The past year has been a busy one for cyber and digital diplomacy. Discussions by the UN Ad Hoc Committee on Cybercrime and the UN Open-ended Working Group on responsible state behaviour in cyberspace have advanced global debate on these issues and have included much more participation from the Global South. However, decisions about the participation of non-governmental stakeholders left a bitter taste in some mouths. The war in Ukraine has foregrounded old and new questions about the role of cyber operations in conflict, as well as the suitability of existing tools and mechanisms to deal with malicious actors in cyberspace. Below, five of our Directions Blog contributing editors recommend their essential reads of 2022.
The editorial board’s March 2022 post on the implications of the war in Ukraine on cyber diplomacy is very intriguing. Russia’s unprovoked and unjustified invasion of Ukraine has focused attention on kinetic warfare, and the use of cyber operations in the context of armed conflict has received much less consideration. Even if the cyber cannons have not been as actively fired as some predicted, we’ve seen clearly how cyber operations have become an integral part of modern warfare.
For example, in May 2022, the EU and its partners strongly condemned malicious Russian cyber activity targeting the KA-SAT satellite network, owned by Viasat. Not only did the cyber operation result in indiscriminate communication outages and disruptions across a variety of sectors, it also caused a spillover effect into other EU countries.
The cyber operations against KA-SAT and other targets highlight many topics touched upon in the editorial board’s post, including the role of the cyber stability framework in dealing with such an escalated situation. While the United Nations Open Ended Working Group is viewed as the only game in town in terms of discussing and agreeing globally on responsible norms of state behaviour in cyberspace, the Ukrainian crisis provides an on-the-ground laboratory teaching important lessons about the potential of cyber diplomacy.
The war in Ukraine made it crystal clear that one of the key questions for the EU to answer in the coming years is what role cyber forces will play in protecting European – and only European – citizens. How do these forces fit within the broader defence posture adopted by the states in cyberspace, and what does it mean to be a responsible cyber power?
The Directions article Andreas Kuehn and Sven Herpig penned on active cyber defence offers two valuable contributions to this debate. First, the authors highlight the importance of adopting a clear definition of active cyber defence, which will impact the level of support among the Member States. According to Kuehn and Herpig, it’s unlikely that the EU would opt for intrusive measures at odds with EU values and the cyber norms of restraint that the EU has been advocating at the international level. Second, the authors stress the need for principles, assessment criteria and safeguards that will allow the EU and its Member States to implement active cyber defence operations in an informed and responsible way.
The text by Kuehn and Herpig is an important read for anyone interested in the future of the EU’s cyber defence policy, how it fits within its overall cyber posture and how the decisions taken today might impact the perception of the EU as a responsible cyber player. The recently adopted EU Policy on Cyber Defence calls upon the Member States to commit ‘with urgency and priority’ to increase investment in full-spectrum cyber defence capabilities, including active cyber defence. Kuehn and Herpig’s article provides a quick guide to advancing this objective in 2023.
Rogier Creemers’ March 2022 commentary on Data Protection in China provides a helpful backgrounder on the historical context behind recent legislative developments on data protection in China, including the link that the country draws to national security. In short, the piece explains how certain forcing functions acted as drivers to prioritise data protection issues in China. These drivers included the rapid digitisation of Chinese society and, notably, the prominence of AI and big data as engines for economic growth. Other drivers included the growing awareness and revelation of China’s vulnerability to ‘moves by foreign corporations over which it had little control’.
The piece brings us up to the present-day introduction of the 2021 Chinese Data Security Law (DSL) and Personal Information Protection Law (PIPL). The author makes it clear that Europe should pay attention, for reasons including uncertainty surrounding the impact on European companies through legislative extraterritoriality. He also notes that the definition of ‘important data’ is still to be determined, as it will likely take several years for China’s ministries to compile data classification categories within their policy areas, as required by the law. Most notably, while Europe now often touts the potential of the EU’s GDPR as a model the world over – as well as an example of the bloc’s general global regulatory prowess – Creemers draws our attention to the possibility that, if successful, the Chinese approach through the DSL could lead to a ‘Beijing effect’.
In other words, China’s relatively new data framework creates a new model that might be replicated in other jurisdictions, especially when it comes to the DSL. A final notable observation is the likely emulation of practical steps taken to ban certain smart car products from military facilities and government compounds on account of national security concerns. This is surely a sign of future trends.
For the first time in the history of the UN, countries are negotiating a legally binding instrument on a cyber issue – specifically, cybercrime – in what is known as the AHC process (the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes). The data brief by Christian Dietrich and Patryk Pawlak on tracking UN voting patterns on cybercrime helps us better understand the dynamics behind this process.
According to the UN resolution that established this process, the convention should take into account the progress that has been achieved to date in fighting cybercrime at various levels, national, regional and international. This progress is significant, so it’s important that the outcome from this process complements rather than competes with or contradicts it. Achieving such complementarity will increase the possibility of garnering support from a larger number of states around the convention and increase the likelihood of creating a global and inclusive instrument that makes a difference in the global fight against cybercrime.
In their data brief, Dietrich and Pawlak track voting by UN member states in relation to the process – from the vote on the resolution that established it to the different votes on its modalities – to try and identify the main drivers of cooperation and conflict in this domain. As states prepare to negotiate the first part of the convention text in January 2023 in Vienna, this brief – compared with states’ written and oral submissions throughout the process – can help readers better gauge states’ trajectories so far and identify potential areas for convergence and divergence on this important issue.
Global governance of the digital world remains a central, unresolved and much-debated challenge. What are the roles of governments, industry and other stakeholders? And is it feasible at all to realise, in this ever more geo-politicised world, global governance even in a limited way?
Anna-Maria Osula and Charles Mok’s opinion piece on multi-stakeholder cooperation offers a unique insight into this debate. The authors take us through two cases: internet governance and the UN’s work on norms of responsible state behaviour in cyberspace. Don’t hold your breath for a happy ending. The piece sounds the alarm bell. The authors’ account of authoritarian geopolitical efforts (notably from China) to control internet governance and destroy the dream of an open, global and free internet is enlightening, as is their explanation of how non-governmental stakeholders are being pushed out by state actors at the UN.
The authors argue – convincingly – that we should not give up on multi-stakeholderism (ugly as the word may sound). Instead, we must work to improve the open participation of the widest range of voices. We should and we can. The alternative is a future where digital governance is in the hands of states and global big tech alone, where ‘everyone will get less of what the internet has promised, and what each of us deserves’.