In conventional land, air, and maritime territories within a state’s borders, governments are the ultimate arbiter of security. Although governments often contract the private sector to provide and maintain equipment and services, state apparatuses control and command the assets and forces tasked with protecting the nation. Though national defense is a public good, decisions pertaining to its deployment are the responsibility of the policy-making elite.
Cyberspace, on the other hand, defies the traditional national security paradigm. The digital realm links public, corporate, and private stakeholders in infrastructure, ownership, utility, governance and impact on an ongoing basis. Cyberspace is not only a domain of defense – and increasingly, offense – it is also one of commerce, finance, public administration, and human rights. From crowd-farming to telehealth, individuals are using cyberspace to transform economies, while governments plan for the coming social, political, cultural, and economic changes that will herald the Fourth Industrial Revolution. However, the digital liberalization of enterprise is increasingly paralleled by the growth of cybercrime and cyber-enabled crime. As debates around data privacy highlight, cyberspace is fast becoming a contentious forum where civil rights and fundamental freedoms are being challenged.
The multiplicity of issues and players means that no single stakeholder can or should lay claim to the governance of cyberspace. Industry pacts such as the Cybersecurity Tech Accord and The Charter of Trust as well as the proposal for the Digital Geneva Convention demonstrate that technology companies are providing leadership in building normative frameworks. Though each initiative varies in definition, scope and accountability, it is clear that innovation and international security in cyberspace must be anchored by three elements: a stable cyber environment, a multi-stakeholder approach to governance, and meaningful capacity-building efforts. Together, these principles enhance the functionality, reliability and stability of cyberspace.
A recent report by the Global Commission on the Stability of Cyberspace (GCSC), a private initiative co-created by two independent think tanks, The Hague Centre for Strategic Studies in the Netherlands and the New York-based EastWest Institute, defined stability as a state in which “everyone can be reasonably confident in their ability to use cyberspace safely and securely, where the availability and integrity of services and information provided in and through cyberspace are generally assured, where change is managed in relative peace, and where tensions are resolved in a non-escalatory manner.” In other words, stability is achieved when information and operations remain trustworthy, available despite ongoing changes.
Moreover, stability in cyberspace depends upon stakeholders upholding a set of collectively agreed principles and norms. As cyberspace transcends borders, it is particularly important for parties to agree on high-level principles that guide collaboration in cyberspace to reduce risks caused by unpredictability and conflict. The GCSC posits that the principles of responsibility, restraint, requirement to act, and respect for human rights are critical for stability in and of cyberspace.
For principles to be actionable, they must be supplemented by accepted norms of conduct. In 2015, the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security proposed 11 non-binding norms of responsible state behavior that were adopted by the 70th session of the UN General Assembly.
The GCSC report complements and expands on these norms by offering an additional eight that are applicable to both state and non-state actors. The inclusion of non-state actors in the GCSC report acknowledges the importance that the private sector plays in assuring stability in cyberspace. For example, while cyber offense operations conducted by states are subject to international law, “hack-backs” by non-state actors could have unintended consequences in cyberspace, potentially impacting uninvolved third parties across borders. Recognizing the authority of governments to legislate and adjudicate, the GCSC calls on states to prevent and respond to cyber offense operations by non-state actors.
Historically, states have remained guarded about involving outside stakeholders in international cyberspace security discussions, but attitudes are shifting. In December 2019, the UN’s Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (OEWG) held an informal meeting that convened more than 100 non-state stakeholders in cyberspace – including non-governmental organizations, industry and academia – in the same room as state delegates.
Although it required some gentle persuasion, both state and non-state stakeholders eventually engaged in interactions across a range of topics including rules, norms, principles, confidence-developing measures and capacity-building initiatives. This marked a shift in reception, as previously during the OEWG’s first substantive session in September 2019, panel presentations delivered by individual experts were merely footnoted in the meeting agenda.
When it was established, the OEWG was mandated to build upon the work of the 2015 GGE in a “more democratic, inclusive and transparent” manner. The OEWG process put forward by Russia alongside the newly constituted 25-member GGE (2019-2021), which was proposed by the United States, seemed to pit both UN groups against one another. However, as the chairs of the OEWG and GGE underscored, both processes can complement the work of each other.
In parallel with the OEWG’s inclusive approach, the 2019-2021 GGE will hold two informal consultations with all UN member states in between its sessions. The GGE will also institutionalize regional consultations as part of its ongoing work processes. While the GGE will not hold consultations with non-state stakeholders – as the OEWG has done – members will benefit from having participated in the latter’s informal inter-sessional meeting in December 2019.
Multi-stakeholder participation can result in disorganized deliberations on international security issues in cyberspace. Threat perspectives can veer in diverging directions and the human-centric approaches favored by civil-society groups often conflict with state-centric positions.
Nonetheless, the multi-stakeholder approach can offer states insights into a more complete picture of the challenges, opportunities and programs in cyberspace that otherwise may be left unrecognized. Particularly, non-state stakeholders can help bridge gaps between technical and policy communities, socializing terms of art and science to contribute towards mutual understanding in cyberspace.
In 2015, the United Nations Institute for Disarmament Research (UNIDIR) partnered with the Center for Strategic and International Studies (CSIS) in Washington to organize three expert workshops to broaden the discussion of international norms for responsible state behavior. The workshops brought together experts from academia, the technical community, industry and the policy world.
One of the key strengths of non-state stakeholders is the ability to deliberate more openly than government counterparts and provide honest feedback for consideration and action. Unfettered by government constraints, non-state actors can constructively contribute and complement ongoing debates in cyberspace with state actors. This is particularly beneficial as increasingly large geo-technological divides between states, inward-focusing state perspectives, and strained intergovernmental rhetoric become a global phenomenon.
States must have requisite capacity and resources to implement effectively international norms of cyberspace. Developed countries in Asia, North America and Europe have offered assistance to build capacity at the technical, legal and policy levels in developing countries. Southeast Asia in particular has seen numerous capacity-building initiatives supported by Australia, Japan, South Korea, Singapore and the US. Unfortunately, there have also been other examples of poorly planned and over-generalized cyberspace strategies that ill-fit the needs, context and capacity of host nations.
Power dynamics and political influence permeate all levels of engagement in initiatives as seemingly benign as capacity building. Comprehensive and inclusive consultations between government and non-government stakeholders will help to ensure that capacity building addresses the needs and concerns of the host nation rather than imposing the priorities and desires of the benefactor state. The responsibility lies on parties to clarify intentions and objectives for substantive cyberspace capacity building.
The reality is that though states retain a level of leadership in international security issues in cyberspace, governments no longer enjoy a monopoly on shaping the rules and norms of acceptable behavior. The nature of the digital domain and its inherent risks demand a multi-stakeholder approach to address challenges effectively. Honest and effective capacity-building efforts across a range of cyber-related issues involving state and non-state actors would be the most conducive method toward advancing stability and security in this evolving political, economic and strategic landscape.