05 January 2023
Peer review mechanisms are widely used to facilitate the implementation of regulations and guidelines in various policy areas, including, for example, cybersecurity certification or ICT risk assessment. Such mechanisms might also offer a new approach to the challenges of implementing the UN norms of responsible state behaviour in cyberspace. In this short two-part article, we reflect on the potential benefits and limitations of peer reviews for advancing UN cyber norms, taking lessons from other areas of global governance into consideration.
State behaviour is often inconsistent with, or even in violation of, UN cyber norms. For example, some states turn a blind eye to ransomware groups operating from within their territory. In other cases, states are unable to prevent ICT misuse and resulting effects across borders due to a lack of administrative and technical resources. Russia’s war of aggression against Ukraine seems to have cast further doubts on the viability of UN cyber norms given frequent attacks on critical ICT infrastructures or the open endorsement of private hackers. In short, norm implementation suffers from both geopolitical tensions and unequal access to resources.
Against this backdrop, it has become even more important that future norm implementation is credible, reassuring, and impartial, to counter any allegations of injustice and politicisation. Furthermore, implementation efforts should encompass, or at least facilitate, international capacity-building efforts. Finally, technology evolves constantly, and so do opportunities for malicious cyber operations, which poses an additional challenge to regulatory efforts. Norm implementation mechanisms therefore need to allow for feedback loops that identify and address regulatory gaps, loopholes, or unforeseen consequences arising from the rapidly changing cybersecurity landscape.
The OECD defines peer review as a "systematic examination and assessment of the performance of a State by other States, with the ultimate goal of helping the reviewed State improve its policy-making, adopt best practices, and comply with established standards and principles." Such mechanisms follow a similar structure: states share information about their compliance with norms in a specific policy field, and that information is then assessed by other states on the basis of commonly agreed procedures. For example, the Anti-Corruption Convention deploys a peer review among OECD states, creating transparency. In the field of trade policy, the WTO uses the "Trade Policy Review Mechanism" as a pivotal instrument to monitor the implementation of agreed trade policy principles by member states. Further, the African Union (AU) relies heavily on a peer review mechanism to address national and transnational problems across policy areas. How could such a process be applied to cybersecurity, particularly among non-like-minded countries and beyond the regional level? What procedures could realistically be expected to advance UN cyber norms under the most unfavourable geopolitical conditions?
Ideally, a peer review mechanism should be based on undisputed standards and indicators for measuring degrees of compliance. This is no easy task when it comes to international cybersecurity. The differentiation between actions (offensive and defensive) and capacities, as well as the attribution of malicious behaviour, is fraught with difficulties given the nature of cyberspace. Yet, while this complicates the task of monitoring compliance with some cyber norms, for example the pledge not to target critical infrastructures, it does not make it insurmountable in every aspect. In fact, civil society and academic efforts to provide indicators of state compliance with each of the 11 UN cyber norms are already underway, for example in the context of creating a Cyber Peace Index. It is also worth recalling that norm implementation processes almost always face challenges of measuring and monitoring compliance, from arms control verification to limits on the use of natural resources. Even if states do not initially agree on standards and indicators, peer review mechanisms, by their very iterative nature, can facilitate the gradual development and acceptance of monitoring and assessment frameworks over time. For example, the so-called Universal Periodic Review (UPR), which monitors human rights compliance by UN member states, was established well after the conclusion of the foundational international human rights treaties.