Strengthening global capacities to address the challenges in the field of cyber diplomacy has lately attracted the attention of the cyber capacity building community. Even though the scope and size of such projects remains underreported, the number of institutions and organisations funding, implementing and receiving support for such projects is growing. But how can we ensure that the burgeoning field of cyber capacity building develops on sound methodological and conceptual foundations?
Capacity building in and for cyber diplomacy
Capacity building in cyber diplomacy has evolved over the past decade. The concept of cyber capacity building in the context of international security was first introduced in the report of the UN Group of Governmental Experts (GGE) in 2010 as a mechanism to ensure global ICT security, enhance the security of critical national information infrastructure, and bridge the divide in ICT security. Consequently, capacity building became a vital pillar of cyber diplomacy with concretely defined goals such as strengthening national legal frameworks, creating and strengthening accident response capabilities, training, and awareness raising.
However, with growing geopolitical tensions, the use of cyber capacity building as a mechanism for pursuing political interests – rather than purely developmental goals – has become increasingly apparent. The instrumentalisation of cyber capacity building has followed. Capacity building was a cornerstone of the 2017 Russia-led resolution establishing the Open-ended Working Group (OEWG). An absentee in the international cyber capacity building community, it can be argued that Russia’s interest in pursuing this avenue laid not in strengthening the developmental dimension of the discussions in the First Committee, but rather in broadening the support base for its agenda among the developing countries.
The growing complexity of the debates and policy processes concerning cyberspace as well as the multiplication of venues in which these debates occurred – including within the United Nations system – have brought to the fore the need to close the gap in the capacities for conducting cyber diplomacy. Two streams of capacity building actions became particularly important: one stream aimed at building up the human and institutional capacities among the stakeholders to enable their engagement in cyber diplomacy (capacity to engage) and the other aimed at supporting the implementation of the commitments in the UN framework through adequate national and regional regulatory, institutional, and human capacities (capacity to implement).
During the OEWG discussions, it became clear that certain countries simply do not have sufficient capacities or resources to engage meaningfully in cyber diplomacy debates. This exacerbated the risk that limited participation or even absence of certain countries and regions in these processes may be used to question the universality and legitimacy of their outcomes. As a result, the first wave of cyber diplomacy capacity building projects focused on strengthening the capacity to engage in cyber diplomacy through building knowledge, raising awareness and facilitating participation in the UN meetings. Noteworthy examples include the Women in Cyber Fellowship funded by the governments of Australia, Canada, the United Kingdom and the United States and the EU Engagement Support Programme in 2019 to support participation of countries from the Global South in the OEWG sessions. At the same time, several training courses were designed with a specific focus on cyber diplomacy or one of its dimensions, including the UNODA’s training course on cyber diplomacy. Similarly, in the context of the negotiations for a new treaty on cybercrime and the work conducted at the UN Ad Hoc Committee, Chatham House developed an online training programme for civil society to ensure more inclusive policymaking in this domain.
At the same time, delivering on the commitments made in the OEWG and GGE processes calls for enhanced efforts to address basic capacity needs (e.g. establishing a CERT in order to promote cooperation among CERTs) and to develop new capacities specific to the field of cyber diplomacy (e.g. strengthening the understanding of international law). Consequently, the second wave of cyber diplomacy capacity building projects focuses on capacities to implement norms or confidence-building measures in order to assist governments in meeting their international commitments. As an example, in March 2022 the Australian Strategic Policy Institute produced a report entitled “The UN norms of responsible state behaviour in cyberspace. Guidance on implementation for Member States of ASEAN”.
Strategies for meaningful cyber diplomacy actions
Many cyber diplomacy capacity building efforts to date have taken the form of ad hoc initiatives rather than properly designed actions undertaken as part of a broader engagement between donors and partner countries. This raises legitimate concerns about the impact of such initiatives on funding in other priority areas closely connected to the Sustainable Development Goals such as closing the digital divide and traditional cybersecurity projects focused on building CERTs, developing strategies, or regulatory adaptation. In approaching cyber diplomacy capacity building, governments can choose among three possible strategies: blending, bridging or consolidating.
The first approach focuses on strengthening the capacity to engage internationally and meet commitments by including cyber diplomacy objectives as an element in the design and implementation of broader cyber capacity building actions. This means embedding cyber diplomacy within other pillars of cyber capacity building at different levels (e.g. individual and organizational) and across all layers of capacity building (i.e. vision and policies, laws and regulation, institutions and resources, partnerships and cooperation). The biggest advantage of this approach is the focus on sustainability and ownership. For example, norms and principles concerning the protection of critical infrastructure articulated in the UN framework of responsible state behaviour can be addressed in the development of national security strategies or incident management pillars. That way, they ideally become part of a larger whole-of-government and whole-of-society effort that ensures buy-in of a larger stakeholder community. In a similar vein, cyber capacity building efforts focused on developing laws and regulation can translate concrete commitments made at the international level into national legislation or regional instruments turning the voluntary commitments into legally enforceable provisions. Finally, initiatives aimed at strengthening individual capacities through trainings can expands their scope to include elements of cyber diplomacy.
An alternative approach is to focus primarily on strengthening capacity to engage internationally and meet commitments by including cyber diplomacy objectives as an element of existing projects. This means embedding cyber diplomacy within projects with objectives linked to one or more specific pillars of cyber capacity building (i.e. national strategic framework, incident management, criminal justice, and cyber hygiene and awareness). This approach is different from blending in that cyber diplomacy is not included in the design of projects from the beginning but is incorporated at a later stage. For instance, projects focused on strengthening capacities to fight cybercrime or boost cyber resilience may incorporate certain aspects of cyber diplomacy in their activities with the aim to raise awareness, create a suitable external environment for cyber diplomacy projects, including by strengthening commitment to the application of the existing international law in cyberspace. In practice, this means that EU funded projects such as the GLACY+, Cyber4Dev, CyberSouth, CyberEast, iPROCEEDS2, or OCWAR-C could support cyber diplomacy objectives. While such approach may allow for quick gains and respond to urgent needs, it also has certain disadvantages when it comes to monitoring of the results or other risks linked to the delivery of the core objectives of the projects that are asked to integrate cyber diplomacy on board. This approach requires from donors, implementors and partner countries a clear recognition that such approach does not guarantee lasting results but also raises questions with regards to transparency and accountability for the outcomes.
The final possible approach is to treat cyber diplomacy as a distinct pillar of cyber capacity building aimed at strengthening governments’ capacities to engage and shape international cyber diplomacy policies, as well as implement international commitments focused on application of the existing international law in cyberspace or implementation of norms and confidence-building measures. To date, such projects have been funded and coordinated primarily by the ministries of foreign affairs with expertise in cyber diplomacy. For instance, Ministries of Foreign Affairs in The Netherlands and Australia have provided funding for training courses devoted specifically to international law. To further professionalise debates about the application of international law, several donors have also supported development of an interactive toolkit. However, this also means that in the absence of engagement from the agencies specialised in development, some of the basic principles and methods developed over decades are not necessarily followed. The EU Cyber Diplomacy Initiative – EU Cyber Direct is another example of initiative that approaches cyber diplomacy as a separate pillar of capacity building, although the objectives of the project are much broader than cyber diplomacy capacity building only.
Cyber diplomacy in international partnerships
With the field of cyber diplomacy capacity building expected to grow in the coming years, it is critical that these projects are methodologically and conceptually sound. The blending and bridging approaches are particularly useful in cases where donors and partners acknowledge the urgency of engagement on cyber diplomacy and could be used as intermediary steps before actions focusing on cyber diplomacy are properly designed. However, to minimise any potential risks in design of such projects and increase the chances of a meaningful impact, cyber diplomacy capacity building through blending, bridging, and consolidating may be the best guarantee to ensure that good practices and principles of development cooperation (i.e. ownership, sustainability, inclusive partnerships, shared responsibility, transparency and accountability) are taken on board from the beginning. Independently on which approach is adopted, it is clear that a closer partnership between development agencies and ministries of foreign affairs is necessary to ensure both coherence between the projects and to minimise the risk of conflicting objectives.
About the Author
Patryk Pawlak heads the Brussels office of the EU Institute for Security Studies and runs the Institute’s cyber-related activities. His work focuses on cyber, digital and tech policies of the European Union and other regional organisations. Since June 2016, he is a member of the Advisory Board of the Global Forum on Cyber Expertise.