Information and communication technology present new challenges to international affairs. With more and more states and non-state actors developing and using cyber-capabilities, what rules should regulate state behavior in cyberspace?
Karsten Geier, Head of the Cyber Policy Coordination Staff in the German Federal Foreign Office, visited NUPI's Centre for Cyber Security Studies on 25 April to talk about these issues in a seminar titled The International Cyber Diplomacy Agenda, with contributions from Tim Stevens (King’s College London), Lilly Pijnenburg Muller (Research Fellow, NUPI) and Niels Nagelhus Schia (Senior Research Fellow and coordinator of NUPI’s Centre for Cyber Security Studies).

Tune in to NUPI podcast to listen to Geier’s talk:

The idealism of the Internet

‘The creators of the Internet – the engineers, the users, the political decisionmakers involved – were full of idealism,’ Geier said, and noting documents from as recently as the turn of the millennium that show this idealism.

‘There was this idea of a people-centered, inclusive and development-oriented information society where everyone could create access, utilize and share information and knowledge, enabling individuals, communities and peoples to achieve their full potential, he explained.

New vulnerabilities

However, the positive applications of information and communication technology are not the whole story.

‘In fact, the Internet has made our states, our economies, our societies, vulnerable to new attack vectors. And it’s not only critical infrastructures, from electricity to water supply and transport and finance, that can be targeted. In the past few years we’ve seen how the very heart of a country’s democracy and political system can be attacked using electronic means.’

These threats require efforts to involve all countries in at least helping to establish and uphold a minimum standard of cybersecurity, with a shared understanding of what is acceptable and what is not.

Failed past attempts

Geier summed up a range of earlier attempts to find common ground through various Groups of Governmental Experts (GGE). The 2016/2017 GGE on Information Security broke down last year due to lack of consensus.

‘So where do we go from here? The two extremes are either to say: “Let’s continue as we did before, let’s just have another one of these groups of government experts”. It’s a tried format, it’s small and it can be handled, it involves experts, and the experts can build on what’s gone before.’

Geier continued: ‘The other extreme is a proposal from the Group of 77 and China, basically saying: “Actually, this whole thing doesn't make sense anymore. We need universal negotiations on an international code of conduct on states’ use of information technology. Let's have an open-ended working group to this end”.’

See also:

Not mature enough?

‘I would say that of those two extremes, having another GGE… Well, my British colleague has put it very well. She says: “Continuing to do the same thing and expecting a different outcome is a sign of madness.” Unless the external circumstances change, how can we expect another GGE to have a different outcome from that of the group who met in 2016/2017?’ Geier said, stressing the lack of grounds for consensus.

Could the situation take a different route in 2019? Geier admitted that he personally didn’t feel that the international community has become much more attuned to compromise.

‘The other extreme proposal, which is to have an open-ended working group or even a conference of states, also involves challenges. I'm wondering if the issue is mature enough, if enough states really are familiar with the issues, so that they could engage in substantial discussions. I also believe that the disagreement, even in the small group of 25 experts in 2016/2017, indicates that we're not clear about the actual issues. What is it that we're really fighting about? ‘

Something in-between

According to Geier, the best solution today may lie somewhere in between these two extremes. Germany, among others, has proposed such a solution.

‘The idea is to have a small group, like a GGE, that meets for a limited period. We're not talking about establishing any new permanent structures. And between its meetings, this group would consult with the wider UN membership and other stakeholders. So, you have an element of transparency, of openness, you get new get input from outside the group, and then you go back and discuss within the smaller setting. Basically, it becomes a drafting committee. Within the smaller group you can dig more deeply into the issues’, Geier summed up.

You can watch Geier’s talk and the ensuing discussion between the panel of cyber-experts on YouTube: