While the failure of cyber security negotiations under the auspices of the UN GGE has left a large void in international regulation, recent cyber-attacks with global reach have shown that action is more urgent than ever. Reflection on standards, good practices and norms should include private sector actors, who are often the first victims of cyber-attacks. We consider that the solution to the current vacuum in multilateral cybersecurity negotiations is the creation of a flexible and inclusive body within the OECD that would act as a hub for the various initiatives while promoting close cooperation between States, the private sector and civil society in order to develop standards of responsible conduct in cyberspace.
In recent years, States have tackled the problem of cyber security by multiplying initiatives in various intergovernmental organizations, be they universal organizations (such as the United Nations or the ITU) or regional or restricted organizations such as the European Union (with, for example, the cybersecurity package announced by the EU Commission in September), the Council of Europe, the OSCE, the OECD, the African Union, the Shanghai Cooperation Organization, NATO, ASEAN, the G7 or the G20. Initiatives have also been developed in ad hoc frameworks specifically dedicated to cyber security, where an impressive number of conferences have been launched by States, such as the Global Conference on Cyberspace (GCCS), which in turn created the Global Forum on Cyber Expertise (GFCE). This is without counting academic initiatives such as the process that led to the adoption of the Tallinn Manual and the Tallinn Manual 2.0, or the creation of think tanks like the Global Commission on the Stability of Cyberspace chaired by Marina Kaljurand (formerly Estonian Foreign Minister).
The failure of the UN GGE
Among the many fora for discussion and negotiation, the most important was undoubtedly the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE). This group, consisting of representatives of 25 countries, affirmed the applicability of international law to cyberspace. Its latest report, published in 2015, focused specifically on the application of certain principles and norms of international law and proposed a series of rules of responsible behavior for States. Following this report, and in accordance with its mandate, the GGE undertook work aimed at clarifying and deepening these rules, norms and principles. A new report was eagerly awaited by the international community. Unfortunately, it was never published. While significant progress had been made on important subjects, disagreements emerged on some issues (including the right of self-defense and the applicability of international humanitarian law) and negotiations ultimately failed last summer (for conflicting views on the reasons for this failure, compare the statements by the United States and Cuba; for scholars’ comments read, for example, this, this, this and this). While some proposals have been made to “resurrect” the UN GGE in the future, there are good reasons to believe that this would be hard to achieve in the short term; and even if it became possible, a “new” GGE would be unlikely to go far (see, for example, the pessimism expressed by France on p. 36 of its just-published Strategic Cybersecurity Review).
This failure of the GGE leaves the international regulation of cyberspace without a centralized forum, at a time when the urgency to act is more pressing than ever, as evidenced in particular by the first cyber-attacks with a truly global reach, such as WannaCry and NotPetya, and by several recent studies highlighting that cybersecurity risks “are increasing exponentially” (see, for example, here, here and here).
Some have proposed the creation of a new international intergovernmental organization specialized in cyber security that could act in a centralized way. However, establishing heavy structures through the time-consuming negotiation of new constitutive treaties, which some States might in any case never ratify, is no longer the preferred option in the international arena. Nor is this any longer the era of creating new universal international organizations with important normative powers. It is therefore difficult to see how States could engage in the creation of an international intergovernmental organization specialized in this field. It is equally unclear how States could agree to transfer to such an organization important tasks in cyber security that are widely perceived as falling within the realm of “national security”, the human security of their populations and their sovereign powers.
The OECD Solution
While the need for coordination, coherence and rationalization of initiatives is evident (as is the need to strengthen confidence-building measures and technical assistance to countries lagging behind in cyber security), the solution we suggested in the conclusions of a study published several months ago was the establishment of an open, flexible and inclusive platform for multi-stakeholder negotiation. This solution is to be found within the OECD.
To understand the interest that the OECD presents, one must first recall that recent years have been marked by significant institutional changes in international governance. The creation of international organizations has often been replaced by the creation of more informal international institutions under variable names such as “forum”, “network”, “group” (the G7 and the G20 being the best known), “agency” or “committee”, which perhaps do not fit the conventional definition of a classical intergovernmental organization but which fulfill its functions with some effectiveness.
There are several advantages to these institutions, the most important of which is flexibility.
First of all, there is flexibility in terms of representation and composition. It now seems necessary to give private actors a real standing in cybersecurity discussions through a multipartite composition or, at least, through a formal mechanism for integrating the private sector, such as a “Corporate Partnership Board”. In this regard, we recall Microsoft’s proposal to create an informal body composed of the G20 and an “ICT20”, the 20 largest information and communication technology (ICT) companies. However, this interesting proposal presents some difficulties, including the fact that institutions such as the G7 or the G20 lack a permanent secretariat and expertise of their own, not to mention their problems of democratic legitimacy. Nonetheless, the idea of bringing private actors and States together in an international institution needs to be taken into consideration. Private sector participation should not be limited to the major ICT players, but should also include other important players such as insurance companies, or even representatives of SMEs. The G20 could thus give impetus to such an initiative while entrusting its technical realization to the OECD, exactly as it has done with several other ambitious projects, most recently the BEPS project.
Flexibility also exists with regard to the powers of these institutions. They often lack normative powers, but this does not prevent them from serving as fora for discussion and negotiation or from taking initiatives such as the adoption of codes of conduct or even “hard law” instruments.
The experience of the OECD therefore seems particularly interesting. Although the OECD is an international intergovernmental organization of the classical type, it comprises flexible and autonomous institutions that manage different fields and issues of international co-operation: for example, the International Transport Forum in the field of transport, the Financial Action Task Force (FATF) in the field of finance, or the Global Forum on Transparency and Exchange of Information for Tax Purposes. These institutions, and others, operate effectively and have significant regulatory capacity, though often more through soft law than hard law. They are administratively integrated within the OECD, which lends them, inter alia, its legal personality, while remaining entirely autonomous on the merits. The 35 OECD Member States are the driving force behind these institutions, but other countries also participate on an equal footing, including China, Russia, India, Brazil, South Africa and others. Some of them also include “Corporate Partnership Boards”, thus allowing the involvement of major private sector players. The OECD also has experience in engaging civil society through organs such as the Civil Society Information Society Advisory Council (CSISAC).
Our proposal was thus to establish within the OECD an “International Forum for Digital Security” which would act as a hub and coordination point for the various initiatives while allowing States, the private sector and civil society to work closely together on developing standards of responsible conduct in cyberspace. The OECD is well suited to the “multi-stakeholder” approach that is essential if digital security for economic and social prosperity is to be promoted effectively.
The OECD has real legitimacy in the field of cyber security, in which it has already played a pioneering role. It started working on digital security in the early 1990s and was the first international organization to adopt Guidelines for the Security of Information Systems. In 1996 the OECD created the SPDE (Working Party on Security and Privacy in the Digital Economy), which has worked on several important issues including national digital security strategies, digital security and resilience in critical infrastructures and essential services, malware, cryptography policy and statistical measurement. The dramatic increase in cyber-attacks and their global reach; their impressive cost, which according to some estimates could reach $6 trillion by 2021; and the fact that cyber-attacks have become, according to the most recent reports, the top “external risk factor” for business, all point to the OECD as an almost natural forum for promoting standards of cyber-hygiene, cyber-resilience or cyber-diligence.
On the diplomatic front, negotiations could perhaps be less difficult than within the United Nations. Given its mission and nature, the OECD should not focus on sovereign issues such as self-defense or the law of armed conflict, which crystallize opposition between States. The forum set up within the OECD could instead approach cyber security issues from a more economic and social angle, while cooperating closely with organizations working in other fields such as standards (ISO/IEC, IETF, etc.), international security (UN, OSCE, etc.) or the fight against cybercrime (Council of Europe, UNODC, etc.). Its mission could thus be to promote responsible behavior by States and the private sector by developing good practices, codes of conduct, confidence-building measures, and notification and cooperation protocols, but also by encouraging the emergence of legal instruments and control mechanisms.