A Statement on the Programme of Action: A standing UN body to uphold international expectations is the best hope for stability in cyberspace

Throughout 2021, the Cybersecurity Tech Accord has served as Chair of Paris Call Working Group #3 on advancing multistakeholder inclusion in cybersecurity dialogues at the United Nations (UN). After a series of workshops, one thing that is clear is that structural changes are needed in how the international system engages on cybersecurity to be both more inclusive and more responsive to a constantly evolving digital domain. With this in mind, we are excited by the proposal by a number of governments for a UN “Programme of Action” on cybersecurity, to serve as a standing body to facilitate greater cooperation and diplomacy for stability in cyberspace.  

It is hard to avoid feeling that international cybersecurity is at an inflection point. On the diplomatic front, two UN working groups tasked with addressing peace and security online recently concluded and released consensus reports that reinforced a common framework of expectations for responsible state behavior online. Meanwhile, however, the SolarWinds, Colonial Pipeline, and Microsoft Exchange server attacks of recent months (a software supply-chain compromise, a ransomware attack on critical infrastructure, and mass exploitation of on-premises mail servers, respectively) have set new and indelible high-water marks for the scale and impact of cyberattacks worldwide. These trends are unmistakably at odds – states are agreeing on what the rules should be while at the same time conflict online continues to escalate, leaving an unavoidable sense of “where do we go from here?”

For its part, the UN has established a second iteration of the Open-Ended Working Group on information security (OEWG), to run through 2025. These working group dialogues – including the previous OEWG and successive Groups of Governmental Experts (GGEs) – have made significant contributions by establishing an international framework for responsible state behavior online. However, they have unfortunately had limited practical impact, and iterative diplomatic progress is cold comfort when conflict between states online continues to increase every year unabated.

The Cybersecurity Tech Accord has long advocated for greater multistakeholder participation in the UN cybersecurity dialogues – especially when it comes to the technology industry. We were glad to provide input to the first OEWG at different times and in different formats – at the 2019 intersessional meeting, during the “Let’s Talk Cyber” consultations in 2020 and 2021, and through written contributions along the way. However, the structure of these ad-hoc working groups is ultimately ill-suited to addressing escalating conflict in cyberspace. It is time for the UN to rethink its approach, and to build on its framework of norms and international law in cyberspace in a new format designed to address the unique challenge of upholding a rules-based order online.

We are not the only ones to take note of this need for fresh tactics. Last year the French government, along with Egypt and 40 other governments, introduced a proposal calling for a “Programme of Action for advancing responsible State behaviour in cyberspace” at the UN. And while the Programme of Action (PoA) remains just a proposal for the time being, with many details still to be decided, it has the potential to structure a more impactful and consequential dialogue moving forward.

In September, as Chair of the Paris Call Working Group #3 on facilitating greater multistakeholder inclusion at the UN, the Cybersecurity Tech Accord hosted a workshop to explore the PoA proposal further. The working group will release a comprehensive final report on its work next month, at the Paris Peace Forum. In the meantime, following this most recent session, we wanted to share the Cybersecurity Tech Accord’s own thoughts and recommendations on how the PoA could help implement, uphold, and evolve the expectations set by previous UN working groups in cyberspace, and how it could facilitate more regularized multistakeholder inclusion.

Recommendations from the Cybersecurity Tech Accord

The PoA’s potential to advance security, stability and human rights online with a robust multistakeholder model will depend in large part on its mandate and structure. To that end the Cybersecurity Tech Accord has several recommendations for how it might i) implement, uphold and set expectations for responsible behavior online and ii) structure itself to support a necessarily inclusive dialogue.

Implement, uphold, and set expectations

The UN GGE and OEWG dialogues have made significant contributions over the years by getting all UN member states to agree upon a shared framework of expectations for responsible state behavior online. This includes, primarily, the recognition that international law applies in cyberspace and the adoption of the 11 voluntary norms for states to follow. To reinforce and uphold these expectations, the PoA should aim to accomplish the following:

  • Support capacity building – Given the differing capacities of nations around the globe, many states would benefit from continued support and guidance regarding how to implement the UN norms. Norms that encourage states to “take steps” to ensure the integrity of ICT supply chains or to protect critical infrastructure, for example, have helped to identify issues, but they do little to support concrete action on them. While the most recent GGE report goes a long way toward providing implementation guidance, more still must be done to support practical implementation efforts on an ongoing basis. A major benefit of having a standing body will also be its ability to both produce and then update such guidance as needed.
  • Monitor progress and build consensus – Many of the UN norms for cyberspace call on states to take action without any mechanism for tracking progress. The PoA could go a long way toward encouraging states to implement norms simply by cataloguing which states do so and how. This would both prompt governments to pursue implementation in order to be counted, and create a valuable resource hub of examples in the process to serve as reference points for other states. In tracking implementation efforts, the PoA could also help drive greater international consensus. Especially on matters such as how states understand international law to govern behavior online, prompting states to publish their own positions and then tracking these contributions will help to recognize where consensus exists and, as important, where it does not.
  • Update norms – A key benefit of the PoA would be its ability, as a standing deliberative body, to respond rapidly to an evolving threat environment. As cyber threats change alongside technological innovation, the PoA would be well positioned to provide updates on how those changes affect the meaning and implementation of existing norms. What constitutes critical infrastructure, emerging threats such as ransomware, and responsible vulnerability disclosure and handling are all examples of important expectations that may need to evolve to keep pace with changes in technology that we cannot predict right now.
  • Set new norms – Finally, it is hubristic to assume that the existing 11 UN norms for responsible state behavior online are exhaustive and sufficient to address the scope of irresponsible state behavior online, both now and in the future. While these norms should serve as an immutable foundation, the PoA should also include an avenue by which new norms could be negotiated and established. We can already think of some additional norms that would be beneficial – such as a norm to protect the software update process as part of the ICT supply chain, the very mechanism abused in the SolarWinds compromise, where malicious code was inserted into a vendor’s build and then distributed to customers as a legitimate, signed update. Even so, we should all be more concerned about eventualities we cannot envision, and build a process for quickly addressing gaps as they inevitably arise.

Supporting inclusive dialogue

Much of the success of the PoA will hinge on its ability to facilitate multistakeholder inclusion in building and maintaining a rules-based order online. The internet itself is a global network of smaller networks, most of which are privately owned and operated, and the technology and infrastructure itself is largely developed and maintained by private companies as well. This unique nature of the digital domain requires cooperation across stakeholder groups to both set meaningful expectations and then implement and uphold them. To this end, the PoA should create space for the following:

  • Guaranteed consultations – To begin with, the PoA would need to guarantee minimum opportunities for both in-person and written consultations with non-governmental stakeholders at various points throughout a deliberation cycle. Such consultations would need to be open to a wide range of stakeholders and across the breadth of topics in the PoA’s mandate. These opportunities for inclusion – to have multistakeholder voices heard – would also need to be structured so that they could not be forgone or diminished at the request of a single state or a small number of states.
  • Regional and sector-based consultations – To further support inclusion, the PoA could deliberately engage more directly in regional and sector-specific forums. Different regions and sectors have different needs, priorities and approaches when it comes to matters of cybersecurity, which should help broaden and influence the agenda of the PoA. Moreover, reaching out to and engaging with regional forums in particular will support greater participation from emerging economies and smaller entities that may not be resourced to engage directly in a UN forum.  
  • Maximize transparency – A dialogue cannot be inclusive if it is not transparent. The PoA should seek to be as transparent as possible in both its products and its planning. This means making official reports and other materials, including notes from individual meetings, public as soon as possible to ensure other stakeholders are equipped to engage with the PoA moving forward. It also means providing sufficient advance notice regarding when meetings will take place and what they will discuss, as well as when and how states and other stakeholders will be able to provide input.
  • Points of contact – Maintaining an up-to-date list of points of contact for the PoA – for both the secretariat and individual states – would be an important way to maintain pathways for engagement with non-governmental stakeholders.

This is not intended to be an exhaustive list of the work the PoA could or should support, which would also likely include activities surrounding cybersecurity capacity building and specific confidence building measures (CBMs) in cyberspace. However, at this stage of the PoA’s development, we hope that these considerations and priorities will be top of mind for states in deliberating how best to move forward with the concept. By creating space for multistakeholder cooperation and a standing body for ongoing deliberations on a constantly changing domain, the initiative has the potential to fundamentally restructure how the international community advances security, stability and rights online. And with the scale and sophistication of attacks continuing to escalate every year, these fresh tactics are desperately needed and long overdue.