Through resolution 73/27, the UN General Assembly established the Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security which – in addition to the intergovernmental nature of its work – also provides the possibility of holding intersessional multistakeholder consultations. The first intersessional consultative meeting took place on 2-4 December 2019 with sessions that included the tech industry, civil society, academia, and member states.
The fourth meeting focused on confidence-building and capacity building measures (CBMs).
Applying confidence building measures to cyberspace is challenging, noted the Cyber Security Tech Accord in its scene setting presentations, and the Azure Forum echoed the sentiment. This is due to the unique characteristics of cyberspace: the relatively nascent framework for behavioural norms, difficulties in recognising the capabilities other actors might have, and the role of the tech industry which owns and operates the majority of the Internet infrastructure. The Cybersecurity Tech Accord outlined a set of recommendations on how to strengthen CBMs, including: developing shared positions on key cybersecurity issues and concepts to avoid misunderstandings; engaging in dialogues on appropriate state and industry behaviour in cyberspace to set expectations; engaging in cybersecurity exercises to continue to build trust with key stakeholders nationally and internationally; and, engaging with the tech industry, especially on the latest threats and tools to improve the cybersecurity of individuals and organisations.
Consultative meetings with states, the private sector, civil society, academia, and others help to build trust and confidence in cyberspace, Ecuador reiterated. Civil society could help bring communities and experts together in order to increase trust in cyberspace. When cyber incidents occur, the private sector and academia could give governments reality checks to avoid escalation. The Nanyang Technological University suggested that the private sector could also offer the research community data and other enterprise resources which could help shed light on emerging threats that undermine trust and confidence. Research institutes already have a positive track record in facilitating trust-building amongst experts, Azure Forum noted. The Shanghai Institute for International Studies noted that states should establish a policy communication mechanism and exchange major cybersecurity concerns, cyber policies, and response plans for major cyber-attacks incidents to develop an understanding of their commonalities and differences. States should also co-operate in protecting the global shared critical infrastructure. States could hold national cyber conflict exercises, and establish practical co-operation of government agencies, the tech industry, and academia, as was outlined by the Republic of Korea.
Another point raised by the University of Waterloo and echoed by the R Street Institute was resisting the damaging effect two-tier encryption (legalising a backdoor into encrypted software application) can have on trust between users, ICT platforms, and governments.
The issue of the security of the supply chain was raised by Hitachi, with Huawei noting that having standards and independent testing of products can help provide an objective and transparent basis for trust. The NEC Corporation called for increased efforts to develop internationally recognised best practices and norms to distinguish between well intended and favourable functionalities and practices that vendors include in ICTs and those that are easily misused and dangerous; and for building the capability of stakeholders to conduct such assessments on their own. The Shanghai Institute for International Studies suggested that state and non-state actors can work together with the World Trade Organization (WTO) to improve the standards of the global supply chain of ICT products and to restrict the international trade in unsafe or low standard technology and products.
On the stakeholders’ contribution to implementing CBMs, the University of Waterloo noted that first, it must be determined what kind of ICT infrastructure is required to ensure that stakeholders can participate in political discussion. Confidence built between stakeholders and states is a prerequisite for stakeholders’ contribution to the implementation of CBMs. States should invite the private sector, civil society, and academia into the process, which is traditionally state-driven, the Nanyang Technological University underlined. The necessity to increase the inclusiveness of CBMs in development, implementation, and measurement discussions was also put forward by the Strathmore Law School. The Nanyang Technological University is of the opinion that the private sector, civil society, and academia can help to implement CBMs, like information sharing, through existing channels.
Three proposals for co-ordinating capacity building globally were put forward. The Center for Technology and Society suggested that the UN should create an online platform for governments, civil society, and education institutions, to directly match the funding with the expertise and the need with the offering of cyber capacity building. This platform would ensure multistakeholder cross border co-operation, as well as local ownership of capacity building efforts. The R Street Institute suggested two models on new global independent organisations to co-ordinate capacity building and CBMs. The first model is based on the International Atomic Energy Agency (IAEA). This cyber IAEA-style organisation would be staffed by technologists and by tech legal experts focused on risk reduction. It would have the authority to do three things: 1) encourage the development of peaceful cyber technology and co-ordinate capacity building for efforts among states and regional bodies; 2) provide international safeguards against misuse of the technology based on the norms from either the UN GGE reports or the paper that OEWG will publish in the future; 3) and, promote safety standards and their implementation through independent reports and when necessary, conduct investigations to ensure that compliance with universally agreed to norms and guidelines. The second model is based on the structure of the United States's National Transportation Safety Board (NTSB). A cyber NSTB-style organisation could, in the case of a significant breach, be called upon to conduct an independent third party investigation report, which can assist with transparency and confidence building. An additional goal the new global independent organisation could have is setting up computer emergency response teams (CERTs) or computer security incident response teams CSIRTs. This would build the capacity of individual member states to eventually handle investigations independently and domestically.
By Andrijana Gavrilović