
Cyber Security 

Negotiating meanings for security in the
cyberspace

Roxana Radu

Abstract

Purpose – This paper aims to review the current debates regarding the role of the state in securing the

cyberspace, with a particular focus on the negotiations taking place in the UN General Assembly

(UNGA).

Design/methodology/approach – This paper reflects on the evolution of the UNGA discourse on the

role of the state in protecting the cyberspace, based on the textual analysis of all UNGA resolutions

pertaining to the politico-military aspects of internet security.

Findings – The paper finds that the lack of an officially adopted definition for internet security in the

UNGA discussions led to agreement solely on informative, best practice sharing or voluntary activities

addressing other states, rather than providing an integrated vision for protecting the cyberspace.

Research limitations/implications – The analysis is limited to the negotiations taking place in one

institutional venue, namely the UNGA between 1998 and 2011, complemented by three resolutions

issued by the ITU in 2010; activities conducted in other institutional venues might influence or determine

the overall discourse noted in the resolutions under investigation here.

Originality/value – This represents the most comprehensive account of the discourse on the role of the

state in securing the cyberspace as presented in the UNGA and ITU resolutions and its evolution over

time.

Keywords Internet, Cybersecurity, General Assembly, ITU, States, United Nations

Paper type Research paper

Introduction

The security of the cyberspace has become one of the major global policy areas of the

twenty-first century (Deibert and Rohozinski, 2010, p. 29), and an arena for intense political

contestation (Singh, 2011, p. 232; Deibert, 2012)[1]. The dangers posed by the virtual

environment are disputed, with journalists and researchers highlighting either the menace of

a ‘‘digital Pearl Harbor’’ (Sterner, 1996; Bendrath, 2003) or the ‘‘unsubstantiated nature of

cyber threats’’ (Dunn Cavelty and Rolofs, 2010). The debate over ensuring protection online

has also underlined that the current infrastructure of the internet does not contain embedded

security guarantees, as it was primarily designed to facilitate access and open sharing of

information (Talbot, 2006; Markoff, 2012).

While a transnational comprehensive approach in this field has yet to emerge, the increasing

attention paid to cyber security in policy work represents a cumulative process and sets the

foundation for future action (Harknett and Stever, 2011). Such work also faces a series of

(new) cross-sector regulatory challenges, due to the size and magnitude of the protection

endeavor (Chertoff, 2008). Along these lines, this contribution investigates the discourse on

the role of the state in one of the most active institutional venues within the UN, the General

Assembly. In this ambit, the discussions started in 1998 with a draft resolution proposed by

Russia on ‘‘information security’’ with yearly iterations, followed by the 2002 ‘‘culture of cyber

security’’ resolution sponsored by the USA; additionally, following the second phase of the

World Summit on the Information Society (WSIS), the International Telecommunications

Union (ITU) was entrusted to work towards Action Line C5 for building confidence and

security in the use of ICTs.

PAGE 32 | info | VOL. 15 NO. 6 2013, pp. 32-41, © Emerald Group Publishing Limited, ISSN 1463-6697, DOI 10.1108/info-04-2013-0018

Roxana Radu is a PhD candidate at the International Relations/Political Science Graduate Institute of International and Development Studies, Geneva, Switzerland.

The author is grateful for inspiring discussions and valuable feedback received at the 7th Annual GigaNet Symposium (Baku, November 5, 2012).

Received 20 April 2013

Revised 2 July 2013

Accepted 11 July 2013

This article aims to unveil how security in the cyberspace is defined in the UN system and

what implications that has for shaping the entitlement to participation in its governance for

different types of actors. Given the current stalemate in the UN negotiations concerning the

politico-military aspects of cyber security, the definition of issues to be covered and of the

agents that could or should get involved becomes crucial for understanding the broader

roles assigned in the regulation of one of the newest issue domains. The investigations

presented in this contribution focus on decision-making bodies for the politico-military

aspects of security in the cyberspace, leaving aside cyber-crime. While in practice it is

sometimes difficult to disentangle the two types of activities (as in the case of cyber

espionage), cyber-crimes are perceived to be a non-state sponsored action deemed illegal

at the national or international level (Hathaway et al., 2012).

Here, the underlying premise is that the definition of security concerns, as well as of the roles

assigned to different political bodies in such global deliberation processes may serve for

setting precedents and guiding action even in non-binding decision exercises. This article

offers the first systematic analysis of the implications of the wording used in UNGA and ITU

resolutions over time, based on the textual analysis of relevant documents. It starts by

reviewing the internet security debates around the role of states, followed by a discussion of

the activities pertaining to this new issue domain within the UN. The methodological aspects

are addressed in the third section, detailing the textual analysis procedure. The subsequent

part investigates the implications of the way in which security in the cyberspace is defined

throughout time in the UNGA and ITU resolutions from 1998 to 2011, pointing out the lack of

shared definitions and the way in which stakeholders are defined. The final section

concludes by assessing the internet security developments in the UNGA and ITU and their

implications.

Evolution of internet security concerns

Internet security poses a series of tensions at the intersection between national security,

human security, and private security (Buckland et al., 2010), juxtaposing not only state and

private interests in preserving a safe environment, but also concerns over regulation that

might restrict privacy and freedom of expression at the individual level. Computer

security-related concerns attracted public attention in the early 1980s, when the first cyber

viruses were developed (Nye, 2010, p. 3); by the mid-1990s, these concerns became much

more widespread with the emergence of the so-called ‘‘recreational hackers’’ (Sommer and

Brown, 2011). Yet, cyber-security discussions have only been placed on global agendas in

the post-Cold War context (Hansen and Nissenbaum, 2009), taking prominence in the late

1990s.

The official acknowledgement of cyber-security as a ‘‘high-priority’’ (ITU Resolution 45 of

2010) points to the growing importance of creating multilateral instruments for tackling

potential cyber-risks. The creation of regional and global institutional venues for internet

security negotiations reflects the understanding of the transnational nature of online security.

Cyber-threats can target the availability of data and information, its integrity and/or its

confidentiality; the purpose of such actions can range from probing the limits of

cyber-defense in other countries to signaling power positions and finally to inflicting

damage. So far, responses have come primarily in the form of ad hoc security

governance networks, or public-private cooperation (Mueller et al., 2013).

Currently, all major formal and informal international organizations host meetings to discuss

cooperation regarding security in the cyberspace, including specialized working groups

within regional bodies such as Asia-Pacific Economic Cooperation (APEC), the European

Union (EU), the Group of 8 (G8), the Organization of American States (OAS), the

Organization for Economic Cooperation and Development (OECD), the Association of

Southeast Asian Nations (ASEAN), and the Shanghai Cooperation Organization (SCO).

While no new entity has been empowered to regulate internet security at the international

level, different technical aspects likely to have an impact on it are tackled outside of

inter-governmental organizations, in fora such as IETF, W3C, ICANN, ISO, etc. At the national

level, a series of reforms have prioritized cyber-security, including the creation of new

agencies or the re-tasking of existing ones to work on cyber-defense.

Originally, the threats posed to internet security were solved informally, without making

appeal to other institutions; this was, in part, due to the localized nature of risks, which

remained confined and relatively low in the early years of the internet. This led to highly

specialized expertise built within firms and rarely shared across businesses, which partially

explains the lack of intra-sectoral coordination that prevails today. However, while the private

sector handles the daily operation of networks and owns them, it lacks the authority to

pursue perpetrators legally. To date, the most important legal source for our international law

system remains the UN Charter, designed as a sovereign-centric system.

Security has been the key pillar for the legitimacy of nation-states, and new technologies

have historically been linked to national interest soon after their invention. For the internet,

governments exert authority and control over both physical infrastructure providing access

to the internet and the online content. While the rationales for such intervention differ, the

practice of restricting access to content in the name of public interest is just as common in

liberal democracies as it is in authoritarian regimes (Deibert, 2012). Yet, governments

around the world come under considerable pressure nowadays from non-state actors, better

equipped to challenge their position (Nye, 2011). As a new domain of power, the

cyberspace is a realm of contestation for states, private actors and civil society groups,

which may work together or against each other, in a global space so far lacking built-in

mechanisms for accountability (Radu, 2012).

For analytical purposes, Deibert and Rohozinski (2010) introduce the distinction between

‘‘risks to cyberspace’’ (to critical infrastructure and communication networks) and ‘‘risks

through cyberspace’’, generated or articulated using ICT, but not purposefully directed

against the physical structures. As they show, there are contradictory movements in the

actions taken by governments to address these problems: on the one hand, measures are

taken to achieve greater cooperation at the international level for the protection of critical

infrastructure, underlying the preservation of a free and open internet; on the other hand,

increasing divergence can be noticed in the national efforts against risks through

cyberspace, as governments tend to impose – within their national boundaries – measures

that limit the potential of global connectivity by filtering, blocking, surveilling content, etc. In

spite of the different forms taken, cyber concerns have been securitized at the highest level

(Hansen and Nissenbaum, 2009).

The lack of shared definitions across the world has led to a relatively slow negotiation

process for security in the cyberspace, in which interpretation differentials play a major role.

The subject remains relatively difficult to study, primarily due to its complexity and volatility

(Dunn Cavelty and Mauer, 2007, p. 151). So far, limited agreement has been reached for

advancing discussion on adapting existent international legal commitments or establishing

new ones to tackle cyber security (Hathaway et al., 2012). Additional impediments come

from the overlap with private property rights, since many resources necessary for the

cyberspace are not in the public domain. For the purpose of this contribution, I focus

exclusively on discussions about security in the cyberspace at the level of global

decision-making public bodies (regarding legislation, consensus building, norms, etc.) in

UNGA, as distinct from implementation or technical bodies (such as Computer Emergency

Response Teams, private firms, etc.).

Methodological delineations

Previous efforts to decipher the power dynamics involved in the drafting of UNGA and ITU

resolutions on security in the cyberspace have been scarce and unsystematic. They have

either scrutinized the militarization of cyberspace (Yannakogeorgos, 2009) or the extent to

which the UN plays a key role in introducing and shaping norms for the cyberspace (Maurer,

2011). The present analysis relies on the textual analysis of UN documents, a method

extensively used in dealing with UN proceedings. It included, among others, an analysis of

the emotive and instructive wording in the UN Security Council resolutions with regards to

equal treatment of member states (Gruenberg, 2009) or the role of ‘‘key word strategies’’ as

constitutive of the WSIS as a process and as a policy practice (Franklin, 2007). Allowing a

detailed investigation of changes over time, textual analysis can shed light on definitional

issues negotiated in the UN ambit and assigned roles for Internet security. In line with

George’s (1994) assertion, this will be used to ‘‘illustrate how [. . .] textual and social

processes are intrinsically connected, and to describe, in specific contexts, the implication

of this connection for the way we think and act in the contemporary world’’ (p. 191).

The UN has contributed to norm creation and norm diffusion in many issue domains, such as

the human rights regime and sustainable development (Karns and Mingst, 2004). This was

primarily done via resolutions, whose number exceeded 1,100 in the last two decades

(Gruenberg, 2009). Internet security has been addressed at different levels within the UN,

including the UN Institute for Disarmament Research (UNIDIR), the UN Global Alliance for

ICT and Development (UN-GAID) and the Internet Governance Forum (IGF). However, the

most consistent work on this was done in the framework of the UNGA and the ITU. Apart from

mentioning the related use of the internet for terrorist purposes, none of the Security

Council’s resolutions have so far referred to internet security. While UNGA resolutions remain

largely non-binding, they are the only ones voted on by all members of the UN. The ITU is

responsible for carrying out the WSIS Action Plan C5 on ‘‘Building confidence and security in

the use of ICTs’’; it comprises all 193 UN member states and over 700 private companies

and organizations.

For this study, I analyzed all UNGA resolutions on internet security issued between

December 1998 and November 2011, excluding those on cyber-crime. Additionally, I

included the 2010 report of the Group of Governmental Experts (GGE) and three ITU

resolutions, as well as the latest draft resolution submitted to the UNGA Secretary General on

‘‘International code of conduct for information society’’ in 2011[2]. In the focused coding, I

recorded two aspects:

1. wording used with reference to security in cyberspace; and

2. implication(s) for the participants, i.e. who they are, and what roles they are assigned.

The UNGA resolutions follow a (semi-)standardized format, consisting, in the first part, of

broader motivations for issuing the resolution, and in the second part of recommendations

for member states. Structured along these lines, the coding process entailed an analysis of

what has been included and excluded at different points in time with regard to the primary

objects (the issue discussed) and subjects (the actors) of the resolutions.

Cyber security on the UNGA agenda – in search of a definition

The UNGA initiatives in the area of internet security have remained rather loose and did not

succeed in fostering agreement over common definitions or middle ground for consistent

international cooperation. Up to 2011, the UNGA discussed three resolutions regarding

security in the cyberspace, yet none of them contained a definition of what is meant by

security in the cyberspace. The first resolution in this regard — i.e. ‘‘Developments in the

field of information and telecommunications in the context of international security’’ (53/70)

— was introduced by the Russian Federation in the First Committee of the GA in 1998 and

different versions of it were discussed every year thereafter, with the most recent iteration in

November 2011. In the Second Committee of the GA, the resolution on ‘‘Creation of a global

culture of cyber security and the protection of critical information infrastructures’’ (57/239)

was introduced by the USA in 2002 and adopted in 2005, calling for ‘‘prioritizing cyber

security planning and management’’ and for the adoption of nine elements for creating a

global culture of cyber security. The USA also sponsored the introduction of a follow-up

resolution: ‘‘Creation of a global culture of cyber security and taking stock of national efforts

to protect critical informational infrastructures’’ (64/211), adopted in 2010.

The slightly modified text of the 1998 resolution was adopted without a vote every year until

2005, when a formal vote was cast at the 60th session of the UNGA. The voting results

displayed a situation which came very close to consensus, with 177 states in favor, no

abstentions, and one vote against (the USA). The form of the resolution voted on contained

an important change vis-à-vis its iterations up to that point. What had previously been an

invitation addressed to member states to inform the Secretary General of their views and

assessments on ‘‘the definition of basic notions related to information security [. . .] and

information resources’’ was changed to ‘‘efforts taken at the national level to strengthen

information security and promote international cooperation in this field’’, thus lowering the

incentives to agree on basic terms and pushing back the discussion to a rather vague

common denominator.

The support for this resolution varied over time. While Russia was its only sponsor up to 2005,

in 2006 it gained 13 additional sponsors in Armenia, Belarus, Chile, China, Ethiopia,

Kazakhstan, Kyrgyzstan, Madagascar, Mali, Myanmar, Tajikistan, Turkmenistan and

Uzbekistan; in 2007, Turkmenistan, Cuba, Japan and Nicaragua were its co-sponsors,

together with the Russian Federation; in 2008, there were 24 sponsors and three new

co-sponsors in Brazil, Vietnam and Fiji. Notably, in 2010, the resolution had 36 sponsors,

including – for the first time – the USA, Canada, Germany and Australia. In 2011, some of

the countries withdrew their support and the sponsorship went down to 32. Notably, some of

the participant countries eagerly backing the resolution – such as Russia, China,

Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan – have also been pursuing

cyber-cooperation in other institutional venues. In the framework of the Shanghai

Cooperation Organization (SCO), there is an agreement on international information

security dating back to 2009. This agreement includes a glossary of terms used, and sets

the common ground for coordinating positions in other international fora.

The second resolution, proposed by the USA in 2002 and adopted without a vote by the

General Assembly in January 2005, aimed at creating a ‘‘culture of cyber security’’ and

proposed a number of baseline principles. Its sponsorship initially included Australia,

Japan, and Norway, but later revisions of the draft text added 36 other supportive member

states. The version of the resolution introduced in 2003 added the protection of critical

information infrastructure (CII) to its text, and an invitation to member states to develop

strategies to protect CII. The most important modification in this resolution concerns the

replacement of ‘‘principles’’ with ‘‘elements’’ for a global culture of cyber-security, thus

diminishing its strength. The nine elements it puts forward are:

1. awareness;

2. responsibility;

3. response;

4. ethics;

5. democracy;

6. risk assessment;

7. security design and implementation;

8. security management; and

9. reassessment.

Of particular interest is the framing of two of these elements, namely ethics and democracy.

The first upholds that ‘‘participants need to respect the legitimate interests of others and

recognize that their action or inaction may harm others’’, while the latter asserts that ‘‘security

should be implemented in a manner consistent with the values recognized by democratic

societies, including the freedom to exchange thoughts and ideas, the free flow of

information, the confidentiality of information and communication, the appropriate protection

of personal information, openness and transparency’’.

These two types of resolutions reflect a deeply rooted distinction between the way in which

the USA and Russia have conceived internet security, and the fundamental disagreement

over a common definition; on the one hand, the USA, Canada and the EU have favored open

communication principles, whereas Russia has more strongly asserted sovereignty and

territorial controls, pushing for a greater role of the UN in cyber-governance (Deibert, 2012).

This tendency is also visible in a new proposal made to the UN Secretary General in

September 2011 for the introduction of an ‘‘International code of conduct for information

security’’ (66/359) by the representatives of Russia, China, Tajikistan and Uzbekistan. The

most controversial part of the document states that the signatories of the code:

. . . endeavor [. . .] to prevent other States from using their resources, critical infrastructures, core

technologies and other advantages to undermine the right of the countries, which accepted this

Code of Conduct, to independent control of information and communications technologies or to

threaten the political, economic and social security of other countries.

While this resembles a reassessment of the non-interference principle in the cyberspace, by

redefining the responsibilities of the international community and of individual member

states, it also draws a clear distinction between the positions of different influential regional

blocks.

In contrast, a recent US shift in national policy emphasized the need for global norms and

policies for internet security, with the 2009 Cyberspace Policy Review concluding that

‘‘international norms are critical to establishing a secure and thriving digital infrastructure’’

(p. IV) and that different national and regional laws and practices represent an obstacle in

securing the cyberspace. A similar acknowledgement of the nature of the global internet is

provided in the Department of Defense Strategy for Operating in Cyberspace (July 2011),

which mentions that ‘‘cyberspace is a network of networks that includes thousands of

internet service providers across the globe; no single state or organization can maintain

effective cyber defenses on its own’’. Consequently, the positions of the USA and Russia –

the two most active states in the UNGA on internet security — seem difficult to reconcile,

both for agreeing on a common approach and for adopting an official definition of what is to

be understood by security in the cyberspace.

The UNGA discussions have so far been conducted in the absence of any definition for

internet security, with the exception of a definition put forward by the ITU, which may serve to

guide action also in other institutional venues, given the overlapping state membership. The

‘‘Overview of cybersecurity’’, which was approved on 18 April 2008 by ITU-T Study Group

17, contains a taxonomy of the security threats from an organizational point of view.

Accordingly, cyber-security was understood as ‘‘the collection of tools, policies, security

concepts, security safeguards, guidelines, risk management approaches, actions, training,

best practices, assurance and technologies that can be used to protect the cyber

environment and organization and user’s assets’’[3], and this was officially acknowledged

for further incorporation in activities pertaining to building confidence and security in the use

of ICTs in the Resolution 181 of 2010. The same document recognizes that ‘‘the definition of

cyber security may need to be modified from time to time to reflect changes in policy’’, thus

emphasizing a dynamic stance taken by the UN agency.

In their analysis of the stalemate in forming a global governance regime for the internet,

Mueller et al. (2007) identify the absence of an agreed-upon set of basic principles and

norms for internet governance as the main obstacle in proceeding further. This also

concerns the lack of common definitions that could represent the foundations of discussions

for the establishment of a ‘‘framework convention’’ similar to the climate change convention

under the UN umbrella. In the case of the UNGA, this also appears to be the case for the past

decade of internet security negotiations, in spite of the reaffirmation of urgency of actions

needed.

In the different UNGA resolutions up to 2011, the preferred wording for the vulnerabilities and

dangers posed by the advent of ICTs is ‘‘threats’’. Notably, resolution 64/211, adopted in

2010, emphasized the ‘‘increasingly transnational nature’’ of cyber-threats. This contrasts

sharply with the much more frequent employment of ‘‘risks’’ rather than ‘‘threats’’ in the

wording of ITU resolutions. The difference between the two implies a differentiated course of

action, as threats are understood as direct and imminent, whereas risks are indirect, more

distant, unintended (Rasmussen, 2001) and, as such, are prone to the elaboration of

long-term risk management strategies rather than to the implementation of security

measures under extraordinary conditions.

The most comprehensive reference to this type of insecurity is to be found in the ITU 181

Resolution cautiously mentioning the ‘‘potential emergence of new and unforeseeable risks

and vulnerabilities in relation to confidence and security in the use of ICTs’’. The focus on

risks in the ITU framework can be inscribed in the redefinition of the role of this specialized

body of the UN after the WSIS process. In this direction, it is worth noting a subsequent

modification occurring in 2010 in the wording of the UNGA resolution 53/70: the phrase

‘‘possible measures to limit the threats emerging in this field’’ is changed to ‘‘possible

strategies to address the threats emerging in this field’’. This reveals two underlying

considerations: first, that it is not enough to limit threats, and a comprehensive approach

might be needed; second, that strategies would be preferred to measures, which tend to be

more punctual and require less long-term planning.

Entitlement to participation

Over time, there has been a gradual recognition that states are not the only participants in

securing the cyberspace. In 2000, the ‘‘need for cooperation between states and private

industry to combat misuse of ICTs’’ was acknowledged in resolution 55/63, but this was not

included in the recommendations made to member states at that point. Two years later,

participants in the cyberspace are explicitly identified and mentioned in the following order:

‘‘Governments, businesses, other organizations and individual users who develop, own,

provide, manage, service and use information systems and networks (‘participants’)’’ in

UNGA resolution 57/239. Once identified, the participants are also attributed responsibility;

according to the same 2002 resolution, the participants ‘‘must assume responsibility for and

take steps to enhance the security of these information technologies, in a manner

appropriate to their roles’’. At the same time, each state is empowered to ‘‘determine its own

critical information infrastructure’’ and the resolutions are intended to address first and

foremost other states, rather than contributing to creating global norms reflecting a global

vision for preventing and combating cyber-risks.

In UNGA resolution 58/199 of 2003, the term ‘‘stakeholders’’ is used for the first time,

implying more …
