As a group of international policymakers at the United Nations has worked to define and shape consensus on fundamental cybersecurity norms over the past year, one of the most controversial areas of debate has centered around the extent to which those discussions should include non-state actors and members of private industry alongside sovereign nations.
This week, the Cybersecurity Tech Accord — a coalition representing more than 150 tech companies, including Microsoft, Dell, Meta, Oracle and others — announced that unnamed member states from the U.N. working group on cybersecurity norms had vetoed their request and the request of dozens of other non-state organizations to be accredited members in future meetings.
Accreditation would have allowed organizations to speak during meetings alongside state stakeholders as they are discussing issues and submit formal comments for the working group website. Non-accredited members may speak but only afterwards and usually when representatives from many countries have already left the room.
“We, the undersigned organizations, are writing to express deep regret with the recent decision of a few member states to exclude over 30 members of industry and civil society from the workings of the United Nations Open-Ended Working Group on cybersecurity,” the Accord wrote to U.N. ambassador and working group chair Burhan Gafoor in a letter signed by dozens of other private companies and trade groups. “This exclusion applies to many in the technology industry, including the 150 technology companies represented by the Cybersecurity Tech Accord, the incident responders and security professionals represented by the Forum of Incident Response and Security Teams, as well as many more relevant organizations in civil society and academia.”
In their letter to Gafoor, the companies blame their exclusion from the working group on “political considerations,” claiming that the decision goes against previous working group reports that emphasized the important role of industry and that the use of a veto did not meet the U.N.’s standard, which encourages members to use it “carefully” and in the spirit of inclusivity.
While the Cybersecurity Tech Accord and other organizations were denied accreditation, at least 71 other organizations had their accreditation accepted, mostly nonprofits and academic institutions. Alexandra Paulus, an international cybersecurity policy fellow at Stiftung Neue Verantwortung (SNV), a tech policy think tank based in Berlin, told SC Media that her organization was one of 32 that had its accreditation request rejected this week.
She said two nations — Ukraine and Russia — were primarily responsible for most of the vetoes, and rules of the working group require only a single member-state to object in order to reject an organization’s request. Russia’s objections were mostly directed at U.S. and Western-based entities — including SNV — while Ukraine largely moved to rule out organizations based in or aligned with Russia.
“The fact that it was used by two states … along sort of expected lines is maybe not really surprising, but it’s of course a big disappointment for nongovernmental organizations like ours,” said Paulus in an interview.
That being said, Paulus said one positive side effect of the rejections may be greater participation in shaping global cyber norms from organizations based in the Global South — Africa, Latin America and parts of Asia and the Middle East — which have traditionally been crowded out of the conversation. Even here, though, she noted that working group meetings are held in person and usually aren't live-streamed, so some non-governmental organizations simply may not have the money or resources to travel and attend on a regular basis.
Decision a blow to industry ambitions in UN cyber talks
The decision represents a major blow to the ambitions of the private tech industry and companies, in particular Microsoft. The Redmond, Washington-based software giant has taken steps in recent years to more aggressively engage in international negotiations around responsible behavior in cyberspace and went so far as to set up an office at the U.N. in New York. Traditionally, discussions around cyber norms have been largely restricted to nations, but Microsoft and others have argued in recent years that they, too, have an important role to play as they produce almost all the underlying technology and will be subject to the legal restrictions or limitations that may flow out of those talks.
But that idea of countries and non-state actors participating in these discussions on a more or less equal footing with governments has always made some countries nervous. As Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative, told SC Media last year, companies are not countries who represent the will of their citizens and shouldn’t be treated as such, though any agreement reached by governments will nevertheless require significant buy-in from the private sector to be effective. In previous international discussions around the Paris Call for Trust and Security in Cyberspace, several countries expressed “the view … that an appropriate balance needs to be found between multi-stakeholder inclusion and the central role of states in negotiations dealing with matters pertaining to international security.”
Still, the fact that many of the vetoes were levied by two countries currently at war with each other underscores the inherent challenges around international efforts to reach consensus around cyber norms while keeping larger political considerations at bay.
Taylor Grossman, a senior cyber defense researcher at the Center for Security Studies at ETH Zurich, told SC Media the development was “unsurprising, yet still concerning” and represents “another deterioration in trust” among international stakeholders.
“The two-track system in the UN has led to a series of fairly conservative consensus agreements (when it hasn't broken down altogether); one of the advantages of the creation of the OEWG was its expanded membership, particularly its inclusion of non-governmental actors. As we've discussed, tech companies and related consortiums certainly have a role to play in creating rules of the road for cyberspace. Their exclusion from these meetings doesn't bode well for the future utility of any resulting actions.”
Paulus also highlighted the exclusion of organizations like FIRST as particularly worrying, because it is a policy non-profit that represents incident responders and has no obvious political bent.
That concern was echoed in the letter from the Cybersecurity Tech Accord, which wrote that it’s “hard to imagine … future deliberations on safeguarding CERT/CSIRT teams from targeting or on securing critical infrastructure would not benefit greatly from the meaningful inclusion of the technology industry and incident response communities.”
Paulus agreed: “The incident response community is seen as this apolitical, very technical community. Being vetoed implies a very [worrying] tendency of politicization of the incident response community,” she said.