This article was originally published by the European Council on Foreign Relations (ECFR).
The top down UN GGE process appears dead in the water. International norms and laws for responding to cyber attacks must now be built from the bottom up.
Rules must be binding, violations must be punished, and words must mean something. The UN GGE failed on all three accounts.
In 2004, the United Nations established a Group of Governmental Experts with the aim of strengthening the security of global information and telecommunications systems (UN GGE). To date the UN GGE has held five sessions, which are widely credited for successfully outlining the global cybersecurity agenda and introducing the applicability of international law to state behaviour in cyberspace.
However, during the UN GGE’s fifth session in June 2017, fundamental disagreements emerged between the Group’s 25 members, particularly on the right to self-defence and the applicability of international humanitarian law to cyber conflicts. In the end, the fifth and possibly last session concluded without the release of a consensus report. With no plans to pick up the pieces, the question now is, where do we go from here?