Statement by the Association for Progressive Communications (APC)
First Substantive Session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security
New York, 10 September 2019
Thank you Chair, colleagues,
The Association for Progressive Communications (APC) welcomes this opportunity to address the Open-ended Working Group (OEWG) and to participate in this informal dialogue with stakeholders. APC is a global NGO and network of members working in 72 countries to advance an open, secure, stable, and rights-based internet.
Security and stability in cyberspace underpin the UN’s three pillars – peace and security, human rights, and sustainable development. While the mandate of the OEWG relates to matters of international security, the interconnected nature of the internet and its central role for the enjoyment of human rights and development necessitates taking a holistic approach and resisting the militarisation of cyberspace. APC is seeing increasing concern from our members about state security-centric approaches to cybersecurity policy and the exclusion of civil society from cybersecurity efforts.
APC underlines that the internet is a global public good, and the stewardship of this public good is the responsibility of all states and all actors. It should be managed in the public interest, governed in a multistakeholder manner, consistent with international humanitarian law and international human rights law, and with accountability for both states and the private sector.
The topic addressed by this OEWG is of utmost importance. People are increasingly relying on the availability, integrity and confidentiality of information and its underlying infrastructure for many aspects of their daily lives. This will only increase as more people and devices are connected. Recent cyberattacks have resulted in the closure of hospitals, electrical grids and large industries, and even affected the integrity of democratic processes. These incidents – which directly affect the lives of ordinary citizens – show that the discussion of responsible state behaviour is closely linked to people’s everyday lives, since institutional changes as the result of elections can have profound lasting effects.
Cyber threats is not experienced evenly by everyone. Human rights defenders, journalists, and people in positions of marginalisation or vulnerability because of their religion, ethnicity, sexual orientation or gender identity experience particular risk. For example, they are more likely to be targeted by surveillance or malicious hackers, and the consequences of broad threats like data breaches or network shutdowns are often more severe for them because of their positions in society. People for whom connectivity is still a challenge also suffer from cyber threats, as they too rely on secure digital infrastructure for provision of public services.
It is critical to also consider the gender dimensions of cybersecurity. From over a decade of work on online gender-based violence, we know that people face differential threats, which affect their ability to use and benefit from ICTs, and which spill over to their offline lives, because of their gender.
With regard to the issues on the agenda of the OEWG, APC offers the following reflections.
A secure and stable cyberspace must be grounded in both international human rights law and international humanitarian law. Previous Groups of Governmental Experts on developments in the field of information and telecommunications in the context of international security (GGEs) have recognised the applicability of international law to cyberspace; however, oftentimes human rights are framed as an impediment to cybersecurity. This is misguided and dangerous. Cybersecurity is in fact inexorably linked to human security, which is a fundamental human right. Cybersecurity and human rights are complementary, mutually reinforcing and interdependent. Both need to be pursued together to effectively promote freedom and security.
Numerous resolutions from the UN General Assembly’s Third Committee and the Human Rights Council, as well as reports from UN Special Procedures and treaty bodies, address how international human rights law applies in digital contexts, adding valuable guidance on the safeguarding of the rights to privacy, freedom of expression, assembly and association.
International human rights law, through the UN Guiding Principles on Business and Human Rights, also provides guidance for both states and the private sector on how to mitigate adverse effects of actions by private companies. Technology companies should not be profiting off of the sale of hardware and software used for launching cyberattacks. International law provides the framework for restricting the sale of cyber weapons and technologies that are used for malicious attacks.
In our view, the OEWG should not be setting human rights standards, or interpreting international human rights law, given that this is best done by other UN and regional bodies with that mandate and expertise; however, we encourage the OEWG to draw on this extensive work, given how closely intertwined security and human rights issues are in the context of digital technologies.
We view the OEWG as a valuable opportunity for advancing the 11 voluntary non-binding norms that were agreed to following the 2015 GGE report. For these norms to be most effective, they must be implemented and adhered to. A precondition for implementing norms is capacity. Civil society can help build the capacity of states (and relevant institutions), and also participate in the monitoring that is essential for norms to be complied with and adapted and extended as needed.
Existing international mechanisms provide useful examples of how monitoring and implementation can be facilitated by the UN system. The Universal Periodic Review of the Human Rights Council, which essentially is a peer review led by states with input from non-state actors, is an example of a successful, universal, peer review mechanism through which all member states are assessed on the extent to which they respect their human rights obligations under the UN Charter, human rights instruments, international humanitarian law, as well as voluntary pledges and commitments. The Voluntary National Review, established as a follow-up mechanism to implement the 2030 Agenda for Sustainable Development, is a state-led review process, involving multiple stakeholders, to facilitate the sharing of experiences, including successes, challenges and lessons learned in achieving the Sustainable Development Goals (SDGs). In the context of cybersecurity and stability, we would propose a peer review mechanism that is fully inclusive of the input of non-state actors. We do not believe that a treaty is necessary for the UN to establish a mechanism to monitor compliance with norms agreed in First Committee processes.
APC also encourages the OEWG to consider norms developed since the 2015 norms, including those from the Global Commission on the Stability of Cyberspace (GCSC). The eight norms developed by the GCSC, complementary to the GGE norms, are intended to help foster responsible state and non-state behavior in cyberspace, including by calling for the protection of the public core of the internet. These norms have been endorsed or otherwise supported by the several states who are signatories to the Paris Call for Trust and Security in Cyberspace. The EU agreed to adopt the GCSC's concept of the protection of the public core of the global internet in its cybersecurity legislation.
Resolution A/RES/73/27, which set up the OEWG “with a view to making the United Nations negotiation process on security in the use of ICTs more democratic, inclusive and transparent,” specifically stresses that "while States have a primary responsibility for maintaining a secure and peaceful ICT environment, effective international cooperation would benefit from identifying mechanisms for the participation, as appropriate, of the private sector, academia and civil society organizations."
APC expresses our regret that many of our colleagues in civil society, academia and the technical community, which do not enjoy ECOSOC status, were unable to obtain accreditation for this first substantive session of the OEWG. These non-governmental stakeholders play valuable roles in the documentation and verification of cyberattacks, in research, in monitoring implementation of norms, and in responding to victims of cyberattacks. These discussions would benefit from their participation and we hope that they will be included in subsequent sessions. This statement is endorsed by the organisations listed below.
Research ICT Africa