Summary

• GCC states seek to be leaders in digital innovation, but this leaves them vulnerable to an increasing range of cyberthreats. Governments have invested significantly in cybersecurity but these measures have been unevenly implemented, makingit difficult for these states to be resilient against a large-scale cyber incident.
• Strategies, structures and processes (‘approaches’) for achieving cyber resilience can be conceptualized along a scale from centralized to distributed: centralized approaches maintain decision-making power in a single body, while distributed ones disperse power over many sites.
• Centralized approaches provide more resilience against unwanted influence, while distributed approaches provide more resilience against intrusions into infrastructure. The GCC states have so far prioritized centralized over distributed cyber resilience, seeking internet and social media control over sustainable network recovery.
• GCC governments should make a sustainable commitment to cyber resilience that provides clear guidance to organizations and makes best use of emerging cybersecurity structures. This may involve further engagement with international initiatives and partners to increase cyber resilience.
• Given limited resources, GCC governments should rebalance their efforts from centralized towards distributed approaches to resilience.
• GCC governments should examine the impact of relevant new technologies, discussing openly the risks of these technologies and appropriate solutions.

Fifteen years ago it would be unthinkable for cyber security to top the list of priorities at the annual US-China Security and Economic Dialogue, as it did last week. But, in the intervening years, cyber technologies and the internet have become fundamental tools for everything from running critical infrastructure such as energy grids and satellite systems, to political, economic and social interactions. Given the pace of change, it should not surprise us that we have barely started to understand how to govern this new order and manage the global internet in ways that both empower and protect us.

In response, Chatham House and Routledge (part of the Taylor & Francis Group) are launching the Journal of Cyber Policy, addressing a rapidly changing situation and connecting creative, technical and policy experts.

Informing the growing security challenges of an interconnected digital world, this new peer-reviewed journal will provide a valuable resource to decision-makers in the public and private sectors grappling with the challenges of cyber security, online privacy, surveillance and internet access. The journal will offer informed and rigorous thinking, supported by the journal’s internationally renowned editorial board.

'The Journal of Cyber Policy will empower experts with new thinking and diverse ideas delivered in a way which is practically relevant as well as academically rigorous,' Dr Patricia Lewis, research director, International Security Department at Chatham House and co-editor of the journal, said. 'It will change the game for those working on cyber issues.' 

'As the preferred publisher for think tanks around the world, we are proud to be Chatham House’s partner on this new journal, which seeks to address issues that touch upon all our lives on a daily basis,' said Leon Heward-Mills, Global Publishing Director (Journals) at Taylor & Francis Group.

The Journal of Cyber Policy launches on the evening of 2 July at a reception at Chatham House.

The risk of a serious cyber attack on civil nuclear infrastructure is growing, as facilities become ever more reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, according to a major new report from Chatham House.

Cyber Security at Civil Nuclear Facilities: Understanding the Risks is the result of an 18-month study that draws on in-depth interviews with 30 leading industry practitioners based in more than eight countries. It found that the trend to digitization, when combined with a lack of executive-level awareness of the risks involved, means that nuclear plant personnel may not realize the full extent of their cyber vulnerability and are thus inadequately prepared to deal with potential attacks. 

Specific findings include:                

• The conventional belief that all nuclear facilities are ‘air gapped’ (isolated from the public internet) is a myth. The commercial benefits of internet connectivity mean that a number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of.
• Search engines can readily identify critical infrastructure components with such connections.
• Even where facilities are air gapped, this safeguard can be breached with nothing more than a flash drive.
• Supply chain vulnerabilities mean that equipment used at a nuclear facility risks compromise at any stage.
• A lack of training, combined with communication breakdowns between engineers and security personnel, means that nuclear plant personnel often lack an understanding of key cyber security procedures.
• Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.

In the light of these risks, the report outlines a blend of policy and technical measures that will be required to counter the threats and meet the challenges. 

Recommendations include:

• Developing guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account.
• Engaging in robust dialogue with engineers and contractors to raise awareness of the cyber security risk, including the dangers of setting up unauthorized internet connections.
• Implementing rules, where not already in place, to promote good IT hygiene in nuclear facilities (for example to forbid the use of personal devices) and enforcing rules where they do exist.
• Improving disclosure by encouraging anonymous information sharing and the establishment of industrial CERTs (Computer Emergency Response Team).
• Encouraging universal adoption of regulatory standards.

The COVID-19 pandemic is having a profound impact on the cybersecurity landscape - both amplifying already-existing cyber threats and creating new vulnerabilities for state and non-state actors. The crisis has highlighted the importance of protecting key national and international infrastructures, with the World Health Organization, US Department of Health and Human Services and hospitals across Europe suffering cyber-attacks, undermining their ability to tackle the coronavirus outbreak. Changing patterns of work resulting from widespread lockdowns are also creating new vulnerabilities for organizations with many employees now working from home and using personal devices to work remotely.

In light of these developments, the panellists will discuss the evolving cyber threats resulting from the pandemic. How are they impacting ongoing conversations around cybersecurity? How can governments, private sector and civil society organizations work together to effectively mitigate and respond to them? And what could the implications of such cooperation be beyond the crisis? 

This event is part of a fortnightly series of 'Business in Focus' webinars reflecting on the impact of COVID-19 on areas of particular professional interest for our corporate members and giving circles.

Not a corporate member? Find out more.

In April 2018, the Commonwealth Heads of Government Meeting (CHOGM), held in London, saw the creation and the adoption of the Commonwealth Cyber Declaration. The declaration outlines the framework for a concerted effort to advance cybersecurity practices to promote a safe and prosperous cyberspace for Commonwealth citizens, businesses and societies. 

The conference will aim to provide an overview on the progress made on cybersecurity in the Commonwealth since the declaration was announced in 2018. In addition, it will examine future challenges and potential solutions going forward.

This conference is part of the International Security Programme's project on Implementing the Commonwealth Cybersecurity Agenda and will convene a range of senior Commonwealth representatives as well as a selection of civil society and industry stakeholders. This project aims to develop a pan-Commonwealth platform to take the Commonwealth Cyber Declaration forward by means of a holistic, inclusive and representative approach.

Please see below meeting summaries from previous events on Cybersecurity in the Commonwealth:  

• A cyberspace that supports economic and social rights online (London)
• Build the foundations of an effective national cybersecurity response (Barbados)
• Promote stability in cyberspace through international cooperation (Addis Ababa)

Attendance at this event is by invitation only. 

The GCC states have invested significantly in cybersecurity and have made large strides in protecting governments, businesses and individuals from cyber threats, with the aim of delivering on their ambitious national strategies and future visions. However, several challenges to cybersecurity and cyber resilience in the region persist, putting those ambitious plans at risk.

These challenges include the uneven nature of cybersecurity protections, the incomplete implementation of cybersecurity strategies and regulations, and the issues around international cooperation. Such challenges mean that GCC states need to focus on the more difficult task of cyber resilience, in addition to the simpler initial stages of cybersecurity capacity-building, to ensure they harness the true potential of digital technologies and mitigate associated threats.

Set against this background, this workshop will explore opportunities and challenges to cyber resilience in the GCC focusing on four main pillars:

1. Cyber resilience: in concept and in practice
2. Building an effective cybersecurity capacity
3. The potential of regional and international cooperation to cyber resilience
4. Deterrence and disruption: different approaches

This event will be held in collaboration with the Arab Regional Cybersecurity Centre (ARCC) and OMAN CERT.

PLEASE NOTE THIS EVENT IS POSTPONED UNTIL FURTHER NOTICE. 

The World Health Organization, US Department of Health and Human Services, and hospitals in Spain, France and the Czech Republic have all suffered cyberattacks during the ongoing COVID-19 crisis.

In the Czech Republic, a successful attack targeted a hospital with one of the country’s biggest COVID-19 testing laboratories, forcing its entire IT network to shut down, urgent surgical operations to be rescheduled, and patients to be moved to nearby hospitals. The attack also delayed dozens of COVID-19 test results and affected the hospital’s data transfer and storage, affecting the healthcare the hospital could provide.

In the UK, the National Health Service (NHS) is already in crisis mode, focused on providing beds and ventilators to respond to one of the largest peacetime threats ever faced. But supporting the health sector goes beyond increasing human resources and equipment capacity.

Health services ill-prepared

Cybersecurity support, both at organizational and individual level, is critical so health professionals can carry on saving lives, safely and securely. Yet this support is currently missing and the health services may be ill-prepared to deal with the aftermath of potential cyberattacks.

When the NHS was hit by the Wannacry ransomware attack in 2017 - one of the largest cyberattacks the UK has witnessed to date – it caused massive disruption, with at least 80 of the 236 trusts across England affected and thousands of appointments and operations cancelled. Fortunately, a ‘kill-switch’ activated by a cybersecurity researcher quickly brought it to a halt.

But the UK’s National Cyber Security Centre (NCSC), has been warning for some time against a cyber attack targeting national critical infrastructure sectors, including the health sector. A similar attack, known as category one (C1) attack, could cripple the UK with devastating consequences. It could happen and we should be prepared.

Although the NHS has taken measures since Wannacry to improve cybersecurity, its enormous IT networks, legacy equipment and the overlap between the operational and information technology (OT/IT) does mean mitigating current potential threats are beyond its ability.

And the threats have radically increased. More NHS staff with access to critical systems and patient health records are increasingly working remotely. The NHS has also extended its physical presence with new premises, such as the Nightingale hospital, potentially the largest temporary hospital in the world.

Radical change frequently means proper cybersecurity protocols are not put in place. Even existing cybersecurity processes had to be side-stepped because of the outbreak, such as the decision by NHS Digital to delay its annual cybersecurity audit until September. During this audit, health and care organizations submit data security and protection toolkits to regulators setting out their cybersecurity and cyber resilience levels.

The decision to delay was made to allow the NHS organizations to focus capacity on responding to COVID-19, but cybersecurity was highlighted as a high risk, and the importance of NHS and Social Care remaining resilient to cyberattacks was stressed.

The NHS is stretched to breaking point. Expecting it to be on top of its cybersecurity during these exceptionally challenging times is unrealistic, and could actually add to the existing risk.

Now is the time where new partnerships and support models should be emerging to support the NHS and help build its resilience. Now is the time where innovative public-private partnerships on cybersecurity should be formed.

Similar to the economic package from the UK chancellor and innovative thinking on ventilator production, the government should oversee a scheme calling on the large cybersecurity capacity within the private sector to step in and assist the NHS. This support can be delivered in many different ways, but it must be mobilized swiftly.

The NCSC for instance has led the formation of the Cyber Security Information Sharing Partnership (CiSP)— a joint industry and UK government initiative to exchange cyber threat information confidentially in real time with the aim of reducing the impact of cyberattacks on UK businesses.

CiSP comprises organizations vetted by NCSC which go through a membership process before being able to join. These members could conduct cybersecurity assessment and penetration testing for NHS organizations, retrospectively assisting in implementing key security controls which may have been overlooked.

They can also help by making sure NHS remote access systems are fully patched and advising on sensible security systems and approved solutions. They can identify critical OT and legacy systems and advise on their security.

The NCSC should continue working with the NHS to enhance provision of public comprehensive guidance on cyber defence and response to potential attack. This would show they are on top of the situation, projecting confidence and reassurance.

It is often said in every crisis lies an opportunity. This is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.

It is an opportunity to lead a much-needed cultural change showing cybersecurity should never be an afterthought.

The COVID-19 pandemic is having a profound impact on the cybersecurity landscape - both amplifying already-existing cyber threats and creating new vulnerabilities for state and non-state actors. The crisis has highlighted the importance of protecting key national and international infrastructures, with the World Health Organization, US Department of Health and Human Services and hospitals across Europe suffering cyber-attacks, undermining their ability to tackle the coronavirus outbreak. Changing patterns of work resulting from widespread lockdowns are also creating new vulnerabilities for organizations with many employees now working from home and using personal devices to work remotely.

In light of these developments, the panellists will discuss the evolving cyber threats resulting from the pandemic. How are they impacting ongoing conversations around cybersecurity? How can governments, private sector and civil society organizations work together to effectively mitigate and respond to them? And what could the implications of such cooperation be beyond the crisis? 

This event is part of a fortnightly series of 'Business in Focus' webinars reflecting on the impact of COVID-19 on areas of particular professional interest for our corporate members and giving circles.

Not a corporate member? Find out more.

Over the past couple of decades, cyberspace has evolved to become a truly global digital communication space. Managed by a multitude of state and non-state actors, it has enabled a huge range of positive innovations and developments. However, it has also become an arena of intense international competition and rivalry – a reflection of its increasing economic and political importance and broader geopolitical tensions. Despite a number of efforts and some progress in the United Nations and other forums, there are still disagreements on key issues between major powers on how to achieve responsible behaviour in cyberspace.

In light of this, the panel will explore how state and non-state actors can work together to encourage responsible behaviour in cyberspace. What challenges do various actors face in implementing agreed upon norms and principles? Is the existing global model for reaching an agreement a non-starter? What are the remaining challenges around attribution, accountability and enforcement? And what is the role for civil society, the private sector and NGOs in this debate?

This event is for Chatham House members only. Not a member? Find out more.

It is becoming widely accepted that we have transitioned, or are now transitioning, from an international liberal order to a different reality. Whether that reality is different solely in terms of power dynamics, or also in terms of values and institutions, is up for discussion. The growing body of literature on ‘post-liberalism’ is used as an entry-point for this article, which aims to explore how the post-liberal transition applies to cyberspace. We explore how power dynamics are evolving in cyberspace, as well as how established norms, values and institutions are contested. The article then looks at the emergence of cyber diplomacy as a consequence and response to the post-liberal transition. As it will be argued, if cyberspace was a creation of the liberal order, cyber-diplomacy is a post-liberal world practice. What role it plays in shaping a new order or building bridges between different political visions, and what it means for the future of cyberspace, will constitute key points of discussion.

The COVID-19 pandemic is having a profound impact on the cybersecurity landscape - both amplifying already-existing cyber threats and creating new vulnerabilities for state and non-state actors. The crisis has highlighted the importance of protecting key national and international infrastructures, with the World Health Organization, US Department of Health and Human Services and hospitals across Europe suffering cyber-attacks, undermining their ability to tackle the coronavirus outbreak. Changing patterns of work resulting from widespread lockdowns are also creating new vulnerabilities for organizations with many employees now working from home and using personal devices to work remotely.

In light of these developments, the panellists will discuss the evolving cyber threats resulting from the pandemic. How are they impacting ongoing conversations around cybersecurity? How can governments, private sector and civil society organizations work together to effectively mitigate and respond to them? And what could the implications of such cooperation be beyond the crisis? 

This event is part of a fortnightly series of 'Business in Focus' webinars reflecting on the impact of COVID-19 on areas of particular professional interest for our corporate members and giving circles.

Not a corporate member? Find out more.

Over the past couple of decades, cyberspace has evolved to become a truly global digital communication space. Managed by a multitude of state and non-state actors, it has enabled a huge range of positive innovations and developments. However, it has also become an arena of intense international competition and rivalry – a reflection of its increasing economic and political importance and broader geopolitical tensions. Despite a number of efforts and some progress in the United Nations and other forums, there are still disagreements on key issues between major powers on how to achieve responsible behaviour in cyberspace.

In light of this, the panel will explore how state and non-state actors can work together to encourage responsible behaviour in cyberspace. What challenges do various actors face in implementing agreed upon norms and principles? Is the existing global model for reaching an agreement a non-starter? What are the remaining challenges around attribution, accountability and enforcement? And what is the role for civil society, the private sector and NGOs in this debate?

This event is for Chatham House members only. Not a member? Find out more.

Over the past couple of decades, cyberspace has evolved to become a truly global digital communication space. Managed by a multitude of state and non-state actors, it has enabled a huge range of positive innovations and developments. However, it has also become an arena of intense international competition and rivalry – a reflection of its increasing economic and political importance and broader geopolitical tensions. Despite a number of efforts and some progress in the United Nations and other forums, there are still disagreements on key issues between major powers on how to achieve responsible behaviour in cyberspace.

In light of this, the panel will explore how state and non-state actors can work together to encourage responsible behaviour in cyberspace. What challenges do various actors face in implementing agreed upon norms and principles? Is the existing global model for reaching an agreement a non-starter? What are the remaining challenges around attribution, accountability and enforcement? And what is the role for civil society, the private sector and NGOs in this debate?

This event is for Chatham House members only. Not a member? Find out more.

It is becoming widely accepted that we have transitioned, or are now transitioning, from an international liberal order to a different reality. Whether that reality is different solely in terms of power dynamics, or also in terms of values and institutions, is up for discussion. The growing body of literature on ‘post-liberalism’ is used as an entry-point for this article, which aims to explore how the post-liberal transition applies to cyberspace. We explore how power dynamics are evolving in cyberspace, as well as how established norms, values and institutions are contested. The article then looks at the emergence of cyber diplomacy as a consequence and response to the post-liberal transition. As it will be argued, if cyberspace was a creation of the liberal order, cyber-diplomacy is a post-liberal world practice. What role it plays in shaping a new order or building bridges between different political visions, and what it means for the future of cyberspace, will constitute key points of discussion.

Cyber intrusions do not respect international borders. At this event, the attorney general will discuss how to apply and shape international law in order to ensure the rules-based international system can adapt to the threats – and opportunities – posed by cyber into the future.

 

Rapid technological change raises urgent questions around equity, transparency, privacy and security. 

We are looking at the human rights dividend from new technologies as well as how international human rights law standards, for example on freedom of thought, expression and privacy, guide the use of digital technology in the electoral context.

International law applies to cyber operations – but views differ on exactly how. Does state-sponsored interference in another state's affairs using cyber means – for example,  disinformation campaigns in elections, disabling government websites, or disrupting transport systems – breach international law? If so, on what basis and how are the principles of sovereignty and non-intervention relevant? States are increasingly attributing cyber operations to other states and engaging in the debate on how international law applies, including circumstances that would justify countermeasures.

As states meet to debate these issues at the UN, the panel will explore how international law regulates cyberoperations by states, consider the prospects of progress at the UN, and assess the value of other initiatives.

This event coincides with the launch of a Chatham House research paper which analyses how the principles of sovereignty and intervention apply in the context of cyberoperations, and considers a way forward for agreeing a common understanding of cyber norms.

This event will bring together a broad group of actors, including policymakers, the private sector, legal experts and civil society, and will be followed by a drinks reception.

 

Summary

• The vast majority of state-to-state cyberattacks consist of persistent, low-level intrusions that take place below the threshold of use of force. International law, including the principle of non-intervention in another state’s internal affairs and the principle of sovereignty, applies to these cyber operations.
• It is not clear whether any unauthorized cyber intrusion would violate the target state’s sovereignty, or whether there is a threshold in operation. While some would like to set limits by reference to effects of the cyber activity, at this time such limits are not reflected in customary international law. The assessment of whether sovereignty has been violated therefore has to be made on a case by case basis, if no other more specific rules of international law apply.
• In due course, further state practice and opinio iuris may give rise to an emerging cyber-specific understanding of sovereignty, just as specific rules deriving from the sovereignty principle have crystallized in other areas of international law.
• Before a principle of due diligence can be invoked in the cyber context, further work is needed by states to agree upon rules as to what might be expected of a state in this context.
• The principle of non-intervention applies to a state’s cyber operations as it does to other state activities. It consists of coercive behaviour by one state that deprives the target state of its free will in relation to the exercise of its sovereign functions in order to compel an outcome in, or conduct with respect to, a matter reserved to the target state.
• In practice, activities that contravene the non-intervention principle and activities that violates sovereignty will often overlap.
• In order to reach agreement on how international law applies to states’ cyber operations below the level of use of force, states should put their views on record, where possible giving examples of when they consider that an obligation may be breached, as states such as the UK, Australia, France and the Netherlands have done.
• Further discussion between states should focus on how the rules apply to practical examples of state-sponsored cyber operations. There is likely to be more commonality about specific applications of the law than there is about abstract principles.
• The prospects of a general treaty in this area are still far off. In due course, there may be benefit in considering limited rules, for example on due diligence and a prohibition on attacking critical infrastructure, before tackling broad principles.

In discussions to date about how international law applies in cyberspace, commentators have tended to focus their attention on how the rules on the use of force, or the law of armed conflict, apply to cyber activities conducted by states that give rise to physical damage, injury or death.

But in practice, the vast majority of state cyberattacks fall below this threshold. Far more common are persistent, low-level attacks that may leave no physical trace but that are capable of doing significant damage to a state’s ability to control its systems, often at serious economic cost.

Such cyber incursions might include network disruptions in the operation of another government’s websites; tampering with electoral infrastructure to change or undermine the result; or using cyber means to destabilize another state’s financial sector.

For these kinds of cyber operation, the principle of sovereignty, and the principle of non-intervention in another state’s internal affairs, are the starting point.

A UN Group of Government Experts (GGE) agreed in 2013 and 2015 that the principles in the UN Charter, including sovereignty and the prohibition on intervention in another state’s affairs, apply to states’ activities in cyberspace. The 2015 GGE also recommended eleven (non-binding) norms of responsible state behaviour in cyberspace.

However, states have not yet reached agreement on how to apply these principles. Until recently, there has also been very little knowledge of what states actually do in cyberspace, as they usually conduct cyber operations covertly and have been reluctant to put their views on record.

A new Chatham House research paper analyses the application of the principles of sovereignty and non-intervention to state cyberattacks that fall below the principle of use of force. As well as analysing the application of the law in this area, the paper also makes recommendations to governments on how they might best make progress in reaching agreement in this area.

Existing rules or new rules?

As the research paper makes clear, there is currently some debate, principally between countries in the West, about the extent to which sovereignty is a legally binding rule in the context of cyberspace and, if so, how it and the principle of non-intervention might apply in practice.

In the last few years, certain states have put on record how they consider international law to apply to states’ activities in cyberspace, namely the UK, Australia, France and the Netherlands. While there may be some differences in their approaches, which are discussed in the paper, there also remains important common ground: namely, that existing international law already provides a solid framework for regulating states’ cyber activities, as it regulates every other domain of state-to-state activity.

There is also an emerging trend for states to work together when attributing cyberattacks to hostile states, enabling them to call out malign cyber activity when it violates international law. (See, for example, the joint statements made in relation to the NotPetya cyber attack and malicious cyber activity attributed to the Russian government).

However, other countries have questioned whether existing international law as it stands is capable of regulating states’ cyber interactions and have called for ‘new legal instruments’ in this area.

This includes a proposal by the Shanghai Cooperation Organization (led by Russia and China) for an International Code of Conduct on Information Security, a draft of which was submitted to the UN in 2011 and 2015, without success. The UN has also formed a new Open-Ended Working Group (OEWG) under a resolution proposed by Russia to consider how international law applies to states’ activities in cyberspace.

The resolution establishing the OEWG, which began work earlier this year, includes the possibility of the group ‘introducing changes to the rules, norms and principles of responsible behaviour of States’ agreed in the 2013 and 2015 GGE reports. In the OEWG discussions at the UN in September, several countries claimed that a new legal instrument was needed to fill the ‘legal vacuum’ (Cuba) or ‘the gap of ungoverned areas’ (Indonesia).

It would be concerning if the hard-won consensus on the application of international law to cyberspace that has been reached at past GGEs started to unravel. In contrast to 2013 and 2015, the 2017 meeting failed to reach an agreement.

On 9 December, a renewed GGE will meet in New York, but the existence of the OEWG exploring the same issues in a separate process reflects the fact that cyber norms have become an area of geopolitical rivalry.

Aside from the application of international law, states are also adopting divergent approaches to the domestic regulation of cyberspace within their own territory. The emerging trend towards a ‘splinternet’ – i.e. between states that believe the internet should be global and open on the hand, and those that favour a ‘sovereignty and control’ model on the other  – is also likely to make discussions at the GGE more challenging.

Distinct from the international law concept of sovereignty is the notion of ‘cybersovereignty’, a term coined by China to describe the wide-ranging powers it assumes under domestic law to regulate its citizens’ access to the internet and personal data within its territory. This approach is catching on (as reflected in Russia’s recently enacted ‘Sovereign Internet Law’), with other authoritarian states likely to follow suit.

The importance of non-state actors

In parallel with regional and UN discussions on how international law applies, a number of initiatives by non-state actors have also sought to establish voluntary principles about responsible state behaviour in cyberspace.

The Global Commission on the Stability of Cyberspace, a multi-stakeholder body that has proposed principles, norms and recommendations to guide responsible behaviour by all parties in cyberspace, recently published its final report. The Cybersecurity Tech Accord  aims to promote collaboration between tech companies on stability and resilience in cyberspace. President Macron’s ‘Paris Call for Trust and Security in Cyberspace’ has to date received the backing of 67 states, 139 international and civil society organizations, and 358 private-sector organizations.

It remains to be seen in the long term whether the parallel processes at the UN will work constructively together or be competitive. But notwithstanding the challenging geopolitical backdrop, the UN GGE meeting next week at the least offers states the opportunity to consolidate and build on the results of past meetings; to increase knowledge and discussion about how international law might apply; and to encourage more states to put their own views of these issues on the record.