Back to Square One? The Fifth UN GGE Fails to Submit a Conclusive Report at the UN General Assembly

In 2004, the United Nations established a Group of Governmental Experts (UN GGE) to strengthen the security of global information and telecommunications systems. To date, the UN GGE has held five sessions, two of which (in 2013 and 2015) have resulted in consensus reports. UN GGEs has been lauded for mapping the current state of play in international cyber affairs, and promoting the view that cyberspace is not a digital Wild West where no rules apply. Sceptics, however, have predicted the failure of the UN GGE for reasons such as not being compliant with urgent threats, being unrealistic in its solutions, not taking pressing issues such as online persecution of investigative journalism seriously enough, or most often for its top-down approach. On 17 July, however, a real failure happened, and not for any of the reasons presented above. The UN GGE did not issue its anticipated fifth report.

In 2013 the UN GGE published its third report on confidence building measures which, inter alia, promoted the further study of norms and the pursuit of consensus, and strongly implied that international law applies in cyberspace. The fourth report, published in 2015, contained new norms on state behaviour, stipulating that states ought not to target each other’s critical infrastructure during times of peace; that first responders (such as CERTs) should not be targeted; and that if a state were to suffer a malicious incident from a group in another country and request help from the attacking state, it would not be denied. However, part of the success of the 2015 process might be due to its skilfully veiled phrasing and avoidance of spelling out that the right to self-defence and countermeasures apply to cyber operations. The highly anticipated fifth report was never finalised. The reasons for the failure undermine the very foundations of any meaningful legal debate over international cyber security. The UN GGE did not reach a consensus on whether or not international humanitarian law applies to cyber operations, thereby shaking one of the very cornerstones of the whole discourse of cyber law, something that has been affirmed by the ICJ and was thought to be beyond challenge.

A whole school of legal and government experts have built a well-argued and coherent system of rules based on the premises that international law governs everything virtual just as it does everything tangible. The viewpoint is manifest in the UN GGE reports from 2013 and 2015, OSCE and ASEAN confidence building measures, the G7 Lucca Declaration, and was also unanimously approved by the Tallinn Manual 2.0 international group of experts. The discord did not come without warning, as it was foreshadowed by controversies within the UN following the introduction of the SCO Code of Conduct for Information Security, the split vote on the International Telecommunication Regulations, and the Chinese government’s position on the 2015 UN GGEprocess. This time, however, the 25 UN GGE representatives were not on the same page with regard to the applicability of international humanitarian law to cyber operations, and in particular countermeasures and the right to self-defence; Russia, China and Cuba voiced their opposition. Declaring that Article 51 of the UN Charter applies to cyber was viewed as a pathway to transforming cyberspace into a realm of endless conflict. The UN GGE meetings were hence fruitful just as long as they managed to work their way around the right to self-defence and countermeasures, which arguably are no more than euphemisms for the militarisation of cyberspace.

Exercising the right to self-defence as a response to armed attacks by cyber means does not sit well with the seemingly ultra-pacifist Chinese cyber security strategy, where peace is the ultimate priority followed by sovereignty and only then security. On a similar line, the Cuban representative expressed the concern that the draft report, if ever crafted, would turn cyberspace into a theatre of military operations, because the threshold for making the shift from peace to armed conflict was placed too low. The special representative of the Russian President for international cooperation in the field of information security and envoy of the Russian Foreign Ministry, Andrei Krutskikh, explained the failure to the German pro-Kremlin news site, Russkoe Pole. According to him, the Russian position is that use of force in cyber and real space alike is absolutely inadmissible, and the fifth UN GGE failed due to political polarisation.

The right to self-defence is an exception from the prohibition of the use of force. Therefore, according to the opponents, applying it in cyberspace would form the legal foundation for the emergence of hostile cyber operations of unprecedented intensity and impact, or as the Cuban delegate put it ‘legitimising cyber war’. Krutskikh also made the point that a permissive system of countermeasures and self-defence should not come before reliable technical and legal means of attribution. Ironically, at the same time he advocated recognising cyber attacks as armed attacks, so that states could respond adequately by, inter alia, evoking the right to self-defence as it is prescribed in the UN Charter.1 According to the note explaining the Cuban position, responding to cyber attacks through countermeasures was perceived to put severe cyber attacks on a par with armed attacks in other domains, a step that for some seems to be a mere affirmation of a truism, but apparently for others a little too radical. Again, an earlier quotation from Krutskikh seems reflect a different viewpoint: ‘Let’s draw an equation mark between cyber attacks and armed attacks in other domains, also let’s declare that cyber means including telephones are weapons’.2 From a legal perspective, however, the disagreement is in no way adding to the discourse on the most controversial and complicated matters, rather it is taking us back to square one.

The US delegation would have preferred a complex and deliberate discussion over the grey areas of international cyber law; China, Cuba and Russia signalled that it was too early for that, since even the basics cannot be taken for granted. Norm-based universal consensus has worked for nuclear disarmament but proven to be a rocky road in almost all other fields, and cyber is no exception. An amiable concord on an international level is a lofty goal, given that heated debates over fundamentals can take place within one nation. For instance, the US – pioneer of the norm development process – also sometimes seems to be wavering in its opinion on some of the essential elements of international law (whether cyber or not). An example of this is the US DoD’s recent doubts about whether sovereignty constitutes a primary rule of international law that can be violated.3 Such declarations, regardless of whether they come from the US, Cuba, Russia or, for that matter, Estonia, are attempts to legitimise political ambitions, and the frequency of such attempts is definitely rendering true global consensus an extremely challenging goal. However, there are other emerging measures that regulate state behaviour in cyberspace, such as bilateral treaties akin to this between US and China on limiting industrial cyber espionage and regional instruments such as: the OSCE confidence building measures and Minsk Declaration; the AU Convention on Cyber Security and Personal Data Protection; the EU Cyber Diplomacy Toolbox and Cyber Security Strategy; SCO and CoE initiatives; and the previous UN GGE consensus reports which serve as valuable roadmaps of the current normative framework for state behaviour in cyberspace.

As a somewhat predictable outcome of the UN GGE failure, Moscow has announced its intent to once again raise the issue of information security and present the joint vision of BRICS, SCO and CSTO at the upcoming General Assembly. As a general tendency, the Russian media has remained quiet on the recent UN GGE process and its discouraging results, however the intent to promote the set of norms shared by Russia and its allies has been widely covered. The narrative almost perfectly reflects that presented by the advocates of UN GGE norms, only all the roles have been swapped. The SCO Code of Conduct for Information Security has been depicted as the sole effective tool for legal regulation of state behaviour in cyberspace, which the US and likeminded states are not willing to support for political reasons that have little or no legal basis. At a conference held in Tel Aviv in August 2017, Deputy Secretary of the Russian Security Council Oleg Khramov commented: ‘Russian attempts have been chastised by a number of leading Western states, and politicians have succumbed into years of fruitless discussions in which the objectivity has been replaced by ideological goals’.4 Besides that, he has noted that ‘[t]alks about the need to adopt rules of behaviour in the information space remained mere talk. We all were thrown years back’.5 On the latter at least, both sides seem to agree.


Ann Väljataga

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
  1. ТАСС, Эксперты: кибербезопасность РФ зависит от консолидации информационного сообщества, (in Russian). []
  2. Ibid. []
  3. See also: Michael N Schmitt and Liis Vihul. “Sovereignty in Cyberspace: Lex Lata Vel Non?.” AJIL Unbound 111 (2017): 213-218. Available at: []
  4. []
  5. []