A surprising turn of events: UN creates two working groups on cyberspace

On 8 November 2018, the United Nations General Assembly First Committee approved two separate proposals for the creation of two working groups aiming at developing rules for states and responsible behaviour in cyberspace. While both Resolutions¹ recognise and adopt the conclusions of the 2013 and 2015 UN Group of Governmental Experts (UN GGE) reports, they also reflect recurrent divergence regarding states’ visions of what needs to be regulated in the global information space, and how. The adoption of two separate Resolutions with a similar mandate displays a dual approach to the regulation of cyberspace: from one side, some states are advocating for the protection of fundamental freedoms in the use of ICTs and promoting the use of legal instruments in response to cyber threats; on the other side, states are more concerned about their capacity to control ICT infrastructures and regulate activities within their domestic online environment.

Previously, on the UNGA First Committee… (The Background)

Twenty years ago, a Russian initiative was pushed forward at the United Nations drawing attention to the challenges and threats posed by the misuse of information and communications technologies (ICTs). Although at first the Resolution ‘Developments in the field of information and telecommunications in the context of international security’ was aimed at negotiating an international cyber arms-control treaty,² the discussions that followed turned the scope towards a general negotiating process for the creation of non-binding norms and confidence-building measures in cyberspace. With several rounds of talks held under the UN GGE format,³ three consensus reports were produced, in 2010, 2013 and 2015. While states have been able to agree on a variety of norms of general behaviour in cyberspace, international law has seen only timid developments: no states have denied the applicability of international law in cyberspace, but they disagree on how international law applies.

As a result, the 2017 UN GGE could not reach consensus, and failed to deliver a final report. The discussion collapsed when the Group could not find common ground over the rights of states to respond to internationally wrongful acts committed through the use of ICTs and the applicability of international humanitarian law in cyberspace (as further demonstrated by the official positions of the United States and the Russian Federation after the conclusion of the 2016/2017 UN GGE). The negative outcome generated general disillusion and many commentators expressed pessimism over the future development of cyber norms. Nevertheless, the result of the 73^rd session of the UNGA First Committee proved to be successful in reviving the ‘undead’ process of negotiating cyber norms.

A new beginning? The Open-Ended Working Group

The twenty-year-old discussion around the promotion and creation of norms of behaviour in cyberspace has been directed using the UN GGE format. For the first time since 2004, Resolution A/C.1/73/L.27/Rev.1 (L.27/Rev 1), tabled by the Russian Federation, proposed a change by convening in 2019 an Open-Ended Working Group (OEWG) that will act on a consensus basis with the scope to further develop the norms and principles of responsible behaviour of states in cyberspace as well as their implementation. According to the Russian delegation speaking during the voting procedure in the UNGA First Committee, the new OEWG will avoid the creation of ‘club agreements’ and, unlike the UN GGE, will encourage an inclusive, open and democratic negotiation process, while fostering the norms-building capacity of every state.

In view of the failure of the 2016/2017 UN GGE round of talks, supporters of the Russian-tabled Resolution might have found the idea of exploring a new way to re-engage the negotiating talks reasonable.⁴ Nonetheless, many delegations expressed their frustration with the creation of a new group for discussion, which they considered as having a similar mandate to the UN GGE. Although the open-ended track would allow access to the discussion from non-governmental actors,⁵ it could result in a waste of resources and be extremely time-consuming. More importantly, focusing the discussion and reaching consensus among 193 States could be something of a challenge.

Human rights vs cyber-sovereignty

Many delegations also expressed their concern with the content of the Russian-led Resolution. In an official explanatory document, the delegation from Canada, speaking on behalf of the Australian, Estonian, Dutch and UK governments, expressed frustration over what they consider a ‘strange turn of events’. The official statement considered Resolution L.27/Rev 1 to be inherently flawed, arguing that it contained a selection of excerpts from the 2013 and 2015 UN GGE reports which deliberately distorted the meaning and undermined the status of the consensus on cyberspace norms that has been reached so far.

This position has also been supported by the US delegation, which accuses Russia of having ‘cherry-picked’ and re-worded selected passages of previous GGE documents. In fact, the 3-page US-led resolution A/C.1/73/L.37 (L.37) does not distance itself from the previous discussion´s format (opting for the traditional UN GGE) and scope, and strongly emphasises the importance and necessity of an open, interoperable, reliable and secure information and communication technology environment, consistent with the need to preserve the free flow of information.

This ‘freedom’ aspect is somewhat missing in the competing Resolution L.27/Rev1, which clearly departs from the online openness promoted within Resolution L.37 which affirms the ‘right and duties of states to combat, within their constitutional prerogatives the dissemination of false and distorted news, which can be interpreted as interference in the internal affairs of other states as being harmful to the promotion of peace, cooperation and friendly relations among states and nations’. Although this language gives a nod towards the Russian ‘Doctrine of Information Security’, it is considered detrimental for specific categories of human rights, since states could be entitled to unilaterally determine and classify what constitutes a threat, in order to justify measures such as online surveillance and censorship.⁶ It is also worth mentioning that the first iteration of the Russian draft Resolution was deemed to contain elements of the debated Shanghai Cooperation Organization Code of Conduct for Information Security, strongly emphasising elements of domestic internet governance.

The way forward: black clouds and silver linings

Two conclusions might be drawn from these recent developments, the first being more on the optimistic side, and the second more attentive to the reality and the limits of the discussions held in the UNGA forum.

• As shown by their adoption, states found the two resolutions complementary rather than mutually exclusive. Therefore, it could be argued that two separate UN Working Groups would be needed: the UN GGE, more restricted and specialised, focused on debated issues such as setting a legal framework for responses to cyber incidents with low thresholds of harm when ICT infrastructures are involved. The OEWG, with wider participation, would consider a framework for governmental control of ICTs while ensuring the protection of human rights in the cyber context.
• Seeing the difficulties observed during the 2016/2017 UN GGE round, two different tracks might endanger the norms negotiating process even further by splitting the UNGA in half and creating confusion over the scope of the two Resolutions. Since both the GGE and the OEWG need resources and require a certain support from states, governments should choose wisely where and how to invest their resources.

Beyond mere assumptions, states currently engaged in the UN discussion on the development of cyber-norms now have a double track to consider. Although, according to Alex Grigsby, despite their differences, both the US and the Russian Federation share a common interest when it comes to improving the stability of cyberspace,⁷ they have failed to merge their views to create a single document. Therefore, while the UN process to create norms regulating the use of ICTs might not be dead yet, from now on it will require a double diplomatic effort to accommodate the different interests among a wider range of actors.

Author: Samuele De Tomas Colatin, NATO CCD COE Law Branch

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

1. A/C.1/73/L.27/Rev.1 and A/C.1/73/L.37. [↩]
2. Alex Grigsby, The End of Cyber Norms, Survival, Vol 59 No 6, 109-122, 2017, 110. [↩]
3. The UN GGE began its work in 2004 and held 5 official meetings. [↩]
4. Resolution A/C.1/73/L.27/Rev.1 was widely supported, with 109 votes in favour, 45 against and 16 abstentions. [↩]
5. Resolution A/C.1/73/L.27/Rev.1 foresees ‘the possibility of holding, from within voluntary contributions, intersessional consultative meetings with the interested parties, namely business, non-governmental organizations and academia, to share views on the issues within the group’s mandate’. [↩]
6. Russia’s internet regulator Roskomnadzor proposed a law to fine search engines that are not complying with filtering measures required by the state. Unwilling to comply with this provision, Google has been fined over 500,000 Roubles by Roskomnadzor, which is also proposing new legislation to block search engines that refuse to filter contents according to the state’s demands. [↩]
7. Alex Grigsby (n. 2), 111. [↩]