Why the United Nations Is Chasing Its Tail on Cybersecurity

Commentary by James Andrew Lewis

Published July 16, 2024

Sometime in late October 1963, the United States and the Soviet Union reached the brink of nuclear war. Fortunately, war was averted, but the experience of the near miss led both sides to negotiate seriously on how to reduce the risk of nuclear war and how to manage the horrific consequences of new weapons. The threat of nuclear war in 1963 was the starting point of a long series of talks between opponents that ultimately produced meaningful agreements on weapons of mass destruction and on measures to promote stability and reduce the risk of armed conflict While that edifice of agreements has recently begun to crumble as Russia and the United States reconsider concessions and as the older, bipolar arrangement is pressed by the emergence of China (which was never party to these agreements), 1963 still provides a vantage point for assessing cybersecurity negotiations.

The nuclear experience shaped cybersecurity agreements-for example, the 2015 consensus report of the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security used language on confidence-building measures from Cold War agreements-and still offers lessons. First, opponents must want to negotiate. They are more likely to do so if they perceive serious, even existential, risk. Cyber actions do not create that kind of risk. No one has died from a cyberattack, and economic losses are easily absorbed. Hostile cyber actions, particularly espionage, produce a steady erosion of security, but this has not reached the point where it is unacceptable. There is apparently no desire for serious negotiation (i.e., negotiations leading to concessions by those who possess advanced cyber capabilities).

Serious negotiations can only take place between major opponents, not in the UN General Assembly (although the General Assembly can be used to stake out positions, score points, and perhaps float proposals). The secretary general can play a helpful role as a facilitator, and the UN First Committee on Disarmament and International Security provides a useful venue, but the United Nations' role is limited. While internet rhetoric argues that cyberspace is a global community in which states are only one actor, only agreement among the major powers and their allies will improve the situation. Smaller states, civil society, or corporations cannot make meaningful commitments to limit destabilizing actions, as they lack the ability of major states to inflict harm. Risk is created by the actions and decisions of a few powerful countries.

Negotiation requires at least one side to have considered how to engage with opponents to address serious risks and weigh possible concessions. At present, no country has done this. Proposals to "implement" norms do not count, as they do not involve discussion where opponents offer to trade concessions on destabilizing capabilities. Neither set of opponents is currently willing to make such concessions. This means that the UN Open Ended Working Group (OEWG) is condemned to be feckless.

The OEWG is not the right venue for cybersecurity negotiations. It has too many participants and it lacks ideas on how to move past the agreement reached in the 2015 GGE report. Its work is subsumed by the larger international security contest. The OEWG's only important success was in 2021, when its members were able to endorse and make binding the measures identified and agreed in the 2015 GGE report. The 2015 effort almost failed, and agreement was reached only through the heroic efforts of the Brazilian chair, who brought unwilling opponents together and persuaded the Russian and Chinese negotiators to accept, with emendations, the draft GGE report. Since 2015, the opposing sides have been unwilling to engage with each other, so no agreement that will improve stability and reduce risk is possible.

Who are the rivals? With some blurring at the margins, they are the same as in the Cold War. China has replaced Russia (to Russia's chagrin) as a major opponent. There is an ideological component to the contest, but it is less clear cut than during the Cold War, despite U.S. efforts to cast it as a Manichean battle pitting good against evil. Both opponents have supporting states with varying degrees of capability, independence, and cohesion. The United States with its alliances has an advantage that China lacks, but not enough of an advantage to compel China to change its behavior in cyberspace. There are emerging powers, such as India, whose involvement may be required in the future, but a simple question serves as a test of their importance: If the United States and China were able to reach binding agreement on serious constraints on dangerous cyber capabilities or to limit destabilizing actions, would other nations' agreement be necessary other than as endorsements? Russia might play the role of spoiler, and France might seek to assert European sovereignty, but these are problems of alliance management, not impediments to agreement between the two powers where the risk of cyber conflict is now greatest.

Explaining why the United States has not put forward a compelling engagement proposal or why China does not feel impelled to negotiate requires a longer discussion, but one possibility is that neither side now believes there is benefit from engagement or concession. For example, for China to consider a commitment to not attack civilian critical infrastructure, this would need to be accompanied by an American offer to observe some equivalent measure of restraint, and China might ask for concessions involving technology or trade that go beyond cybersecurity.

Many in the United States believe it is futile to negotiate with China, and China also shows little inclination to engage. Russia likes cyber negotiations, as it believes they reaffirm its great power status. Before 2015, Russia's long experience of negotiation made it an easier counterpart for negotiation, but desperation over its decline now creates a reluctance to engage, and the Ukraine war is a major obstacle to any talks. In this context of hostility and distrust, the ability of the OEWG to break new ground in building cyber stability is negligible.

What could usefully be done in the OEWG? It could agree on a single permanent process for the regular discussion of steps to improve international cybersecurity. The Programme of Action (POA) proposed by France and Egypt is the best vehicle for this, as experience with other POAs suggests it could ultimately lead to meaningful agreement. OEWG discussions could begin to frame the measures needed to increase stability that would go beyond the 2015 GGE report. This could start with a serious discussion of confidence-building measures and norms that address the new challenges of cybersecurity in an expanded digital environment. Finally, the OEWG could link member state discussion of cybersecurity to other UN digital initiatives with the goal of assembling an international framework for a digital world. These are ambitious tasks, and we cannot expect immediate results; but a more interconnected world populated by newly important countries will require these steps, and the OEWG is a platform that could begin to take them.

James A. Lewis is senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Programs & Projects