If States cannot agree on legally binding rules, norms are the next best option for shaping State behaviour in cyberspace, but is that enough?
Our societies’ digital transformation is coupled with an ever-expanding attack surface, increasing number of malicious cyber activities, and continuously advancing capabilities of threat actors. Sadly, recent incidents such as SolarWinds and the Colonial Pipeline hacks have proven right the grim predictions that the cybersecurity community has been cautioning us against for years (or decades, to be exact). Indeed, sophisticated cyber attacks which target, for example, the supply chain and/or critical infrastructure, may have very serious consequences in terms of physical, economic, and reputational damage, possibly even endangering national security. Despite these warnings and many unfortunate incidents, both governmental and private systems continue to be vulnerable.
On top of that, we must be realistic about the growing geopolitical concerns in many domains such as privacy, connectivity, supply chain security, and the free flow of information. In a situation where countries are battling for a better standing in both governing technologies as well as being in the forefront of technological innovation, what room is left for cooperation in developing common norms and standards?
One may claim that the domain of new technologies needs more regulation to build trust and offer legal clarity. Or we may argue the complete opposite that too much regulation will only add restraint to the development of innovative solutions and not motivate actors to invest in such technologies. Naturally, there are plenty of options which fall between the laissez faire and over-regulation extremes, and the most suitable regulatory solution will depend on the development and uptake of the technology in question, as well as related policy and legal efforts.
One of the regulatory strategies which plays well with the characteristics of disruptive technologies, such as blockchain, is standardisation. Standardisation has the potential to mature into more concrete policy guidelines and feed into future regulatory efforts. However, two aspects must be underlined. Firstly, increasing international political attention to and participation at standardisation venues is a clear indication of standardisation becoming a strategic tool for governments in improving their standing in governing technologies and enhancing the effectiveness of their policies. Secondly, before any substantial agreement can be reached internationally, the wide range of issues related to technologies must be debated first on the domestic and regional levels, however, this could lead to fragmentation, essentially rendering the process towards a coherent international approach slow and cumbersome.
The domain of new technologies needs more regulation to build trust and offer legal clarity. Or we may argue the complete opposite that too much regulation will only add restraint to the development of innovative solutions and not motivate actors to invest in such technologies.Here, a useful parallel can be drawn with the ongoing work towards a consensus on responsible State behaviour in cyberspace where we can observe similar elements: Strategic relevance and the need to first tackle the domestic and in some cases regional, battles. Notably, the United Nations has recently published two relevant consensus-based documents targeting State behaviour and stability in cyberspace. These discussions focus on the so-called four pillars: International law, norms of State behaviour, confidence building, and capacity building. Firstly, the Open-Ended Working Group adopted its report in March 2021, which set a precedent by reflecting the discussions held amongst all member states of the United Nations and confirmed that the United Nations should continue to play a leading role in promoting dialogue on the use of information and communication technologies by States. The report also offered broad support to the framework for responsible State behaviour, the general applicability of international law as well as norms developed by the previous efforts of the United Nations Group of Governmental Experts (UN GGE). Secondly, the UN GGE released its report in July 2021. The UN GGE process may have received criticism over its lack of transparency and inclusivity, but it has managed to showcase high-level diplomacy in reaching consensus on a range of difficult issues. These include the applicability of International Humanitarian Law (IHL) to State behaviour in cyberspace as well as listing concrete sectors such as healthcare as critical infrastructure, and pleading countries not to conduct and support cyber operations targeting these sectors.
The UN processes have both underscored the value and function, albeit limited, of voluntary non-binding norms. In essence, if States cannot agree on legally binding rules, norms are the next best option for shaping State behaviour in cyberspace.Apart from solving the issue on the applicability of IHL to State behaviour in cyberspace, neither report offered substantial clarity on how international law applies. While such slow progress may be disappointing to some, it accurately reflects the current patchwork of different opinions regarding a number of topics related to international law and general lack of willingness of States in moving forward with more detailed common understanding. While UN member states have been invited to share their domestic views on how international law applies in cyberspace, these insights are not enough to lead to a globally shared interpretation, and it is not likely that an international agreement on State behaviour in cyberspace will be reached any time soon. Leaving international law aside, the UN processes have both underscored the value and function, albeit limited, of voluntary non-binding norms. In essence, if States cannot agree on legally binding rules, norms are the next best option for shaping State behaviour in cyberspace. As reflected in the OEWG report, agreeing upon and following norms can reduce risks to international peace, security, and stability and play an important role in increasing predictability and reducing risks of misperceptions, thereby, contributing to the prevention of conflict. While both the UN GGE and OEWG reports stress the relevance of norms, neither of the reports touched upon the elephant in the room: The enforceability of the agreed upon norms. States and other stakeholders such as NGOs, the private sector, and academia seem willing to discuss the myriad of issues related to cybersecurity, be it focusing on standardisation, responsible State behaviour, or other domains. Yet these discussions are not going to be easy as they often target uncharted territories and are loaded with strategic and political motives. Neither is the most effective format for these discussions clear, as there are several options for going forward, such as the recently proposed “Programme of Action” within the framework of responsible State behaviour. Unfortunately, many countries act as if they are in a “buffet” of norms where one can choose which norm to follow and which to ignore. In a nutshell, given the unlikeliness of achieving a substantial agreement on a global level within the UN processes in the near future, like-minded partnerships will continue to work on their respective approaches, leading to certain fragmentation. In fact, such fragmentation is inevitable, given the increasing activeness of different groups of stakeholders and regional organisations. As suggested by analysts, fragmentation may be seen as hindering the process of consensus on conduct in cyberspace, but at the same time it also allows the specialised communities to use their expertise in suggesting the best way forward. And such input may be exactly what is needed to further drive the discussions on international venues.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
Dr Anna-Maria Osula is a senior policy officer at Guardtime a software security company that offers solutions for data governance and real-time detection and mitigation ...
Read More +
PREV
