Following last year’s worst worldwide cyber-attack, which hit nearly 150 countries, the momentum to seek international cybersecurity regulation has been a mind-boggling issue. It is noteworthy that there is neither international regulation nor an intergovernmental organisation on cybersecurity. Just a couple of years before 2017, the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security of the United Nations (UN GGE) initiated cyber security negotiations under the auspices of the UN in response to several cyber-attacks which affected many countries around the world.
The UN GGE, as a group, consisting of representatives of 25 countries, affirmed the applicability of international law to cyberspace. In its report of 2015, it focused specifically on the application of certain principles and norms of international law and proposed a series of rules of responsible behavior of States.
Unfortunately, this UN initiative failed in its cyber security negotiations, hence creating a huge void in international regulation. But, it has shown that action is more urgent than ever. The issue has been whether reflection on standards, good practices and norms should include private sector actors who are often the first victims of cyber-attacks.
It is against that background that the Organisation for Economic Co-operation and Development (OECD) has been considered as being in a better position to drive the solution to the current vacuum in multilateral cybersecurity negotiation.
It is expected that this would create a flexible and inclusive body within the OECD to act as a hub for the various initiatives while promoting close cooperation between States, the private sector and civil society in order to promote standards of responsible conduct in cyberspace.
In recent years, however, States have tackled the problem of cyber security by multiplying initiatives in various intergovernmental organisations, such as the United Nations or the ITU or regional or restricted organisations such as the European Union, the Council of Europe, the African Union (for example, African Union Convention on Cyber Security and Personal Data Protection, which is yet to enter into force) to name but a few. These initiatives are developed in ad hoc frameworks specifically dedicated to cyber-security, where an impressive number of conferences are initiated by States, such as the Global Conference on Cyberspace (GCCS) which has launched the Global Forum on Cyber Expertise (GFCE).
While the need for coordination, coherence and rationalisation of initiatives is evident (as is the need to strengthen confidence-building measures and technical assistance to countries that are lagging behind in cyber security), the OECD positions itself to take the lead. A fundamental question is: how will the OECD succeed if the UN initiative also failed?
To understand the interest that the OECD presents, it is important to be reminded that the recent years have been marked by significant institutional changes in the context of international governance. The creation of international organisations has often been replaced by the creation of more informal international institutions under variable names such as ‘forum’, ‘groups’ (the G7 or the G20 being the best known), which, perhaps, do not really correspond to the conventional definition of the classical intergovernmental organisations but which fulfill their functions with some effectiveness.
There is much flexibility with regard to the powers of these institutions as opposed to intergovernmental organisations, which often lack normative powers, which does not however prevent them from being fora for discussion and negotiation or from taking initiatives such as the adoption of codes of conduct or even “hard law” instruments.
More importantly, the experience of the OECD seems, therefore, particularly interesting. In fact, the OECD, which is an international intergovernmental organisation of the classical type, comprises flexible and autonomous institutions that manage different fields and issues concerning international co-operation.
The OECD has experience of bringing the private sector on board. Just one example is the ‘Corporate Partnership Boards’, which allow the involvement of major private sector players. The OECD also has experience in engaging civil society through organs such as the Civil Society Information Society Advisory Council.
The OECD can play the role of hub and coordinator for the various initiatives while allowing States, the private sector and civil society to work closely together for the development of standards of responsible conduct in cyberspace. The OECD has a real legitimacy in the field of cyber security, in which it has already played a pioneering role. In particular, the OECD adopted the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980 and adopted the recommendation of the Council Concerning Guidelines for the Security of Information Systems, and the 24 OECD Member countries adopted the Guidelines for the Security of Information Systems.
On the diplomatic front the negotiations could, perhaps, be less difficult than within the United Nations. Given its mission and nature, the OECD should not focus on sovereign issues such as self-defense or the law of armed conflict that crystallise opposition between States. Given its wealth of experience, the OECD may be well suited to drive the ‘multi-stakeholder’ approach, which is absolutely essential in effectively promoting digital security for economic and social prosperity.
The writer is a law expert.