Turning down the heat on cyber norms?
Responsible behaviour in cyberspace, especially of states, has been a priority topic for the policy and law-makers in the past decade. The United Nations Group of Governmental Experts on developments in the field of information and telecommunications in the context of international security (UN GGE) as one of the principal avenues for inter-state cyber diplomacy has made great advances in discussing possible rules for the road: emphasising the applicability of international law, recommending the adoption of a set of 13 cyber norms as well as elaborating on the necessity of confidence and capacity building measures. After three consecutive UN GGEs managed to adopt a consensus report, the last session in 2016-2017 did not produce a consensus report.
The UN GGE working format allows for two outcomes, either there is a consensus report or there is no report. Because the participating experts could not agree on a full consensus report, the wider public will not know whether and what progress was actually made content-wise and specifically on cyber norms. We should also not forget that this is not the first time when no consensus was found. The very first UN GGE in 2004-2005 also yielded no report, yet the UN GGE continued four years later and produced a successful report in 2010.
However, the international response to the non-report result in 2017 was framed among others in terms of ‘failure’, ‘death of the UN GGE’, and ‘end of an era’. UN GGE is a high-level closed process with little transparency and limited participation. By leaving other stakeholders ‘out of the loop’, the non-report created a fertile ground for panic and frenzy. Some of the UN GGE experts explained that the reason for the non-consensus lay in the fundamental differences among states pertaining mainly to the application of international law. Some participants were anonymously called out for wanting to ‘walk back on the progress made by previous GGE reports’. This quickly led to academic accounts framing it as ‘the end of cyber norms’ and finding new approaches to international cyber security challenges, i.e. ‘getting beyond norms’ or moving the regulatory discussion to the domestic level. The discussion over the process and institutionalisation of the cybersecurity dialogue, i.e. how to move forward format-wise, trumped the discussion on the content, i.e. what norms does the international community need for responsible state behaviour in cyberspace. Besides being a trend in the academic literature, also the United States and Australia have both put forth their idea to focus more on imposing consequences for the perpetrators of cyber attacks.
These developments are surprising, given the fact that other fora which unite the major international powers such as the UN Security Council are known for having difficulties to agree by consensus on several topics. Nevertheless, the importance of those fora bringing together states to negotiate topics of international peace and security is fundamental for international stability. Thus, instead of framing it as the death of the UN GGE or cyber norms, the non-report only shows the need for continuing the dialogue between states. Academics, think tanks, private sector and even states are still searching for ways forward regarding cyber norms. Additionally, dismissing the progress that has been made thus far is short-sighted. Projects such as the UN GGE Commentary of Voluntary and Non-Binding Norms led by Leiden University take stock of the progress that the UN GGE has made, offer guidance on possible implementation and identify gaps that could serve as future research initiatives.
Conflating the process with the aim and purpose of the UN GGE diminishes the value of the progress already made. Furthermore, the discussion on how to move on format-wise can offer an opportunity for creating a more inclusive and transparent process for the cyber norms discussion. One non-report does not mean that we do not know how to move forward and while the process is as important as the content for constructing global norms on cyber security, the pause on one does not condition the death of the other.