SETTING CYBERSPACE CONDUCT
Asean should articulate its views and contribute to how these norms are formed, writes EUGENE E.G. TAN
MEDIA reports have termed the failure to produce a consensus report on setting norms of behaviour in cyberspace as a “collapse” of the process led by an international core of experts in cybersecurity. They are known as the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunication in the context of International Security (UNGGE). Prominent thinkers lamented the group’s inability to build on the progress made in the previous rounds of the UNGGE in the governance of cyberspace: in 2012/13, agreeing that international law applies in cyberspace; and, in 2014/15, proposing a set of 11 voluntary, but non-binding norms that states should adopt as best practice.
UNGGE chair Karsten Geier insists that it was no failure. Geier said the experts at UNGGE had broad agreement on points, including capacity-building measures, confidence-building measures, raising awareness among senior decision-makers, conducting exercises, defining protocols for notifications about incidents, warnings when critical infrastructure is attacked, and preventing non-state actors from conducting cyber-attacks. The experts also agreed that there was space for further negotiation and there were options for compromise.
Geier’s comments show that for the most part, states are in agreement, but there are issues that are currently unresolvable. Some observers suggest that the political motives of Russia and China were behind the failure to reach consensus and, by extension, hindering the development of international law in cyberspace. These political motives include promoting other international norms, or testing the limits of influence.
There have also been legal objections to how international law applies in cyberspace. Statements from the American and Cuban representatives are indicative of how divergent the views are in the applicability of international law.
The American representative, Michele Markoff, expressed her dissatisfaction at some states seeking to “walk back progress” made at previous UNGGEs. She, therefore, could not support the draft report because it fell short of the mandate given to UNGGE, which was to explore how international law applied vis-à-vis cyberspace.
Cuba objected to the proposed draft on grounds that the malicious use of information and communications technology (ICT) can be considered an equivalent to armed attack, which would give states the right to selfdefence under Article 51 of the UN Charter. This, to Cuba, puts small states at a disadvantage as they do not have the capability to retaliate. Cuba also claims that subjecting ICT to the principles of International Humanitarian Law legitimises warfare in ICT.
The inability to reach consensus does not mark the end of the road for the development of norms or international law. International law often takes years, even decades, to formalise and for differences among states to be ironed out. It may well be that the common ground for agreement is exhausted for now. Attention should, therefore, be paid to other initiatives led by international organisations and nongovernment organisations, often with state backing, to promote norms and shape normative behaviour among states.
These initiatives include the “Hague Process”, which facilitated input of states into the Tallinn Manual 2.0 project. The Tallinn Manual 2.0 is a handbook on the applicability of international law in cyber operations, and was formulated by legal experts from all over the world. The Netherlands is sponsoring a global training programme and consultation process on the Hague Process, including a workshop for Asean, conducted in Singapore in August.
Other worldwide initiatives include the Global Commission on the Stability of Cyberspace (where Singapore is represented by its former police commissioner Khoo Boon Hui), the Global Conference on Cyberspace, and workshops conducted by the United Nations Institute for Disarmament Research (UNIDIR). These capacity-building initiatives are especially important to bring more states to an understanding of how internationally agreed norms can benefit them.
Norms are especially important to small states like Singapore, as norms set out their rights, including the protection of critical infrastructure from malicious attacks, non-interference in political processes and the illegality of economic espionage. When pressed for his opinion on what should states do in the wake of the UNGGE impasse, Michael Schmitt, editor of the Tallinn Manuals, strongly recommended that individual states and regional organisations like Asean should set out their own positions on norms, in order to build greater international momentum for their adoption.
To avoid being served with a fait accompli, Asean should articulate its views and contribute to how these norms are formed.
The ambiguity of China’s position on how international norms apply in cyberspace may, however, create a divergence in views among Asean states, especially those with pro-China sentiments. There is hence a delicate balance when dealing with norms that could antagonise Singapore’s Asean neighbours, especially if the republic wants to push for the adoption of the norms mooted in 2015, including using its position as Asean Chair next year to do so. Capacitybuilding and promotion of norms are thus even more important now, to persuade more states that norms in cyberspace are in the common interest of all.
Some observers suggest that the political motives of Russia and China were behind the failure to reach consensus and, by extension, hindering the development of international law in cyberspace.