Rules, laws, and norms: Creating a cyberspace based on rules, laws, and norms: How can stakeholders support governments?

2 Dec 2019 20:00h - 23:00h

Event report

Through resolution 73/27, the UN General Assembly established the Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security which – in addition to the intergovernmental nature of its work – also provides the possibility of holding intersessional multistakeholder consultations. The first intersessional consultative meeting took place on 2-4 December 2019 with sessions that included the tech industry, civil society, academia, and member states.

The second meeting focused on, ‘Creating a cyberspace based on rules, laws, and norms: How can stakeholders support governments?’ The session was moderated by the OEWG Intersessional Chair, Mr David Koh (Chief Executive, Cyber Security Agency, Singapore), and introduced by scene-setting presentations from Temple University, the Center for Technology and Society, and the International Committee of the Red Cross (ICRC).

The 2015 report of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) establishes that existing international law applies to cyberspace; however, open questions remain on how these norms can be operationalised. As highlighted by the delegate from Temple University, four components should lead the approach to rules implementation: assessment; interpretation, such as what constitutes ‘critical infrastructure’ and ‘sovereignty in cyberspace’; invocation; and, incentives, meant as reasons to follow the rules – such as but not limited to – adequate and enforceable consequences. In this context, different stakeholders can strengthen the implementation of these components as a means to achieve a more systematic implementation of norms. As the delegate further explained, current challenges related to how states differ in the interpretation of such rules remain; despite this, a possible solution is that the so-called ‘overlapping consensus’ should be put in place by developing agreements on how to behave – even without general consensus – by focusing on reasons and values for doing so.

Another scene-setting was proposed by the Center for Technology and Society focusing on the activities of terrorist groups, both through and on, private platforms. Governments, private platforms, and courts need to work together in order to address terrorist misuse of digital media in an adequate manner that does not censor online legitimate expression. As the Paradigm Initiative further stressed, some countries are using the challenges posed by the misuse of media as a means to approve more oppressive laws. To this extent, the Santa Clara Principles on Transparency and Accountability in Content Moderation should be implemented through three main steps. First, there should be transparency from the tech platform on how the moderation practices are carried out; second, the company should always provide reasons for bans or content removals; and finally, users should be able to appeal to appropriate mechanisms for complaint.

The final scene-setting was framed by the ICRC with a focus on malicious and unlawful cyber operations targeting civilian infrastructures. Given its increased digitalisation, the health sector has been particularly vulnerable to such attacks.

While international law applies to cyberspace, current challenges are raised with regard to attacks on civilian infrastructure or population during peacetime, which do not fall under the law of armed conflict. Further discussions on how existing international frameworks apply are needed, and initial steps have been undertaken by the ICRC in its position paper to the OEWG and in the Cyber Law toolkit, which tries to envision how existing international law applies to cyber operations. The dichotomy of the applicability of international law in peacetime and warfare was further stressed by Chatham House, whose delegate proposed the principles of sovereignty and non-interference as a means to address the current applicability challenges related to low-intensity attacks that do not reach the level of intensity required for the application of international humanitarian law (IHL).

The intersessional meeting then featured a multistakeholder discussion with two guiding questions about the roles of different stakeholders in promoting the implementation of norms, and how international law applies to cyberspace.

On the role of different stakeholders for the implementation of norms, the Association for Progressive Communications (APC) pointed out that the civil society has an important role to play in: developing evidence-based research; advocacy and awareness-raising activities; contribution to validation and socialisation of norms which results in the fostering of trust and compliance; capacity building activities; in playing a ‘watchdog’ role; and, in providing technical and policy-oriented solutions. Such a multi-level and complex role of the civil society was supported by other delegates. However, the role of civil society was not the only one being promoted. DXC Technology stressed the responsibility of the private sector in developing more partnerships with industry peers and other stakeholders for further research on how international law frameworks apply in cyberspace. Additionally, the Forum for Incident Response and Security Team (FIRST) underlined the crucial role played by national and local Computer Emergency Response Teams (CERTs) and how there is an imminent necessity to emphasise partnerships and inclusion during the design phase of norms development; foster ongoing capacity building and awareness training of the issues we are trying to solve; and finally, to have a proactive networking in place able to successfully reach the community. Building on this comment, the delegate from the Igarapé Institute pointed out the importance of bridging the gaps between technical experts from CERTS and policymakers. This led to the second main question of the session: how international law applies in cyberspace and how – as underlined by the Igarapé Institute – its implementation should be envisioned.

Addressing the second question, various comments were made by the delegations on how to implement the agreed norms in the 2015 final report of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). The Oxford Institute for Ethics, Law and Armed Conflict underlined that in order for academics to contribute to the development of the norms and their interpretation, it is necessary to have access to relevant information such as states’ interpretation and beliefs of what constitutes a norm in cyberspace – as also stressed by the EU Cyber Direct – especially with regards to due diligence practice when a state’s critical infrastructure is used by a third party entity, potentially located outside the jurisdiction of that country.

The norms implementation aspect raised two main discussions: whether a new convention or international outcome is needed, and how the implementation should be developed. On the first point, ICT4Peace stressed the need to have a more comprehensive prohibition of irresponsible and unlawful behaviour in cyberspace, while other delegates proposed strengthening existing legal frameworks such as the Budapest Convention before shifting efforts and attention to new mechanisms, as pointed out by the R Street Institute. A different perspective was instead proposed by Trend Micro, which using a zero-day vulnerability example, highlighted as unilateral actions from states could result in universal disarmament. As the delegate explained, the main clients of zero-day vulnerabilities in the black market are governments, and this leads to the stockpiling of such vulnerabilities rather than their disclosure. Unilateral actions by a single government to commit to not stockpiling vulnerabilities would result in universal disarmament: this public commitment would not require the implementation of a treaty.

Vulnerability disclosure was indeed a recurrent topic throughout the discussions, further recalled by the Cybersecurity Tech Accord, Foundation Karisma, and the Cyberpeace Institute. The latter proposed a broader view on addressing the effective implementation of norms focusing on the environment and on the victims. On the first point, the delegate called upon governments to engage in multistakeholder conversations when developing their policies, given that the expertise often resides with different actors. With regards to the victims, he recalled that most of the attacks use existing vulnerabilities on existing systems, and there is an urgent need to look at the risks that new technologies can provide when it comes to mass manipulation of data in order to modify the forensic footprint of an attack. This last point should also be linked to the current context of the supply chain that, as further underlined by Research ICT Africa, implies interoperability among systems and actors, and therefore requires a collective analysis approach connecting intelligence that has cybercrime and intrusion as a service.

In conclusion, different perspectives on how to implement the existing international legal framework and the recently established norms were proposed. These could be contextualised on a spectrum ranging from the perspective that existing mechanisms are enough for the development of new frameworks. In this context, proposals for accountability review mechanisms (proposed by APC following a previous proposal by Mexico and Global Partners Digital) as well as the establishment of an International Cyber Court (advanced by Tech Micro in its Project 2020) were presented as ideas for further discussion.