bibo:abstract |
The issue of cybersecurity has been on the UN agenda since 1998 when the Russian Federation introduced a draft resolution on the subject in the First Committee of the UN General Assembly. It was then adopted by the General Assembly as resolution 53/70. In 2004, the UN General Assembly established the Group of Governmental Experts (GGE), and six GGEs have been convened since then. The work of the Groups of Governmental Experts has focused on the following topics: Existing and potential threats; how international law applies in the use of ICTs; rules, norms, and principles for responsible States behavior; confidence-building measures; and capacity building. Its membership was limited, and participating countries were selected based on equitable geographical distribution. Nevertheless, owing to sharply divergent interests of different blocs, the fifth UN GGE was unable to agree on a consensus report, raising doubts about the institutional value of the UN GGE and necessitating the formation of a new process. In 2018, another UN-mandated working group – the Open-Ended Working Group on Developments in the Field of ICTs in the Context of International Security (OEWG) – was established in parallel with the GGE. The OEWG adopted its final report (A/AC.290/2021/CRP.2) by consensus in March 2021. In December 2020, the OEWG was renewed for 2021/2025 (A/RES/75/240). The OEWG will likely become a core UN platform that furthers decades-long conversations on information and communications technologies security.
Given the distinctive characteristics of ICTs, the role of multi-stakeholders is important, and the OEWG promoted openness, inclusiveness, and transparency by facilitating the engagement of multi-stakeholders, namely business, NGOs, and academia as well as all UN member states. This is similar to the GGE on lethal autonomous weapon systems (LAWS) that engage multiple stakeholders in its discussions on issues and governance. With emerging technologies being deployed across the world, engaging multiple stakeholders to increase openness and transparency will likely become a major trend in the coming years. Microsoft and ICRC submitted their position papers at the OEWG meeting, and have shown great interest in and actively participated in discussions on international norms in cyberspace governance. In addition, the resolution that renewed the OEWG for five years includes the establishment of thematic subgroups to fulfill the working group’s mandate. This is to propose a discussion structure in which discussions regarding specific areas such as policies, norms, and technologies can be linked up and combined. But the formation of a subgroup focused on specific themes might expose a gap between countries; financially strained countries may find it difficult to join the newly-formed group.
Advances in science and technology often drive the growth of a nation’s cyber capabilities, but there are dark sides to such advances. Cyber threats are becoming increasingly complicated and diversified, requiring countries around the world to build a common understanding of new types of cyber threats. Despite the broad consensus on the causes of cyber threats, countries have dissonant views on the guiding principles of cybersecurity policies. The U.S. and like-minded countries stressed their concerns are not about cyber capabilities themselves, but of their malicious use, which poses threats to international peace and security. The countries, therefore, suggested that the report should stipulate the notion of “technological neutrality.”China, on the other hand, said the notion of “technological neutrality”is unacceptable even if the country supports the idea of advancing the notion of “technology for good.”
The OEWG process, just like the GGE, revealed the sharp divisions between the two blocs on the application of international law in cyberspace. A key sticking point will be to what extent should the norms recognized in the 2015 GGE report be reaffirmed. The U.S., western groups, and other like-minded countries claim that the UN Charter applies in its entirety in cyberspace, and existing international laws including international humanitarian law, international human rights law, and the law of international responsibility apply in cyberspace. On the other hand, the bloc represented by China and Russia is skeptical about the idea of applying the existing international laws in cyberspace and is in favor of a new legally binding international law governing cyberspace. In particular, China, Iran, Cuba, and others did not accept any draft that contains languages that could justify the use of force in cyberspace and were strongly opposed to the inclusion of international humanitarian law in the main text. A compromise was eventually reached by removing international humanitarian law, the right to self-defense, and state responsibility – the areas in which the two blocs remain sharply divided - from the main text and including them in the annex.
With regards to voluntary norms, the two blocs offered starkly divergent views at the OEWG meeting. The U.S. and its western partners viewed that non-binding voluntary norms were set to supplement existing international laws given the unique features of cyberspace. The bloc led by China and Russia, on the other hand, was eager to write a new set of global rules, including the ones on data security and supply chain security. The U.S. and other like-minded countries maintained their position that non-binding and voluntary norms should supplement existing international law and facilitate responsible state behavior, and stressed the importance of implementing consensus GGE norms. By contrast, China, Russia, and non-alliance members insisted on including a document on the discussion of legally binding norms in the final report, based on the premise that new legally binding norms that reflect unique characteristics of cyberspace are needed. The two sides reached a compromise by affirming that norms do not replace or alter States’obligations or rights under international law, which are binding, but rather provide additional specific guidance on what constitutes responsible state behavior in the use of ICTs.
The establishment of a regular institutional dialogue has emerged as the main sticking point at the recent OEWG meeting, as it is an agenda that offers a path for advancing cybersecurity governance under the auspices of the United Nations. China aligned with Russia insisted on developing the OEWG into the premier consultative body on cybersecurity, while the U.S. and other countries in the West sought to establish a new type of consultative body and proposed the creation of a Programme of Action (PoA) for advancing responsible state behavior in cyberspace. The two blocs were deeply divided on how to establish a relationship between the OEWG and the PoA. The U.S. maintained that creating a linkage or hierarchy between the OEWG and the PoA is unacceptable since the PoA is a comprehensive and independent consultative body. On the other hand, countries like Russia, China, and Iran argued that the PoA is nothing more than an initiative envisioned by few countries and there was insufficient consultation on this matter. They stressed the importance and the crucial role of the next OEWG. China, in particular, had continued efforts to put the PoA in the same category as other initiatives that could be discussed at the future OEWG, such as its initiative labeled as the “Global Data Security”initiative. The final report notes that the PoA should be further elaborated at the new Open-Ended Working Group to be convened from 2021-2025.
The failure of the 2016–2017 GGE to adopt a consensus report as well as different stances between competing blocs of states have deepened skepticism about the effectiveness of cybersecurity-related discussions at the UN. Therefore, the adoption of the final OEWG report on 12 March 2021 despite COVID-19 holds particular significance. The Biden administration’s efforts at restoring multilateralism and growing calls from the international community to reach a compromise have paved the path toward a wider consensus and contributed to the adoption of a final report. Despite its notable progress, the OEWG revealed that the two blocs have sharply divergent views; countries remain fundamentally divided on several issues, namely the application of international law in cyberspace and the establishment of legally binding norms and regular institutional dialogue. The next OEWG 2021-25, which is the product of a Russian proposal, will have to navigate intense competition between the two blocs seeking to wrest control. The new OEWG mandate will likely include determining the future course of the two parallel UN cyber discussion processes. In other words, the OEWG to be convened from 2021-2025 will discuss whether the working group will replace the current dual-track discussions of the GGE/OEWG, or go ahead with the dual-track scenario. If the OEWG becomes the key forum for cybersecurity deliberation that does substantive work, UN discussions on cybersecurity could be brought onto one track. It also remains to be seen how the dual-track scenario will unfold in the coming years; the OEWG could go in parallel with the GGE or pair with the PoA. As there are growing calls for an open-ended process that allows the participation of a broader range of countries, regardless of which bloc they belong to, the OEWG might pair up with the PoA in the years ahead to replace the existing dual-track discussions of the GGE/OEWG.
It is anticipated that countries will engage in heated discussions in the next OEWG meetings on the contour of future UN cyber processes. The forum for consideration of cybersecurity policy could be the OEWG, PoA, or other options. Whichever form it takes, future deliberations will continue and deepen discussions on global cybersecurity norms. Nevertheless, as the U.S. and other countries in the West are opposed to the idea of creating a legally binding treaty, creating a new international law governing cyberspace will not be an easy task.
Discussions on establishing a new regular institutional dialogue will begin in earnest when the new OEWG begins, thus it is imperative that the Korean government actively participate in future discussions to ensure that the future process - be it the OEWG, PoA, or other options – reflects Korea’s position and interests. The new process for cybersecurity discussions is expected to adopt an expert-driven structure to advance discussions on specific areas such as policies, norms, and technologies. Therefore, efforts should be made to create a pool of well-prepared experts or a research consortium to bring together a range of research institutes in Korea to navigate the changing landscape of cybersecurity discussions. Moreover, as multi-stakeholder engagement is expected to be one of the defining features of the new process, Korean companies, research institutes as well as NGOs should be encouraged to participate and further conversations.
* Attached the File
|