Don't let UN, OSCE cyber norm-setting efforts sputter

May 31, 2018 | Theresa Hitchens

Concerns that deteriorating security in the cybersphere could lead to conflict among states have been growing since the late 1990s. Russia introduced the first United Nations (UN) resolution on this topic in 1998. Since then, there have been several multilateral efforts to build norms for use of the cybersphere. The two most important and most successful to date have been the UN Group of Governmental Experts (GGE) process and the development by the Organization for Security and Co-operation in Europe (OSCE) of a set of confidence-building measures (CBMs) aimed at improving security in the cybersphere. Both groups have established some voluntary baseline norms and CBMs that, if implemented, could lay a foundation for better cyber risk management. While both processes have hit impasses over the last year because of tense geopolitical relations between Russia and the United States, there are good reasons to believe that states, either individually or through multilateral fora, can build on these efforts to improve cybersecurity for all.

The two efforts share a number of themes. Both explicitly address the need for national contact points to smooth information sharing, classification systems for cyber events, and methods for assessing the severity of cyber incidents. Both also identify the need for cooperative protection of national and transnational critical infrastructure and for capacity building in nations lagging behind in the digital revolution. And, unfortunately, both have stalled in efforts to flesh out these baseline agreements with more specific actions. 

States involved in both efforts are now stepping back from further norm development to focus instead on how to avoid losing ground and to ensure implementation of existing agreements. Neither the members of the UN nor those of the OSCE have fully implemented these efforts' recommendations. For the most part, there are no compliance measures to encourage individual states to implement the agreements, although the OSCE has some institutional means to help ensure compliance with its decisions.

Parties to these efforts could show their commitment to implementation by working to develop a standardized process to classify cyber incidents and assess their severity. This would serve a number of purposes, including clarifying which cyber events are comparable in scale and effect to an armed attack and which would have relatively minor disruptive effects or are intended for espionage or criminal theft of information. The Center for International and Security Studies at Maryland (CISSM) has developed a framework for categorizing cyber incidents and their impacts. It has also defined a taxonomy for assessing the effects of cyber incidents based on the type of sector involved. These tools could be used by nation-states and regional organizations as "standard" baseline methodologies that policy-makers without deep technical training can readily understand.

Another area where NGOs and Track 1.5 dialogues could contribute is critical infrastructure protection. States have been reluctant to share information about critical infrastructure vulnerabilities for fear that such information could be exploited by others. However, focusing on transnational infrastructure, for example by identifying the types of incidents on certain trans-border infrastructure that could have widespread regional or even global consequences for civil populations, would be in the mutual interest of states. The University of Maryland's School of Public Policy is undertaking such a project to help states understand the benefits of cooperative protection efforts for such infrastructure.

A third area where further international discussion could be productive is clarifying which types of information states should be willing to share to prevent or respond to cyber attacks by criminals, terrorists, or other non-state actors. While states have recognized the need for such information sharing (a 2017 CISSM study found public domain information on 196 bilateral or multilateral information sharing agreements), the depth of actual cooperative work varies, and more work is needed to make such agreements effective. 

Now is not the time to lose heart in cooperative efforts in the cybersphere, despite the political difficulties. Individual states have the capacity to implement some of the GGE and OSCE recommendations at the national level. Regional and multilateral organizations, as well as NGOs and academics, have opportunities to flesh out the already agreed-upon norms and CBMs by identifying processes and detailed approaches to implementation challenges. Given the nature of the cybersphere, where security is only as good as the weakest link, cooperation is required to achieve improvements in security and stability.