Cyber Behavior for Digital Bangladesh: UN GGE Perspective

Bangladesh sets its vision for “Digital Bangladesh” in 2009. Digital Bangladesh based on four pillars named: Digital Government, Human Resource Development, IT Industry Promotion and Connecting Citizen. With this vision, Bangladesh already developed strategies, acts, policies, procedures for governance towards Digital Bangladesh. Moreover, Bangladesh emphasizes on cooperation in cyberspace security by strengthening ties with global bodies and organization. United Nation formulates two groups to develop norms, rules and guidelines for responsible state behavior. These norms intended to all UN member states and Bangladesh will move in preparing towards adopting and practicing.     

Objective

In 2018 United Nation (UN) general assembly (GA), member states urged to formulate some consensus for responsible state behavior for securing use of information technology, so malicious and abuse of this evolving technology can not undermine the UN mission. The growing need of ICT in critical infrastructure, the people’s service dependency upon ICT and some country developing military capacity in ICT, there is growing concern that, ICT will be utilized for military purposes, terrorist group, state or non-state actor can utilize this ultimate ICT revolution to destabilize any country’s critical information infrastructure (CII). So in 28^th May 2021, GGE published its advance copy of consensus report consisting of 11 norms, rules and principles, that are voluntary, non-binding, but responsible state should deploy as guiding principles.    

What is GGE?

Since 1998, in UN agenda, information security issues incorporated, as Russian Federation first discussed a drafted note on information security in the UN GA First Committee. Then in 2004, five GGE studied ICT threats in international security context and the identified threats counter and mitigation process. In 2018, UN general assembly (GA) resolution 73/266, secretary general formed two processes to discuss information security issues and formulate responsible state behavior. One, a Group of Governmental Expert (GGE) and another Open-ended Working Group (OEWG). This was on a request from GA participants to ensure in context for ICT security and risk on internal peace, security, stability and human rights.

The GGE working team focused on the below topics:

• The ICT existing and upcoming threats.
• How to apply existing international law in ICT use and building framework.
• Norms, Principles and Rules for responsible states behavior.
• Measures for Confidence-building.
• Capacity building

Existing and Potential Threats:

World is being increasingly digitalized using ICT and being connected. ICT brings enormous blessings and opportunities for nations around the globe. But GGE noted in previous report that, severe persistent threats identified in ICT including ICT’s malicious use by States and non-State actors. Moreover, attacks in ICT have excelled in scale, scope, sophistication and severity. ICT threats appears may differently in regions, but their impacts can be global.

GGE also reported that, some states enhancing their ICT capabilities in military purposes, that might be utilized in conflicts between states. In addition, malicious activities of ICT by state and non-state actors poses significant risks for national and international peace, stability, safety and security. State actors may use ICT enabled covert information campaign against another country which impacts process and stability of that country.

During the COVID-19 situation, while dramatic increase in ICT dependent services, so risk and consequences at ICT attack also boosting. New technologies are appearing day by day with advanced, ever evolving characteristics, so their attack surfaces and attack vectors also increasing. ICT protection capacities also differ worldwide. People’s awareness, equip themselves with ICT attack mitigation laws, regulation, tools and technologies, reaction to cyber

incident management also varies. GGE added that, ICT can be used for terrorist purposes from recruitment, training, financing and incitement, pose’s another threats to CII and ICT enabled services.   

GGE Principles and Norms: (From GGE advance copy)

1. Norm 13 (a) Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security.
2. Norm 13 (b) In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment, and the nature and extent of the consequences.
3. Norm 13 (c) States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.
4. Norm 13 (d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect.
5. Norm 13 (e) States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression.
6. Norm 13 (f) A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.
7. Norm 13 (g) States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199.
8. Norm 13 (h) States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty.
9. Norm 13 (i) States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions.
10. Norm 13 (j) States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure.
11. Norm 13 (k) States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

International Laws:

GGE states that, international law is the key to prevent conflict and sustaining peace and security. It will also bring confidence among states. International laws and in particular UN charter requires continuous assessment and recommendations. While developing and capacity building in ICT, adherence to international laws and UN charter, can ensure an open, stable, secure, peaceful and accessible ICT environment.

Bangladesh Acts, Policies towards secure cyberspace

Bangladesh already employed several acts and policies for its securing crime in cyber space. The renowned Digital Security Act 2018 is a milestone. Its objectives are to mitigate cybercrime in critical information infrastructure (CII) of governments, along with individual attacks, strengthening national and international collaboration. It includes controlling cyber terrorism in digital media, espionage, offensive crime, electronic transaction fraud, forgery, publication of defamatory information, hurting religious sentiment and many more cybercrime area addressed. Bangladesh government also planned for national ICT and cyber security strategy based on four pillars. Digital privacy act is being developed. So aligning with GGE requirements and UN basic goals, Bangladesh moving towards a secure digital space.   

Confidence Building Measures:

GGE Group states that, confidence-building measures (CBMs) can promote stability and reduce among states misunderstanding, tension escalation and conflict through building and enhancing cooperation among states, transparency, enhancing trust and predictability. It’s a long term commitment and requires UN, regional and sub-regional bodies can contribute to institutionalizing and operationalizing for effective CBM.

GGE outlines two types of CBM activities such as cooperative measures and transparency measures. Cooperative measures such as establishing points of contact (POC) and continuous dialogue and consultation. Transparency measures on the other hand through exchange of national views, make publicly available ICT practice, guidance, procedures. This will reduce misinterpretation, misunderstanding and help organization take good risk management decision.

International Cooperation and Assistance in IT security and Capacity Building:

In this sector, GGE emphasize the importance of international cooperation in ICT knowledge and capacity building that can enhance to sustain ICT development. This cooperation involves other sectors such as academia, private sectors, civil society and technical experts can help states to practice responsible state behavior. GGE also noted international cooperation on following areas:

1. Formulating and implementing national ICT policies, strategies, and programs.
2. Developing computer incident response team (CIRT/ CSIRT/ CERT) and enhancing capacity of CIRT.
3. Boosting capacity, resilience and security of CII.
4. Enhancing technical, legal and procedural capacity of state to detect, investigate and recovery from cyber incident.
5. Building solid understanding on how international laws applies to ICT by exchange views, cooperation and dialogue.
6. Implementing voluntary, non-binding and responsible state behavior.

Conclusion and Recommendation:

The GGE group acknowledges that, with the increasing ICT demand and continuous evolving, international laws and regulation also should be continuing to reevaluate as future challenges and problems arises in ICT arena to cope with. So that the ultimate goal of United Nation, international peace, human rights, security, stability and prosperity are maintained and people get benefited with growing ICT facilities.

For the above mentioned purposes, GGE, with a view to build common understanding and effective implementation of its formerly identified and prescribed recommendation, the group can further approach with greater clarity, so that cooperative measures can address potential and existing threats in cyberspace. The GGE recommendations are: Norms Rules and Principles of responsible state behavior, International Laws, confidence building and International Cooperation and capacity building.