Exclusive: Who decides on responsible state behaviour online?

By Nurfilzah Rohaidi

Interview with Johanna Weaver, Australia’s representative to the UN Group of Experts on Cyber and Special Adviser to the Ambassador for Cyber Affairs, Australia.

“As more and more states are exerting power and influence in cyberspace, we need to make sure that we are very clear about the rules of the road,” warns Johanna Weaver.

Weaver is Australia’s representative to the United Nations’ Group of Governmental Experts on cyber, and believes that there is a contrast between governance of the physical and virtual worlds. The “rules of engagement” for countries in the physical world are very clear, she says, but this is not the case in the cyber world - and her work is trying to change that.

State-sponsored cyber attacks are on the rise, and there is an urgent need to set standards. “We’re seeing an increasing call to promote responsible behavior by countries and companies in this space,” Weaver says. She is working with the UN to provide “clear and practical guidance” to nations on the do’s and don’ts of cyberspace across borders.

Setting the rules of the road

Cyber is tethered to the physical world and should be treated in that way, she says. “What states do in cyberspace will have a flow-on impact on international peace, security and stability”. The devastating impact of a hack of a country’s energy grid, public transport network, or healthcare system is quite clear. At the same time, cyber incidents have been ranked the most important business risk in the APAC region by the Allianz Risk Barometer 2020.

At the time of this December interview, Weaver was in New York for a meeting of UN member states alongside industry, civil society and academia to discuss the responsible use of ICT and cyber tools by states.

This meeting is part of ongoing work to design a framework of responsible state behaviour in cyberspace. In September last year, Australia’s Department of Foreign Affairs and Trade (DFAT) released a joint statement together with 26 other countries, including the UK and US, saying that they would commit to whatever is agreed.

There are four parts to the framework. First, international law applies to states’ conduct in cyberspace. Second, 11 agreed “norms” set clear expectations of responsible state behavior during peacetime. Third, confidence-building measures by nations will help strengthen transparency, predictability and stability. Finally, cyber capacity building will help ensure that all states can lower the risks of increased connectivity, while still benefiting from it.

🎵 Wanna find out which countries have been naughty or nice in cyberspace this year? Which ones have been acting in accordance with the #UN Framework for Responsible Behaviour in #Cyberspace? We are making a list, and checking it twice... 🎶 pic.twitter.com/ZJJjAtrtZo

— Johanna Weaver (@_JohannaWeaver) December 22, 2019

Singapore has been a “driving force” in ASEAN for this space, Weaver says. The New York meeting, which she describes as “historic”, was chaired by Singapore’s Cyber Security Agency. “As usual, Singapore is front and centre in these discussions,” Weaver says, adding that “it's also really important that the ASEAN voices are heard in discussion.”

Her home nation of Australia is playing a key role in ASEAN capacity-building, she says. It is leading a $35 million programme to work with countries to manage cyber incident responses, respond to cybercrimes, and protect human rights and democracy online. “It’s actually working with countries to ensure that they understand international obligations,” Weaver says.

What not to do in cyber

One of the agreed norms says that states should not use ICT to damage the critical infrastructure of another state. Governments can “make public declarations that they are not going to do that”, Weaver says.

How can states respond if other states misbehave? The response cannot be “retaliatory”, she emphasises, as “whether it's in cyberspace or whether it's in the physical world, much of your response to it would be the same”.

So a likely response to another state’s malicious activity could take the form of expelling diplomats; sanctions; law enforcement measures; or a combination of these. “It’s saying, I am responding to this action because it is a violation, and I am responding in accordance with the international rules based order that I'm seeking to uphold,” Weaver explains.

We talk a lot about #cyber norms, but what are they? EVERY country in the world has endorsed the norms in this clip. The #UNCyberGGE & #UNCyberOEWG sld now prioritise clear guidance and practical support to ensure ALL countries implement ALL of these norms ALL the time! pic.twitter.com/TF76BFRjtk

— Johanna Weaver (@_JohannaWeaver) December 3, 2019

Ultimately, the internet cannot function as the Wild West. The UN’s work here is crucial. “What we’re looking at is promoting a peaceful and a stable online environment,” she says, “so that we can all continue to use the internet safely”.