As states discuss global cybersecurity at U.N., we must act to protect users

This week, the United Nations (U.N.) Open Ended Working Group (OEWG) on global cybersecurity held its second substantive session at the U.N. headquarters in New York. Access Now continues to follow and actively engage in OEWG meetings since the first substantive session in September last fall. We reported on the December “informal intersessional” meetings (December 2-4, 2019), where civil society, private sector, and academic stakeholders actively contributed to the discussion, rather than only states. Our discussion paper, launched in November 2019, called for states to follow our three principles to global cybersecurity policy:

  • Put users at the center of cybersecurity policy 
  • Apply systemic solutions to systemic problems such as digital security threats
  • Use open and pluralistic processes to develop cybersecurity policy

We provided further specific recommendations to OEWG participants to consider under the following clusters:

  1. Defining the objective of international cybersecurity norms
  2. Developing norms that address all objectives equally
  3. Building a secure cyberspace with humans in mind
  4. Ensuring that OEWG discussions engage with the bottom-up, internationally distributed nature of cybersecurity

We are glad to see these reflected in the strong statement last week by the Freedom Online Coalition (FOC) of 31 governments, which further explains the “human rights based approach to cybersecurity as a basis for strengthening cybersecurity, promoting stability in cyberspace, and promoting emerging technologies.” As we and an increasing number of other stakeholders have said: our rights to expression, association, privacy, and data protection are complementary to cybersecurity, not opposed to it.

This week, delegates from a range of states are referring to the FOC work as well as the excellent norms compiled by the Global Commission on the Stability of Cyberspace. The second substantive session calls on state delegates to deepen discussions from the first substantive session for the OEWG to eventually find areas of convergence and identify issues for further discussion. 

Civil society and technologists denied entrance (again) 

Similar to the September meetings – but unlike the December intersessional – civil society has limited opportunity to participate in the second substantive session. Importantly, Access Now, along with other civil society organizations, was deeply disappointed that non-ECOSOC accredited NGOs were denied access to the second substantive session. The December intersessional with industry, non-governmental organizations, and academia demonstrated the value of NGO stakeholder participation. In fact, many member states formally acknowledged how their participation enriched the discussions. Many, if not most, of those who attended the informal intersessional were not ECOSOC-accredited.

This time, 30 organizations, ranging from policy think-tanks, to technical standard-setting organizations, incident response networks, and others with a wide range of expertise, were denied access to attend this week’s meetings. Access Now nonetheless greatly appreciates the formal comments made this week by state delegates expressing concern over the denial of non-ECOSOC accredited NGOs to access the second substantive session, and the value of all NGO stakeholders to participate in this important U.N. process. 

Gender and cyberspace 

Access Now welcomes the increasing comments made by states and civil society stakeholders thus far on the gender dimensions of cybersecurity. Specifically, the importance of mainstreaming gender perspectives and women’s intersectional diversity in the OEWG report. We believe it is essential to continue to reflect on the specific vulnerabilities and threats women face. 

Access Now statement at the second substantive session 

On Thursday, Raman Jit Singh Chima, our Senior International Counsel and Asia Pacific Policy Director, intervened to deliver a formal statement during a session at the second substantial session. We maintained our position that global global cybersecurity discussions must be user-centric, systemic, and anchored in plural, democratic processes. We stressed the growing consensus and understanding between states, as we did with other stakeholders, throughout these discussions. While the development of international law on the global cybersecurity norms can have several paths, we strongly believe that we all must move forward with what we do agree upon. Simply put, we cannot afford to wait. 

Building on this, we specifically recognize that a failure to continuously build on the efforts of the previous GGEs and the deliberations of this OEWG would place even more users at risk, and increase insecurity in the technologies and online communications mechanisms that are now part of the mainstream, everyday life of so much of the world’s peoples — even as many still remain excluded by the digital divide.

We specifically raised the following: 

  1. The OEWG would benefit if its subsequent meetings and report focused on institutionalizing procedures and structures to share information and update on their national approaches to current international law governing state behavior in cyberspace, and the additional measures and voluntary commitments taken by them. 
  2. A reporting mechanism — with a potential stakeholder input process which the joint civil society statement will further expand on — would be immensely valuable.
  3. International humanitarian law applies online. The recognition of international humanitarian law does not — and should not be allowed to — justify the militarization of cyberspace and an expansion in offensive cyber operations, government hacking, and other state behavior harming international peace and fundamental freedoms. The development of guidance on how international humanitarian law applies and how it can be better enforced should be an objective for the OEWG to include in its report. 
  4. Human rights defenders greatly rely on international humanitarian law. A failure to respect and further cement the application of international humanitarian law to cyberspace and cyber operations jeopardizes the fundamental rights protected under the Universal Declaration of Human Rights, the ICCPR, and other instruments of international law.
  5. The discussions around the OEWG providing guidance regarding — and the value of states affirming their support for — the additional norms that have built on the GGE norms. In particular, those of the Global Commission for the Stability of Cyberspace, and especially the public core norm, a standard to protect against internet shutdowns and similar disruptions. In the December meeting, there was also discussion around the GGE norm concerning the protection of CERTs. There has been less discussion at this meeting, though several state delegations have notably consisted of members of national CERTs. 
  6. The OEWG report should look at the protection and promotion of the security research community as an area complementary to existing global cyber norms. Unfortunately security researchers face challenging disclosure environments, legal uncertainty and harassment, intimidation, and even detention, as we and several other organizations have noted in a joint statement in December.
  7. Governments must come together with industry and civil society to devise solutions befitting the scale of our connected world and economies. This must include transparent processes for the responsible disclosure of vulnerabilities independent security researchers discover — both to private companies as well as public entities — and it is high time we do away with laws that conflate research activity with criminal acts. The entire internet ecosystem stands to benefit if we create incentives for, rather than punish, security research. 
  8. The OEWG report should also note the importance of handling vulnerabilities responsibly. Governments should encourage private and public entities to adopt coordinated disclosure policies (and similar best practices) and consider updating legal frameworks to reflect the nuances of intention and scope against the powers given to prosecutors when dealing with security researchers. Governments should also introduce a transparent process for how they handle and disclose vulnerabilities encountered and/or used by their law enforcement and intelligence agencies.

Access Now looks forward to subsequent discussions of the OEWG and the preparation of the OEWG’s report, due later this year. We hope that space for civil society, the technical community, and other stakeholders to assist the OEWG is expanded in future sessions. Any we remind all OEWG participations to focus on building the agreements and productive discussions witnessed this week, and to take urgent steps to improve global cybersecurity and safeguard users at risk.