2015 UN GGE Report: Major Players Recommending Norms of Behaviour, Highlighting Aspects of International Law

The consensus report of the United Nations Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, adopted in July 2015, shows progress: it proposes norms of responsible behaviour and includes comments on how international law applies. The next UN GGE is likely to be formed as soon as 2016.

The UN General Assembly convened the group after the third UN GGE had completed its work in 2013 (see INCYDER news brief). The new report is regarded as representative of global views on state use of cyber capabilities, as the group comprises 20 countries,1 based on ‘equitable geographical distribution’ and including key ‘cyber powers’ such as the US, China, Russia, France, the UK and Germany. The most highlighted aspect of the previous UN GGE’s report (2013) was its affirmation that international law applies in cyberspace. Despite some speculations that the 2014-15 group might be unable to uphold this view, it has succeeded in further specifying the normative framework for state use of cyber capabilities.

The 2015 report focusses on (1) existing and emerging threats; (2) norms, rules, and principles for the responsible behaviour of states; (3) confidence-building measures (CBMs); (4) international cooperation and capacity-building; (5) the applicability of international law, and (6) recommendations for future work. Unsurprisingly, as the report represents a diplomatic consensus, it remains rather general. This INCYDER brief looks at the new and noteworthy aspects compared to the previous UN GGE’s findings.

Regarding existing and emerging threats, the report does not signal any remarkable changes in thought and continues to reflect the status quo quite accurately. The experts note a ‘dramatic increase in incidents’ that ‘create risks for all States’. They further acknowledge the fact that ‘States are developing military capabilities for military purposes’ and that the use of cyber in future conflicts is becoming ‘more likely’. The report puts a special emphasis on the dangers stemming from attacks against critical infrastructure systems, which constitute a reoccurring threat that is addressed throughout the report.

Endorsing new cyber ‘norms of behaviour’

The section focussing on ‘norms, rules and principles for the responsible behaviour of States’ is more interesting in terms of content. First, the report is clearer than the previous one when discussing these ‘norms and principles’, as states were able to agree on a more specific explanation: ‘norms reflect the international community’s expectations, set standards for responsible State behaviour and allow the international community to assess the activities and intentions of States.’

Altogether, the report lists 11 recommendations for new norms and principles. A summarised version of these is presented below. In order to understand the function of these proposals better, we have divided these into (1) norms that have a limiting character and (2) principles that state good practices and positive duties for the purposes of international security.

Limiting norms:

  1. states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
  2. states should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure;
  3. states should take steps to ensure supply chain security, and should seek to prevent the proliferation of malicious ICT and the use of harmful hidden functions;
  4. states should not conduct or knowingly support activity to harm the information systems of another state’s emergency response teams (CERT/CSIRTS) and should not use their own teams for malicious international activity;
  5. states should respect the UN resolutions that are linked to human rights on the internet and to the right to privacy in the digital age.2

Good practices and positive duties:

  1. states should cooperate to increase stability and security in the use of ICTs and to prevent harmful practices;
  2. states should consider all relevant information in case of ICT incidents;
  3. states should consider how best to cooperate to exchange information, to assist each other, and to prosecute terrorist and criminal use of ICTs;
  4. states should take appropriate measures to protect their critical infrastructure;
  5. states should respond to appropriate requests for assistance by other states whose critical infrastructure is subject to malicious ICT acts;
  6. states should encourage responsible reporting of ICT vulnerabilities and should share remedies to these.

As the initial coverage of the report suggests, the agreed norms are seen as a ‘breakthrough’ for US cyber diplomacy, as three of the peacetime principles it had been promoting were adopted in the final report (those addressing international cybercrime cooperation and the activities related to the protection of critical infrastructure and CERT/CSIRTS). In the view of the US, since most cyber incidents occur below the ‘use of force’ threshold (and hence do not permit responses in self-defence3 ), states need to agree on basic ‘measures of self-restraint’ during peacetime.

The US strategy to develop such voluntary measures contrasts to a certain extent to Russia’s view, according to which agreement on these ‘moral obligations’ is seen as a first step for the international community in a process for developing legally binding norms. Indeed, the report suggests that ‘given the unique attributes of ICTs, additional norms could be developed over time.’ In this context, the Group did briefly ‘note’ the Sino-Russian proposal for an International Code of Conduct for Information Security (see INCYDER overview). The fact that the code did not gain any detailed attention signals its continued lack of support from the global community.

Confidence-building measures, international cooperation and capacity-building

With the aim of enhancing trust and cooperation, the Group additionally recommends a list of voluntary confidence-building measures (CBMs). CBMs have their roots in Cold War efforts to limit the risk of nuclear disaster, and the general purpose of these instruments has traditionally been to prevent the outbreak of conflict by establishing practical cooperation measures between states.

The CBMs in the report largely correspond to those already adopted under the auspices of the OSCE in 2013 (see INCYDER news brief). The key difference, however, is that, unlike the OSCE, the report does not establish or propose concrete cooperation channels. (E.g. OSCE members agreed to exchange information yearly via platforms such as the OSCE Communications Network, see measures no. 10 and 11: https://ccdcoe.org/sites/default/files/documents/OSCE-131203-Confidenceb… ) The measures proposed in the report mainly relate to information exchange and developing international cooperation mechanisms between national entities dealing with ICT security. For example, the report asks states to identify points of contact on the policy and technical level; to share national legal and policy views as well as information on vulnerabilities; and to develop bi- or multilateral cooperation mechanisms to investigate ICT-related crime or terrorist activities.

Regarding capacity-building, the report highlights the need to develop measures such as developing cooperative mechanisms for CERTs, providing ICT-related assistance and training to developing countries, and prioritising ICT security awareness.

Comments on how international law applies

In the context of international law, the 2015 report draws heavily on the 2013 report , taking as its starting point the earlier statement that international law applies to the ‘use of ICTs’. It repeats that state sovereignty and related principles apply to state conduct of ICT-related activities and that states enjoy jurisdiction over ICT infrastructure within their territory. The references to human rights law are also not new, nor are the mentions of internationally wrongful acts, proxies, and non-state actors.

Nevertheless, a few additions compared to the 2013 report have made it to the final text. The list of applicable international law principles includes:4

  • state sovereignty;
  • sovereign equality;
  • the settlement of disputes by peaceful means;
  • refraining from the threat or use of force in international relations;
  • non-intervention in the internal affairs of other states;
  • respect for human rights and fundamental freedoms.

The list can be seen as signalling worries on the part of some GGE members about possible interventions in their internal affairs and breaches of sovereignty via cyberspace; in this context, for example, Russia and China have been strongly emphasising the principle of information sovereignty in their diplomatic efforts (see also INCYDER page for the Shanghai Cooperation Organisation).

In the context of the law governing self-defence, the report refers to the ‘inherent right of states to take measures consistent with international law and as recognized in the UN Charter.’ This language sounds familiar (compare Article 51 of the UN Charter), and it implicitly refers to self-defence. The conspicuous absence of the word ‘self-defence’ is perhaps due to the aversion of certain GGE members to the idea of ‘militarisation of cyberspace’.

The same comment goes for the ‘international legal principles [of] humanity, necessity, proportionality and distinction’, as the report puts it.5 International law scholars can easily recognise that these are found in international humanitarian law (or law of armed conflict). Again, the obvious failure to cite them in the context of international humanitarian law alludes to the reluctance of some states to include any direct reference to possible military activities in cyberspace. Nevertheless, by affirming that the principles and rules that regulate state activities in armed conflicts also apply to cyber activities, the twenty states have implicitly acknowledged that, should cyber operations occur in armed conflicts, they are subject to the same rules as kinetic warfare.

Concerning attribution, the report notes that ‘[…] the indication that an ICT activity was launched or otherwise originates from a State’s territory or from its ICT infrastructure may be insufficient in itself to attribute the activity to that State.’6 This corresponds to the Tallinn Manual (compare Rule 7, page 34) and may be seen as one of the few non-contentious rules in the 2015 report that were not copied straight from the 2013 report.

The Group also newly noted that ‘the accusations of organizing and implementing wrongful acts brought against States should be substantiated’. This is probably a reaction of certain states to the growing number of recent cases when the victim state of a high-profile cyberattack was able to single out the originating state with a high enough probability to blame it officially (e.g., Sony HacksUnit 61398 indictments).

All in all, the 2015 report is not a major breakthrough from the international law perspective – but neither is it a step back from the past achievements, which is still a remarkable result taking into consideration the countries involved in agreeing on the text. For instance, Andrei Krutskikh, the Russian Presidential Special Envoy for International Cooperation in Information Security and one of the co-authors of the document, stated that ‘in […] view of emerging risks in this regard, we [Russia] and a number of other countries were against singling out the Article 51. […] The report reflects the position of Russia and its partners in the SCO [Shanghai Cooperation Organization] and BRICS, that the main goal is not to legalize and not to regulate conflicts in the information space, but to prevent using […] ICT [information and communication technologies] in the political and military purposes.’

Considering the mandate of the GGE was to study how international law applies in cyberspace (after agreeing if and when it applies), the results are modest, but they show the willingness of the GGE members to discuss and agree on the applicability of particular rules of international law. If any further progress is to be made, the next GGE should come up with a longer list of such rules, as its envisaged mandate7 provides sufficient room for discussion.

A new GGE likely to be formed in 2016

In its conclusions and recommendations, the report suggests that the UN ‘should play a leading role in promoting dialogue’ and notes that the UN General Assembly (UNGA) should consider convening a fifth GGE in 2016 with the same mandate.8

In 2013, the number of states involved was raised from 15 to 20 and there will be considerations regarding the size of the next group. Although involving a larger number of countries would increase the representativeness of the process, a bigger group would be less likely to achieve a substantive agreement.

Growth in the size of the group is hence unlikely, but there will be states competing to be part of the group, as there are governments that are active in cyber diplomacy who probably seek a seat behind the table. For example, the Netherlands – host of the fourth Global Conference on Cyberspace (see INCYDER news brief) – was not part of the 2015 group. In this regard, finding consensus and making substantial progress (e.g., on how international law applies) will certainly become more difficult as more and more states are actively developing their views on cyber security as part of their foreign policy agenda.

The report will be presented to the UNGA for a vote in October 2015.

Henry Rõigas and Tomáš Minárik

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

  1.  Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana, Israel, Japan, Kenya, Malaysia, Mexico, Pakistan, the Russian Federation, Spain, the United Kingdom and the United States of America; for more, see: http://www.un.org/disarmament/topics/informationsecurity/ and INCYDER page for the UN. []
  2. The report references four resolutions: A/HRC/RES/20/8, A/HRC/RES/26/13, A/RES/68/167, A/RES/69/166. []
  3.  Note that in the US view, it may engage in acts of self-defence when a cyber operation amounts to an unlawful ‘use of force’ as set forth in Article 2(4) of the UN Charter, as opposed to an ‘armed attack’ pursuant to Article 51. See, e.g., discussion in Michael N. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare: Prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence (Cambridge ; New York: Cambridge University Press, 2013), pp. 47 and 55. []
  4.  As listed in paragraphs 26 and 28b of the 2015 report. []
  5.  Paragraph 28c of the 2015 report. []
  6.  Paragraph 28f of the 2015 report. []
  7.  Paragraph 34 of the 2015 states the next GGE’s mandate: ‘[…] to continue to study, with a view to promoting common understandings on existing and potential threats in the sphere of information security and possible cooperative measures to address them, as well as how international law applies to the use of ICTs by States, including norms, rules and principles of responsible behaviour of States, confidence-building measures and capacity-building.’ []
  8. Ibid., note 8. []