The United Nations (UN) is an intergovernmental organisation established in 1945 to promote international co-operation. The organisation is committed to maintaining international peace and security, developing friendly relations among nations and endorsing social progress, better living standards and human rights. The UN provides a global forum for its 193 Member States to express their views and tackle a wide range of issues.
The UN’s activities regarding cyber security can be seen as highly fragmented, as the subject is addressed in many of its different intergovernmental bodies and organisational platforms.1 Many entities in the UN can issue resolutions, but in practice most are passed by the UN General Assembly (UNGA) or the Security Council (UNSC). Almost all resolutions, with the exception of those adopted by the UNSC, are recommendatory and legally non-binding on the Member States. Up until now, no resolutions concerning cyber security issues have been adopted by the UNSC.
Draft resolutions on different aspects of cyber security have been forwarded to the UNGA by three of its six main committees (the Disarmament and International Security Committee; the Economic and Financial Committee; and the Social, Humanitarian and Cultural Committee).
Perhaps the most noteworthy developments have been taken place in the Disarmament and International Security Committee, which can be regarded as a unique forum for key players such as the U.S., China and Russia to discuss the ‘high end’ of information security threats.2 Since 1998, the Russian government has annually introduced a draft resolution in the First Committee on ‘Developments in the field of information and telecommunication in the context of security’. With gradual changes, the non-binding resolution has been adopted by the UN General Assembly (UNGA) each year.
In the resolution of 2001, Russia requested the establishment of a group of governmental experts (GGE), consisting of experts from 15 states, chosen on the basis of equitable geographical distribution, for a study to consider existing and potential threats in the sphere of information security and possible cooperation measures to address them. The first GGE, convened in 2004, failed to adopt a consensus report due to significant differences on key aspects of international information security.3 Nevertheless, a formation of a second GGE to be assembled in 2009 was proposed. The second GGE was able to produce a consensus report which mainly highlighted the need to continue discussing further norms to address existing and potential threats in the sphere of information security.
A third GGE was called for in 2011. The group convened in 2012-2013 and successfully produced a consensus report which is regarded as a substantial development in the context of international cooperation on cyber security norms. Perhaps the most significant outcome was that the report affirmed the applicability of international law, especially the UN Charter, to cyberspace. The report expressed a common understanding and the need to cooperate by offering several recommendations to promote peace and security in state use of ICTs (e.g., developing confidence- and capacity-building measures and engaging in the exchange of information). A fourth GGE was established in 2014 and finished its work in July 2015. For a comprehensive overview of the report, see the INCYDER article.
Although the aforementioned annual resolutions and the reports by the GGE can be viewed as signs of growing consensus, there is no common understanding on how exactly the existing international law should apply to cyberspace, and development of new global cyber norms has been limited. For example, in 2011, a group of SCO states proposed a controversial International Code of Conduct for Information Security (2011)4 which has not put forward to the General Assembly. In January 2015, an updated version of the document was submitted to the General Assembly. As presented in this INCYDER news item, the updated Code of Conduct contains only minor changes.
The Economic and Financial Committee has also put forward three cyber-related resolutions to the General Assembly. All the resolutions (adopted in 2002, 2003 and 2009) deal with the ‘creation of a global culture of cybersecurity’. While the first resolution is a broader document, the last two are expanded to include the issue of protecting critical information infrastructures.
The Social, Cultural, and Humanitarian Committee has mainly addressed the questions of cybercrime and privacy rights. Two resolutions (adopted in 2000 and 2001), can be highlighted as having a specific focus on combating the criminal misuse of information technologies. In 2013, and partly as a result of the Snowden revelations, the UNGA adopted the resolution ‘The right to privacy in the digital age’, which was first drafted by Brazil and Germany. The resolution emphasised the responsibility of states to respect and protect privacy, and, for the first time, affirmed that the same rights that people have offline must be protected online. The resolution also requested the High Commissioner for Human Rights to prepare a report on the subject.
The concerns for the fundamental human rights in the digital age have been reiterated many times by the UN (see INCYDER news). In March 2015, the General Assembly decided to establish a new Special Rapporteur on the Right to Privacy in order to better address such issues and to create a safer digital environment.
The Economic and Social Council (ECOSOC), one of the principal organs of the UN, has been increasingly dealing with cybercrime. Cybercrime has also been addressed in the UN Congress on Crime Prevention and Criminal Justice (UNCPCJ), which takes place every five years and plays a major role in international standard-setting and policy-making in crime prevention and criminal justice. For example, the Twelfth UNCPCJ (2010) resulted in a UNGA resolution (A/RES/65/232) that called for an open-ended intergovernmental expert group to study the problem of cybercrime and international responses to it. The report was produced by the UN Office on Drugs and Crime (UNODC) in 2013.
In addition to the UNODC report, cyber-related research and initiatives are carried out by many other UN organisational platforms such as the UN Institute for Disarmament Research (UNIDIR) and the UN Interregional Crime and Justice Research Institute (UNICRI). Additionally, the broader cyber security debate is dealt with in the Working Group on Countering the Use of the Internet for Terrorist Purposes which operates under the UN Counter-Terrorism Implementation Task Force.
The separate INCYDER page for the International Telecommunications Union, a specialised agency of the UN dealing with issues concerning ICT. For a description on the Internet Governance Forum (IGF), established by the UN Secretary-General in 2006.
- Read more on cyber norm emergence in the UN in: Maurer, T. (2011) “Cyber Norm Emergence at the United Nations – An Analysis of the UN’s Activities Regarding Cyber-security?,” Discussion Paper 2011-11, Cambridge, Mass.: Belfer Center for Science and International Affairs, Harvard Kennedy School, pp. 47. Available online: http://belfercenter.ksg.harvard.edu/files/maurer-cyber-norm-dp-2011-11-f…
- Read more on the First Committee and cyber security in Tikk-Ringas, E. “Developments in the Field of Information and Telecommunication in the Context of International Security: Work of the UN First Committee 1998-2012,” ICT4Peace Foundation, pp. 8, 2012. http://www.ict4peace.org/wp-content/uploads/2012/08/Eneken-GGE-2012-Brie…
- Tikk-Ringas, E. “Developments in the Field of Information and Telecommunication in the Context of International Security: Work of the UN First Committee 1998-2012,” ICT4Peace Foundation, pp. 8, 2012. http://www.ict4peace.org/wp-content/uploads/2012/08/Eneken-GGE-2012-Brie…
- Proposed by China, Russia, Tajikistan, Uzbekistan, Kazakhstan, and Kyrgyzstan (see also INCYDER SCO page