From Multilateral to Multistakeholder? New Developments in UN Processes on Cybersecurity

François Delerue is a research fellow at the Institut de Recherche stratégique de l’École militaire (IRSEM) and adjunct lecturer at Sciences Po Paris. You can follow him @francoisdelerue.

Elaine Korzak is a visiting professor at the Middlebury Institute of International Studies at Monterey (MIIS) and affiliate at the Center for International Security and Cooperation (CISAC), Stanford University. She attended the Intersessional Meeting as Senior Advisor to the ICT4Peace Foundation. 

From December 2-4, 2019, the United Nations hosted the first intersessional consultation session between UN member states and non-governmental actors interested in peace and security in cyberspace. The meeting represented a novelty both in terms of the United Nations’ modus operandi and the international cybersecurity debate. The high level of interest and participation by non-governmental participants illustrated the increasing pressure to open the UN debate to multistakeholder participation.

Background: What is the Intersessional Meeting and Where Does it Come From?

The consultative session encapsulates important changes that have been underway in multilateral cyber diplomacy. Particularly after the collapse of the 2016/2017 Group of Governmental Experts (GGE), the established routine of discussions in the First Committee of the General Assembly had come under increasing pressure, resulting in the creation of two parallel processes under the auspices of the United Nations in 2018: another Group of Governmental Experts (GGE) and an Open-Ended Working Group (OEWG). The intersessional consultative meeting is a part of the OEWG process.

Until 2018, discussions in the United Nations were advanced through the formation of five successive Groups of Governmental Experts (GGEs). While several GGEs have made considerable progress with their reports, most notably in 2013 and 2015, the GGE format has been increasingly criticized for its exclusionary approach. Since the groups have comprised fifteen to twenty-five members so far, the vast majority of UN member states find themselves shut out of in-depth discussions on issues that have swiftly become a major economic and security concern for states around the world.

Furthermore, GGE discussions, along with the broader debate in the United Nations, have been inaccessible for a variety of non-state actors, including civil society, academia, industry and the technical community. At the same time, the non-governmental sector has produced a number of policy initiatives in recent years, including Microsoft’s Tech Accord, Siemens’ Charter of Trust, and the Global Commission on the Stability of Cyberspace. As a result, frustration with the state-centric, GGE-focused format of discussions in the United Nations has been growing.

Capitalizing on this sentiment, the Russian Federation proposed the creation of an Open-Ended Working Group in 2018. While the OEWG opens up discussions to any interested member state of the United Nations, the authorizing resolution also provided for the possibility to hold “intersessional consultative meetings with the interested parties, namely business, non-governmental organizations and academia, to share views on the issues within the group’s mandate.”

The December gathering, chaired by Singapore, presented the first and only such consultative meeting in the OEWG discussions. In contrast, the resolution creating the parallel GGE process does not include provisions for multistakeholder engagement. The novelty of the intersessional multistakeholder meeting was matched by its success: 113 non-state organizations registered to take part, including private companies, NGOs, and universities from all regions of the world.

Substance: What Was Discussed at the Intersessional Meeting?

Conference Room 1 of the UN Headquarters in New York was full during the three-day meeting, with non-governmental entities and UN member states in attendance. The discussion broadly followed the thematic areas under consideration by the OEWG and explored how non-governmental stakeholders could contribute to these topics:

1.  Cyber threat landscape: Existing and emerging cyber threats: A view from Industry and Academia;
2.  Rules, laws and norms: Creating a cyber space based on rules, laws and norms: How can stakeholders support Governments;
3.  Rules, laws and norms: Stakeholders’ commitments to rules, norms and principles: Tech Accord, Charter of Trust, Global Transparency Initiative, Paris Call and beyond;
4.  Confidence building measures and capacity building: Confidence-building between States and between States and the Private Sector;
5.  Confidence building measures and capacity building: Engaging all stakeholders to enhance capacity-building efforts; and
6.  Conclusion: Ways forward on a multi-stakeholder approach.

Substantive contributions were made by non-governmental stakeholders as well as UN members, allowing for at times interesting discussions between the participants. However, most of the time, the discussions were characterized by non-governmental stakeholders articulating their perspectives.

Unsurprisingly, international law, norms, and capacity building were important dimensions of the discussion. On international law and norms, discussions converged around two issues. First was the opportunity to adopt a new binding international legal instrument. Second was how to implement what is already in place, namely the set of norms for responsible state behavior articulated in the 2015 GGE report. Interestingly, contributions did not focus on the actual content of international law obligations, and the Tallinn Manual was mentioned only incidentally.

What’s Next?

With the conclusion of the first multistakeholder consultative meeting, important questions emerge regarding its impact. First, it remains to be seen how the discussions will be reflected in the report of the session’s Chair, David Koh, head of the Cybersecurity Agency of Singapore. Second, it is unclear how these discussions and their outcomes will feed into the work of the OEWG, which will hold its second substantive session in February 2020 and is due to deliver its report by summer 2020. In other words, how will December’s discussions influence the intergovernmental negotiations in the United Nations? Lastly, in light of the high level of interest and quality of substantive contributions by non-governmental participants, the question of regular multistakeholder participation promises to become a pressing issue for states. Institutionalized multistakeholder participation in the international cybersecurity debate might be a genie that will be hard to put back into the bottle.