Late last month, the 2016/2017 Group of Governmental Experts on Information Security (GGE), convened under the auspices of the United Nations, concluded its last round of deliberations. As has been widely reported, the Group appears to have failed to arrive at a consensus outcome report. This marks a potentially sharp departure from the work of three prior GGEs that had established and carried forward an international conversation on cybersecurity since 2010, particularly on norms and confidence-building measures in cyberspace. The format of GGEs had turned into the main international vehicle for discussions on rules of behavior for states in cyberspace. With the apparent failure of the 2016/2017 GGE, one is left wondering whether and how this crucial conversation is going to continue.
What Happened?
The 2016/2017 Group was tasked by the UN General Assembly with the study of “existing and potential threats in the sphere of information security” and measures to address them, including “norms, rules, and principles of responsible behavior of states, confidence-building measures, and capacity-building.” Over the course of one year, experts from 25 countries met under the chairmanship of the German representative.
More importantly, the Group was also to study “how international law applies to the use of information and communications technologies by states.” It appears that exactly this issue — international law and its application — comprised the critical sticking point in the Group’s deliberations. An unusually explicit statement issued by the American representative Michele Markoff indicates as much. Markoff submits that “the reluctance of a few participants to seriously engage on the mandate on international legal issues” has ultimately prevented the conclusion of a consensus report. The United States expected “clear and direct statements on how certain international law applies to states’ use of ICTs,” including international humanitarian law, the right to self defense, as well as international law of state responsibility and countermeasures.
Other countries, however, balked at the inclusion of such provisions. The Cuban representative argued that they would lead to a militarization of cyberspace that would “legitimize… unilateral punitive force actions, including the application of sanctions and even military action by states claiming to be victims of illicit uses of ICTs.” Instead, the Group should be emphasizing the peaceful settlement of disputes and conflict prevention. Although only the Cuban statement is publicly available, it is safe to assume that both Russia and China shared this position during the GGE’s discussions — both have maintained similar views in the past. Western countries have countered that clear affirmations of international legal frameworks precisely “help reduce the risk of conflict by creating stable expectations of how states may and may not respond to cyber incidents they face.”
The Issue of International Law
In the end, these clashing viewpoints appear to have sealed the fate of the 2016/2017 GGE. To some extent, this is not surprising as the question of international law and its application has been a source of contention since the beginning of UN discussions in 1998. Back then, the Russian initiative in the General Assembly was geared toward the negotiation of an international treaty – an idea that has been vigorously opposed by Western states but still finds appeal almost 20 years later with the Cuban representative calling for an “international legally binding instrument.”
Still, previous GGEs had managed to mediate these viewpoints to arrive at consensus reports that moved the debate more or less forward. The 2012/2013 Group of Governmental Experts had been widely heralded for its simple statement that international law is applicable to cyberspace, as this was the first time Russia and China had publicly shared this position. And while the following GGE in 2014/2015 made a lot of waves with the concept of norms, its very modest progress on international law aptly reflected the deeply diverging views among states. The final language, for instance, noted the “inherent right” of a state to take measures consistent with international law and the UN Charter without expressly mentioning the right to self defense or Article 51 of the Charter. The same unresolved issues continued to play out in this year’s GGE but it seems that it was not possible to achieve any kind of compromise, even one as superficial as last time.
Where Does This Leave Us?
First, it leaves us with an unresolved international legal debate where the viewpoints seem to be diverging and solidifying rather than converging. Second, and perhaps more disconcertingly, the outcome of the 2016/2017 GGE raises the question of whether and how this legal debate, as well as the broader discussion of the GGE, is going to be continued. Even though the interest of states in participating in a GGE has dramatically increased over the years, many had noted the low appetite for a follow-on Group even prior to the start of the 2016/2017 GGE. One of the questions expected to be discussed by the current Group was ways and mechanisms to take the international debate beyond the current GGE format. With the lack of agreement on international law and its application, this and many other aspects (including norms, confidence-building measures, and capacity-building) remain up in the air. This could mark an end to years of slow, yet steady progress – something that is going to be more than desperately needed in light of the differences that led to the outcome of the current GGE.
Elaine Korzak is a Visiting Assistant Professor of Cybersecurity at the Middlebury Institute of International Studies at Monterey. She was previously a fellow at Stanford’s Center for International Security and Cooperation and the Hoover Institution. Her research focuses on international law and norms in cyberspace, export control regulations, and cyber capacity-building.