Pandemic-fuelled cyberattacks on civilians and civil society organisations (CSOs) underline the trend of digital authoritarianism and serve as a reminder that civilians remain the weakest stakeholder in cyberspace, given their limited resources compared to their private and public sector counterparts.

While cybersecurity is crucial for the whole of society, discussions about international peace and security have long been centred around the state – instead of the citizenry – as the stakeholder which defines what counts as a cybersecurity threat and as the subject that needs protection.

China says the US is an ‘empire of hacking’ following NSA advisory

The result has been the neglect of citizen security issues in global cybersecurity dialogues. Linked with this has been the transformation of all activities in cyberspace into a matter of national security. This has normalised arbitrary surveillance, internet restrictions, and censorship under the pretence of ensuring national security.

The UN Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) represent some of the UN’s efforts aimed at developing norms, principles, confidence-building measures and capacity building to advance responsible state behaviour in cyberspace - along with discussions about how international law can be applied.

While only selected member states – and recently regional organisations – can participate in the GGE, the OEWG is open to the participation of all interested member states, the private sector, academia, and United Nations Economic and Social Council-registered non-governmental organisations.

In 2015, the GGE formulated eleven “non-binding rules for responsible state behaviour”. While the GGE cyber norms signify progress in outlining the global cybersecurity agenda and measures to increase stability in cyberspace, it is critical that these norms and related instruments look beyond the narrow state-centric security dimension. There are at least two gaps in the GGE norms that need to be addressed.

First, the lack of a holistic approach to the scope and implications of cyber threats, particularly in terms of including citizen cybersecurity issues. Although one of the 11 GGE norms directly references human rights and the right to privacy in ensuring the secure use of information and communication technologies, the GGE norms generally do not address the diverse range of cyber threats encountered by civilians and the implications for their security.

China’s biggest cybersecurity company wants to shape 5G security standards

The norms, for example, lack of clarity in terms of recognising how pervasive and invasive the surveillance technologies have become and how states must balance national security with their obligations under international human rights law. When communications surveillance is needed to ensure public and national interests, decisions must take into consideration principles such as legality, legitimacy, necessity and proportionality.

Equally important, critical civilian infrastructure, such as health care and water facilities, and the infrastructure supporting the food supply chain needs to be protected. Such infrastructure is essential for citizens yet increasingly under cyber threat. Currently, this kind of framing is not included in GGE norms.

Where the state’s capacity to provide security for all is limited, enhancing citizens’ cyber capabilities to deal with day-to-day adverse cyber threats and supporting civil society’s engagement in cybersecurity can strengthen cyber resilience.

Having a state-run incident response team (CERT/CSIRT) which operates in a multi-stakeholder setting, that can accept and respond to cyber incident reports from civilians, and that can engage with CSOs in the sharing of cyber threats information, can better mitigate the risks of cyberattacks targeting larger institutions that use civilians and CSOs as proxies.

In this regard, the GGE norms need to oblige states to also protect CSO-run CERTs, which assume the role of frontline responders in providing cyber incident response assistance to civilians.

Coronavirus pandemic exposing internet users to new cybersecurity risks

Another problem with the GGE norms lies in the lack of clarity over who is responsible for what - and how the norms should be implemented. This ambiguity means they are open to interpretation, which could have adverse results. There must be clear lines of accountability and broad directions for the state and/or corporate actors to take action against misuse of ICTs and private and personal data.

In this regard, the GGE norms should clearly oblige states to hold corporate actors accountable for offences that violate people’s rights to privacy, information, and freedom of expression.

These include failure to responsibly report flaws in the design, implementation or management of their ICT products and services. Weakening citizen’s security will weaken security for all because any vulnerabilities in the ICT products used by citizens can be exploited by any third-party, including criminals.

The ambiguous language of the GGE norms, however, increases the risk that they will not be effectively enforced and that offences could go unpunished.

Alongside GGE, the OEWG has made progress in terms of facilitating non-state actors’ contributions to cyber norms-building. While greater engagement of stakeholders beyond state actors in multilateral discussions can benefit international commitments, how the recommendations of OEWG will be included in GGE discussions and outcomes remains to be seen.