The creation of a Programme of Action for advancing responsible state behaviour in cyberspace offers a path forward for the elaboration, implementation and monitoring of a framework of responsible state behaviour. It constitutes an interesting evolution and opportunity, borrowing from the advantages of both the GGE and the OEWG without taking on their historical legacies.
On 1 October 2020, 40 states and the European Union proposed the creation of a Programme of Action for advancing responsible state behaviour in cyberspace. A few days before the official announcement, Henri Verdier, the French ambassador for digital affairs, presented the initiative during the United Nations Institute for Disarmament Research (UNIDIR)’s 2020 Cyber Stability Conference: Exploring the Future of Institutional Dialogue. France is spearheading the new initiative as a possible evolution of current UN-led discussions on the matter. In addition to signalling France’s willingness to be a leader in the cyber domain – following the Paris Call for Trust and Security in 2018 – the new initiative represents a departure from current approaches (i.e. the existing UN Group of Governmental Experts or UNGGE and Open-ended Working Group or OEWG).
What is a Programme of Action?
In international politics, a Programme of Action (PoA) is usually the outcome document of an inter-governmental conference. It is not a legally binding instrument, but it is considered as politically binding. It signals participating states’ intent to work on a global issue in an inclusive and thorough manner. There are currently seven Programmes (or Plans) of Action: on disabled persons, illicit trade in small arms and light weapons, racism, ageing, the least developed countries, prohibition of incitement to violence and hate speech.
Usually, a Programme of Action comprises two sets of provisions: objectives and recommendations and rules for monitoring their implementation. There is no strict working method, and each Programme of Action establishes its own rules. Nonetheless, they generally tend to be organised in two types of meetings: working-level and review conferences. The former are regular technical meetings focused primarily on implementation and secondarily on new ideas. Review conferences are then usually held every five years to evaluate the efficiency of the Programme of Action and decide if any additional commitments are needed. Such recommendations can then be directly incorporated into the outcome document or lead to a recommendation that the UN General Assembly establishes a new process (i.e. a group of governmental experts or an ad hoc group) to elaborate a specific document. Consultations with other stakeholders and regional organisations can also occur alongside these meetings.
Potential Added Value
Having both an OEWG and a GGE focused on cyber has proven to be time consuming and, as for now, has not demonstrated full complementarity. As the Food for Thoughts (FFT) paper highlights, although both processes have their own merits, they “create redundancies and, at times, can be counter-productive”. It is also no secret that both are the result of strategic competition between Russia and the United States. Under these circumstances, diplomatic efforts to see one process succeed over the other are likely to lead both to fail. Likewise, there is little chance that only one of the two processes will be re-established. Putting in place the Programme of Action on cyber issues is a third option – one that can create a more open and inclusive negotiation process without falling into the trap of the existing duopoly.
The Programme of Action promises certain advantages. First, it offers a process that is inclusive and open to all UN member states, unlike the UNGGE. While the OEWG is more inclusive, it is slower to deliver substantial results, notably due to the diversity of capacities and maturities among the participating states. A PoA, by contrast, allows for concrete discussions and progress within working groups devoted to specific issues. In that sense, a PoA on Cyber could actually combine the best of two words.
Another advantage of the PoA is the possibility of dissociating different subjects. Two GGEs have failed partly due to lack of progress on international law, even though consensus was achieved on other subjects. Dissociating different subjects under different priorities of the new Programme of Action would make it so that a lack of consensus on one issue can’t jeopardise the entirety of the negotiations.
Finally, a Programme of Action has no ending date: the process does not end simply because the participating states fail to reach a consensus during the review conference or over the final outcome document. This relieves pressures associated with the GGE and OEWG and alleviates the risk of failures, which send the wrong message to the international community. The absence of an ending date also ensures that the debate about cyber stability continues within the United Nations.
Creation and Function of a PoA
The creation of a PoA on Cyber could be recommended by the GGE and the OEWG final reports, as proposed by the FFT Paper. However, they could also decide to start drafting the PoA now. Should the idea of the PoA be picked up, it will be very likely discussed during the next UN General Assembly, which could either adopt the PoA (if it has been drafted by then) or call for the organisation of a specific conference to discuss and adopt the PoA.
The FFT Paper offers some details on the potential functioning of this new process. It states that review conferences would “make sure that the PoA is still fully adapted to needs and threats in a rapidly evolving technological landscape” and that they “could consider if additional norms could be developed over time”. Thus, the proposal does not close the door to the elaboration of new norms or to confidence-building measures to implement these norms. And because it is silent on the issue, it could also leave room for the elaboration, in the future, of a treaty. In that sense, the proposal may receive support from states that have called for a treaty in the past.
On the mandate and functioning of the working-level meetings, the FFT Paper states that the working-level meetings would take place once a year and would focus on implementation. It is not established whether the discussion of new ideas and even the adoption of new proposals would fall within the mandate of such meetings. It is important that this mandate is clarified before the creation of the PoA; this will help to avoid future disagreements, such as the one that occurred during the first biennial conference of the PoA on the Illicit Trade in Small Arms and Light Weapons.
An important question for both the working-level meetings and review conferences is whether and how non-state actors would be involved. The FFT Paper states the sponsors’ intent “to maintain regular institutional dialogue with broad participation under the auspices of the United Nations”. On one hand, it recognises the primary right and responsibility of states to decide on such issues and rules out the possibility of some kind of multi-stakeholder negotiation process. This could be perceived as reassurance for states that oppose such negotiation processes and are attached to the role of the United Nations. On the other hand, it insists on the importance of multi-stakeholder engagement, stating that a PoA would create opportunities to “organize consultations with other stakeholders (private companies, NGOs, civil society…) and regional organizations, representatives of other UN processes, and relevant multi-stakeholder initiatives dealing with cyber-related issue in the context of international security”. Recognising the role of the private sector, civil society and academia, it thus looks to secure their participation in the discussion through dedicated consultations. However, it remains silent on how this engagement would proceed, simply mentioning “consultations”. This leaves room for disagreements, especially about the nature of the consultations: would they be informal or should non-state actors play a more active role in the implementation and review of the PoA?
Finally, since it is an ad doc mechanism, the parties benefit from an important level of freedom in designing the structure and function of the PoA. Of course, that raises important institutional questions, such as whether the PoA should have a permanent secretariat, who it should be (e.g., the UN Office for Disarmament Affairs – UNODA -, UNIDIR or another UN body).
Content of the PoA
The proposed PoA on Cyber has the aim of advancing responsible state behaviour in cyberspace by building “upon the acquis”. In that sense, it represents a continuation of existing processes. The temptation to reinvent the wheel should be avoided at all costs. Indeed, three consensus reports adopted by the 2010, 2013 and 2015 GGEs have been endorsed by the UNGA in resolutions 65/41, 68/243 and 70/237, and several UNGA resolutions on the “creation of a global culture of cybersecurity” and on human rights online have been adopted. These reports and resolutions contain recommendations related to norms of responsible behaviour, confidence-building measures and capacity-building measures. They also recognise the applicability of international law in cyberspace. These recommendations, as well as those adopted by the OEWG and the sixth GGE, could, as recommended by the FFT Paper, constitute the first part of the PoA.
The second part of a PoA is usually dedicated to monitoring the implementation of and reviewing the PoA. According to many states, what is at stake today is the implementation of the previously-agreed-upon recommendations. Monitoring this implementation is fundamental for three reasons. First, it is necessary for identifying what capacity-building programmes are needed to help states to implement the recommendations. Second, monitoring existing recommendations helps to identify best practices, thus strengthening the security and stability of cyberspace. Finally, monitoring strengthens the obligatory nature of the recommendations, thus reinforcing the global framework of state responsible behaviour.
Such a monitoring mechanism could, admittedly, also be created by the GGE or the OEWG, even without the creation of a PoA. Notably, they could build on the joint Mexico-Australia proposal of a National Survey of Implementation of UNGA resolution 70/237. However, neither the GGE nor the OEWG appear well-suited to organise this monitoring and act accordingly. While the collection and analysis of national reports would probably be conducted in a similar manner (with reports being collected by the UN Secretary General and analysed by the United Nations Office for Disarmament Affairs (UNODA) or UNIDIR), a PoA would ensure continuous discussion as well.
The creation of a PoA on Cyber offers a path forward for the elaboration, implementation and monitoring of a framework of responsible state behaviour. It would constitute an interesting evolution and opportunity, borrowing from the advantages of both the GGE and the OEWG without taking on their historical legacies.
However, despite significant support from UN member states, leading cyber powers such as China, Russia and the United States have not sponsored the initiative. This makes the success of the proposed PoA both more challenging and higher-risk; these countries have been the driving forces at the UN on these matters for the past two decades.
Three observations must be made: First, it is not the PoA that is at stake here but a proposal to initiate the discussion about creating a PoA. Second, the fact that they didn’t sponsor this initiative doesn’t mean the cyber powers are opposed to it or will refuse to take an active part in the creation of the PoA. Their lack of support for the FFT Paper may stem from other factors, such a the desire to see a more concrete proposal before engaging. Third, having none of them on board may help avoid polarisation during the debate on the proposal.
While most of its sponsors may be European states (illustrating the unity of the European Union on this matter), countries from all over the world are sponsoring the initiative, raising hopes for the success of the proposal. A few months from the ends of the OEWG and GGE, it is now up to the states to collectively advance towards a more efficient diplomatic process to ensure the security and stability of cyberspace.
 The countries proposing the creation of a Programme of Action are France, Egypt, Ecuador, Gabon, Japan, Norway, Salvador, Singapore, the Republic of Korea, the Republic of Moldova, the United Kingdom, Austria, Belgium, Bulgaria, Croatia, the Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Colombia, the Republic of North Macedonia, Georgia.
About the Author
Aude Géry is a post-doctoral researcher at GEODE, a multisciplinary research and teaching center on the geopolitics of the datasphere. Her PhD was on international law and the counter-proliferation of cyberweapons. She works on the international regulation of information and communication technologies both from a legal and geopolitical aspect. Her work includes the study of States' legal strategies, international negotiations and international cooperation on these issues.