Negotiating meanings for security in the cyberspace

Roxana Radu

Abstract

Purpose – This paper aims to review the current debates regarding the role of the state in securing the

cyberspace, with a particular focus on the negotiations taking place in the UN General Assembly

(UNGA).

Design/methodology/approach – This paper reflects on the evolution of the UNGA discourse on the

role of the state in protecting the cyberspace, based on the textual analysis of all UNGA resolutions

pertaining to the politico-military aspects of internet security.

Findings – The paper finds that the lack of an officially adopted definition for internet security in the

UNGA discussions led to agreement solely on informative, best practice sharing or voluntary activities

addressing other states, rather than providing an integrated vision for protecting the cyberspace.

Research limitations/implications – The analysis is limited to the negotiations taking place in one

institutional venue, namely the UNGA between 1998 and 2011, complemented by three resolutions

issued by the ITU in 2010; activities conducted in other institutional venues might influence or determine

the overall discourse noted in the resolutions under investigation here.

Originality/value – This represents the most comprehensive account of the discourse on the role of the

state in securing the cyberspace as presented in the UNGA and ITU resolutions and its evolution over

time.

Keywords Internet, Cybersecurity, General Assembly, ITU, States, United Nations

Paper type Research paper

Introduction

The security of the cyberspace has become one of the major global policy areas of the

twenty-first century (Deibert and Rohozinski, 2010, p. 29), and an arena for intense political

contestation (Singh, 2011, p. 232; Deibert, 2012)[1]. The dangers posed by the virtual

environment are disputed, with journalists and researchers highlighting either the menace of

a ‘‘digital Pearl Harbor’’ (Sterner, 1996; Bendrath, 2003) or the ‘‘unsubstantiated nature of

cyber threats’’ (Dunn Cavelty and Rolofs, 2010). The debate over ensuring protection online

has also underlined that the current infrastructure of the internet does not contain embedded

security guarantees, as it was primarily designed to facilitate access and open sharing of

information (Talbot, 2006; Markoff, 2012).

While a transnational comprehensive approach in this field has yet to emerge, the increasing

attention paid to cyber security in policy work represents a cumulative process and sets the

foundation for future action (Harknett and Stever, 2011). Such work also faces a series of

(new) cross-sector regulatory challenges, due to the size and magnitude of the protection

endeavor (Chertoff, 2008). Along these lines, this contribution investigates the discourse on

the role of the state in one of the most active institutional venues within the UN, the General

Assembly. In this ambit, the discussions started in 1998 with a draft resolution proposed by

Russia on ‘‘information security’’ with yearly iterations, followed by the 2002 ‘‘culture of cyber

security’’ resolution sponsored by the USA; additionally, following the second phase of the

World Summit on the Information Society (WSIS), the International Telecommunications

Union (ITU) was entrusted to work towards Action Line C5 for building confidence and

security in the use of ICTs.

Roxana Radu is a PhD candidate at the International Relations/Political Science Graduate Institute of International and Development Studies, Geneva, Switzerland.

The author is grateful for inspiring discussions and valuable feedback received at the 7th Annual GigaNet Symposium (Baku, November 5, 2012).

Received 20 April 2013 Revised 2 July 2013 Accepted 11 July 2013

PAGE 32 | info | VOL. 15 NO. 6 2013, pp. 32-41, © Emerald Group Publishing Limited, ISSN 1463-6697 DOI 10.1108/info-04-2013-0018

This article aims to unveil how security in the cyberspace is defined in the UN system and

what implications that has for shaping the entitlement to participation in its governance for

different types of actors. Given the current stalemate in the UN negotiations concerning the

politico-military aspects of cyber security, the definition of issues to be covered and of the

agents that could or should get involved becomes crucial for understanding the broader

roles assigned in the regulation of one of the newest issue domains. The investigations

presented in this contribution focus on decision-making bodies for the politico-military

aspects of security in the cyberspace, leaving aside cyber-crime. While in practice it is

sometimes difficult to disentangle the two types of activities (as in the case of cyber

espionage), cyber-crimes are perceived to be a non-state sponsored action deemed illegal

at the national or international level (Hathaway et al., 2012).

Here, the underlying premise is that the definition of security concerns, as well as of the roles

assigned to different political bodies in such global deliberation processes may serve for

setting precedents and guiding action even in non-binding decision exercises. This article

offers the first systematic analysis of the implications of the wording used in UNGA and ITU

resolutions over time, based on the textual analysis of relevant documents. It starts by

reviewing the internet security debates around the role of states, followed by a discussion of

the activities pertaining to this new issue domain within the UN. The methodological aspects

are addressed in the third section, detailing the textual analysis procedure. The subsequent

part investigates the implications of the way in which security in the cyberspace is defined

throughout time in the UNGA and ITU resolutions from 1998 to 2011, pointing out the lack of

shared definitions and the way in which stakeholders are defined. The final section

concludes by assessing the internet security developments in the UNGA and ITU and their

implications.

Evolution of internet security concerns

Internet security poses a series of tensions at the intersection between national security,

human security, and private security (Buckland et al., 2010), juxtaposing not only state and

private interests in preserving a safe environment, but also concerns over regulation that

might restrict privacy and freedom of expression at the individual level. Computer

security-related concerns attracted public attention in the early 1980s, when the first cyber

viruses were developed (Nye, 2010, p. 3); by the mid-1990s, these concerns became much

more widespread with the emergence of the so-called ‘‘recreational hackers’’ (Sommer and

Brown, 2011). Yet, cyber-security discussions have only been placed on global agendas in

the post-Cold War context (Hansen and Nissenbaum, 2009), taking prominence in the late

1990s.

The official acknowledgement of cyber-security as a ‘‘high-priority’’ (ITU Resolution 45 of

2010) points to the growing importance of creating multilateral instruments for tackling

potential cyber-risks. The creation of regional and global institutional venues for internet

security negotiations reflects the understanding of the transnational nature of online security.

Cyber-threats can target the availability of data and information, its integrity and/or its

confidentiality; the purpose of such actions can range from probing the limits of

cyber-defense in other countries to signaling power positions and finally to inflicting

damage. So far, responses have come primarily in the form of ad hoc security

governance networks, or public-private cooperation (Mueller et al., 2013).

Currently, all major formal and informal international organizations host meetings to discuss

cooperation regarding security in the cyberspace, including specialized working groups

within regional bodies such as Asia-Pacific Economic Cooperation (APEC), the European

Union (EU), the Group of 8 (G8), the Organization of American States (OAS), the

Organization for Economic Cooperation and Development (OECD), the Association of

Southeastern Asian Nations (ASEAN), and the Shanghai Cooperation Organization (SCO).

While no new entity has been empowered to regulate internet security at the international

level, different technical aspects likely to have an impact on it are tackled outside of

inter-governmental organizations, in fora such as IETF, W3C, ICANN, ISO, etc. At the national

level, a series of reforms have prioritized cyber-security, including the creation of new

agencies or the re-tasking of existing ones to work on cyber-defense.

Originally, the threats posed to internet security were solved informally, without

appealing to other institutions; this was, in part, due to the localized nature of risks, which

remained confined and relatively low in the early years of the internet. This led to highly

specialized expertise built within firms and rarely shared across businesses, which partially

explains the lack of intra-sectoral coordination that prevails today. However, while the private

sector handles the daily operation of networks and owns them, it lacks the authority to

pursue perpetrators legally. To date, the most important legal source for our international law

system remains the UN Charter, designed as a sovereign-centric system.

Security has been the key pillar for the legitimacy of nation-states, and new technologies

have historically been linked to national interest soon after their invention. For the internet,

governments exert authority and control over both physical infrastructure providing access

to the internet and the online content. While the rationales for such intervention differ, the

practice of restricting access to content in the name of public interest is just as common in

liberal democracies as it is in authoritarian regimes (Deibert, 2012). Yet, governments

around the world come under considerable pressure nowadays from non-state actors, better

equipped to challenge their position (Nye, 2011). As a new domain of power, the

cyberspace is a realm of contestation for states, private actors and civil society groups,

which may work together or against each other, in a global space so far lacking built-in

mechanisms for accountability (Radu, 2012).

For analytical purposes, Deibert and Rohozinski (2010) introduce the distinction between

‘‘risks to cyberspace’’ (to critical infrastructure and communication networks) and ‘‘risks

through cyberspace’’, generated or articulated using ICT, but not purposefully directed

against the physical structures. As they show, there are contradictory movements in the

actions taken by governments to address these problems: on the one hand, measures are

taken to achieve greater cooperation at the international level for the protection of critical

infrastructure, underlying the preservation of a free and open internet; on the other hand,

increasing divergence can be noticed in the national efforts against risks through

cyberspace, as governments tend to impose – within their national boundaries – measures

that limit the potential of global connectivity by filtering, blocking, surveilling content, etc. In

spite of the different forms taken, cyber concerns have been securitized at the highest level

(Hansen and Nissenbaum, 2009).

The lack of shared definitions across the world has led to a relatively slow negotiation

process for security in the cyberspace, in which interpretation differentials play a major role.

The subject remains relatively difficult to study, primarily due to its complexity and volatility

(Dunn Cavelty and Mauer, 2007, p. 151). So far, limited agreement has been reached for

advancing discussion on adapting existent international legal commitments or establishing

new ones to tackle cyber security (Hathaway et al., 2012). Additional impediments come

from the overlap with private property rights, since many resources necessary for the

cyberspace are not in the public domain. For the purpose of this contribution, I focus

exclusively on discussions about security in the cyberspace at the level of global

decision-making public bodies (regarding legislation, consensus building, norms, etc.) in

UNGA, as distinct from implementation or technical bodies (such as Computer Emergency

Response Teams, private firms, etc.).

Methodological delineations

Previous efforts to decipher the power dynamics involved in the drafting of UNGA and ITU

resolutions on security in the cyberspace have been scarce and unsystematic. They have

either scrutinized the militarization of cyberspace (Yannakogeorgos, 2009) or the extent to

which the UN plays a key role in introducing and shaping norms for the cyberspace (Maurer,

2011). The present analysis relies on the textual analysis of UN documents, a method

extensively used in dealing with UN proceedings. It included, among others, an analysis of

the emotive and instructive wording in the UN Security Council resolutions with regards to

equal treatment of member states (Gruenberg, 2009) or the role of ‘‘key word strategies’’ as

constitutive of the WSIS as a process and as a policy practice (Franklin, 2007). Allowing a

detailed investigation of changes over time, textual analysis can shed light on definitional

issues negotiated in the UN ambit and assigned roles for Internet security. In line with

George’s (1994) assertion, this will be used to ‘‘illustrate how [. . .] textual and social

processes are intrinsically connected, and to describe, in specific contexts, the implication

of this connection for the way we think and act in the contemporary world’’ (p. 191).

The UN has contributed to norm creation and norm diffusion in many issue domains, such as

the human rights regime and sustainable development (Karns and Mingst, 2004). This was

primarily done via resolutions, whose number exceeded 1,100 in the last two decades

(Gruenberg, 2009). Internet security has been addressed at different levels within the UN,

including the UN Institute for Disarmament Research (UNIDIR), the UN Global Alliance for

ICT and Development (UN-GAID) and the Internet Governance Forum (IGF). However, the

most consistent work on this was done in the framework of the UNGA and the ITU. Apart from

mentioning the related use of the internet for terrorist purposes, none of the Security

Council’s resolutions have so far referred to internet security. While UNGA resolutions remain

largely non-binding, they are the only ones voted on by all members of the UN. The ITU is

responsible for carrying out the WSIS Action Plan C5 on ‘‘Building confidence and security in

the use of ICTs’’; it comprises all 193 UN member states and over 700 private companies

and organizations.

For this study, I analyzed all UNGA resolutions on internet security issued between

December 1998 and November 2011, excluding those on cyber-crime. Additionally, I

included the 2010 report of the Group of Governmental Experts (GGE) and three ITU

resolutions, as well as the latest draft resolution submitted to the UNGA Secretary General on

‘‘International code of conduct for information society’’ in 2011[2]. In the focused coding, I

recorded two aspects:

1. wording used with reference to security in cyberspace; and

2. implication(s) for the participants, i.e. who they are, and what roles they are assigned.

The UNGA resolutions follow a (semi-)standardized format, consisting, in the first part, of

broader motivations for issuing the resolution, and in the second part of recommendations

for member states. Structured along these lines, the coding process entailed an analysis of

what has been included and excluded at different points in time with regard to the primary

objects (the issue discussed) and subjects (the actors) of the resolutions.

Cyber security on the UNGA agenda – in search of a definition

The UNGA initiatives in the area of internet security have remained rather loose and did not

succeed in fostering agreement over common definitions or middle ground for consistent

international cooperation. Up to 2011, the UNGA discussed three resolutions regarding

security in the cyberspace, yet none of them contained a definition of what is meant by

security in the cyberspace. The first resolution in this regard — i.e. ‘‘Developments in the

field of information and telecommunications in the context of international security’’ (53/70)

— was introduced by the Russian Federation in the First Committee of the GA in 1998 and

different versions of it were discussed every year thereafter, with the most recent iteration in

November 2011. In the Second Committee of the GA, the resolution on ‘‘Creation of a global

culture of cyber security and the protection of critical information infrastructures’’ (57/239)

was introduced by the USA in 2002 and adopted in 2005, calling for ‘‘prioritizing cyber

security planning and management’’ and for the adoption of nine elements for creating a

global culture of cyber security. The USA also sponsored the introduction of a follow-up

resolution: ‘‘Creation of a global culture of cyber security and taking stock of national efforts

to protect critical informational infrastructures’’ (64/211), adopted in 2010.

The slightly modified text of the 1998 resolution was adopted without a vote every year until

2005, when a formal vote was cast at the 60th session of the UNGA. The voting results

displayed a situation which came very close to consensus, with 177 states in favor, no

abstentions, and one vote against (the USA). The form of the resolution voted on contained

an important change vis-à-vis its iterations up to that point. What had previously been an

invitation addressed to member states to inform the Secretary General of their views and

assessments on ‘‘the definition of basic notions related to information security [. . .] and

information resources’’ was changed to ‘‘efforts taken at the national level to strengthen

information security and promote international cooperation in this field’’, thus lowering the

incentives to agree on basic terms and pushing back the discussion to a rather vague

common denominator.

The support for this resolution varied over time. While Russia was its only sponsor up to 2005,

in 2006 it gained 13 additional sponsors in Armenia, Belarus, Chile, China, Ethiopia,

Kazakhstan, Kyrgyzstan, Madagascar, Mali, Myanmar, Tajikistan, Turkmenistan and

Uzbekistan; in 2007, Turkmenistan, Cuba, Japan and Nicaragua were its co-sponsors,

together with the Russian Federation; in 2008, there were 24 sponsors and three new

co-sponsors in Brazil, Vietnam and Fiji. Notably, in 2010, the resolution had 36 sponsors,

including – for the first time – the USA, Canada, Germany and Australia. In 2011, some of

the countries withdrew their support and the sponsorship went down to 32. Notably, some of

the participant countries eagerly backing the resolution – such as Russia, China,

Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan – have also been pursuing

cyber-cooperation in other institutional venues. In the framework of the Shanghai

Cooperation Organization (SCO), there is an agreement on international information

security dating back to 2009. This agreement includes a glossary of terms used, and sets

the common ground for coordinating positions in other international fora.

The second resolution, proposed by the USA in 2002 and adopted without a vote by the

General Assembly in January 2005, aimed at creating a ‘‘culture of cyber security’’ and

proposed a number of baseline principles. Its sponsorship initially included Australia,

Japan, and Norway, but later revisions of the draft text added 36 other supportive member

states. The version of the resolution introduced in 2003 added the protection of critical

information infrastructure (CII) to its text, and an invitation to member states to develop

strategies to protect CII. The most important modification in this resolution concerns the

replacement of ‘‘principles’’ with ‘‘elements’’ for a global culture of cyber-security, thus

diminishing its strength. The nine elements it puts forward are:

1. awareness;

2. responsibility;

3. response;

4. ethics;

5. democracy;

6. risk assessment;

7. security design and implementation;

8. security management; and

9. reassessment.

Of particular interest is the framing of two of these elements, namely ethics and democracy.

The first upholds that ‘‘participants need to respect the legitimate interests of others and

recognize that their action or inaction may harm others’’, while the latter asserts that ‘‘security

should be implemented in a manner consistent with the values recognized by democratic

societies, including the freedom to exchange thoughts and ideas, the free flow of

information, the confidentiality of information and communication, the appropriate protection

of personal information, openness and transparency’’.

These two types of resolutions reflect a deeply rooted distinction between the way in which

the USA and Russia have conceived internet security, and the fundamental disagreement

over a common definition; on the one hand, the USA, Canada and the EU have favored open

communication principles, whereas Russia has more strongly asserted sovereignty and

territorial controls, pushing for a greater role of the UN in cyber-governance (Deibert, 2012).

This tendency is also visible in a new proposal made to the UN Secretary General in

September 2011 for the introduction of an ‘‘International code of conduct for information

security’’ (66/359) by the representatives of Russia, China, Tajikistan and Uzbekistan. The

most controversial part of the document states that the signatories of the code:

. . . endeavor [. . .] to prevent other States from using their resources, critical infrastructures, core

technologies and other advantages to undermine the right of the countries, which accepted this

Code of Conduct, to independent control of information and communications technologies or to

threaten the political, economic and social security of other countries.

While this resembles a reassessment of the non-interference principle in the cyberspace, by

redefining the responsibilities of the international community and of individual member

states, it also draws a clear distinction between the positions of different influential regional

blocs.

In contrast, a recent US shift in national policy emphasized the need for global norms and

policies for internet security, with the 2009 Cyberspace Policy Review concluding that

‘‘international norms are critical to establishing a secure and thriving digital infrastructure’’

(p. IV) and that different national and regional laws and practices represent an obstacle in

securing the cyberspace. A similar acknowledgement of the nature of the global internet is

provided in the Department of Defense Strategy for Operating in Cyberspace (July 2011),

which mentions that ‘‘cyberspace is a network of networks that includes thousands of

internet service providers across the globe; no single state or organization can maintain

effective cyber defenses on its own’’. Consequently, the positions of the USA and Russia –

the two most active states in the UNGA on internet security – seem difficult to reconcile,

both for agreeing on a common approach and for adopting an official definition of what is to

be understood by security in the cyberspace.

The UNGA discussions have so far been conducted in the absence of any definition for

internet security, with the exception of a definition put forward by the ITU, which may serve to

guide action also in other institutional venues, given the overlapping state membership. The

‘‘Overview of cybersecurity’’, which was approved on 18 April 2008 by ITU-T Study Group

17, contains a taxonomy of the security threats from an organizational point of view.

Accordingly, cyber-security was understood as ‘‘the collection of tools, policies, security

concepts, security safeguards, guidelines, risk management approaches, actions, training,

best practices, assurance and technologies that can be used to protect the cyber

environment and organization and user’s assets’’[3], and this was officially acknowledged

for further incorporation in activities pertaining to building confidence and security in the use

of ICTs in the Resolution 181 of 2010. The same document recognizes that ‘‘the definition of

cyber security may need to be modified from time to time to reflect changes in policy’’, thus

emphasizing a dynamic stance taken by the UN agency.

In their analysis of the stalemate in forming a global governance regime for the internet,

Mueller et al. (2007) identify the absence of an agreed-upon set of basic principles and

norms for internet governance as the main obstacle in proceeding further. This also

concerns the lack of common definitions that could represent the foundations of discussions

for the establishment of a ‘‘framework convention’’ similar to the climate change convention

under the UN umbrella. In the case of the UNGA, this also appears to be the case for the past

decade of internet security negotiations, in spite of the reaffirmation of urgency of actions

needed.

In the different UNGA resolutions up to 2011, the preferred wording for the vulnerabilities and

dangers posed by the advent of ICTs is ‘‘threats’’. Notably, resolution 64/211, adopted in

2010, emphasized the ‘‘increasingly transnational nature’’ of cyber-threats. This contrasts

sharply with the much more frequent employment of ‘‘risks’’ rather than ‘‘threats’’ in the

wording of ITU resolutions. The difference between the two implies a differentiated course of

action, as threats are understood as direct and imminent, whereas risks are indirect, more

distant, unintended (Rasmussen, 2001) and, as such, are prone to the elaboration of

long-term risk management strategies rather than to the implementation of security

measures under extraordinary conditions.

The most comprehensive reference to this type of insecurity is to be found in ITU

Resolution 181, which cautiously mentions the ‘‘potential emergence of new and unforeseeable risks

and vulnerabilities in relation to confidence and security in the use of ICTs’’. The focus on

risks in the ITU framework can be inscribed in the redefinition of the role of this specialized

body of the UN after the WSIS process. In this direction, it is worth noting a subsequent

modification occurring in 2010 in the wording of the UNGA resolution 53/70: the phrase

‘‘possible measures to limit the threats emerging in this field’’ is changed to ‘‘possible

strategies to address the threats emerging in this field’’. This reveals two underlying

considerations: first, that it is not enough to limit threats, and a comprehensive approach

might be needed; second, that strategies would be preferred to measures, which tend to be

more punctual and require less long-term planning.

Entitlement to participation

Over time, there has been a gradual recognition that states are not the only participants in

securing the cyberspace. In 2000, the ‘‘need for cooperation between states and private

industry to combat misuse of ICTs’’ was acknowledged in resolution 55/63, but this was not

included in the recommendations made to member states at that point. Two years later,

participants in the cyberspace are explicitly identified and mentioned in the following order:

‘‘Governments, businesses, other organizations and individual users who develop, own,

provide, manage, service and use information systems and networks (‘participants’)’’ in

UNGA resolution 57/239. Once identified, the participants are also attributed responsibility;

according to the same 2002 resolution, the participants ‘‘must assume responsibility for and

take steps to enhance the security of these information technologies, in a manner

appropriate to their roles’’. At the same time, each state is empowered to ‘‘determine its own

critical information infrastructure’’ and the resolutions are intended to address first and

foremost other states, rather than contributing to creating global norms reflecting a global

vision for preventing and combating cyber-risks.

In UNGA resolution 58/199 of 2003, the term ‘‘stakeholders’’ is used for the first time,

implying more leverage for inclusion in the decision-making processes. ITU Resolution 174

from 2010 extends this further, to ‘‘Member States and relevant ICT stakeholders, including

geospatial and information service providers’’. Resolution 64/211 of 2010 acknowledges the

mandate of the IGF, ‘‘reiterating that all Governments should have an equal role and

responsibility for international Internet governance’’. The 2010 report of the GGE brings up

‘‘cooperation between states, and between states, the private sector and civil society’’,

making a first explicit reference to civil society as an equal player in the global governance of

security in the cyber-environment. The report also talks about ‘‘threat actors’’, pointing out

that ‘‘of increased concern are individual, groups or organizations, including criminal

organizations, that engage as proxies in disruptive online activities on behalf of others’’. In

that sense, the security concerns are distanced from the logic of linear threats and

vulnerabilities originating by default outside the state, as was the case in the traditional

understanding of security (Buzan, 1991).

The report takes a state-centric perspective, and its recommendations are focused primarily

on national views regarding ICT security, national legislation and best practices exchange.

The report also invites member states to ‘‘discuss norms pertaining to State use of

information and communication technologies, to reduce collective risk and protect critical

national and international infrastructures’’ as well as ‘‘finding possibilities to elaborate

common terms and definitions relevant to United National General Assembly resolution

64/25’’. In the foreword to the 2010 GGE report, the UN Secretary General hints at an

important role being played by intergovernmental fora such as the UNGA in ‘‘making

information technology and telecommunications more secure, both nationally and

internationally’’. The GGE comprises representatives of 15 countries, selected based on

geographical considerations: the USA, Russia, China, the UK, France, Belarus, Brazil,

Estonia, India, Israel, Italy, Qatar, the Republic of Korea and South Africa. The group was

convened with the mandate ‘‘to continue to study existing and potential threats in the sphere

of information security and possible cooperative measures to address them, as well as

concepts aimed at strengthening the security of global information and telecommunications

systems’’ and will hold its last meeting in June 2013 in New York.

Conclusions

Over the years, internet security has evolved from a local concern to a national security

interest and more recently, a foreign policy priority. By now, all important regional and global

organizations have held meetings to discuss and propose actions towards enhancing the

protection of the cyberspace, in recognition of the transnational nature of internet-related

threats. More recently, cyber-attacks like Stuxnet, Duqu or Flame have made the headlines

as ‘‘use of force instances’’ based on weaponized computer codes (Farwell and Rohozinski,

2012, p. 107), thus spotlighting the need for multilateral actions in this field. While the

literature on the topic is considerably skewed towards assessing the role of the state, the

way in which cyber-protection is handled reflects much more a networked governance

approach, both in terms of regular operations and in times of crisis (Mueller et al., 2013).

Moreover, the concept of sovereignty and domestic approaches have come into question in

light of cloud computing developments.

The present analysis has unveiled the embryonic state of international cyber security

cooperation within two institutional fora, the UNGA and ITU. In the UNGA agenda, internet

security has been primarily approached from a national perspective, rather than as an

international issue to build consensus around. This analysis has revealed that, in the initial

phase, only limited efforts have been made to provide a shared understanding of what

security in the cyberspace means, and who is entitled to participate in its governance.

The stalemate in current negotiations has stemmed from different visions regarding internet

security, in particular between two of the most active states on internet security in the UNGA,

the USA and Russia. As a new issue domain, cyber security is still an arena of contestation,

in which power is asserted not only by states, but also by specialized bodies such as the

ITU, which is increasingly involved in securing the cyberspace. An officially adopted

definition was not agreed on in the UNGA due to differentials in country positioning, and the

strength of the resolutions adopted has been decreased to the minimum common

denominator, as seen in the shift from discussing definitional matters to informing about

country-level measures for cyber defense. A broad definition only came from the ITU in 2008,

recognizing the need for revision at a later point in accordance with changes in policy.

The common actions agreed on between 1998 and 2011 in the UNGA did not involve any

strong commitments from member states, but rather relied on information and best-practice

sharing, or voluntary self-assessment tools. In the discussions, the focus shifted from

defining key terms and concepts and setting the foundations for international negotiations to

reasserting sovereignty and territoriality. A strong role for governments is emphasized in

resolutions, as they address primarily other states; more recently, there is an

acknowledgement that nation-states are not the only stakeholders in this issue domain. At

the same time, the discourse on the role of states in securing the cyberspace has only

gradually evolved to recognize and to assign responsibilities to other actors, such as the

private sector, international organizations or civil society. The parallel processes of building

confidence and consensus have taken divergent paths, being focused on reasserting

sovereignty to the detriment of elaborating an integrated vision for global negotiation

processes.

Notes

1. For this study, ‘‘security in the cyberspace’’ will be used to refer to both information security and

cyber-security (used with differentiated meaning in the UN resolutions).

2. So far, the UNGA has requested the establishment of a Group of Governmental Experts (GGE) in

three instances: in 2004, with the requirement of delivering a report in 2005 (not publicly available);

in 2009, with the request of submitting a report in 2010 following three expert meetings (taken into

account in the present study); and in 2012, pursuant to Resolution 65/41 from December 8, 2010.

3. The complete definition reads as follows: ‘‘Cybersecurity is the collection of tools, policies, security

concepts, security safeguards, guidelines, risk management approaches, actions, training, best

practices, assurance and technologies that can be used to protect the cyber environment and

organization and user’s assets. Organization and user’s assets include connected computing

devices, personnel, infrastructure, applications, services, telecommunications systems, and the

totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to

ensure the attainment and maintenance of the security properties of the organization and user’s

assets against relevant security risks in the cyber environment. The general security objectives

comprise the following: availability; integrity, which may include authenticity and non-repudiation;

confidentiality’’ (ITU-T X.1205, 2007, p. 2).

References

Bendrath, R. (2003), ‘‘The America cyber-angst and the real world – any link?’’, in Latham, R. (Ed.),

Bombs and Bandwidth: The Emerging Relationship Between Information Technology and Security,

The New Press, New York, NY.

Buckland, B., Schreier, F. and Winkler, T. (2010), ‘‘Democratic governance challenges of cybersecurity’’,

DCAF Horizon 2015 Working Paper No. 1, available at: www.dcaf.ch/Publications/Democratic-Governance-Challenges-of-Cyber-Security

Buzan, B. (1991), People, States, and Fear: An Agenda for International Security in the Post-Cold War

Era, 2nd ed., Harvester Wheatsheaf, London.

Chertoff, M. (2008), ‘‘The cybersecurity challenge’’, Regulation & Governance, Vol. 2 No. 4, pp. 480-484.

Deibert, R. (2012), ‘‘Distributed security as cyber strategy: outlining a comprehensive approach for

Canada in the cyberspace’’, research paper, Canadian Defense & Foreign Affairs Institute, Calgary.

Deibert, R. and Rohozinski, R. (2010), ‘‘Risking security: policies and paradoxes of cyberspace

security’’, International Political Sociology, Vol. 4 No. 1, pp. 15-32.

Dunn Cavelty, M. and Mauer, V. (2007), ‘‘The role of the state in securing the information age –

challenges and prospects’’, in Dunn Cavelty, M., Mauer, V. and Krishna-Hensel, S.F. (Eds), Power and

Security in the Information Age: Investigating the Role of the State in Cyberspace, Ashgate, Burlington,

VT.

Dunn Cavelty, M. and Rolofs, O. (2010), ‘‘From cyberwar to cybersecurity: proportionality of fear and

countermeasures’’, paper presented at the Munich Security Conference, February 5, available at:

www.securityconference.de/Program.638+M5183285721d.0.html (accessed June 20, 2012).

Farwell, J. and Rohozinski, R. (2012), ‘‘The new reality of cyber war’’, Survival: Global Politics and

Strategy, Vol. 54 No. 4, pp. 107-120.

Franklin, M.I. (2007), ‘‘NGOs and the ‘information society’: grassroots advocacy at the UN – a cautionary

tale’’, Review of Policy Research, Vol. 24 No. 4, pp. 309-330.

George, J. (1994), Discourses of Global Politics: A Critical (Re)Introduction to International Relations,

Lynne Rienner Publishers, Boulder, CO.

Gruenberg, J.S. (2009), ‘‘An analysis of the United Nations Security Council Resolutions: are all

countries treated equally?’’, Case Western Reserve Journal of International Law, Vol. 41 Nos 2/3,

pp. 469-511.

Hansen, L. and Nissenbaum, H. (2009), ‘‘Digital disaster, cyber security, and the Copenhagen School’’,

International Studies Quarterly, Vol. 53, pp. 1155-1175.

Harknett, R.J. and Stever, J.A. (2011), ‘‘The new policy world of cybersecurity’’, Public Administration

Review, Vol. 71 No. 3, pp. 455-460.

Hathaway, O., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W. and Spiegel, J. (2012), ‘‘The law of

cyber-attack’’, California Law Review, Vol. 100 No. 4, pp. 817-886.

Karns, M. and Mingst, K. (2004), International Organizations: The Politics and Processes of Global

Governance, Lynne Rienner Publishers, Boulder, CO.

Markoff, J. (2012), ‘‘Killing the computer to save it’’, New York Times, October, Vol. 30, p. D1.

Maurer, T. (2011), ‘‘Cyber norm emergence at the United Nations – an analysis of the activities at the UN

regarding cyber-security’’, Discussion Paper 2011, Belfer Center for Science and International Affairs,

John F. Kennedy School of Government, Harvard University, Cambridge, MA.

Mueller, M., Mathiason, J. and Klein, H. (2007), ‘‘The internet and global governance: principles and

norms for a new regime’’, Global Governance, Vol. 13, pp. 237-254.

Mueller, M., Schmidt, A. and Kuerbis, B. (2013), ‘‘Internet security and networked governance in

international relations’’, International Studies Review, Vol. 15 No. 1, pp. 86-104.

Nye, J. (2010), ‘‘Cyber power’’, discussion paper, Belfer Center for Science and International Affairs,

John F. Kennedy School of Government, Harvard University, Cambridge, MA.

Nye, J. (2011), The Future of Power, Public Affairs, New York, NY.

Radu, R. (2012), ‘‘The monopoly of violence in the cyberspace: challenges of cybersecurity’’, in Fels, E.,

Kremer, J.-F. and Kronenberg, K. (Eds), Power in the 21st Century: International Security and

International Political Economy in a Changing World, Springer, New York, NY, pp. 137-150.

Rasmussen, M.V. (2001), ‘‘Reflexive security: NATO and International Risk Society’’, Millennium: Journal

of International Studies, Vol. 30 No. 2, pp. 285-309.

Singh, J.P. (2011), ‘‘Negotiating internet governance: security implications of multilateral approaches’’,

in Clunan, A. and Trinkunas, H.A. (Eds), Ungoverned Spaces: Alternatives to State Authority in an Era of

Softened Sovereignty, Stanford University Press, Stanford, CA.

Sommer, P. and Brown, I. (2011), Reducing Systemic Cybersecurity Risk, Organisation for Economic

Co-operation and Development, Paris.

Sterner, E. (1996), ‘‘Digital Pearl Harbor: national security in the information age’’, National Security

Studies Quarterly, Summer, Georgetown School of Foreign Service, Washington, DC.

Talbot, D. (2006), ‘‘The internet is broken’’, Technology Review, available at:

www.technologyreview.com/news/405318/the-internet-is-broken (accessed 20 October 2012).

Yannakogeorgos, P. (2009), ‘‘Technogeopolitics of militarization and security in cyberspace’’,

PhD dissertation, Rutgers University, New Brunswick, NJ.

Corresponding author

Roxana Radu can be contacted at: roxana.radu@graduateinstitute.ch
