at the University of Toronto’s Munk School.
This past December, 114 non-governmental organizations and almost 100 governments convened at the United Nations to articulate and exchange thoughts on norms, rules, and principles for state behavior in cyberspace.
The meeting, a three-day informal intersessional consultation, follows the first meeting of the Open-Ended Working Group (OEWG) in September. It is the latest step in a longstanding UN process to discuss security in information and communications technologies (ICTs). The OEWG, open to all UN member states, exists in parallel to a twenty-five-state Group of Governmental Experts (GGE).
December’s meeting is the first time that UN deliberations on cyberspace governance and state behavior have been held in a multistakeholder format, whereby businesses and civil society groups could submit their views to UN member states. Such openness was particularly welcome following the denial of accreditation at the September OEWG meeting to all NGOs without prior UN consultative status. Non-governmental participation included a wide range of think tanks, human rights groups, cybersecurity organizations, multinational firms, development organizations, and academic groups.
Yet in many ways, despite a packed room, the meeting’s makeup fell short of a truly inclusive and global representation. In advocating for the OEWG in 2018, Russia promised that it would be open, democratic, and include non-state groups—in contrast to the more closed GGE proceedings preferred by the United States. Despite Russia’s adoption of democratic rhetoric, not a single non-governmental group from Russia was present. In fact, the absence of non-governmental—particularly human rights-focused—representation from Russia and Eurasia, India, the Middle East, and North Africa was conspicuous, albeit unsurprising. The same was true for China, with the exception of some Chinese universities.
Convening people from across the world in New York is difficult and costly. Recognizing this, some institutions provided travel assistance to help boost civil society attendance. The Canadian government sponsored attendance for seven Latin American NGOs, and for experts to participate in a side event examining why gender considerations matter in cybersecurity.
But the largest such assistance effort was led by EU Cyber Direct, an EU-funded group that promotes the development of a secure, stable, and rules-based international order in cyberspace. Through the EU Engagement Support Programme, EU Cyber Direct sponsored over forty delegates from thirty-one countries to attend the intersessional—mostly from the Global South. It also arranged supplemental programming focused on showcasing the EU’s engagement with partner countries in the developing world. Many of these delegates are not included in decision-making within their own countries; the EU support empowered their voices and provided a forum wherein representatives could emphasize their unique local contexts to better inform EU engagement and assistance. (Disclaimer: the author was a beneficiary of EU Cyber Direct support.)
Topics covered throughout the intersessional’s six sessions included the human cost of cyberattacks on critical infrastructure, the disproportionate vulnerability of marginalized groups, accountability measures for norm violations, and developing a new norm against attacks on nuclear infrastructure. However, the most promising topic was cybersecurity capacity building (CCB).
CCB provides both the basis for countries to improve their digital economies and boost their resilience against cyber threats. Many states lack resources to do so on their own; as of early 2019, only thirteen African countries had national computer emergency response teams (CERTs), and many more lack cybercrime legislation and cybersecurity policies and strategies.
Capacity building is largely uncontroversial and apolitical, and a set of practical steps for how to strengthen CCB efforts would be a promising outcome of the OEWG process. As Microsoft’s submission to the intersessional noted, norms for responsible state behavior in cyberspace—the ultimate focus of the OEWG—“will only be effective if member states have the capability and capacity to implement them.” Moreover, CCB efforts designed to respect human rights and align with the UN sustainable development goals would help strengthen democratic values and further the peaceful use of ICTs.
Ultimately, the OEWG is a fundamentally intergovernmental process; governments will determine its final product. The OEWG chair will now summarize the intersessional proceedings into a report, which will be presented to member states prior to the next OEWG substantive meeting in February.
Whether last month’s intersessional will have any impact on the final OEWG report in July 2020—assuming countries agree to one—remains to be seen. It is also uncertain whether non-governmental groups without prior UN consultative status will even be allowed to participate in February. While meaningful in some areas, such as capacity building, the effectiveness of a multistakeholder approach for developing rules for state behavior in cyberspace is unclear.
Despite these uncertainties, listening to diverse non-governmental voices can provide valuable input to states, including practical guidance on how to best apply and implement previously agreed-upon norms. Better implementation is a shared objective of all member states, and greater state capacity enables better implementation of norms. This, for example, is an area where civil society has a lot to offer.