On 9th January 2015, six members of the Shanghai Cooperation Organization (SCO) (China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan) proposed an updated version of the international Code of Conduct for Information Security to the United Nations. The document was submitted to the UN’s Secretary-General Ban Ki-moon with a request that it be circulated as a formal document during the 69th session of the UN General Assembly. The previous draft of the Code of Conduct was submitted to the UN by China, Russia, Tajikistan and Uzbekistan in September 2011.
Although the letter accompanying the draft states that the revised text takes account of the comments and suggestions received after the initial document was released, the new draft only includes minor modifications and additions, and the general ideas and nature of the document have remained the same. Nevertheless, the INCYDER team will highlight the noteworthy changes.
Context and the previous draft
The initial draft, proposed in 2011, sought to identify the rights and responsibilities of states in the information space by, inter alia, calling on them:
– to comply with the Charter of the UN by highlighting the respect for sovereignty and territorial integrity;
– not to use ICT for hostile activities and aggression and not to proliferate information weapons or related technologies;
– to cooperate in combating criminal and terrorist activities that use ICT;
– to promote the establishment of a democratic and multilateral internet management system; and
– to promote the ‘important role of the United Nations in formulating international norms’.
The original proposal did not find global support as it contained a number of controversial aspects. First, the Code was seen as a step towards formalising new rules governing cyberspace and the use of information technology, a notion generally opposed by the US and other liberal democracies which have mostly adopted the stance that existing international law is sufficient and that new rules would, for example, limit technological innovation and growth.1 The Code emphasises that a ‘multilateral’ (intergovernmental) system for Internet governance should be developed – a construct inconsistent with the current ‘multi-stakeholder’ system that is viewed as being dominated by the US.2 The Code also highlighted the principle of sovereignty in cyberspace which is seen by some specialists as a way to legitimise censorship and state control over Internet.3 The original Code has also been criticised for neglecting cooperation on cross-border law enforcement by putting a strong emphasis on combating terrorism, secessionism or extremism.4
So, what has changed?
Omitting ‘information weapon’
The revised draft has omitted the somewhat controversial term ‘information weapon’. Many have seen the use of the terms ‘information security’ and ‘information weapon’ as responses to events such as the Arab Spring to classify applications such as Twitter and Facebook as falling under the provisions of the Code, a view not supported by many nations which advocate freedom of expression and the free flow of information in cyberspace.5 That the phrase ‘proliferate information weapons’ is omitted might be an indication of a desire to gather more support for the Code. However, the new wording is consistently very broad, allowing that any use of ‘information and communications technologies’ could be classified as inconsistent with ‘maintaining international peace and security’. For example, the 2011 draft stated, in section b, that ‘each state voluntarily subscribing to the Code pledges’:
‘Not to use information and communications technologies, including networks, to carry out hostile activities or acts of aggression, pose threats to international peace and security or proliferate information weapons or related technologies;’ [Emphasis added.]
The 2015 draft reads:
‘Not to use information and communications technologies and information and communications networks to carry out activities which run counter to the task of maintaining international peace and security;’
Reference to the use of a ‘dominant position in the sphere of IT’
The updated document includes new wording by mentioning the use of a ‘dominant position’. Section 5 of the revised version of the Code calls on signatories:
‘To endeavour to ensure the supply chain security of ICT products and services, especially not to take advantage of its dominant position in the sphere of information technology, including inter alia, dominance in basic resources, critical infrastructures, core technologies, products and services of ICTs and information and communications networks, to undermine other countries’ right of independent control of ICT products and services, or to threaten other countries’ political, economic and social security.’ [Emphasis added.]
This addition could be viewed as being intended to limit Western dominance6 in the development of ICT, and one could draw a connection between the debate over current Internet governance and the possible destabilising impact of social media platforms.
Offline rights equal online rights
The new Code of Conduct features an entirely new section (Section 7) including a general principle that is gaining wide support globally (e.g., see the Cybersecurity Strategy of the European Union ) by calling on states to recognise ‘that the rights of an individual in the offline environment must also be protected in the online environment.’ However, the section also includes references to certain restrictions, based on the International Covenant on Political and Civil Rights:
‘To fully respect rights and freedoms in the information space, including the right and freedom to seek, receive and impart information, taking into account the fact that the International Covenant on Civil and Political Rights (article 19) attaches to that right special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:
(a) for respect of the rights or reputations of others;
(b) for the protection of national security or of public order (ordre public), or of public health or morals;’
It is perhaps surprising that, in light of the mass surveillance scandals and other developments in the UN (for more, see this INCYDER update), the Code does not explicitly mention the issue of privacy in the context of human rights.
Other changes – CBMs and highlighting the role of States in Internet governance
There has been a slight change of wording that reiterates opposition to the current ‘multi-stakeholder’ model by highlighting the role of governments in Internet governance. Section 8 of the updated Code now sees the addition of the words ‘all states’ to the language:
‘All States must play the same role in, and carry equal responsibility for, international governance of the Internet , its security, continuity and stability of operation, and its development in a way which promotes the establishment of multilateral, transparent and democratic international Internet governance mechanisms which ensure an equitable distribution of resources, facilitate access for all and ensure the stable and secure functioning of the Internet;’ [Emphasis added.]
The updated document also includes a new section (Section 10) referring to the development of ‘practical confidence building measures’, signalling a continuous effort and the need to develop politically binding norms of behaviour to limit cyber threats. In fact, the developments made in the context of cyber-related confidence building measures (CBMs) could be seen as one of the few areas where major world powers have been able to find consensus.7
As the revised Code does not include major changes, it is unlikely that the updated version will find global support due to the aforementioned ideological differences. Nevertheless, it is a clear sign of a continuous effort by states such as the SCO members to promote new international agreements and norms regulating (or limiting) state behaviour in the use of information technologies. This aspect is also evident as the updated Code does not mention a global consensus that existing international law applies to cyberspace, expressed in a 2013 UN report by a Group of Governmental Experts (UN GGE) which included all major powers.8 At the moment, the fourth UN GGE is holding its meetings, and, if consensus is achieved, a report will be published by the end of 2015.
As global agreement is unlikely, it is possible that the principles outlined in the updated Code will be implemented regionally or among like-minded states. For example, Russia is reportedly proposing ‘a special information security convention’ in a summit gathering both members of the BRICS9 and SCO.10
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
- See, e.g.: James A. Lewis, Liberty, Equality, Connectivity: Transatlantic Cybersecurity Norms, Strategic Technologies Program (Center For Strategic and International Studies, 2014). [↩]
- See, e.g.: ‘In Search Of A Governance. Who Will Win The Battle For The Internet?,’ Forbes, accessed February 4, 2015, http://www.forbes.com/sites/federicoguerrini/2014/10/24/in-search-of-a-g…. [↩]
- See, e.g.: Jeffrey Carr, ‘Digital Dao: 4 Problems with China and Russia’s International Code of Conduct for Information Security,’ Digital Dao, September 22, 2011, http://jeffreycarr.blogspot.com/2011/09/4-problems-with-china-and-russia… Keir Giles, ‘Russia’s Public Stance on Cyberspace Issues,’ in Christian Czosseck, Rain Ottis, and Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict, 2012, https://ccdcoe.org/publications/2012proceedings/2_1_Giles_RussiasPublicS…. [↩]
- Ibid. [↩]
- See, e.g.: Wolter Detlev, ‘The UN Takes a Big Step Forward on Cybersecurity,’ Arms Control Today, September 4, 2013, http://www.armscontrol.org/act/2013_09/The-UN-Takes-a-Big-Step-Forward-o… Timothy Farnshworth, ‘China and Russia Submit Cyber Proposal,’ Arms Control Today, November 2, 2011, http://www.armscontrol.org/act/2011_11/China_and_Russia_Submit_Cyber_Pro…. [↩]
- See, e.g.: Cortez A. Cooper, China and Cybersecurity: Political, Economic, and Strategic Dimensions. Report from Workshops Held at the University of California, San Diego April 2012 (University of California Institute on Global Conflict and Cooperation, April 2012), http://igcc.ucsd.edu/assets/001/503568.pdf. [↩]
- See, e.g.: Katharina Ziolkowski, Confidence Building Measures for Cyberspace – Legal Implications, Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence, 2013, https://ccdcoe.org/publications/CBMs.pdf. [↩]
- Kristen Eichensehr, ‘International Cyber Governance: Engagement Without Agreement?,’ Just Security, February 2, 2015, http://justsecurity.org/19599/international-cyber-governance-engagement-…. [↩]
- Brazil, Russia, India, China, South Africa [↩]
- Wolfgang Kleinwächter, ‘Internet Governance Outlook 2015: Two Processes, Many Venues, Four Baskets,’ CircleID Internet Infrastructure, January 3, 2014, http://www.circleid.com/posts/20150103_internet_governance_outlook_2015_…. [↩]