Discussions on cyberspace security need to be more inclusive, says Paris Call Working Group

Earlier this year, the Cybersecurity Tech Accord was honored to accept an invitation to lead one of the working groups established to advance the principles of the Paris Call for Trust and Security in Cyberspace. Working Group 3 (WG3) was tasked with enhancing multistakeholder participation in the discussions on international ICT security at the United Nations. Beginning with its first meeting in March, WG3 has facilitated an inclusive dialogue on an important issue, sparking the interest of numerous organizations in the process. The participation of over 80 entities – including representatives from governments, industry and civil society organizations from around the world – has sent a clear message. Cyberspace is a complex domain where overlapping roles and responsibilities are shared across stakeholder groups and we must find ways to work together to advance trust and security in a new domain of human activity.

To date, discussions on international ICT security at the UN have been largely exclusive to a small group of governments, despite the UN’s long history of multistakeholder participation in other dialogues, and the tradition of a multistakeholder model in internet governance. The now six iterations of the UN Group of Governmental Experts (GGE) dialogues on information security have not allowed for the inclusion of nongovernmental stakeholders and indeed have included experts from 15 to 25 States. And while the parallel UN Open Ended Working Group (OEWG) on information security, established in 2018, opened up the discussion to all member states for the first time, it did little to facilitate greater multistakeholder inclusion. After a single consultation session in 2019, the OEWG scuttled further multistakeholder participation going forward. Both the most recent GGE and OEWG dialogues concluded earlier this year and released final reports that made limited progress in setting new expectations or strengthening existing ones for states. Meanwhile, nation-state cyberattacks continue to escalate year over year with greater impact.

Against this backdrop, the work of the Paris Call WG3 is especially timely and important. The next chapter of cyber diplomacy at the UN must be more ambitious to turn the tide against rising threats, and this will require a more expansive view of how to facilitate multistakeholder cooperation. With this in mind, it was encouraging to witness the great interest demonstrated in the first substantive session of WG3 that took place this past May, which welcomed over 80 representatives from the public, private and civil society sectors. Chaired by ICT4Peace, the meeting started with an examination of the multistakeholder process that led to the development of the International Code of Conduct for Private Security Service Providers (ICoC).  An initiative launched by the Swiss government and including the private sector along with other states and civil society, the Code articulates the responsibilities of private security companies under human rights and international humanitarian law to ensure the responsible provision of private security services. The Code was developed following growing concerns that commercial security provisions did not meet minimum standards of accountability. The challenges that surrounded ICoC share similarities with the ones dominating the debate on a framework for peace and security in cyberspace today, including:

  • Challenges related to State attribution,
  • Difficulty in applying international law to a particular domain,
  • Perception of widespread impunity, and
  • Lack of effective dialogue and collaboration between stakeholders.

However, the success of multistakeholder initiatives such as ICoC demonstrates that finding common ground on complex issues is possible and bringing all relevant entities to the table is part of the solution.

As several participants in the WG3 meeting highlighted, the journey to meaningful multistakeholder participation starts from clarifying and recognizing the roles, responsibilities and values that different stakeholders bring to the table. In cybersecurity, this is particularly important as the private sector owns and manages most of the global internet infrastructure. Meanwhile, civil society organizations have become increasingly important in helping identify and mitigate the impact of cyberattacks on different parts of society, especially the vulnerable. Including these voices in the cybersecurity discussions at the UN is vital and many states are starting to recognize the importance of multistakeholder involvement. Participants in the WG3 meeting stressed the need to translate this growing recognition into concrete mechanisms for consultation and exchange of information at the UN. Non-restrictive accreditation for stakeholders to participate in UN meetings, clear timetables for the sharing of relevant documentation, and setting up channels for private and civil society entities to provide input are a few of the key aspects that WG3 is discussing.

As the UN OEWG on information security starts its new 2021-2025 mandate to make further progress on issues, including cybersecurity norms development and implementation, there is momentum toward bringing the issue of multistakeholder inclusion to the attention of UN member states. Besides the new OEWG, the proposal for a “Programme of Action” (PoA) is promoted by 53 co-sponsor States to establish a permanent, inclusive, consensus-based and action-oriented international instrument to support concrete capacity-building efforts and advance responsible state behavior in cyberspace. WG3 will discuss the PoA and give stakeholders the opportunity to comment on its proposed objectives and structure at its next meeting, which will take place in September, before the group deliberates on its final recommendations on multistakeholder governance.

To engage and stay informed on the proceedings of WG3, please contact [email protected]