The sixth meeting of the OEWG started with an informal multi-stakeholder session, where representatives of NGOs and international organisations shared their views on the agenda with the delegates.
Access Now took the floor and stressed that global cybersecurity and its norms policies at the international level must be more human-centric. Many people's everyday lives are driven by ICTs, even with the growing digital divide, and the failure to continuously build on the efforts of the previous GGEs and this OEWG would place even more users at risk. Access Now reiterated that international humanitarian law (IHL) applies online, but it should not be allowed to justify the militarisation of cyberspace and the increase in offensive cyber operations like governmental hacks or state behaviours that harm international peace and fundamental freedom. They expressed their hope that the OEWG report will have a dedicated recommendation on that. Additionally, they welcomed the discussions on norms proposed by Global Commission on Stability in Cyberspace (GCSC) about the public, core, and electoral infrastructure of the Internet, and noted that this should also be included in the report. Regarding the existing norms on the protection of Computer Emergency Response Teams (CERTs), Access Now paid special attention to the protection of the security researchers community since they are facing challenges regarding disclosure, as well as , legal uncertainty, harassment, intimidation, and even detention in some places. ‘If as a rule governments should punish the people with the expertise to disclose this information, then we are all at a security risk’. Therefore, states together with industry and civil society must elaborate transparent processes for the responsible disclosure of vulnerabilities both to private companies as well as public entities, and do away with laws that often conflate research activity with criminal acts.
Representative from the Media Foundation for West Africa stressed that concerns about terrorism, fundamentalism, cybercrime, hate speech, and disinformation must not be used to violate human rights of individuals in cyberspace. Threats from cyberspace should be seen from a rights-based approach, and measures to counter these threats should focus on ensuring accountable state behavior in cyberspace in line with international law. The Media Foundation for West Africa called OEWG participants to cease the arbitrary arrests and detentions of journalists, citizens, and activists and eliminate the cybercrime charges against them. Therefore, governments should ensure that violations against human rights online by both state and non-state actors in cyberspace are monitored, thoroughly investigated, and properly addressed.
The Association for Progressive Communications (APC) also highlighted the importance of a human-centric approach to cybersecurity and the emerging problem of the criminalisation of technical expertise, as well as the persecution of journalists and security researchers. Because all stakeholders play a valuable role in the implementation of norms, it is essential that all are able to contribute to the implementation of a dedicated review mechanism, using the universal periodic review of The Human Rights Council as a model. APC claimed that both international human rights law and international humanitarian law apply to cyberspace. International human rights law extends beyond the duties of states to include the responsibility of businesses to respect human rights and to institute proper due diligence to ensure that their products and services are not used to violate human rights. In line with UN guiding principles, states should be willing to share information about human rights abuses by private actors and should hold private actors accountable.
Geneva-based ICT4Peace noted that the OEWG should focus on steps to maintain peace in cyberspace at a time of rising geopolitical tensions and of expanding offensive cyber capabilities by several states. ICT4Peace would welcome the recognition of legally-binding prohibitions on some offensive cyber actions; however, adherence to politically-binding measures, such as the 2015 GGE framework, is probably a more feasible goal for now. In addition, they called on governments to publicly confirm that they will refrain from offensive cyber operations that target critical infrastructure. Proper attribution is critical in achieving accountability for state conduct in cyberspace. For this purpose, ICT4Peace reminded delegates of its peer review attribution process that is rooted in collecting information about cyber incidents and drawing upon the expertise that resides in the the private and civil sectors. This process would complement an eventual peer review mechanism that could serve as an intergovernmental forum that holds states to account over for their cyber actions. ICT4Peace also noted the relevance of the Human Rights Council (HRC) universal periodic review model for the peer review mechanism that would provide for interactive discussion of State conduct in cyberspace. Finally, they put forward their idea to establish a new office dedicated to cyber affairs within the UN.
The Women's International League for Peace and Freedom spoke out against the militarisation of cyberspace. They expressed strong concern about the statements of several states which expressed that they thought it is acceptable to develop offensive cyber capabilities because the process is already underway. ‘Every conscious and deliberately made decision to use digital technologies as a tool or a medium for harm or for violence is another step forward along a path toward a greater weaponisation of technology’. To the Women’s International League, it sounds like many states have already given up on not militarising cyberspace and now just want to work out the acceptable rules for collateral damage.
Finally, the International Chamber of Commerce deemed it essential that businesses and governments have a shared understanding of how to conceptualise cybersecurity risks, targets, impacts, and responses. While governments and businesses have different roles in addressing cybersecurity, they are mutually reinforcing. Today cybercrime impacts all businesses regardless of their size or industry, with around 50% of all cyber-attacks being committed against small- and medium-sized enterprises. Therefore, the ICC considers it beneficial for the UN member states to produce official positions on how international law applies in cyberspace in order to bring forth more clarity. This step will assist in providing much-needed certainty and predictability regarding future behavior in cyberspace and could provide the foundation for commonly agreed-upon global norms under the auspice of the UN.
By Ilona Stadnik