Global Rules in Cyberspace

Pursuant to the United Nations General Assembly resolution, a Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE), bringing together experts from 20 nations including the US, Russia and China, presented its report to the UN Secretary General.

The Secretary General will in turn present it to the General Assembly. The report is seen as an important part of creating international legal infrastructure for information security.

It is hard to overestimate the importance of information security. For most modern industries, information technology is a crucially important enabler and its disruption may lead to disastrous consequences. There is extensive scholarly and industry research demonstrating, for example, that a large-scale cyber attack against the US energy system can cause USD 1 trillion in damage, while even minor attacks can decelerate technological development and have a cumulative negative economic impact of up to USD 3 trillion over the next five years. It goes without saying what could happen if a cyber attack were staged against a passenger airplane or, for example, a nuclear facility.

For that reason, in recent years, information security has increasingly become an interdisciplinary field bringing together not just technical and legal experts but also business leaders and public officials. Cyber security is booming. Three years ago the World Economic Forum launched a Partnership for Cyber Resilience initiative aimed at fostering the exchange of best practices and a collaboration framework for government and the private sector in information security. There is a growing demand for information security knowledge and skills. According to the Coursalytics executive education selection service, there are at least a dozen courses on the topic for business and public sector executives at top schools including Harvard, Oxford, MIT, Carnegie Mellon, Georgetown, Dartmouth and Brown. However, there is still no universal international legal framework to embrace information security.

Russia has long been working on information security in the United Nations and it sponsored the first UN resolution on the matter, adopted by the General Assembly without a vote in 1999. Despite significant progress achieved on the matter since then, there is still no universal international approach towards information security.

In order to reach understanding, countries need extensive dialogue to get a shared view on the issues discussed. The very term information security and what it embraces is still understood differently. Russia’s current information security doctrine was approved in 2000; it includes protecting information technology infrastructure and lists deteriorating museums and libraries as an “information security threat in the spiritual domain”. The new doctrine is currently being developed and its exact wording is yet to be seen, but there are reasons to expect a certain continuity, as Russia has focused on similar aspects of information security in more recent documents. For example, Russia included similar concerns in a recent bilateral agreement with China on international security cooperation. Involvement in internal affairs, destabilizing the political and social situation, as well as the spread of information that damages the stability of other countries’ political, socioeconomic, cultural and spiritual systems are all listed there as information security threats. That is of course a relatively broad definition of information security.

Another issue that may still be understood differently is what constitutes, for example, an attack and what nations should and should not do in responding to it. As one of the trendsetters in the field, the US took an approach that Russia and China considered an overstretch: if a cyber attack can cause as much loss of life and other damage as an armed attack, how is it different from an armed attack? The next question this raises is what kind of response it should get. In 2011, the US issued an International Strategy for Cyber Security, stating that, among other things, military means can be used in response to an armed attack. According to Elena Chernenko, the US tried to include a provision on enacting Article 51 of the UN Charter (the right of self-defense in case of an armed attack) in the report, but the wording was softened in the discussion to say that all UN Charter provisions are applicable to cyberspace.

The report suggests avoiding using ICT as a means of war and also criticizes ungrounded accusations by states against each other.

A new joint GGE report is yet another step towards a comprehensive international treaty in the field of information security. We are probably still very far from reaching an agreement on an actual convention, but continuing the dialogue between key actors in the field despite numerous disagreements over other policy issues is the only way to move forward.

Views expressed are of individual Members and Contributors, rather than the Club's, unless explicitly stated otherwise.