The top down UN GGE process appears dead in the water. International norms and laws for responding to cyber attacks must now be built from the bottom up.
Rules must be binding, violations must be punished, and words must mean something. The UN GGE failed on all three accounts.
In 2004, the United Nations established a Group of Governmental Experts with the aim of strengthening the security of global information and telecommunications systems (UN GGE). To date the UN GGE has held five sessions, which are widely credited for successfully outlining the global cybersecurity agenda and introducing the applicability of international law to state behaviour in cyberspace.
However, during the UN GGE’s fifth session in June 2017, fundamental disagreements emerged between the Group’s 25 members, particularly on the right to self-defence and the applicability of international humanitarian law to cyber conflicts. In the end, the fifth and possibly last session concluded without the release of a consensus report. With no plans to pick up the pieces, the question now is, where do we go from here?
Where not to go
As it is currently being practiced, the cyber norms-building process is firmly grounded in the belief that diplomatic consensus can shape state behaviour in cyberspace. Proponents of the norms approach regularly point to the 1968 Treaty on the Non-Proliferation of Nuclear Weapons (NPT) and the 1972 Chemical Weapons Convention (CWC) as evidence that normative taboos can influence international perceptions and ultimately affect national decision-making processes.
Granted, norms are a powerful tool, but their creation is contingent upon a history of transnational interaction, moral interpretation, and legal internalization. Only through this tedious multi-pronged process is there any hope for national interests to be reframed and national identities to be reconstructed. The UN GGE process has tried and failed to create new norms through top-down diplomacy without these critical building blocks. Instead, governments should pay more attention to creating a body of customary international law by developing their own behaviour and practices in cyberspace.
The problem with self-defence in cyberspace
According to international law, states can legitimately use force in self-defence in response to ‘a significant armed attack’ and in proportion to the injury suffered. But applying these criteria to cyberspace is notoriously difficult.
The most comprehensive attempt to clarify these legal issues to date is found outside the UN GGE process. According to the Tallinn Manual on the International Law Applicable to Cyber Warfare, whose creation was supported by the NATO CCDCOE, a cyberattack is “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Yet this definition would exclude some of the most high profile cyber incidents of recent years, such as the Distributed Denial-of-Service (DDoS) attack against Estonia in 2007; the 2015 hack of the US Office of Personal Management (OPM), which stole personal information belonging to 21.5 million current, former, and prospective US government employees; and the hack into the Democratic National Convention (DNC) to influence the 2016 US Presidential Election.
The Tallinn Manual clearly shows that the right to self-defence is applicable to cyberspace. The only real question is where to exactly put the threshold for the use-of-force. The UN GGE entirely failed to tackle this issue, because the member states could not agree on whether self-defence should apply to cyberspace at all.
The problem of International Humanitarian Law in cyberspace
In the real world, the distinction between combatants and civilians are core elements of International Humanitarian Law (IHL), which exists to govern conventional warfare and balance military necessity with humanitarian consideration. But in cyberspace this distinction is extremely difficult, because cyberattacks can have serious impacts on national security without either the perpetrator or the target being a conventional military actor.
Discord on the applicability of international humanitarian law to cyberspace first came to the fore during deliberations on the 2015 UN GGE consensus report, with the Chinese and Russian delegations objecting to the explicit mentioning of IHL in the document. As a result, the final language only made reference to the applicability of the principles of “humanity, necessity, proportionality and distinction.”
At the UN GGE’s 5th session the disagreement on IHL proved unbridgeable. The Cuban delegation refused to accept the applicability of IHL “since it would legitimize a scenario of war and military actions in the context of ICT”, while the Americans accused them of trying “to walk back progress made in previous GGE reports.”
In response to this deadlock, the Cuban, Russian and Chinese delegations pushed for the creation of an entirely new set of international laws and the establishment of “a Working Group of the General Assembly open to all States, to ensure full transparency and inclusiveness and participation in equal rights in discussions and decision-making.”
On the way forward
In principle, creating new international law is a commendable suggestion, if only to tackle the existing legal grey areas such as espionage and intelligence collection. In practice, however, any newly suggested laws will most likely fail in achieving consensus where they pertain to issues as contentious as national security and defence.
The Cuban suggestion might nonetheless be worth more public attention simply for the sake of pushing the global norms discussion forward. The Shanghai Cooperation Organisation, for instance, whose members include China and Russia, developed a ‘Code of Conduct for Information Security’ back in 2015. When it went public, the code was immediately criticised as an attempt to legitimise greater state control and censorship online. But this critical response helped shed light on the key areas of disagreement and thus moved the debate forward, even though the code itself was rejected. Governments should embrace this kind of open exchange and discussion of new thinking. Progress, not perfection, should be the overarching goal.
The second priority should be to address how to tackle cyber incidents that fall below the Tallinn Manual threshold on the use-of-force, such as those mentioned above. Opening up this discussion at the UN General Assembly would help shift the focus of debate from trying to achieve universal consensus on theoretical future cyberattacks, towards addressing more immediate practical concerns. Deliberations in the UN GA would also naturally feed into the creation of opinio juris, and as a result could trigger policy responses and changes in state behaviour.
In contrast, cyber operations that do cross the threshold for the use-of-force are best tackled through the creation of national red lines, military doctrines, and diplomatic response frameworks, which could in time become the building blocks of future bi- and multilateral agreements.
US Homeland Security Advisor Tom Bossart hinted at such an approach by noting after the collapse of UN GGE talks in June that, “it’s time to consider other approaches. We will also work with smaller groups of likeminded partners to call out bad behavior and impose costs on our adversaries. We will also pursue bilateral agreements when needed.”
Only time will tell whether governments are able to ‘fall forward’ in this way. For now, whether the collapse of the UN GGE is a blessing in disguise or a major setback in the development of norms and international law in cyberspace remains anyone’s best guess.
 Michael N. Schmitt. 2013. Tallinn Manual on the International Law applicable to Cyber Warfare. Cambridge Univ. Press, p. 106.