The pandemic, UN cyber negotiations and international law and norms

Bright winter sunlight flooded the non-descript conference room in the Palais des Nations, as delegates of the UN Group of Governmental Experts (GGE) on cyber took their seats. It was February 2020, and the 2-year multilateral process was still in its early days, with negotiations scheduled over the course of the next 18 months. While delegations did not then know it, COVID-19 would from that moment fundamentally alter the form and substance of negotiations. For many delegates it would be the last time they would meet face-to-face. And they would soon be discussing a new type of cyber threat, born out of the pandemic; one they would not have contemplated on that cold Geneva morning.  

Notwithstanding these challenges, as well as an uptick in geopolitical tensions over the period, in 2021 the GGE (with its 25 experts appointed by States) and the parallel UN Open Ended Working Group (OEWG) (with diplomats from all UN members) both adopted landmark, consensus reports on responsible State behaviour in cyberspace (see here for GGE and here for OEWG). For the first time since 2015, States were able to agree on vital but contentious issues, including existing and emerging cyber threats to international peace and security, and the application of international law and non-binding norms to States’ use of ICTs (see here for an overview of the GGE and OEWG).

This post will examine how the pandemic influenced both the form and substance of negotiations and outcomes in the GGE and OEWG. The first part explores the impact on negotiations of the move from in-person to virtual and hybrid meetings. It is hoped this will contribute to, and inform, wider debates on the future of virtual diplomacy (see, e.g., here and here). The second part will look at how a new generation of malicious cyber operations targeting healthcare in the pandemic shifted the debate and informed outcomes on norms and international law.

The insights shared here were gained while serving as legal adviser on Australia’s delegations to the GGE and OEWG. But the views offered are my own and do not necessarily reflect the views of the Australian Government.

The shift to virtual diplomacy

Following the GGE meeting in Geneva, every subsequent formal and informal session of the GGE and OEWG was virtual. While the final meeting of the OEWG (in March 2021) adopted a hybrid format – allowing both in-person and virtual attendance – participants overwhelmingly opted to participate virtually.

Without the virtual meetings, it is unlikely the Groups would have been able to complete their respective mandates. Representatives could not have had a substantive exchange of positions and it would have been next to impossible for the Groups’ Chairs and support teams to have drafted reports capable of garnering consensus.

Equally, it is unlikely consensus could have been reached without some in-person participation during the final meetings. In both the GGE and OEWG, as in other multilateral negotiations, small groups of diplomats negotiating in-person, outside the formal meeting, were instrumental to reaching consensus. Representatives were able to agitate for not only their own States’ positions, but also for those of much larger coalitions of similarly minded countries, with whom they were in regular contact. These representatives’ ability to find consensus relied upon an environment and dynamics that, at least with current technology, would have been difficult to re-create virtually: privacy and confidentiality, allowing for candid exchanges and compromises, as well as relationships of trust and mutual understanding, built-up through repeated personal interactions. And so ultimately, it was a mixture of new and old forms of diplomacy – each critical in their own way – that allowed common positions to coalesce and the reports to be agreed.

The Chairs of both Groups took advantage of virtual platforms to hold informal inter-sessional meetings to progress discussions. These meetings minimised costs and lead-times that would have been associated with travel, and the Chairs used them flexibly, calibrating their frequency, duration and agendas based on how negotiations were tracking. This approach afforded the opportunity for more exchanges in both Groups than had been envisaged pre-COVID.

Nevertheless, the ease of holding virtual meetings should be balanced against the risk of them becoming ineffective. In all diplomatic negotiations, there comes a time when discussions need to pivot from an exchange of individual positions to an attempt to find common ground in relation to specific text. Those participating in virtual negotiations should be mindful of when that format makes it difficult to transition beyond circular rehearsals of national positions. 

A further potential disadvantage of virtual multilateral meetings is that they inevitably take place in the middle of the night for some States; in the GGE and OEWG, this was disproportionately the case for Asia-Pacific diplomats. The impact this can have on delegations’ effectiveness should not be underestimated and it would not be surprising if equitable timing of multilateral meetings is an issue that gains increasing attention in coming years.

The focus on malicious cyber activity targeting healthcare

Diplomacy has been far from the only enterprise to rely heavily on digital technologies during the pandemic. As the OEWG report observed ‘[t]he current global health crisis has underscored the fundamental benefits of ICTs and our reliance upon them’ including in respect of provision of government services, accelerating scientific research and ensuring continuity in education (para. 4). Yet the flipside of increased dependency cyberspace has been the heightened risk of malicious activities that interfere with the ICTs on which services or infrastructure rely. Over the course of 2020, it was reported that extensive malicious cyber activities were directed against the healthcare sector (including hospitals and medical companies) with direct impacts on patient care. The World Health Organisation was reportedly targeted. It was also reported that actors conducted cyber operations to steal COVID vaccine research and to interfere with vaccine development, production and rollout.  

Against this backdrop, ICT threats to the healthcare sector became a significant feature of discussions in the GGE and OEWG, with both reports recognising, in identical language, that ‘the COVID-19 pandemic has demonstrated the risks and consequences of malicious activities that seek to exploit vulnerabilities in times when societies are under enormous strain’ (OEWG, para. 4; GGE, para. 10).

Two main consequences emerged from the Groups’ consideration of these issues. The first was acknowledgement that malicious cyber activities against the healthcare sector constituted a threat to international peace and security. This is significant in that it confirms the issue’s place within the UN Charter peace and security framework, including under the mandate of the UN Security Council.

The second was that medical services and facilities were recognised as a category of ‘critical infrastructure’ (OWEG, para. 26; GGE, para. 45) and accordingly protected by the norms of responsible State behaviour in cyberspace. The norms, agreed in 2015, are not legally binding. However, they do represent internationally agreed standards which complement, and in some respects reinforce, international law (OEWG, para. 25). Relevantly, norm 13(f) provides that:

‘A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public’.

Norm 13(g) requires States to ‘take appropriate measures to protect their critical infrastructure from ICT threats’.

The international law sections of both the GGE and OEWG reports are limited to the applicable rules rather than to specific types of cyber activities or effects which could be unlawful. The reports are thus silent on whether and when cyber operations against healthcare could violate international law. States therefore stopped short of accepting the legal conclusions in the May 2020 Call to All Governments: Work Together Now to Stop Cyberattacks on the Healthcare Sector (which stated that ‘cyber operations against health care facilities are unlawful and unacceptable’) or the Oxford Statements on International Law Protections in Cyberspace. The first Oxford Statement specified that ‘international law prohibits cyber operations by States that have serious adverse consequences for essential medical services in other States’. The second statement clarified that the medical services and facilities protected by international law include the ‘research, trial, manufacture, and distribution of a COVID-19 vaccine’.

Even though neither Group agreed on specific international law protections for healthcare, a compendium of national positions on the application of international law was annexed to the GGE’s report. The annex contains detailed positions of 15 of the Group’s members and cumulatively represents a significant contribution to the clarification of international law in cyberspace, including cyber activities impacting healthcare. The US position provides, for instance:

‘…a cyber operation that attempts to interfere coercively with a State’s ability to protect the health of its population–for example, through vaccine research or running cyber-controlled ventilators within its territories during a pandemic–could be considered a violation of the rule of non-intervention.’ (p. 140)

The GGE consensus report also broke new ground in at least two areas that could be relevant to the legality of cyber operations against the health sector. The first was a clear articulation of the prohibited intervention rule to cyberspace: ‘In accordance with the principle of non-intervention, States must not intervene directly in the internal affairs of another State, including by means of ICTs’ (GGE, para. 73(c)).

The second development was explicit recognition of the application of international humanitarian law to cyber activities in armed conflict (GGE, para. 71(f)). As Michael Schmitt has recently written, the 2015 GGE report had noted the application of the principles of humanity, necessity, proportionality, and distinction, which ‘could only be interpreted as confirming IHL’s applicability to cyber operations’. Nevertheless, Schmitt wrote that several countries objected to the inclusion of the term ‘international humanitarian law’ in the 2016-17 GGE which was, he said, one of the reasons that GGE failed to agree a report. In this context, the 2021 GGE’s conclusion was no small achievement. It is significant in light of the trend of cyber operations against the healthcare sector because it confirms that IHL protections for medical services and facilities apply in respect of cyber activities during an armed conflict (see an explanation of this by ICRC legal advisers here).

Final reflections

The COVID-19 pandemic had a strong influence on UN cyber discussions. Yet while the innovation and dynamism displayed by these UN groupings should be credited, there remains much room for progress on both the form and substance points addressed in this post. On substance, in particular, States need to continue to work towards agreeing, with greater precision, how particular rules of international law apply in respect of activities in cyberspace. The welcome increase of States publicising national positions on these questions in the past two years – including through the GGE annex – could lead to more areas of common ground being identified and agreed in future UN cyber discussions.

It is difficult to predict the extent to which technology – including virtual meeting spaces – will inform the future conduct of diplomacy. Through multilateral negotiations during the pandemic – including the GGE and OEWG – diplomats have witnessed how technology can be a force multiplier for their trade, and complement traditional, in-person meetings. However, the medium dampens social interaction and interferes with our ability to pick up on social cues. As a result, it makes it more difficult to communicate and build relationships, which are the core building blocks for any diplomatic outcome. Moreover, virtual platforms cannot yet offer a trusted substitute for the confidential conversations that take place “in the margins” of multilateral meetings, which are often where key compromises are brokered. For these reasons, predictions of the end of in-person diplomatic meetings seem, at best, premature.

The views expressed in this blog are solely my own and do not necessarily reflect the views of any institution with which I am or have been affiliated.