Which multilateralism for Cyber Norms?

Which multilateralism for Cyber Norms? Group photo of the Estonia’s UNSC Presidency: Cyber Stability, Conflict Prevention and Capacity Building. Photo: Estonian Foreign Ministry (CC BY 2.0). Elcan Blog
Group photo of the Estonia’s UNSC Presidency: Cyber Stability, Conflict Prevention and Capacity Building. Photo: Estonian Foreign Ministry (CC BY 2.0)
Which multilateralism for Cyber Norms? Group photo of the Estonia’s UNSC Presidency: Cyber Stability, Conflict Prevention and Capacity Building. Photo: Estonian Foreign Ministry (CC BY 2.0). Elcan Blog
Group photo of the Estonia’s UNSC Presidency: Cyber Stability, Conflict Prevention and Capacity Building. Photo: Estonian Foreign Ministry (CC BY 2.0)

Making a virtue out of necessity. In a crisis situation such as the current pandemic in which the United Nations Secretary-General called for a global ceasefire of armed conflicts as common responsibility, cyberspace –one of the greatest forgotten topics in global negotiations– appears to be at present –more than ever– a countercyclical issue. As vulnerability source for some cases and as attack tool for others, the current crisis seems to have roused the urgency of ensuring a peaceful and stable cyberspace, in which cyber threats are addressed by the peace and international security framework, through mechanisms and regulations aimed at conflict prevention –these conflicts being either cybernetic or physical, but affected by cyber tools.

Governance of global change must go hand in hand with digital transformations. This is reason why Estonia, which chairs the UN Security Council throughout May 2020, used the Arria- Formula to hold an Informal Meeting on cyber stability and conflict prevention. It is not by chance that Estonia is the country which has set the stage to bring this topic to light at the highest level of international negotiation. In 2007, following a disputed relocation of the Soviet-era Bronze Soldier monument, Estonia faced significant cyber attacks: fifty-eight websites were offline at once, including links from the government, newspapers and banks.

This created a turn in the global geopolitical scenario, it has been widely acknowledged as the world’s first cyber war. Since then, Estonia has become a global heavyweight in cyber security, thus being a “norm entrepreneur” at the international level over an issue which, prior to the incident, was never conceived as an imminent threat to the State or its citizens, nor embraced by codes of conduct, agreements or by the Article 5 from the NATO Treaty. Hence, Estonia has seized the opportunity of chairing the UN Security Council, and at a time in which it is still more visible due to current cyber attacks to healthcare systems, to bring to the table three aspects. First, the need to establish mechanisms which regulate responsible State behaviour on cyber attacks at the global, regional, and national levels. Second, the application of existing international law –public and humanitarian– to cyberspace and the requisite for cyber norms. Third, the opportunities that regional cooperation entails.

Shortcomings, gaps, and silences

Cyberspace requires international norms, but also the recognition and acceptance of State behaviour. Existing international law applies to cyberspace, and it has served as comprehensive guidance until now. However, not all countries have done so and they have not been transparent either. The very International Humanitarian Law is not still able to define at what extent civilian harms produced by cyber-attacks –for instance, to a hospital or an electric grid in a war zone– are intentionally direct targets or are not. Additionally, when binding international standards are not applied, another layer of action –linked to public policies, such as CBMs or Confidence-Building Measures, and capacity building– has not either paid off this misbalance, with the exception of some regional cooperation systems, such as in the African Union.

The first step is awareness, recognition and acceptance of this problem, as the UN Under-Secretary General and High Representative for Disarmament Affairs, Ms. Izumi Nakamitsu, pointed out. However, this is not as simple as it seems. This gap is clearly shown when it comes down to the existence of two different Working Groups at the United Nations, addressing cyber norms negotiations: the UN-GGE (the UN Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, mainly led by the United States), and the Open-Ended Working Group (proposed by the Russian Federation in order to avoid “club agreements”, even if this group has been criticized due its main focus on cyber-sovereignty rather than States’ responsibility).

There is a range of stances with regards to moving forward global norms for cyberspace which regulate this State behaviour. The problem does not lie, indeed, in “what” and “how” these norms should be, but rather in the will for dialogues. United States remarked in this informal meeting that “even though certain states appear willing to undermine this framework, universalizing it is in all member states’ interests”, and encouraged its likeminded partners to join U.S. efforts. On the other hand, China put the focus onto the idea that “some countries see cyber as a battlefield (…); a cyberwar can never be won and must never be fought. Cyber force must be avoided by force, deterrence and pressure”, so this does not affect assets in the global supply chains and its national security.

Translating discourses on foreign policy vs. protectionism from one and another into the domain of cyberspace increasingly hinders effectiveness and success of negotiation tables. Added to all this is the differing priority lists from each geographical region over the world: Latin American and the Caribbean countries remark the lack of experience and resources on cyber security; countries from Southeast Asia see as a peril the uses of cyberspace for transnational illicit activities, such as drug trafficking among others; and African countries pointed out the use of cyberspace to achieve objectives related to political issues or topics related to terrorism. For instance, Niger stated its fear related to the use of cyberspace to enhance “protest and revolution”. However, the African continent embraces a large set of differing positions on this issue. Meanwhile, the European Union keeps away of these positions and shifts the focus onto due diligence and diplomatic means as the regulatory principles to achieve resilience and response measures.

Why multilateralism is the appropriate gathering spot?

Which conclusions may be extracted from this informal meeting in which more than 40 countries, the International Committee of the Red Cross, and INTERPOL participated in? First, that cyberspace continues to be a domain of Working Groups and of meetings which have still an informal nature. This is this way indeed because it is an evolving issue which needs to be developed in order to get to know its major and minor shortcomings –cybercrime, cyber-attacks, humanitarian, military, public-private partnerships, civilian critical infrastructures, foreign policy, terrorism. However, it is an area that, despite its early age, has already entailed significant risks and dilemmas, such as blockage of essential services, disruption of information systems from town halls, and disinformation campaigns with sever effects in the global geopolitical balance. These examples justify themselves the need to move cyberspace forward a negotiation framework of first-level priority. Second, because cyberspace is a domain which affects in exponential ways to developing countries, actors which do not have cyber security protection capabilities at their disposal nor acknowledge cyberspace as a priority in their political agendas. A forward-looking advancement on this is the very first effort by the African continent to enhance this issue through the African Union Convention on Cyber security and Personal Data Protection. Third, because for now cyberspace cooperation has been mainly led bilaterally, when the key to success relies on multilateralism and new approaches of regional cooperation and collaboration –both actions: operating and elaborating jointly.

Cyberspace is nothing new. Multilateralism is not either. However, they are co-workers which have a “back to back” stance. And the phenomenon of fragmentation, polarisation and hybridity which have clear effects in the global order tangentially and transversally cannot be solved bilaterally: digital sovereignty discourses, the creation of partitioned “national infospheres”, the proposal by China of a new Internet Protocol decoupled from the current one, the absence of international State’s responsibility frameworks, the low degree of participation of civil society and the private sector in this issue, and the blurring of the traditional separation between the civil and the military, as well as the overt and the covert, are many of the expressions which require to be approached. In conclusion: if cyberspace continues to be the forgotten issue in multilateralism, current global order will increase risks and shortcomings it is facing. The space, the arena to do it, exists; what is missing is the responsibility towards what is common to all of us, and the sense of urgency upon an issue which needs to be addressed at the regional level and the multilateralism approach.