Australia to keep playing the UN cyberspace norms game

The United Nations now has not one but two separate forums for discussing international rules of behaviour in the cyber realm, and Australia will be supporting them both.
Written by Stilgherrian , Contributor

Director of cyber policy Johanna Weaver and Australia's Ambassador for Cyber Affairs, Dr Tobias Feakin

(Image: Australian Department of Foreign Affairs and Trade)

The United Nations has restarted its process for setting rules on "responsible state behaviour in cyberspace" with two separate forums, and Australia intends to continue being a key player.

On Friday, Australia's Ambassador for Cyber Affairs Dr Tobias Feakin, announced that his senior policy adviser Johanna Weaver would be the nation's representative on the sixth United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE).

Weaver is the director of cyber policy at the Australian Department of Foreign Affairs and Trade (DFAT).

She holds a Masters of Laws specialising in strategic cyber policy, as well as a Bachelor of Laws and a Bachelor of Political and International Studies. She also sat through the previous round of GGE meetings as an adviser.

"Never has it been more important to be clear about responsible state behaviour in cyberspace," Feakin said.

His comment reinforced the recent assessment by Australia's Foreign Minister Marise Payne that 2019 will be a "pivotal year in the development of the rules of the road in cyberspace".

"Over the past three years, we have we have seen an increase in the willingness of states and non-state actors to use the internet for malicious and indiscriminate ends," Payne said in a speech to the Lowy Institute in March.

"Certainly, in the past three years, more countries have developed cyber capabilities and demonstrated a willingness to use them."

Analysts believe that 30 or more nation-states either have or are working on an offensive military cyber capability.

The GGE's progress stalled, but will restart again soon

Previous rounds of GGE meetings, which began in 2004, made significant diplomatic progress, at least in comparison to recent years.

In the 2013 UN GGE Report, when the meetings were chaired by Australia, nations agreed that the UN Charter and international law applied in cyberspace, avoiding the need for the UN to create a new global legal framework.

It was agreed that nations' efforts to improve cybersecurity would have to include "respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments", and intensify cooperation against criminal or terrorist use of ICTs, among other high-level aims.

In their 2015 UN GGE Report, nations agreed to a set of 11 international norms in cyberspace.

Those norms included that nations must not "knowingly allow their territory to be used for internationally wrongful acts"; not conduct or knowingly support activity that intentionally damages critical infrastructure; take "reasonable" steps to ensure the integrity of the supply chain for ICT products; and "not conduct or knowingly support activity to harm the information systems of the authorised emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams)".

After that however, the GGE process began to falter.

In August 2016, Brandon Valeriano and Allison Pytlak from the Washington-based think tank the Niskanen Center wrote a sharp critique, Cyber Security and the Coming Failure of the UN's Group of Governmental Experts.

"Since the GGE meetings are closed to non-members -- including technical experts -- it's difficult to understand the practice of the group's reports and outlooks. Even if the group did have an open dialogue, what real-world impact is the group having? What obligations do other countries have to act on the GGE's recommendations? In theory, this could be some useful fora [sic] to discuss these matters, particularly norms of behaviour, but the group's impact is limited by lack of inclusivity and its limited mandate," they wrote.

"The rate at which technology and cyber conflict evolves easily outpaces that of diplomacy and the institutions that seek to engage such issues, but if the GGE continues to merely 'examine' and 'study', it will struggle to remain relevant."

The UN's procedures demanded that expert groups agree unanimously on all their discussion points in order to issue a report. The cyberspace GGE failed to do so in 2017.

ZDNet understands that there was good progress on how the 11 norms might be implemented, but there was less progress on clarifying how international law would apply.

The Diplomat reported that the US had demanded "clear and direct statements" on how international law applied, including "international humanitarian law, the right to self defence, as well as international law of state responsibility and countermeasures".

"Other countries, however, balked at the inclusion of such provisions," they wrote. Cuba argued that it would lead to a "militarisation of cyberspace" and legitimise "unilateral punitive force actions".

"Although only the Cuban statement is publicly available, it is safe to assume that both Russia and China shared this position during the GGE's discussions," The Diplomat wrote.

Two ways forward is unprecedented, but is it better than only one?

In December 2018, the UN General Assembly restarted the debate, establishing not one but two processes to discuss cyberspace norms. The situation is unprecedented.

One is the sixth round of GGE meetings, proposed by the US, which will start in 2019.

Four weeks of meetings will be spread over 18 months to allow for consultation and diplomacy to take place in between.

As with previous GGE rounds, these will be closed meetings comprised of 25 member nations. Its chair will hold two informal consultations with all UN Member States in between its sessions, as well as consultations with regional organisations.

The GGE will submit its final report to the General Assembly in 2021.

The other is a new Open Ended Working Group (OEWG), based on a Russian proposal, and is open to all UN members.

It intends to look at the existing 11 norms, identify new norms, and look at "establishing regular institutional dialogue" on cyberspace issues.

The OEWG will report to the General Assembly in 2020.

Some critics have seen this two-forum plan as doubling the UN workload.

"Having two separate groups is likely to split the General Assembly's attention on the issue. Only the countries with the largest staff at their UN missions in New York will have the dedicated manpower to adequately monitor the work of the two new groups," wrote Alex Grigsby from the Council on Foreign Relations in a detailed analysis.

"While having more member states participate in the cybersecurity conversation should be applauded, reaching consensus among 193 member states in an OEWG format is much more daunting than getting agreement among 15 or 25 in a GGE setting."

Grigsby also noted that Russia "tried to position itself as an advocate of democratic participation and inclusivity".

"In essence, Russia framed itself as a defender of the rules-based international order, committed to multilateral solutions to international challenges," he wrote.

It should also be noted, however, that Russia has supported the GGE process since its inception.

Australia, like the majority of the General Assembly, sees these two processes as being complementary, having gone on public record as a supporter to both of them.

"We are urging like-minded nations to throw their support and resources behind these international efforts that will build trust and transparency," Payne said in March.

Related Coverage

86% of Australia's top websites can't detect bot attacks: Research

Automated credential stuffing attacks give the bad guys a great return on investment, according to security firm Kasada, but most organisations can't spot them.

Remove yourself from the internet, hide your identity, and erase your online presence

Here is a step-by-step guide to reducing your digital footprint online, whether you want to lock down data or vanish entirely.

A hacker has dumped nearly one billion user records over the past two months

Hacker Gnosticplayers has stolen over 932 million user records from 44 companies.

RMIT partners with NAB and Palo Alto Networks for new cybersecurity course

The course will cover the fundamentals of cybersecurity and offer students a professional pathway to working in technology.

Windows 10 security: A guide for business leaders

Protecting Windows 10 PCs from common security problems requires ongoing vigilance and effort. This ebook explains what steps to take and what risks you should watch out for. From the ebook: It is...

Editorial standards