On November 21, 2019, the EU Cyber Direct Project in cooperation with the Institute for Technology & Society of Rio organized the Brazil-EU Consultations on Preventing Conflict in Cyberspace at the Itamaraty Palace in Rio de Janeiro. Taking place between the first substantive meeting of the United Nations Open-Ended Working Group (OEWG) in September and the first meeting of the sixth United Nations Group of Governmental Experts (UNGGE) in December 2019, the consultations brought together a group of leading governmental and non-governmental experts from Brazil and the European Union (EU) to discuss under Chatham House rules both sides’ positions on cyber resilience, norms, confidence-building measures (CBMs) and capacity building.
Following opening remarks by the Ambassador of the EU to Brazil, H.E. Ignacio Ybáñez, and the keynote by the Chair of the UNGGE, H.E. Guilherme Patriota, panelists in the first panel Building Cyber-resilient Societies and States took stock of how both sides perceive the proliferation of cyber threats to their respective networks, and what legislation and strategies both introduce to build cyber resilience. A draft of Brazil’s new national cybersecurity strategy had just been submitted for public consultation, and participants learned that it sought to streamline previous doctrines such as the 2010 Green Book on Cybersecurity, the 2015 Information and Communications Security and Cyber Security Strategy of the Federal Public Administration, and the 2018 National Policy of Information Security. Meanwhile, EU member states are in the process of fully implementing the EU’s Network and Information Security Directive (NIS) adopted in 2016 to increase cyber capabilities and enhance EU-level information sharing. Moreover, the EU Cybersecurity Act came into force in June 2019, strengthening the mandate of the EU Cybersecurity Agency (ENISA) and establishing an EU-wide cybersecurity certification framework. Confronted with uncertainty regarding security implications of technologies such as artificial intelligence and risks associated with 5G rollouts, participants highlighted the need to protect the internet’s public core, find innovative institutional arrangements and regional solutions, and link cybersecurity and broader digital development initiatives.
The second panel on Promoting Responsible Behavior in Cyberspace Globally focused on both sides’ positions in the UNGGE and OEWG. Participants acknowledged that Brazil and EU member states contributed significantly to previous UNGGEs’ success in establishing consensus that international law applies to cyberspace and were committed to achieving progress in both groups by further clarifying how specific international legal regimes and rules apply to cyber operations. The discussion examined regimes and rules relevant for peacetime cyber operations such as attribution, countermeasures, non-intervention and sovereignty as well as those relevant for wartime cyber operations such as self-defence and international humanitarian law. Participants highlighted the need to maintain a relatively narrow focus on issues related to international security, involve multiple stakeholders in clarifying and implementing norms, and find synergies between the various international and transnational cybersecurity norms initiatives. It was noted that the evolving practice of governments to publicly state how international law applies increases transparency, and that a collection of these statements could be published, e.g. as an annex to the OEWG final report. Assessments of national and regional state practices could guide global norms discussions. Moreover, UN-level negotiations could help identify what capacities are required to effectively implement cyber norms.
In the third panel on Working Together to Prevent Conflict in Cyberspace, participants exchanged best practices of designing tools to diplomatically prevent, attribute and respond to malicious cyber activities, which form a part of implementing the UNGGE norms, and explored leverage for joint attribution, CBMs and sanctions. For example, the Council adopted the cyber diplomacy toolbox in June 2017, which defined stability, cooperative, preventive and restrictive measures, ranging from political statements and technical assistance to CBMs and targeted sanctions against individuals and entities, a restrictive measure which was developed further in conclusions on a sanctions regime in May 2019. The EU also improved information sharing by setting up its CSIRT Network and the European Cyber Crime Center and developing a blueprint for emergency responses. Similarly, the new Brazilian cybersecurity strategy draft highlights measures Brazil will adopt to further enhance international engagement including regional CBMs, building on Brazil’s previous contributions to regional confidence building activities organized by the Organization of American States. In contrast, the strategy excludes restrictive diplomatic measures such as sanctions. Participants suggested that future Brazil-EU cyber dialogue should continue to exchange best practices, for example on specific norms, increase information sharing, and collaborate on CBMs, certification efforts and cybersecurity awareness campaigns. This broadened dialogue could include multiple stakeholders, run anticipatory scenario training and clearly operationalize its underlying foreign policy goals.
Finally, the fourth panel on Developing Fit-for-purpose Cyber Capacities examined political, technical, institutional and regulatory capacity building initiatives in Brazil and the EU as well as in third countries. Participants widely acknowledged that effective capacity building helps prevent the escalation of conflicts and build resilience in cyberspace, and thus supports the UNGGE framework for responsible state behavior. Both sides are engaged in assisting other states in developing national cybersecurity strategies, setting up national CERTs/CSIRTs, and increasing critical infrastructure protection and awareness. Participants cautioned that CERT cooperation, a crucial component of capacity building recommended in the 2015 UNGGE report, is often misunderstood as a ‘low hanging fruit’ in international discussions, but in fact is a sensitive, political exercise that requires trust. Both sides shared the lesson that capacity building best operates from the bottom up, as high-level cyber defence is dependent on various lower-level components of cyber capacity such as basic cyber hygiene and education, and that cybersecurity capacity building should be more structurally linked to broader national development and digital strategies and the protection of human rights, including international projects such as the 2030 Sustainable Development Goals. Brazil and Europe could deepen collaboration by helping the international community to develop a directory mapping demand and supply of capacity building and draft international standards for cybersecurity training.
Overall, the consultations helped to enhance mutual understanding of the quickly evolving cyber diplomacy postures in Brazil and the EU, identify convergences in the diplomatic positions on future negotiations on an open, free, and secure cyberspace, and build bridges between multiple stakeholders by including non-governmental voices in the governmental norms-building processes. More information can be found in the concept note.