In his introductory remarks, Mr Stéphane Duguin (Head of the European Internet Referral Unit within Europol) said that efforts to create norms on international cyber conflict and warfare have increased, and that the international community faces the challenge of reducing the suffering of people through cyber conflict.
Ms Kerstin Vignard (Head, UN Institute for Disarmament Research (UNIDIR) support team to General Assembly processes pursuant to resolutions 73/27 and 73/266) first talked about the UN’s cybersecurity framework over the last two decades. She emphasised that the UN first initiated its cybersecurity efforts in 1998, when the resolution sponsored by Russia was adopted. Since then, the UN has hosted a number of closed-door interstate negotiations on cybersecurity. The recognition that the international humanitarian law (IHL) applies to cyberspace was still limited in the 2000s, however, progress was made in 2015 when the General Assembly unanimously adopted the resolution that called for member states to be guided in the use of information and communications technology (ICTs) by the UN Groups of Governmental Experts (GGE) report. In 2018, with the adoption of resolution 73/27, the General Assembly established an Open-Ended Working Group (OEWG). Vignard highlighted that the current situation, where the UN has two cybersecurity-related working groups, may create tension because these two working groups could make recommendations that are contradictory to one another. Furthermore, she stated that the process of norm building does not have to be time consuming, and that norms can emerge from practice. Finding an appropriate balance between creating norms and implementing them should be the focus from now on.
Mr Kevin Chang (Legal Advisor, International Committee of the Red Cross (ICRC)) explained that the application of IHL to cyberspace has been recognised by an increasing number of states, as well as many other international actors. However, he said that the challenge is how – and to what extent – it should be applied. Chang noted that many states have begun to develop cyber-military capabilities, both to offend and defend. He expressed the ICRC’s concern that the vulnerability of civilians in cyberwarfare is not sufficiently addressed, for instance, the lives of civilians could be disrupted in case of a cyber-attack on the health sector or public services (water, electricity, etc.). He pointed out that a cyber weapon is capable of attacking a specific target, which means that the parties involved in the cyber conflict should agree to refrain from indiscriminate attacks on civilians. From the legal perspective, he raised concerns over how the IHL should be applied and interpreted. For example, the IHL requires the separation of civilian and military actors in a conflict, however, it is almost impossible to separate these two in cyberspace. In response to the moderator’s question on whether the existing IHL can protect civilians in cyber conflicts sufficiently, he said that the ICRC has been attempting to identify the key component in the existing IHL to prove that it is a sufficiently legally binding instrument to protect civilians in cyber conflict. This remains a challenge because the Geneva Convention and the IHL are not designed to address conflicts in the cyber domain.
Ms Kaja Ciglic (Senior Director, Digital Diplomacy, Microsoft) gave the tech industry’s perspective, saying that more than 60 countries have admitted to having cyber-military capabilities, although their size and quality vary. What has enabled a large number of states to develop these capabilities is the affordability of cyber weapons, compared to conventional weapons. Furthermore, she noted that cyber warfare is a hot topic across the globe, allowing states to acquire funds fairly easily. The proliferation of cyber weapons, she highlighted, could be dangerous because these weapons can easily be stolen by malicious online actors if they are not stored securely. Ciglic stated that investment in secure technology is insufficient and unbalanced given the reliance on Internet connectivity in our society. Lastly, she highlighted the importance of inclusivity in the conversation on cyber conflict. Traditionally, the conversation was led by governments, in particular western countries. However, an inclusive multistakeholder approach is the most important, such as, for example, the Paris Call for Trust and Security in Cyberspace. She added that the role of states in the discussion is to continue the political momentum by engaging, adhering to the norms, and calling out the violators. However, she alerted that simply calling out is not enough and may accelerate the tendency of tit-for-tat. What the international community needs to make the discussion constructive, she said, is to identify on what ground the violation was called out.
In their closing remarks, the moderator and panellists said that the use of vocabulary and narrative is important for navigating the conversation on cyber conflict. While Vignard pointed out that using the terms ‘cyber warfare’ or ‘cyber weapons’ can sometimes limit our breadth of thinking, Ciglic mentioned that the use of buzzwords is effective in mobilising as many actors as possible.