The Leiden University’s Program for Cyber Norms, a research platform to investigate the development and implementation of law and policy applicable to uses of ICTs, invites you to participate in a global open consultation on how to implement the UN Group of Governmental Experts’ (GGE) recommendations on responsible State behavior in cyberspace. Partner in these consultations is the ICT4Peace Foundation, a policy and action-oriented international foundation whose purpose is to save lives and protect human dignity through Information and Communication Technology. Promoting cybersecurity and a peaceful cyberspace through international negotiations with governments, companies and non-state actors is part of their work.

Consultations as to how to best understand and implement the proposed norms in the UN GGE 2015 report will be conducted throughout the summer with the view to publish a thorough and balanced commentary together with guidelines for implementation in the early fall of this year.

We invite recommendations, comments, and guidance from academia, civil society, the corporate world as well as public administration. We are keen to receive views on whether the proposed norms can be considered distinct, relevant and justified. Additionally, we are looking forward to further recommendations on responsible behaviour in international cyber security. We highly appreciate your advise on what reference materials, such as national and international documents; academic and expert literature, could be considered when implementing the proposed norms.

In creating the commentary and implementation guidelines on the UN GGE 2015 report’s proposed norms we will form an editorial working group for each of these norms. An overview of the norms and their respective working groups is listed on our website, accompanied by selected commentary collected during the consultations. In addition to comments and contributions, we welcome your participation in one or several of these working groups.  In case you are interested in joining the team of authors and editors creating the final implementation guidelines, please let us know.

Please contact Mr. Walle Bos, our Project Coordinator, if you have any questions pertaining to the program and this specific initiative, or have an interest to be involved and wish to send your questions, comments, and  recommendations.

• 1st phase: consultations with academic experts linked to the work of the UN GGE (Completed)
  Timeframe: June 2016-June 2017
  Conducted with, among others: Dr Anatoly Streltsov, Professor, Information Security Institute, Moscow State University; Dr Nohyoung Park, Professor of Law of the College of Law, Korea University; and Dr Mika Kerttunen, Docent, Finnish National Defence University, and Director of Studies, Cyber Policy Institute.
   
• 2nd phase: consultations with all interested parties and targeted experts
  Timeframe: June 2017-Early October 2017
  Leading think thanks, academia and corporations are approached. Conducted in partnership with Daniel Stauffacher, President of the ICT4Peace Foundation.
   
• 3rd phase: editorial interest-based working groups
  Timeframe: July 2017-November 2017
  Conducted in partnership with the ICT4Peace Foundation.
   
• Workshop
  Timeframe: October 2017
   
• Publish Commentary and Guidelines
  Timeframe: January 2018
  Publish a thorough and balanced commentary together with guidelines for implementation of UN GGE norms, as part of UNODA’s Civil Society and Disarmament series.

For two decades, negotiations of a possible cyber security framework have been discussed behind closed doors under the auspices of the UN Disarmament and International Security Committee. Five consecutive Groups of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security have worked to settle standards of responsible State behaviour in cyberspace, amidst strategic contestation in and around the cyber domain. The UN GGE is the only existing intergovernmental expert format to discuss and make recommendations about ways to mitigate international peace and security threats that result from State development and uses of information and communication technologies (ICTs).

UN GGE 2015 report (U.N. Doc. A/70/174, July 22, 2015) proposes 11 voluntary non-binding norms on responsible State behaviour, related to cooperation, mutual assistance, information exchange, respect for Human Rights, integrity of the supply chain, and critical infrastructure protection (para 13). The UN General Assembly subsequently called upon Member States to “be guided in their use of information and communications technologies by the 2015 report of the Group of Governmental Experts”, by adopting resolution A/RES/70/237 in December 2015.

In June of this year, the fifth consecutive UN GGE concluded its negotiations without producing a consensus report. In the absence of such a report to offer guidelines on the implementation of the proposed norms contained in the 2015 report, we aim to support the UN GGE’s work by conducting open consultations in order to produce a commentary with implementation guidelines that includes a wide variety of relevant views.

In case you are interested in joining the team of authors and editors creating the final implementation guidelines, or wish to contribute to this process by sending in your comments, please let us know and contact Mr. Walle Bos, our Project Coordinator.

Working Groups:

1. General normative considerations
   Lead: Dr. Eneken Tikk, Senior Fellow, Institute of Security and Global Affairs, Leiden University
2. Norm (a) – Cooperation
   Lead: Zine Homburger, PhD-candidate, Institute of Security and Global Affairs, Leiden University
3. Norm (b) – Consequences
   Lead: Dr. Mika Kerttunen, Docent, Finnish National Defence University; Director of Studies, Cyber Policy Institute
4. Norms (c) and (f) – Internationally Wrongful Acts
   Lead: Liisi Adamson, PhD-candidate, Institute of Security and Global Affairs, Leiden University
5. Norm (d) – Exchange of Information
   Lead: Dr. Els de Busser, Assistant Professor, Institute of Security and Global Affairs, Leiden University
6. Norm (e) – Human Rights
   Lead: Dr. Barrie Sander, Visiting Scholar, FGV Direito Rio; Visiting Fellow, Institute of Security and Global Affairs, Leiden University
7. Norms (g) and (h) – Critical Infrastructure Protection
   Lead: Michael Berk, Research Fellow, Centre for Cyber Security and International Relations, University of Florence; Managing Director at DR Analytica, and Principal at Alton Corp.
8. Norm (i) – Integrity of the Supply Chain
   Lead: Caitríona Heinl, Research Fellow, Cyber Risk Management Project, Nanyang Technological University
9. Norm (j) – Reporting of ICT Vulnerabilities
   Lead: Prof. Dr. Nicholas Tsagourias, Professor of International Law, University of Sheffield
10. Norm (k) – Computer Emergency Response
    Lead: Dr. Eneken Tikk, Senior Fellow, Institute of Security and Global Affairs, Leiden University

You can download the complete UN GGE 2015 report.

The public consultation will specifically concern paragraph 13 of the UN GGE 2015 report, containing 11 voluntary non-binding norms on responsible State behaviour:

13.     Taking into account existing and emerging threats, risks and vulnerabilities, and building upon the assessments and recommendations contained in the 2010 and 2013 reports of the previous Groups, the present Group offers the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour of States aimed at promoting an open, secure, stable, accessible and peaceful ICT environment:

           (a)      Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;

           (b)      In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;

           (c)      States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;

           (d)      States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;

           (e)      States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;

           (f)      A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;

           (g)      States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;

           (h)      States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;

           (i)       States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

           (j)       States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;

           (k)      States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.