Cybersecurity and the United Nations

In the second instalment of the FOC Working Group 1 (WG 1) blog series, Tim Maurer – a research fellow at New America’s Open Technology Institute and a WG 1 member – introduces the notion of cybersecurity within the context of the United Nations.

In 2013, Secretary General of the United Nations (UN), Ban Ki-moon, presciently stated that “Cyberattacks have the potential to destabilize on a global scale. Cybersecurity must therefore be a matter of global concern. The United Nations is promoting dialogue and cooperation among Member States to ensure an open, secure, peaceful and accessible ICT environment.”[1] Fast forward only slightly to December 2014 in the wake of the Sony hack and some experts are calling for the issue to be taken up by the UN Security Council. The issue has not yet reached the UN’s ultimate authority when it comes to matters of international peace and security[2], but it is slowly elevating itself as a topic of top concern within the global organization. In fact, the UN General Assembly has been quietly active discussing cybersecurity for over a decade.[3] The UN remains a key authority and source of legitimacy with the decisions of its member states guiding the international community. It is therefore worth taking a closer look at the UN’s activities regarding cybersecurity and their implications for human rights.

The most important effort has been carried forward by a group of governmental experts – so-called “GGEs” – created by the UN General Assembly’s First Committee focusing on Disarmament and International Security. To date, four GGEs have been convened and their experts have been discussing and negotiating international cybersecurity norms. Each of the first three GGEs was made up of representatives from 15 countries. The fourth GGE, chaired by the Brazilian government, is currently carrying out its mandate and has been enlarged to 20 UN member states. Each GGE meets over the course of several months with the goal of developing a negotiated joint outcome document summarizing the group’s views. These reports are then usually referenced in General Assembly resolutions where the full membership can express their position (which in the UN’s lingo is expressed in the nuances between words such as “acknowledge” and “welcome”). The report of the fourth GGE can be expected to be published in the latter half of 2015.

The 2013 report of the third GGE[4] was a milestone in this norm setting process. For years, one of the most contentious issues among states was over whether existing international law applies to cyberspace or not. While the UN Human Rights Council affirmed in 2012 that human rights apply online as well as offline[5], it was not until the 2013 GGE report that the international community agreed that international humanitarian law also applied online as well as offline. (For a description of the difference and inter-linkage between international humanitarian law and human rights law, see this article by the International Committee of the Red Cross.[6]) The report of the third GGE states that “international law and in particular the United Nations Charter, is applicable.” It also affirmed that “State sovereignty and the international norms and principles that flow from it apply to States’ conduct of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory” and that “States must meet their international obligations regarding internationally wrongful acts attributable to them.” The document also explicitly mentions human rights, highlighting that “State efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments” and that “States should encourage the private sector and civil society to play an appropriate role to improve security of and in the use of ICTs.”

The publication of a report by a GGE is not a given. In fact, the first GGE established in 2004 was not able to come to a consensus and did not produce a report. Specifically, “there was particular disagreement regarding the claim that trans-border information content should be controlled as a matter of national security.”[7] The second group eventually concluded jointly that “existing and potential threats in the sphere of information security are among the most serious challenges of the twenty-first century.”[8] The tension over content continues to this day with some countries wanting to control information and others supporting the free flow of data across international boundaries – reflected in the former’s use of the term “information security” and the latter’s preference to use the term “cybersecurity” instead.[9]

In fact, this difference in terminology highlights the human rights dimension of this international debate including at the United Nations. The Russian and Chinese governments, among others, use the term information security in their proposed International Code of Conduct for Information Security which calls for international cooperation to curb “the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment.” In other words, this language could be interpreted to allow states to cooperate to restrict content deemed to undermine a country’s “social stability.” This proposal is clearly at odds with international human rights. The dangers of abuse that this notion of information security entails are why many other governments use the term ‘cybersecurity’ in fora like the United Nations and why the Russian and Chinese initiative has been criticized by cybersecurity experts and human rights advocates alike.[10] The GGE is therefore an important process to follow also from a human rights perspective but it is not the only process at the UN relating to cybersecurity with human rights and humanitarian implications.

History of cybersecurity at the UN

The UN’s activities relating to cybersecurity began in the early 1990s, with a focus on the criminal use of emerging technologies.[11] The exponential growth of the Internet in the mid-1990s also eventually raised concerns about the implications of the security of information systems for international peace and security. Of the six General Assembly committees, three have focused on cybersecurity-related issues – the Disarmament and International Security Committee (First Committee), the Economic and Financial Committee (Second Committee), and the Social, Humanitarian and Cultural Committee (Third Committee).

In 1998, the Russian government introduced a draft resolution entitled ‘Developments in the field of information and telecommunications in the context of security’ in the Disarmament and International Security Committee.[12] Sergey Ivanov, who later served as the Russian Minister of Defense, described the draft resolution as an initiative “to develop international law regimes for preventing the use of information technologies for purposes incompatible with missions of ensuring international stability and security.”[13] However, other countries perceived the draft resolution to be disingenuous. As reporter Tom Gjelten writes, “the idea of a cyber-arms accord has been interpreted in some countries as justifying expanded governmental control over the Internet.”[14] For a decade, this discussion simmered in the First Committee until the end of the last decade when it gained more political traction as evidenced in GGE reports’ findings.

Two years after the Russian Federation introduced the resolution in the First Committee, the Third – Social, Humanitarian, and Cultural – Committee discussed ‘Combating the criminal misuse of information technologies’ as part of its work on crime prevention and criminal justice. A few years later, the focus of the substantive cyber-crime related discussion moved from the General Assembly to the Commission on Crime Prevention and Criminal Justice. The Second Committee, the Economic and Financial Committee, has also adopted resolutions related to cybersecurity, namely those focused on the ‘Creation of a global culture of cyber-security’ dating back to a draft resolution introduced by the U.S. government in 2002. This series of resolutions has emphasized protection of critical information infrastructures, linking the process at the UN to the discussions at the G8.[15]

In addition to the UN General Assembly, cybersecurity was on the agenda of the Economic and Social Council (ECOSOC) in 2011, which held a special event on the impact of cyber attacks on development.[16] The UN’s Counter-Terrorism Implementation Task Force includes a Working Group on Countering the Use of the Internet for Terrorist Purposes.[17] In a report published in February 2009, the working group concluded that “there is not yet an obvious terrorist threat in the area” and that “it is not obvious that it is a matter for action within the counterterrorism remit of the United Nations.”[18] Other parts of the UN system have also focused on cybersecurity including the UN Office on Drugs and Crime[19] and the International Telecommunication Union.[20] It is also worth mentioning that Brazil and Germany introduced a draft resolution on privacy in the digital age in the Third Committee in 2013. This initiated a new, related process with a new resolution[21] adopted in December 2014 referencing the potential creation of a “special procedure” with the goal of “identifying and clarifying principles, standards and best practices regarding the promotion and protection of the right to privacy.”[22]

In short, over the past two decades the UN has been quietly active discussing cybersecurity and has emerged as an important node in the network of international debates at the regional and global level. The UN General Assembly’s activities focused on ‘Developments in the field of information and telecommunications in the context of international security’, in particular, have become a key vehicle to advance the development of international cybersecurity norms. The results of the fourth GGE in 2015 will show whether the pace of these efforts among governments can keep up with the growing threats, deteriorating security, and increasing instability.

The views expressed in this blog represent the views of individual authors, and do not represent the views of the Freedom Online Coalition or its members.