Partner in these consultations was the ICT4Peace Foundation [link: https://ict4peace.org], a policy and action-oriented international foundation whose purpose is to save lives and protect human dignity through Information and Communication Technology. Promoting cybersecurity and a peaceful cyberspace through international negotiations with governments, companies and non-state actors is part of their work.

Consultations as to how to best understand and implement the proposed norms in the UN GGE 2015 report [link: https://www.universiteitleiden.nl/binaries/content/assets/governance-and-global-affairs/isga/2015-un-gge-report.docx] were conducted throughout the summer. We invited recommendations, comments, and guidance from academia, civil society, the corporate world as well as public administration – we invited views on whether the proposed norms can be considered distinct, relevant and justified, further recommendations on responsible behaviour in international cyber security, and advice on what reference materials, such as national and international documents, academic and expert literature, could be considered when implementing the proposed norms.

In creating the commentary and implementation guidelines on the UN GGE 2015 report’s proposed norms, editorial working groups were formed for each of these norms. In addition to comments and contributions, people were also invited to participate in one or several of these working groups.

The full commentary and guidelines were published in April 2018 as part of UNODA’s Civil Society and Disarmament series. The report can be downloaded (freely accessible) from UNODA’s website here.

Background

For two decades, negotiations of a possible cyber security framework have been discussed behind closed doors under the auspices of the UN Disarmament and International Security Committee. Five consecutive Groups of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security have worked to settle standards of responsibleState behaviour in cyberspace, amidst strategic contestation in and around the cyber domain. The UN GGE is the only existing intergovernmental expert format to discuss and make recommendations about ways to mitigate international peace and security threats that results from State development and uses of information and communication technologies (ICTs).

The 2015 UN GGE report (U.N. Doc. A/70/174, July 22, 2015 [link: https://www.universiteitleiden.nl/binaries/content/assets/governance-and-global-affairs/isga/2015-un-gge-report.docx]) proposes 11 voluntary non-binding norms on responsible State behaviour, related to cooperation, mutual assistance, information exchange, respect for Human Rights, integrity of the supply chain, and critical infrastructure protection (para 13). The UN General Assembly subsequently called upon Member States to “be guided in their use of information and communications technologies by the 2015 report of the Group of Governmental Experts”, by adopting resolution A/RES/70/237 [link: http://www.un.org/ga/search/viewm_doc.asp?symbol=A/RES/70/237] in December 2015.

In June of this year, the fifth consecutive UN GGE concluded its negotiations without producing a consensus report. In the absence of such a report to offer guidelines on the implementation of the proposed norms contained in the 2015 report, we aimed to support the UN GGE’s work by conducting these open consultations in order to produce a commentary with implementation guidelines that includes a wide variety of relevant views.

Working Groups

General normative considerations

Lead: Dr. Eneken Tikk, Senior Fellow, Institute of Security and Global Affairs, Leiden University

Norm (a) Cooperation

Lead: Zine Homburger, PhD Candidate, Institute of Security and Global Affairs, LeidenUniversity

Norm (b) Consequences

Lead: Dr. Mika Kerttunen, Docent, Finnish National Defence University; Director of Studies, Cyber Policy Institute

Norms (c) and (f) Internationally Wrongful Acts

Lead: Liisi Adamson, PhD Candidate, Institute of Security and Global Affairs, Leiden University

Norm (d) Exchange of Information

Lead: Dr. Els De Busser, Assistant Professor, Institute of Security and Global Affairs, Leiden University

Norm (e) Human Rights

Lead: Dr. Barrie Sander, Visiting Scholar, FGV Direito Rio; Visiting Fellow, Institute of Security and Global Affairs, Leiden University

Norms (g) and (h) Critical Infrastructure Protection

Lead: Michael Berk, Research Fellow, Centre for Cyber Security and International Relations, University of Florence; Managing Director at DR Analytica, and Principal at Alton Corp.

Norm (i) Integrity of the Supply Chain

Lead: Caitríona Heinl, Research Fellow, Cyber Risk Management Project, Nanyang Technological University

Norm (j) Reporting of ICT Vulnerabilities

Lead: Prof. Dr. Nicholas Tsagourias, Professor of International Law, University of Sheffield

Norm (k) Computer Emergency Response

Lead: Dr. Eneken Tikk, Senior Fellow, Institute of Security and Global Affairs, Leiden University

2015 UN GGE report: paragraph 13

The public consultation specifically concerned paragraph 13 of the UN GGE 2015 report [link to download: https://www.universiteitleiden.nl/binaries/content/assets/governance-and-global-affairs/isga/2015-un-gge-report.docx], containing 11 voluntary non-binding norms on responsible State behaviour:

13. Taking into account existing and emerging threats, risks and vulnerabilities, and building upon the assessments and recommendations contained in the 2010 and 2013 reports of the previous Groups, the present Group offers the following recommendations for consideration byStates for voluntary, non-binding norms, rules or principles of responsible behaviour of States aimed at promoting an open, secure, stable, accessible and peaceful ICT environment:

(a) Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;

(b) In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;

(c) States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;

(d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;

(e) States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;

(f) A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operations of critical infrastructure to provide services to the public;

(g) States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;

(h) States should respond to appropriate request for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;

(i) States should take reasonable steps to ensure the integrity of the supply chain sothat end users can have confidence in the security of ICT products. Statesshould seek to prevent the proliferation of malicious ICT tools and techniquesand the use of harmful hidden functions;

(j) States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;

(k) States should not conduct or knowingly support activity to harm the information systems of the authorised emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorised emergency response teams to engage in malicious international activity.