Cybersecurity at the UN: Another Year, Another GGE

By Elaine Korzak
Thursday, December 10, 2015, 4:45 PM

This week, the UN General Assembly considered a resolution mandating the creation of a Group of Governmental Experts (GGE) for 2016-2017. The GGE will study existing and potential threats in the sphere of information security, as well as possible cooperative measures to address them. The resolution has already been approved in the First Committee, the General Assembly’s specialized committee dealing with international security and disarmament issues. Pending consideration from the Budgetary Committee for the costs of the GGE, the resolution forwarded by the First Committee will be formally approved by the General Assembly, presumably by the end of this month.

As previously discussed on Lawfare, this outcome was well expected. After all, this is the fifth Group of Governmental Experts that the UN has established since it began considering information security back in 1998. Just this summer, the 2014-2015 (the fourth) GGE concluded year-long discussions with a highly-anticipated consensus report. In the report, experts from 20 states agreed upon an impressive array of recommendations for confidence-building measures, capacity-building efforts, and voluntary, non-binding norms.

Thus, GGEs have become a known mechanism by which the General Assembly advances the international debate on norms, rules, and principles of state behavior in cyberspace. Yet, a host of unanswered questions and unforeseen events face the 2015-2016 GGE and may challenge this continuity.

Business As Usual

Information security has become a standing agenda item for the General Assembly, which has adopted annual resolutions since 1998. In UN parlance, cybersecurity discussions are held under the unwieldy title of “Developments in the field of information and telecommunications in the context of international security.” This year’s resolution was easily adopted without a vote and attracted an impressive 83 sponsors and co-sponsors. Resolution draft text is typically submitted by the Russian Federation and like-minded states such as China. However, this year, the United States, several European countries, and Israel joined as sponsors.

Importantly, the language of this resolution is somewhat stronger than in past years. Whereas prior resolutions have “taken note” of the GGE outcome report, such as in the 2013 resolution, this year the General Assembly “calls upon” member states “to be guided in their use of information and communications technologies by the 2015 report.” This small shift—the consideration of the 2015 report is still non-binding for states—demonstrates the incremental but increasing importance of the GGE process and outcome. Similarly underscoring the increased prominence, the 2015 report was also mentioned in last month’s G20 Communiqué.

GGE #5

The 2016-2017 GGE follows in this tradition. However, if conducting the international debate through the GGE format is to successfully continue, the following questions concerning this Group’s work must be addressed:

  1. What size should the new Group be? The fourth GGE expanded to twenty members, from the previous fifteen. Although the Group is assembled based on equitable geographical distribution, its small size does not provide for a discussion that is seen as inclusive of most of the world’s states. There will likely be calls to add additional states as members. However, any increase in the Group’s size will increase the divergence of views and make it more difficult to achieve a consensus.
  2. Who will chair the fifth GGE? Given the complexities of the topics involved, the chairmanship is often seen as a key element in ensuring the adoption of a consensus report by the Group. Brazil chaired the 2014-2015, and Australia chaired the predecessor 2012-2013 Group. Selecting a chair that can skillfully navigate and unite the different camps represented in the Group will be crucial to its success.
  3. Is there room left for consensus? Following the 2012-2013 landmark report which acknowledged the applicability of international law to state actions in cyberspace, progress—particularly with regard to international law questions—has been limited in the 2014-2015 Group. The 2015 report failed entirely to address the issue of the use of information and communication technologies in conflicts, although the mandate specifically noted it. Perhaps unsurprising, the 2016-2017 mandate no longer includes this question. It is therefore unclear whether any room for consensus among states remains, and how much progress the fifth GGE can feasibly achieve. States invested in this process will have be creative in finding ways to boost its work, perhaps through the facilitation of track 2 discussions to deal with particularly thorny issues.
  4. Finally, two years is a long time. The cybersecurity policy landscape can change rapidly and dramatically, as demonstrated by the Snowden revelations. Thus it is possible, or even likely, that the fifth GGE will have to grapple with questions that we are not even aware of today.