The 2015 GGE Report: What Next for Norms in Cyberspace?

By Elaine Korzak
Wednesday, September 23, 2015, 8:32 AM

In late August the UN Secretariat published a consensus report adopted by the fourth Group of Governmental Experts on Information Security (GGE). The highly anticipated report is the result of a year of consultations among 20 countries looking at measures to promote stability and conflict prevention in cyberspace. The General Assembly decided to convene the GGE following the achievements of its predecessor group, which (among other things) had agreed to the applicability of international law to states’ cyber actions.

To build on this, the 2014/2015 Group was specifically tasked with examining “norms, rules or principles for responsible behavior of States” as well as “how international law applies to the use of information and communications technologies by States.” Owing to these issues’ importance, the GGE has morphed into a major focal point for the international discussion of norms for state behavior in cyberspace.

Its most recent report is thus worth noting, both for its contents and because it raises the question of what might be next for the international debate on norms in cyberspace.

The 2015 GGE Report

The Group’s agreement has been characterized as a “breakthrough” and “a strong consensus report.” Given the increased membership of the Group, the diversity of views, and the controversial subjects in play, the fact that the Group was able to agree on recommendations regarding a range of norms, confidence-building measures and capacity-building efforts is remarkable in itself.

In particular, the Group adopted a series of norms proposed by the US. For example, on the question of critical infrastructure protection, the report said that countries should not conduct cyber activity “that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” Similarly, the Group stipulated that states should not harm other states’ authorized computer emergency response teams, known as “CERTs” or “CSIRTs.”

These are important advances. However, a closer look reveals that the Group’s recommendations constitute “voluntary, non-binding norms, rules, or principles” for state behavior. This significantly weakens the impact of the adopted norms. The status of the GGE report, in terms of its norm-setting power, is itself also unclear. Past General Assembly resolutions have merely “taken note” of assessments and recommendations contained in past GGE reports; it remains to be seen how this year´s General Assembly resolution on the matter will treat it. (Other options in this respect are for the General Assembly to “adopt” or “endorse” reports.)

Some key issues also went unresolved. Though it reached consensus as to its recommendations, the Group nevertheless was not able to make significant progress on one of its core taskings, namely the question of how international law applies to the use of information and communication technologies. The US and other Western states had wanted to see advances in this area; yet , the language of this year´s report does not significantly expand upon that of the 2013 report. As Michele Markoff, the US governmental expert in the Group, noted, “[m]ore robust statements on how international law applies were contested by a few key States, and we did not achieve all of the progress we would have liked in this area.”

What Next?

Given the GGE’s most recent pronouncement, what can the international community do next, in order to advance the debate on norms in cyberspace?

The GGE itself recommends the creation of a successor group for 2016 and 2017 that is to continue the study of the issues discussed above. This seems viable: The past three GGEs have proven to be a workable and largely successful format for discussions. States have apparently already begun to register their interest in participating in a new Group—even before the General Assembly has considered this question.

On the other hand, this year´s GGE report suggests that any remaining room for consensus, particularly with regard to the application of international law, has been exhausted. Keep in mind that, so far, the GGE process has involved only twenty states. But building consensus on norms internationally will at some point require the involvement of the broader UN membership in order to ensure legitimacy and universality.

For that reason, states might opt for a different forum, such as the Conference on Disarmament or an Open-Ended Working Group. (The latter are established from time to time by the General Assembly.) The problem, of course, lies in the viability of these mechanisms. The Conference on Disarmament has been largely defunct while the potential for consensus in an Open-Ended Working Group is difficult to determine. Another option would be to move the discussions pertaining to the applicability of international law from the more politically-charged discussions of the First Committee of the General Assembly to its Sixth Committee. The latter deals with international legal questions; the General Assembly´s mandate of encouraging the progressive development of public international law is often realized through its work.

Doubts about the alternatives suggest that, in the end, the international debate on norms in cyberspace is likely to continue in the GGE format. But whatever shape multilateral talks might take eventually, the debate on international law governing state behavior in cyberspace can always be moved forward if individual states more clearly outlined their emerging interpretative approaches in this area. Raising the level of specificity with regard to the application of international law would do a lot in this respect, perhaps even more than a fifth Group of Governmental Experts.