After more than one year of intensive research, the Cyber Program is excited to test the draft findings of a forthcoming report on cyber accountability. The cyber accountability project has examined the experiences of the international community in seeking to address diverse international threats to identify lessons learned in accountability that may be instructive for, or applicable to, cyber security.
In doing so, we have investigated how states and private industries have attempted to regulate or mitigate risks in various other domains and issue areas such as conventional weapons, environmental security, and space.
These non-cyber mechanisms are examined through several case studies that will be featured in the report, leading to several overarching conclusions and considerations for policymakers. The report does not seek to identify or recommend one pathway or model as the “best” option, but rather sets out a range of approaches and considerations for policymakers and seeks to identify accountability mechanisms with the greatest potential value and relevance to addressing cyber gaps and challenges.
Cyber Program staff Allison Pytlak and James Siebens recently returned from a trip to Switzerland, where they led two workshops on the forthcoming report. They met with various UN agencies, government representatives, and non-governmental stakeholders to discuss the concept of accountability and how it might be applied to malicious activity in cyberspace to create more positive incentive structures and better deter dangerous, disruptive, and destructive behaviors. The first workshop, which was hosted by the Canadian Mission to the United Nations in Geneva, focused on the spectrum of “accountability models” identified in the draft report, from legally binding international treaties to voluntary non-binding norms, standards, and market incentives.
As emphasized in the draft report, accountability can take both positive and negative forms: actors may make affirmative commitments to certain policies, norms, and values that can be used to create accountability by evaluating compliance and consistency with prescribed standards of behavior; and binding regimes can be designed to reliably impose costs or penalties for proscribed actions.
Among the workshop participants were two contributors to the report: Moliehi Makumani and Anne-Marie Buzatu, who discussed their case studies on the African Peer Review Mechanism and the International Code of Conduct for Private Security Service Providers (ICoC), respectively. Peer review, including models from the human rights community, was discussed in some depth as a potentially impactful approach to benchmarking international progress toward the implementation of voluntary non-binding norms of responsible state behavior in cyberspace, emphasizing the opportunities for mutual support and cooperation that can come from this type of shared accountability among states. Other prevalent themes included the gaps between international commitments and national capacity; the importance of buy-in and political commitment; challenges within certain frameworks; and about positive versus negative accountability.
The second workshop was hosted by the International Security Division of the Swiss Federation’s Department of Foreign Affairs in Bern, where Pytlak and Siebens also briefed representatives from the Swiss Federal Department of Justice and Police, the Federal Department of Defence, Civil Protection and Sport, and the Swiss Federal Nuclear Safety Inspectorate. In addition to sharing the initial findings from the report, Pytlak and Siebens presented summaries of report case studies dealing with arms control instruments such as the Arms Trade Treaty (ATT) and the Wassenaar Arrangement. The experience of the ATT and Wassenaar Arrangement offer unique insights, including about how to integrate human rights considerations within arms export risk assessment procedures; focusing on use, intentionality, and behavior more than on specific items or technologies; and in relation to confidence-building, information-sharing and engaging with non-governmental stakeholders.
They also highlighted the case study focusing on the Montreux Document, the ICoC, and the International Code of Conduct Association (ICoCA). The key implication of the Montreux Document for cyber is that it reaffirms State responsibility under existing international law for the actions of the private military and security firms they employ, and those based in or operating from their territories. As such, it seeks to reinforce common understandings around key legal obligations for states. The ICoCA offers a natural corollary for the private firms themselves, as ICoCA members also explicitly affirm and acknowledge their obligations to abide by relevant laws and regulations, including international humanitarian law. While they do not constitute binding treaties, in combination the Montreux Document and the ICoCA work together to create accountability by clarifying the international legal obligations of both public and private actors and reaffirming their respective commitments to upholding standards of conduct.
While in Europe, Pytlak participated in the European Cyber Agora in which she moderated a panel on the future of multistakeholder approaches in cyber diplomacy.
A final validation workshop took place in Washington, D.C. on May 3 and was similarly attended by a diverse group of experts from government, research, civil society, and industry. Here, Pytlak and Siebens were joined by Stimson Senior Advisor Debra Decker, Nonresident Fellow Kathryn Rauhut, Research Assistant Shreya Lad, and case study author Zhanna Malekos Smith. Decker and Rauhut spoke to their case studies on UN Security Council Resolution (UNSCR) 1540 and the Montreal Protocol of the Vienna Convention; Malekos Smith presented findings from her research on outer space governance. Participants at this final workshop offered nuance to many of the draft report’s overarching findings, such as on the role of independent monitoring and evaluation; regional initiatives and working in like-minded coalitions; and on attribution.
The report will be released in early July. Details on launch events will be posted on the Cyber Accountability project page when available.
