High-Level Seminar
“Cybersecurity: Global responses to a Global Challenge”
Madrid, 21 March 2014
Multilateral Approaches to Cyber Security
Theresa Hitchens, Director, UNIDIR
Your Excellencies, Colleagues, Ladies and Gentlemen, I’d first like to thank the Government of
Spain for inviting me to present at this necessary and timely high-level conference. I first
must note that I do not speak for the United Nations nor for UNIDIR, rather my remarks are
made in my own personal capacity.
As we all know, issues related to the use of cyberspace are becoming more and more salient
for the international community. We have mostly been discussing cyber crime here today, and
while a very important subject it is not my area of expertise. Rather, I am going to discuss
issues relating to how activities in the cybersphere touch on issues of national and
international security.
With the emergence of the Internet as a global infrastructure for economic, social and
business-related development -- in addition to being a new tool for politics, espionage and
military activities -- there is growing international concern regarding the potential use of
information and communication technologies (ICT) in conflict, as well as the possibility that
traditional conflict may be spurred by cyber activities. The 2011 and 2013 Reports of the UN
Group of Governmental Experts (GGE) on Developments in the Field of Information and
Telecommunications in the Context of International Security recommended steps to reduce
the risk of misperceptions resulting from ICT disruptions, including the consideration of
“Confidence-building, stability, and risk reduction measures to address the implications of
State use of ICTs...”
The well-known technical difficulty in attributing identity to the perpetrators of cyber
malfeasance raises the risk for misperception in times of crisis, and with that, the potential for
conflict. Meanwhile, some 40 states are developing cyber tools explicitly for offensive uses as
part of their military strategies. The possibility of state-on-state conflict utilizing ICTs could
contribute to strategic instability in times of crisis, and loss of escalation control during
conflict. Because military and civil users rely on the same infrastructures, the potential
negative impacts on civil society could be severe.
Against this backdrop, the need is evident for the development of mechanisms for discussion,
education and constructive engagement on how to improve cyber security in the multilateral
environment. Additionally there is a need for the international security community to be
aware of ongoing conversations in the internet governance arena, as developments in that
field may have very tangible impacts on the creation of international security parameters in
the cyber domain.
UNIDIR, under its mandate from the General Assembly to provide research and analysis on
emerging challenges to international security, has been for the past several years heavily
vested in exploring questions related to cyber stability and security.
The focus of our cyber work, under our Emerging Security Threats Programme, is twofold –
first, how to prevent conflict in other traditional security domains from spreading to the
cybersphere, and second, working to avoid cyber activities being a trigger for wider conflict.
Cyber is very different in nature to many of threats to peace and security that the
international community is accustomed to address through diplomacy and arms control. The
lack of a mutual understanding of what amounts to offensive action in the cyber domain, the
difficulties of clearly attributing cyber attacks, and a lack of an established methodology for
cyber strategic messaging are all hurdles that complicate the application of traditional
security concepts such as sovereignty or warfare to the cyber domain. Thus, there are many
gaps that need to be filled as the international community works to build an enduring cyber
stability regime.
UNIDIR has held several major conferences on cyber stability and security issues, and
produced in 2013 a “Cyber Index” that attempted to provide a “snapshot” of cyber activities
underway by nation states as well as elucidate issues related to confidence building.
In my brief remarks, I am going to discuss some of the ongoing efforts at a multilateral level to
address these issues, as well as to lay out some of the challenges to the international
community in doing so.
To start off, it is necessary to understand that there is no “one stop shop” for addressing cyber
issues at the multilateral level. A number of organizations, including but not limited to the UN
General Assembly, have been seized of the issue and are undertaking different, and at the
same time, overlapping efforts. As we have heard, there is activity on cyber crime and security
in the General Assembly’s Third Committee, as well as activity to address the international
security issues related to the cyber domain in the First Committee. These two Committees
have no formal interaction, and indeed representatives from one do not necessarily know
what is going on in the other. This lack of a “focal point” for addressing the multi-faceted
issues related to securing the cyber domain is indeed one of the challenges we face in
developing multilateral approaches. I am going to address three major “streams” of ongoing
multilateral debate and work: at the United Nations, at the Organization for Security and
Cooperation in Europe (OSCE) and at the International Telecommunication Union (ITU.)
First, at the United Nations. Since 2010, starting with GA Resolution A/65/154, states have
been providing on a regular basis national views on the question of cyber security to the
Secretary-General so that the Secretary-General may report to the General Assembly. The
reports are designed to provide information exchange among states about activities and
concerns – although taken alone, do not provide a basis for any concrete action. The latest,
A/68/156 and A/68/156 add 1, were transmitted to the General Assembly in 2013.
In addition, there have been up to now two GGEs on information security: in 2010-2011
(which failed to issue a consensus report) and in 2012-2013 (which did issue a report in June
2013, A/68/98). The 2012-2013 GGE, chaired by Australia, recognized the application of state
sovereignty and international norms and principles in cyberspace, as well as respect for
human rights. In particular, the GGE report noted the need for more international cooperation
in preventing the “wrongful and unlawful” use of state information and communication
technologies. However, the terms “wrongful and unlawful” were not defined.
The GGE also agreed that there is a need for confidence building measures in the cybersphere,
including the development of new multilateral consultative groups; improved information
sharing about security incidents, national policies and processes; and improved cooperation
on incident response and law enforcement issues. The question of capacity building was also
addressed as a necessary foundation stone to ensuring cyber security.
Beginning in July 2014, a follow-on GGE will commence its work. The first meeting will take
place 21-25 July, the second 12-16 January 2015, the third 13-17 April, and the final meeting
22-26 June 2015. No chairman has yet been announced for the GGE – which is expected to be
more political challenging than its predecessor, especially in the wake of revelations by
former US NSA whistleblower Edward Snowden.
A key problem faced by the GGEs has been that there is little international agreement on
fundamental questions regarding activities in the cybersphere. There is no agreed definition
of “cyber security” – indeed you will note that the GGEs use in their title and mandate a
different term, “information security,” which is interpreted differently by different nation
states. There is little agreement on how, or even IF, international law – the Laws of Armed
Combat, International Humanitarian Law and International Human Rights Law – apply in the
cyber domain. There further is no agreed definition of what might constitute a “cyber attack”
that could warrant a diplomatic or even military response under Article 51 of the UN Charter.
The bottom line is that while many, if not all, nation states agree that protecting the cyber
domain and avoiding conflict and warfare in the cybersphere are good things, there is little, if
any, consensus on just what that means and how to go about making it happen.
Meanwhile, Russia, China, Kyrgyzstan, Kazakhstan, Tajikistan, and Uzbekistan put forward a
letter to the Secretary-General (A/66/359) in 2011 suggesting the need for states to consider
a code of conduct on information security. According to Shen Jian, Counselor at the Chinese
Mission to the UN in Genva, speaking at UNIDIR’s Cyber Stability Seminar in February 2014,
the idea of a code stems from the fact that there are no real “traffic rules” in cyberspace
governing state activities. Proponents of the code concept are quick to note that their letter
did not constitute a GA resolution, rather a sort of “food for thought” paper to be considered
regarding the potential for a UN framework to govern state behavior. According the preamble
of the proposed code concept, there is a need to prevent the use of ICTs in a manner that
would undercut national and international security, as well as to capacity build to close the
digital divide. The code, according to supporters, is designed to identify the rights and
responsibilities in the “information sphere” – a term used by Russia and China but not by
many Western states, which in and of itself suggests the split in the international community
about the very nature of the problem.
The proposed code is seen by its proponents as being a legally-binding instrument, and a
complement to voluntary TCBMs. In particular, proponents of the code are concerned bout
the use of the Internet and social media to foster societal unrest and instability. These
countries adhere to the concept that information itself can be a weapon.
However, the political viability of the code proposal is somewhat in doubt, as the concept has
been rather vehemently rejected by the United States and most Western states, who see the
effort as aimed at establishing a strict national sovereignty model over content flow over the
Internet and potentially a tool of oppressive regimes.
In the absence of international consensus about the specific problems and solutions,
particularly any legal measures, there has been much discussion and debate about the need
for transparency and confidence-building in the cyber domain. On that front, there has been
some progress at the regional level – in particular at the OSCE. On 3 December 2013, the 57
member states of the OSCE adopted Permanent Council Decision 1106, elaborating an initial
set of confidence and security building measures regarding the use of Information and
Communications Technologies. The recommendations have a focus on transparency measures
through improved information exchange, communications and cooperation, including:
1. Exchange of information on national views on threats in the use of information and
communications technologies
2. Exchange of information on measures being taken by states to ensure an open and
reliable Internet
3. Exchange of information on strategies, policies, and programs regarding cyber security
4. Consultations to reduce misunderstandings and misperceptions
5. Cooperation between state bodies responsible for establishing best practices
6. Exchange of information on national incident response policies and practices
7. Establishment of methods of rapid communication at senior policy levels regarding
national security concerns, and
8. Exchange of information and dialogue on terms of reference used nationally in order to
diminish misunderstandings.
Of course, all of these suggested measures would be voluntary. The hope is that all states
would see the benefit of such measures, at a minimum as an expression of goodwill – and that
the elaboration of such possible measures could feed into other processes. The OSCE sees the
effort as one of a rolling nature; that is, that the recommendations might be updated and
become more ambitious as time goes on.
However, given the OSCE’s limited membership and the vague mandate regarding
implementation of the proposed measures by OSCE member states themselves, it remains
unclear exactly how this initiative could be taken forward by the international community
writ large.
There has also been some activity on transparency and confidence-building measures in the
ASEAN Regional Forum, where China sponsored the first ARF workshop in cyber security in
2013; and as we heard from Adam Blackwell, efforts in the Organization of American States
around capacity building and cyber protection. That work, however, has yet to be really
translated into the wider international arena.
The ITU is the intergovernmental body that manages, under a treaty regime, access to the
radio-frequency spectrum for electronic transmission as well as to orbital slots for satellites.
It also sets standards to ensure against radio-frequency interference and maximize efficiency
of communications networks. The organization comprises 193 nations and more than 700
corporate entities and academic institutions as non-voting members.
The relationship and mandate of the ITU with regard to cyber security is the subject of not
inconsiderable debate.
The ITU’s website states:
“A fundamental role of ITU, following the World Summit on the Information Society (WSIS)
and the 2010 ITU Plenipotentiary Conference, is to build confidence and security in the use of
Information and Communication Technologies (ICTs). At WSIS, Heads of States and world
leaders entrusted ITU to take the lead in coordinating international efforts in the field of
cybersecurity as the sole Facilitator of ‘Action Line C5,’ ‘Building confidence and security in
the use of ICTs. In response, ITU Secretary-General Dr. Hamadoun I Touré launched the Global
Cybersecurity Agenda (GCA), which is a framework for international cooperation aimed at
enhancing confidence and security in the information society.”
This implied mandate is, however, disputed by many Western governments.
Nonetheless, issues of cyber governance – that is rule setting and management of the
operational functions of the Internet – has become a contentious issue within the ITU. At its
most basic level, the debate pits the United States and many Western governments who
uphold the so-called “multi-stakeholder” model of Internet governance against Russia, China,
Iran and many in the developing world who champion the concept of “national sovereignty” in
the cybersphere, which includes the right to monitor and control incoming and outgoing data.
While the two “sides” are hardly monolithic in their concerns and suggested approaches,
particularly in the wake of the revelations made by former National Security Agency
contractor Edward Snowden, the debate is fundamentally one of ideology.
In addition, a number of nations are clamoring for the current system of Internet governance
– based around the Internet Cooperation for Assigned Names and Numbers (ICANN) and the
Internet Engineering Task Force (IETF) that together set the technical protocols and
standards for operation of the network and manage the assignment of names in the
cyberspace address directory (domain names) – to be transferred to the ITU. The arguments
for doing so are that Internet governance is primarily controlled by the United States (a
contention for which there is some truth) and Western interests, and that governance needs
to be more equitable. With the Snowden revelations regarding NSA activities in the
cybersphere, the role of the United States in Internet governance has become an even more
heated debate. Indeed, many see the recent announcement by the US government that the
Department of Commerce would not renew its contract with ICANN when it expires next year,
instead transitioning ICANN to a multilateral support structure, as a “preemptive” strike
designed to head off a push for ITU control.
While the issue of Internet governance is complicated in the extreme, it does impact both
cyber security and international security because of its fundamental nature.
The “multistakeholder vs. sovereignty” divide was a centerpiece of the December 2012 Dubai
World Conference of International Telecommunications (WC-IT-12). After protracted
debated, the conference established new International Telecommunication Regulations (ITRs)
but not by consensus – opening the road for divisions in practice as those nations who do not
accept the changes are not obliged to implement them. This suggests a potential problem of
contradictory rules and regulations. One of the most controversial of the new ITRs was a
measure designed to prevent spam that was rejected by most Western states because it
implied a right for governments to examine all content.
The next forum to address these issues is the World Telecommunication Policy Forum in May
in Geneva, and then the ITU Plenipotentiary Conference in Bussan, South Korea in NovemberDecember 2014. The latter meeting is likely to be fraught with tension and controversy as
states once again tackle the governance question.
As apparent from my brief remarks, the international community faces some serious hurdles
in addressing the issues related to cyber security, including fundamental disagreement on
what should and could be done to avoid increased conflict and ensuring a stable, predictable
environment for cyber communications and commerce. Lack of an multilateral forum with a
cross-cutting mandate only exacerbates those hurdles – but the primary issues are of a basic
nature, i.e. lack of agreement about what actually constitutes security in the cyber domain and
how to stabilize the environment. Thus, for the moment, the most feasible path for
multilateral actions is to continue to pursue transparency and confidence building, in order to
establish a less shaky foundation for serious discussions about threat perceptions and how to
cooperatively diminish risks.