Insights from the Global Cyber Policy Dialogue Series
Special Report No. 2
Introduction
In 2020 the Observer Research Foundation America (ORF America), in partnership with the Ministry of Foreign Affairs of the Netherlands, launched a series of regional dialogues to address key cyber challenges, strengthen multistakeholder networks, and increase coordination of regional capacity-building initiatives. These meetings are intended to complement ongoing international cyber processes at the United Nations (UN) aiming to develop a normative framework for cyber stability by engaging stakeholders that have been infrequently involved thus far. The dialogues generate discussion among experts from different sectors and stakeholders and identify concerns and priorities from each region to feed into the UN Open-ended Working Group on the Security of and in the Use of Information and Communications Technologies (OEWG) and the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (Ad Hoc Committee on Cybercrime). In addition, the meetings strengthen regional cyber networks and lay the groundwork for long-term engagement and partnerships among stakeholders working on cyber capacity building.
Increased malicious cyber activities by criminals and state actors undermine the technical security of digital systems and threaten the industrial, social, and economic systems that rely on them. Efforts at the international level are seeking to improve cyber stability, generally understood as the state of cyberspace where there is some level of predictability in state behavior, tensions are resolved in a non-escalatory manner, and for everyday users and infrastructure systems that rely on cyberspace, the availability of information and services are assured, secured, and safe. However, the resulting insecurity and instability from malicious actors threaten economic and social gains developing countries are hoping to make by relying on technology and digital transformation strategies. International cooperation to address these threats requires high levels of trust and robust capacities and policies in every country and region. International processes at the United Nations are setting standards, rules of behavior, common understanding of how international law applies in cyberspace, and frameworks for partnership and cooperation. However, to produce effective cybersecurity and stability globally, these processes must reflect the priorities and voices of all states and stakeholders.
The sections below present the results of ORF America’s virtual cyber policy dialogues, convened in five regions representing much of the developing world and countries that have been less active in the international discussions on information and communications technologies (ICTs). Each meeting offers insight on regional priorities and challenges to enhance cyber capacity, increase stakeholder buy-in by making the economic case for cybersecurity, and work across and inform processes internationally and within governments. In conclusion, the report offers preliminary recommendations for policymakers to improve cyber capacities and ensure international impact. Building on these virtual dialogues, ORF America is now convening in-person meetings in each region and will issue a final report in June 2023 at the conclusion of the full series.
Six Virtual Meetings
ORF America convened six virtual preparatory meetings between 2020 and 2022, focused on five regions: Southeast Asia (August 2020), Southern Africa (October 2020 and October 2021), Western Balkans (April 2021), Latin America and the Caribbean (January 2022), and the Middle East and North Africa (February 2022). Each meeting was co-hosted with the Ministry of Foreign Affairs of the Netherlands and a partner ministry from the respective region, as well as a local civil society organization, and brought together multistakeholder participants and speakers from government, civil society, academia, and the private sector. The meetings have focused on the international normative framework for behavior in cyberspace as outlined through UN Groups of Governmental Experts (GGE) reports from 2010, 2013, and 2015 as well as the OEWG, in the context of regional priorities. They also covered cyber-related topics that are of particular priority to each region. The following sections highlight key themes and takeaways from each meeting.
Southeast Asia
The Southeast Asia regional dialogue was co-hosted with the Cyber Security Agency of Singapore and the S. Rajaratnam School of International Studies in August 2020. The event convened stakeholders from the ten member states of the Association for Southeast Asian Nations (ASEAN). The meeting took place early in the COVID-19 pandemic, and the discussion focused heavily on the ways in which society’s reliance on digital technology had been highlighted by the public health emergency. This context demonstrated the power and solutions offered by technology, as well as the urgent need to ensure its security. Participants stressed that the pandemic impressed upon leaders the importance of investing in cybersecurity and ensuring basic cyber hygiene amid increasing digitalization and enthusiasm for emerging technologies. The meeting also explored how ASEAN countries could inject their own priorities into two ongoing UN processes, the OEWG and GGE, to promote a norms-based order in cyberspace to reduce cyber insecurity. ASEAN is a frontline for geopolitical competition, and it is imperative that Southeast Asian countries can assert their own positions on critical issues in cyberspace governance such as how international law should apply. The character of ASEAN as a region with broad differences in cyber capacity was also a touchpoint for the discussion, as it offers opportunities for inter-regional capacity-building partnerships and cooperation, while highlighting the interconnected nature of cyber threats: the region’s cybersecurity is only as strong as the weakest link.
Southern Africa
Two virtual meetings were held focusing on the Southern Africa region, in October 2020 and October 2021. The meetings were co-hosted with the Department of International Relations and Cooperation of South Africa (DIRCO) and Research ICT Africa. The discussions in the 2020 meeting focused on three pillars critical to stability and growth in the digital age: sustainable development, peace and security, and governance. The second meeting in 2021 addressed the intersection between sustainable development and cyberspace security and stability, through the lens of digital transformation.
Through the course of these virtual meetings, several issues were raised with relevance for the Southern Africa region. First, digital transformation is integral to Southern Africa’s future, and cybersecurity is a necessary component of this revolution. Therefore, it is crucial that development efforts are linked to cybersecurity. Second, with digital transformation comes increased opportunity for misuse of ICTs, and a concerted effort is needed to tackle cybercrime and other threats. This includes building awareness and capacity among users, law enforcement, and policymakers, as well as enacting and enforcing laws that increase accountability for cybercrimes while protecting human rights. Third, international processes to create norms of behavior and mechanisms for improving trust in cyberspace, including confidence-building measures, can support equity and inclusion in digital development and guard against misuse of cyber technologies. Participation by Southern African states in the UN processes is important to ensure that they adequately reflect regional governance models and priorities. Finally, for Southern African countries to reap the benefits of digital transformation and avoid a regime of digital colonialism — where rules are set without their input and digital resources are expropriated by foreign companies and governments — existing capacity gaps in technology, policy, and governance must be addressed.
Western Balkans
A Western Balkans virtual regional dialogue was held in April 2021, in partnership with the Ministry of Defence of North Macedonia and Metamorphosis Foundation. The meeting focused on cyber peace and security, cybercrime, and information disorder. The discussion highlighted several trends. First, Western Balkan countries are integrating ICTs into their governments, defense, infrastructure, and everyday life. However, the capacity to ensure the security and integrity of the technology remains scarce. Second, the region is facing several increasing threats, including cybercrime, disinformation campaigns, and militarization of cyberspace, which threaten stability and trust both among Western Balkan countries and with their neighbors. Third, there is a need for more engagement at the political level in Western Balkan countries on cybersecurity and stability issues. Leaders should act swiftly to prioritize and devote adequate resources to cyberspace security and stability. This highlights an existing capacity gap at the political level that is not unique to this region, but must be addressed by appropriate local, regional, and international efforts. Given the interest of other European countries in the cybersecurity and stability of their neighbors in the Western Balkans, there is ample opportunity for partnerships on capacity building. However, such efforts would benefit from increased coordination among donors and assistance that is targeted and context specific.
Latin America and the Caribbean
In January 2022, ORF America hosted a virtual regional cyber dialogue for the Latin America and Caribbean region, in partnership with the Ministry of Foreign Affairs of Chile and the Centre for Information Technology Law Studies (CEDI). The meeting focused on the links between the cyber stability normative framework, international cooperation to counter cybercrime, and the importance of an open, free, stable, and secure cyberspace to enable digital transformation. Several key themes emerged during the discussion, including the foundational role that capacity building plays in improving international cooperation on cybercrime and in implementing the normative framework. The need for more practical international cooperation on cybercrime was emphasized taking into account conflicting or ambiguous cultural and political norms and laws around criminality, the application of human rights, and the role of the private sector. Practical efforts such as harmonizing terminology or sharing information on domestic law enforcement procedures can help facilitate cooperation and improve coordinated responses. The importance of ensuring respect for human rights and that any criminal statutes include safeguards to protect against overreach and abuse was also of great concern to local civil society groups, particularly in the context of international negotiations on a UN cybercrime treaty. Ambiguous wording and mismatched definitions can lead to broad interpretations and overcriminalization. This uncertainty presents a threat both to activists and journalists who may be unjustly targeted and to security researchers who may get swept up in broad laws criminalizing any “unauthorized” access to a network.
Middle East and North Africa
The dialogue for the Middle East and North Africa region was hosted in February 2022 in partnership with the Jordan National Cyber Security Center and the Information and Communications Technology Association of Jordan (Int@j). The meeting focused on three interrelated topics: norms of state behavior in cyberspace, cybersecurity and critical infrastructure protection, and digital development and transformation. The implementation of relevant national policies, regional cooperation, and capacity building were examined. This meeting focused on the role of coordination to counter cyber threats, on the stabilizing role of the UN processes, and the need to integrate cyber issues into national diplomacy. Cooperation among Computer Emergency Response Teams (CERTs) was another topic, and progress was cited in the financial sector as the Central Bank of Jordan recently established a CERT that will work with international counterparts and networks. In the Middle East, informal networks of technical experts are often the most established and fastest routes for information sharing and incident response. However, official channels are essential, highlighting the need to implement confidence-building measures including establishing official technical and policy points of contact among countries.
Digitalization, digital development, and cybersecurity are also linked in this region, as countries look to technology to advance their prosperity agendas. The importance of ensuring that digital progress enables social mobility, inclusion, and innovation was stressed by speakers. The region also requires greater investment in human capacity to take advantage of emerging technologies and ensure that digitalization is secure, and that digitalized societies are resilient. Addressing the use of technology by radical extremists and terrorist groups is a priority in the region. This has implications not only for cybersecurity and resilience to protect against cyberattacks, but also content regulation, privacy laws, and social initiatives to intervene in younger populations that may be more susceptible to radicalization or recruitment through online tools.
Global Takeaways
Over the initial course of the project, key themes emerged that transcend regional boundaries and offer insights for global efforts to implement the normative framework for cyber stability, address cyber threats, and take advantage of the opportunities created by technology in developing countries.
Capacity Building Is the Foundation
Building cyber capacity is foundational to implementation of international agreements and facilitating international cooperation. Every meeting emphasized that greater capacity is needed at the political, diplomatic, policy, and technical levels to enable stakeholders to participate more fully in international discussions and cooperative mechanisms, as well as to achieve cybersecurity and digitalization goals. Capacity requires investment and buy-in from high-level political decision makers, who must make cybersecurity and stability efforts national priorities. Many countries are preoccupied with other challenges, and political dynamics can make regional cooperation more challenging in certain contexts.
Another aspect of capacity building that is sorely needed in many of the regions is better coordination among donors, implementers, and recipients. The aim here is to ensure that funders are meeting the needs and priorities articulated by recipients, that implementers design projects that are synergistic rather than duplicative, and that recipient countries are involved as equal partners in the efforts.
Digital Transformation and Cybersecurity and Stability are Mutually Reinforcing
While each meeting focused on different topics, one recurring connection was the link between security and digital transformation and economy initiatives. Many countries are looking to ICTs to grow their economies, leapfrog their development forward, and transform their infrastructure. Much of the interest in securing ICTs grows out of these goals, and linking development conversations with cybersecurity and stability enhances success in both areas. This theme was especially present in conversations with stakeholders in Southern Africa and in Latin America, where speakers emphasized the importance of making the economic case for cybersecurity—that is, demonstrating to governments that they will not be able to fully reap the benefits from ICTs if they do not adequately invest in cybersecurity. Cybersecurity and stability also support the sustainable development agenda, which looks to ICTs to accelerate implementation in order to meet Sustainable Development Goals targets. Capacity-building efforts can bridge across these two workstreams, which often take place in different ministries, agencies, and stakeholder networks.
Need to Work Across Silos
Stakeholders in all the regions mentioned silos within governments. The national security, law enforcement, and technical communities within a country are not always aware of what their diplomats have agreed to at the United Nations, or how such agreements could impact their work. This highlights the continued need for raising awareness among various government agencies and bodies concerned with ICT use. These are often the people who will be implementing the UN norms and principles or could benefit from avenues for international cooperation and knowledge sharing. Initiatives that train policymakers on international cybercrime agreements and cooperative mechanisms, for example, are useful in this regard.
Preliminary Recommendations: What Should Policymakers Do?
Cybersecurity and improved stability in the digital domain are not just a “nice to have.” Countries are depending on digital transformation and technology to grow their economies and meet existential challenges including climate change and national security threats. Large powers are using the cyber domain to pursue national geopolitical aims, and many countries find themselves caught in the middle with their own digital goals being co-opted into a larger geopolitical struggle. As such, it is important that all countries work to ensure that they can help shape international agreements on ICTs and implement norms and principles in line with their priorities and cultures. The themes from our regional dialogues can be extrapolated into the following preliminary recommendations for political leaders and decision makers:
Invest in cyber capacity at diplomatic, technical, and policy levels in national government, education, and the private sector. This includes initiatives such as training lawmakers to understand the international processes and dimensions of the issues they are legislating, creating pathways to develop local cyber expertise, raising the baseline digital literacy of the population, and developing incident response capabilities. For example, to improve incident response establishing a national CERT and giving it authority and resources to participate in international and regional technical networks is critical.
Ensure coordination across government agencies. This encompasses: creating clear agreements regarding the roles and responsibilities of the multiple ministries, offices, and agencies that deal with ICT issues; establishing a coordinating body with the authority to convene relevant officials to set policy and respond to crises; and ensuring the effective access of cyber officials to senior leadership.
Engage in the ongoing international processes. These include deliberations at the UN (the OEWG and the Ad Hoc Committee), along with regional efforts such as the ASEAN Regional Forum’s Working Group on ICTs, the OSCE Confidence Building Mechanisms, and the OAS Confidence Building Measures Working Group. Participation in these processes builds trust and helps ensure that perspectives from all countries and stakeholders are reflected in norms and rules of behavior.
Support multistakeholder engagement by creating regulatory and policy environments where meaningful participation by all stakeholders is the default. Allow for innovation and involve civil society and the private sector to contribute valuable expertise, technical abilities, and networks, which will help reach underserved sectors of society and promote equity and inclusiveness in the gains from digitalization.
Mainstream inclusive development approaches and human rights into cybersecurity policies. For cybersecurity laws and policies to provide holistic security for all citizens, they should be grounded in the rule of law, avoid exacerbating existing inequalities, and not enable creeping authoritarianism. To achieve this, principles of human rights and inclusivity must be considered and written into legislation. Cybercrime laws, for example, should be based on clear definition and due process provisions. Cyber hygiene and capacity initiatives should engage vulnerable communities to ensure opportunities are afforded across society.
Mainstream cybersecurity into development initiatives. In order for digitally-enabled development to succeed, digital systems must be secure and cybersecurity maintenance and capacity must be baked into development budgets and digital transformation plans. Policymakers should involve all stakeholders to ensure that security standards and requirements are included in any digital development initiative, and that the necessary resources are allocated that also consider the dynamic nature of technology.