Solving the verification conundrum is the key
Digital peace has been on the agenda at the United Nations since 1998, and UN member states have made some progress. At least one critical reality, however, stands in the way of meaningful advancement: Currently, not all UN member states are committed to advancing digital peace.
Differing from the approach to many conventional weapons, digital disarmament is not considered a precondition of digital peace. UN member states recognized early that digital technologies’ intangible and multiuse nature defied traditional arms control. Rather than seeking to “control” specific technology, considered neither technically feasible nor economically desirable, countries strove to advance digital peace by defining “responsible use” of technology.
While glacial compared to technology’s evolution, a UN framework for Responsible State Behavior in Cyberspace has developed over the past two decades. The framework recognizes that existing international law applies to the activities of states in cyberspace, sets out 11 voluntary norms of responsible behavior, and identifies confidence-building measures and capacity-building principles.
This year, the final reports of two landmark UN negotiations fully endorsed the framework: the inaugural Open-Ended Working Group (OEWG) on development in the field of information and communication technologies in the context of international security, and the sixth Group of Governmental Experts (GGE) on responsible state behavior in cyberspace.
Unlike the previous reports, the OEWG report was negotiated among all UN member states so countries can no longer claim they were not party to the negotiations as an excuse for exemption. The GGE report deepened the framework, including specific recognition that international humanitarian law applies to cyber operations during armed conflict.
These developments, however, occurred amid increasing malicious cyber activity conducted or condoned by countries. Considering this, many countries are now prioritizing implementation of the framework and development of accountability mechanisms for when countries violate their commitments.
Yet even if implemented and enforced, some argue that the existing framework will not deliver digital peace. This raises some obvious — but little discussed — realities.
All UN member states would need to agree upon any additional commitments, but not all countries share the same motivations. Liberal democracies do not hold the balance of power; while they may want meaningful progress, they will not accept new commitments that undermine the framework, or legitimize authoritarian behaviors. Given these negotiating realities, simply preserving the status quo is often a victory.
The UN is replete with examples of agreements struck in politically polarized times. In each case, despite differing national interests, member states shared a common objective. However, on this issue, not all countries share the objective of advancing digital peace, especially if it means asymmetrically losing their cyber edge.
A growing number of countries possess offensive cyber capabilities. And the blunt reality is that those countries will not accept meaningful restraints on their own offensive cyber capabilities unless they can verify reciprocity by their adversaries.
Herein lies the conundrum. Verification of the scale and sophistication needed to underwrite digital peace does not yet exist. If a critical pipeline is not secured against ransomware, how can we expect to reliably verify that an adversary is not prepositioned on that pipeline for future attack? In this geo-strategic environment “trust me” does not cut it.
Inspection regimes are often touted as a solution. Putting aside questions of technical feasibility, no proposal to date has adequately addressed the private sector’s role, nor the sensitive, sovereign nature of the networks most in need of verification.
This article is a call to action to industry, civil society and academia as well as to governments. If we want digital peace, we must unite behind it as a shared objective. Solving the verification conundrum will be key to unlocking digital peace.
Johanna Weaver is director of the Tech Policy Design Centre at the Australian National University. The design centre is reimagining how to use governance as a tool to shape technology to maximize its positive impacts. In partnership with industry, government, civil society and academia, the centre’s mission is to co-design a new generation of best practice governance frameworks that are fit for purpose in our digital age.
Weaver is a former Australian diplomat, a reformed commercial litigator and an unapologetic international law nerd. In June 2021, she completed her term as Australia’s independent expert and lead cyber negotiator at the United Nations. Earlier, Weaver led the Cyber Affairs Branch at the Australian Department of Foreign Affairs and Trade, working closely with Australia’s inaugural ambassador for cyber affairs.
Weaver is a member of the International Committee of the Red Cross (ICRC) Global Advisory Board on digital threats during conflict. She is a regular guest lecturer at the Australian National Security College. Weaver is also the managing principal of CDT Capacity Building, a boutique not-for-profit focused on cyber, digital and technology capacity building that promotes sustainable international development.