02/2021 - Executive Summary
The second quarter of 2021 with its series of inter-governmental summits has made it obvious that the topic of Internet governance has arrived on the high stage of world politics. Digitisation and cybersecurity have become problems that preoccupy heads of state and government and trigger political controversies between states. Thus, priorities and approaches in the search for solutions to the global challenges associated with the Internet have shifted in recent years.
In terms of priorities, the management of critical Internet resources – once a controversial issue – no longer is the central issue. Today, the main focus is on security and stability in cyberspace and on structuring and shaping a digital global economy. The issue of human rights in the digital age – especially freedom of expression and protection of privacy – remains a perennial political conflict, but is increasingly being pushed to the margins of the Internet debate. New on the agenda are the political implications of the development of artificial intelligence and the future of digital technical standards.
In terms of approach, only a few years ago the focal question was whether the Internet should preferably be governed through multistakeholder arrangements or (inter-governmental) multilateral treaties. The argument that dominated in the 2010s, stating that in principle “multistakeholderism” and “multilateralism” are no contradictions, still holds. However, in the 2010s, the reasoning was that in the complex global Internet governance ecosystem, inter-governmental relations and contractual arrangements between governments were embedded in a “multistakeholder environment”. Today, this argument is increasingly being turned upside down. More and more people are of the opinion that it is the “multistakeholder model” that is embedded in the dominant multilateral system of inter-governmental international relations. Governments are gradually assuming the leading role.
The developments in the second quarter of 2021 confirm this trend. The majority of governments – from the US to China – acknowledge the special role of the private sector, academia, the technical community and civil society in the evolution of the Internet. They also support an “appropriate” involvement of non-governmental stakeholders in searching solutions to Internet-related problems. However, when it comes to concrete inter-governmental negotiations, non-state actors play an increasingly smaller role, whereby there are considerable gradations that go beyond nuances. While China and Russia are very reluctant and keep a great distance from non-state actors, Western states support the “multistakeholder model” in bodies such as the UN, albeit with reservations and emphasising the special role of governments. This applies above all to negotiations on cyber security, but also to discussions on topics such as digital trade and digital taxation. Even in the discussion about future technologies, such as artificial intelligence, cloud computing or new digital technical standards – until recently a field reserved almost exclusively for scientists and technicians – governments are increasingly pushing to the fore. This “powershift” also becomes visible in the fact that more and more governments are considering creating an independent “digital ministry” and establishing the post of “cyber ambassador” in their foreign ministries. The US appointed Chris Painter to the State Department as the first “cyber ambassador” in 2009 under the Obama administration. This appointment became a model for many other governments. Painter is now President of the Global Forum on Cyber Expertise (GFCE) in The Hague.
Summit Diplomacy
In the second quarter of 2021, the powershift between state and non-state players became particularly obvious at a series of summits of the G7, the NATO, the EU and at the meeting of the US and Russian presidents, Joe Biden and Vladimir Putin, in June 2021. The private sector, academia and the civil society were not admitted to these meetings. The change in approach could also be noticed in the initiatives and projects that were announced by the EU Commission in Q2/2021, in particular in the field of governance of artificial intelligence:
The shift is also visible in the negotiations on cyber security at the United Nations. In the UN, the governments play the decisive role, even though serious efforts are being made in the new negotiations in the Open Ended Working Group (OEWG) and in the new Cybercrime Ad Hoc Committee – the two groups are new inter-governmental negotiation strands on cyber war (mandate until 2025) and cyber crime (mandate until 2023) – to find a way to achieve “appropriate” interaction between governments and non-state stakeholders.
The same applies to the economic sphere, where the long-awaited breakthrough regarding the global digital tax was achieved in Q2/2021. In the final rounds of the negotiations, which had been going on for years within the OECD and G20 with companies being involved at expert level, only governments sat at the negotiation table.
At the “highlights” of the summit week in June 2020, non-state players had no voice. But it was there that the decisive course was set for the future evolution of the global Internet governance ecosystem.
- At the G7 meeting, the heads of state and government emphasised that the design and structure of cyber space was of crucial importance for the future of humanity. The governments committed themselves to promoting the development of a digital ecosystem that reflects the values of the Western world. “We commit to preserve an open, interoperable, reliable and secure Internet, one that is unfragmented, supports freedom, innovation and trust which empowers people.”
- At the NATO summit, the heads of state and government reaffirmed the decisions of previous NATO summits that “cyber” is a separate dimension of defence alongside land, air and sea, and that Article 5 of the NATO Treaty, which declares an attack on one NATO country to be considered an attack on all NATO countries, also applies to cyber attacks.
- At the US-EU summit, a uniform policy was agreed despite differing opinions regarding several regulation projects – ranging from data privacy to artificial intelligence – also with a view to China and Russia. The EU-US Trade and Technology Council (TTC) was established as a new vehicle to reach this aim.
- At the summit meeting of US President Joe Biden and the Russian President Vladimir Putin cyber attack was at the top of the agenda. The two sides agreed to start bilateral cyber consultations.
Development of Digital Technical Standards Against The Background Of New Threats
The immense push the Covid-19 pandemic has given to global digitisation (home office, home schooling, online shopping, video conferencing, data trading, etc.) has also increased the vulnerability of digital society. With the soaring use of Internet services, misuse of the Internet grew proportionally. Cyber crime, cyber attacks on state and non-state institutions, cyber espionage and cyber sabotage, disinformation and hate campaigns recorded enormous growth rates last year. In Q2/2021, particularly prominent examples of this development were criminal attacks with ransomware against the Colonial Pipeline and the JBS meat factories. The militarisation of cyberspace has intensified.
Given this background, the degree to which entire societies and economies are depending on a functioning Internet infrastructure is becoming ever more evident. As many of these attacks on companies and public institutions come from outside, the responsibility of governments to combat organised cybercrime within their territory is growing. Assuming that responsibility was one of the core demands of US President Joe Biden at his Geneva summit with Russian President Putin. Biden did not hold the Russian government responsible for individual attacks on American companies, but demanded that Putin take criminal action against cyber gangs operating from Russian territory. The extent to which the temporary disappearance of the REvil gangs operating from Russian territory has to do with the US-Russian agreement in Geneva to begin bilateral cyber consultations is the subject of public international speculation. In this respect, the Geneva agreement could also mark the beginning of a new phase in global cyber diplomacy. Immediately after the summit, experts from both sides – albeit at a low level and behind closed doors – began initial consultations.
The debates about misuse of the Domain Name System for cross-border criminal and political activities will have consequences for the technical management of critical Internet resources in the medium term. The uninterrupted availability of a working Internet infrastructure and non-discriminatory access to critical Internet resources – domain names, IP addresses, root servers – as well as guaranteed integrity of Internet-based communication services, regardless of their content and purpose, is increasingly becoming an essential security issue for a functioning society and economy. In this respect, it is not surprising that the more technical problems of Internet development are once again in the crossfire of political discussions.
The virtual G7 Digital Ministers Meeting on 28 April adopted the first-time-ever separate declaration of the G7 on the development of digital technical standards. The “G7 Digital and Technology Ministerial Declaration” includes an Annex 1 titled “Framework for G7 Collaboration on Digital Technical Standards”. On the one hand, the Declaration supports “industry-led, inclusive multi-stakeholder approaches for the development of digital technical standards in line with our core values”, on the other hand, however, it also emphasizes “that governments play an important role in supporting standardisation that bolsters open societies and democratic values in specific areas of digital technical standards development”. With their Declaration, the G7 respond to multiple initiatives, mainly by authoritarian states like China, Russia, the United Arab Emirates or Saudi-Arabia, within the ITU, where the states plan to develop new Internet standards by means of inter-governmental agreements.
There are numerous study groups in the ITU-T that are preparing standards for things like smart cities, facial recognition, surveillance software and New IP. Proposals from the ITU-T study groups are submitted to the World Telecommunication Standardization Assembly (WTSA), which takes place every four years. The next WTSA is scheduled for February 2022 in Hyderabad. Standards adopted by the WTSA are usually accepted as “world standards”. In particular, China's proposal to negotiate a new Internet protocol in the ITU-T Study Group 13, with the long-term aim to replace the TCP/IP protocol which has been in operation since 1974, caused quite a political stir. China initially submitted its proposal for a new Internet protocol to the IETF, where it was rejected. Via an “ITU Focus Group” (ITU-T-FG), the paper, the authors of which include Huawei and the Chinese Ministry of Technology (MIIT), later found its way to the ITU-T Study Group 13. Although the proposal was rejected by the ITU-T SG 13 in March 2021, it cannot be ruled out that the issue of digital technical standards for the Internet will be brought up again at various levels, including at the WTSA in February 2022.
With their proposal, the G7 obviously want to prevent the ITU and the IETF from being played off against each other. However, the positioning of the G7 countries on digital technical standards issues is a double-edged sword. It may have the unintended side effect of putting governments in a “supervisory role” over autonomously and independently operating technical standardisation organisations (SDOs) such as IETF, IEEE, W3C, 3GPP and others. To avoid this, however, the non-governmental SDOs must deliver excellent results to prove their effectiveness and exclusivity. This is a major challenge for the entire broader “Internet community”, which, at the latest since the IANA transition in September 2016, has an obligation to act and must publicly demonstrate that the multistakeholder processes and procedures work and are flexible enough to be adapted to new challenges, e.g. concerning cyber security or technical excellence. Only if the multistakeholder model for Internet governance can be further developed and solutions can be offered for the constantly emerging problems, will state supervision remain permanently redundant.
Here are the most important events and processes of the second quarter of 2021 in the four core areas of the global Internet governance ecosystem (cyber security, digital economy, human rights, technological development):
Cyber Security
In addition to the results of the various summits in June 2021, also the agreement within the UN on the final report of the 6th UN GGE in May 2021 was of particular importance. The very fact that, unlike in 2017, when the 5th UN GGE report fell through, the major cyber powers were able to reach a consensus is crucial with a view to the growing international tensions in cyber space. While the 2021 GGE report does not contain any new commitments, it opens the door for further negotiations under the expanded mandate of the Open Ended Working Group (OEWG). The new OEWG had its inaugural meeting on 1 June 2021 in New York. It has a mandate until 2025, which means that for the first time there is now a permanent body within the UN framework that deals with cyber security issues. The ambassador of Singapore, Burhan Gafoor, was elected as chair.
Another new beginning in the field of cyber security marks the decision of the 75th UN General Assembly to start drafting a UN Convention against Cybercrime. The new UN convention is planned to be complete by 2023. An “Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes” was created to reach this aim. The new Cybercrime Ad Hoc Committee (CAHC) had its inaugural meeting on 10 May 2021 in New York. Algerian Ambassador Faouzia Boumaiza Mebarki became chair of the group. Western countries had urged for years to strengthen the 2001 Council of Europe Budapest Convention on Cybercrime as a universal instrument in the fight against cyber crime. However, with only 65 ratifications, the Budapest Convention lacked universal support. Countries such as China, Russia, Brazil and India, as well as the majority of developing African countries, have rejected the Convention, arguing that they were not involved in its drafting in 2001. The African Union (AU) had adopted its own African cyber security convention in 2014. However, this AU convention was also only signed by eleven AU members. Therefore, it is not surprising that a new beginning is planned against the background of the soaring increase in international cybercrime. The mandate of the new “Cybercrime Ad Hoc Committee” states that fundamental experiences of the existing “regional agreements” are to be incorporated into the new UN convention. Thus, the Budapest Convention is part of the basis for negotiations. Nevertheless, the agreed timetable to have the new UN Convention ready for signature by 2023 is extremely ambitious.
Digital Economy
The most outstanding event in the second quarter of 2021 in the field of digital economy was the general basic agreement about the introduction of a global digital tax was reached. The G7 Financing Ministers agreed at their meeting on 5 June 2021 in London to support the “BEPS Inclusive Framework” the OECD had worked out after several years of negotiating. At the G7 summit in Carbis Bay on 13 June 2021, the agreement was ratified. This is remarkable in so far as the US had left the negotiations in June 2020 under the Trump administration. The Biden administration did not only return to the negotiation table but fully supports the content of the BEPS concept. The French Minister for Finances, Bruno Le Maire, called the agreement on a global digital tax a “centennial reform”.
The BEPS framework agreement is based on two pillars (Pillar 1 & 2): a global minimum tax and a digital tax. The draft will be discussed in further detail at the G20 Finance Ministers meeting in Venice in early July 2021. It is expected that the negotiation of the final technical details within the OECD can be brought to a close by autumn 2021 and that the new tax system can be adopted before the end of 2021.
As regards the negotiations on a possible WTO agreement on digital trade, there was no progress to report in the 2nd quarter. A WTO workshop on 6 May 2021 discussed the consequences of the Covid-19 pandemic for the future of digital trade. The workshop once again confirmed the urgency of a global agreement on digital data trade. There is general optimism that a positive outcome in the form of a cornerstone agreement for a new digital trade treaty can be expected to be reached at the 13th WTO Ministerial Conference in Geneva in November 2021.
Within the framework of the “UN Decade of Action” (2020 – 2030) for implementing the Sustainable Development Goals (SDGs), the President of the 75th UN General Assembly Vladim Boskic arranged two high-calibre thematic discussions in April and May 2021. In these discussions, the close interconnection of digitisation and sustainable development was emphasised. They also dealt in great detail with the new challenges of the post-Covid-19 era. It was pointed out that the 3.5 billion people who do not yet have access to the Internet suffered in a special way from the effects of the pandemic. To overcome this persistent digital divide by 2030, infrastructure investments of 428 billion US$ were stated to be required.
Human Rights
One important event in the second quarter of 2020 was the RightsCon held from 20 to 27 June 2021, which is one the largest Internet conferences in the world. The RightsCon expressively deals with promoting human rights in the digital age. Particularly worth to be mentioned is the fact that a joint statement of ten UN Special Rapporteurs was published within the framework of the conference. In this document, the UN diplomats explicitly advocate more sustainable respect and protection of human rights, especially freedom of expression and privacy, and warn that measures to combat the Covid-19 crisis are being misused to permanently restrict digital rights. The government of Denmark used RightsCon to announce the launch of a new project called “Technology for Democracy”. A conference is to be held on this topic in Copenhagen in November 2021. The civil society organisation “Access Now”, who organises the RightsCon, launched a campaign on 5 June 2021 to ban biometric facial recognition systems worldwide.
Another important signal was the declaration of the Finish and the US government on 15 May 2021 at a diplomatic network conference at the UN in New York that they were going to strengthen the Freedom Online Coalition (FOC), which also actively supports the protection of human rights in cyberspace. The Finnish government will hold an international conference on this in Helsinki in December 2021.
Technology
Negotiations on artificial intelligence regulation received a significant boost in Q2/2021. The European Commission presented its AI regulatory package on 22 April 2021. The package is the result of years of discussions at various levels within the EU and reflects the recommendations of several independent expert commissions. However, a binding EU directive is not expected to be adopted before 2023. The EU proposal, though, met with a divided response internationally. On the one hand, the pioneering role of the EU Commission was appreciated. The EU's AI package could become a model for other states and regions, similar to the General Data Protection Regulation (GDPR). On the other hand, there were warnings against over-regulation of a topic whose consequences are not yet clear.
Progress was also made in the two major international codification projects within the Council of Europe (CAHAI) and UNESCO (AHEC). The Council of Europe has decided to draft a convention that is binding under international law. A draft text should be available by November 2021. UNESCO has opted for a legally non-binding recommendation. The recommendation shall be adopted by the 41st UNESCO General Conference in Paris in November 2021.
The Global Partnership on Artificial Intelligence (GPAI), which was newly established in 2020, held a virtual mid-year review on 30 June 2021, led by Canadian Minister of Innovation, Science and Industry Francois-Philippe Champagne. The 2nd GPAI Summit is scheduled for 11 and 12 November 2021 in Paris. The GPAI operates on the basis of the OECD Recommendations of May 2019.
Regarding the topic of technical standardisation, the debate was raised to a new level by the statement of the G7 Digital Ministers, as already discussed in detail above.
Inter-governmental Level
At the inter-governmental level, the following activities and events in the second quarter of 2021 are particular worth mentioning:
- At the G7 summit on 13 June 2021 in Carbis Bay, the topics of cyber security and digital economy were discussed in great detail. The summit supported the proposals for a global digital tax (BEPS Inclusive Framework). The proposal of the G7 Digital Ministers for a framework on digital standards of April 2021 was ratified;
- The NATO summit on 14 June 2021 in Brussels confirmed the importance of “cyber” as the fourth dimension of collective defence of the North Atlantic Treaty Organization and repeated that a cyber attack on one NATO country was to be considered an attack on all NATO countries;
- The US-EU summit on 15 June 2021 in Brussels led to the formation of a new technology council (“US-EU Trade and Technology Council”);
- At the summit of US President Joe Biden and Russian President Vladimir Putin on 16 June 2021 in Geneva, it was agreed to start joint consultations on cyber security issues;
- On 12 April the sixth Group of Governmental Experts (6th. UN-GGE), which is operating under the 1st Committee of the United Nations, agreed on a final report;
- On 1 June 2021, the new Open Ended Working Group (OEWG) emerged. With this group, the UN has its first permanent body that deals with cyber security issues. The ambassador of Singapore, Burhan Gafoor, was elected as chair. The mandate of the group is initially limited until 2025;
- On 10 May 2021, the new Cybercrime Ad Hoc Committee (CAHC) had its inaugural meeting. The Committee shall draft a UN convention on countering cyber crime by 2023. Algerian Ambassador Faouzia Boumaiza Mebarki was appointed chair of the group;
- The office of the UN Technology Envoy of UN Secretary-General António Guterres further consolidated its work. The appointment of Fabrizio Hochschild as UN Technology Envoy, however, is still pending. The office is temporarily headed by the Assistant Secretary-General of UNDESA, Maria-Francesca Spatolisano;
- Under the Italian G20 presidency, meetings of the G20 Finance Ministers (originally planned for the start of July 2021 in Venice) and of the G20 Digital Ministers (originally planned for the start of August 2021 in Trieste) were prepared. The G20 summit meeting will be held in October 2021 in Rome;
- Under the Indian BRICS Presidency, a Joint Statement on “Strengthening and Reforming the Multilateral System” was adopted by the BRICS Foreign Ministers on 1 June 2021, calling for greater involvement of the BRICS countries and developing countries in global decision-making processes. This demand also applies to the global management of critical Internet resources;
- The Shanghai Cooperation Organisation (SCO) celebrated its 20th anniversary in Beijing on 16 June 2021 and extended its cooperation agreement with the Chinese Internet group Alibaba to the education sector;
- After the meeting of the G7 Finance Ministers, the OECD presented another progress support on 30 June 2021 for the meeting of the G20 Finance Ministers at the start of July in Venice;
- The European Commission presented its package for governing artificial intelligence. A new Joint Cyber Unit for strengthening cyber security of the EU member states was created;
- On 21 June 2021, the Ad Hoc Committee on Artificial Intelligence (CAHAI) of the Council of Europe presented a report on the results of its multistakeholder consultations and recommended to start drafting a legally binding convention on artificial intelligence;
- The draft of the UNESCO‘s Ad Hoc Expert Group (AHEG) of a legal instrument on the “ethics of artificial intelligence” was completed on 30 June 2021 and has been submitted to the 193 UNESCO member states for commenting. The draft shall be adopted in November 2021 at the 41st Session of the UNESCO General Assembly;
- For the WSIS Forum of ITU in May 2021, about 50,000 attendants had registered. Discussed was the implementation of the WSIS Action Lines;
- In her half-year report to the OSCE Plenary Session in May 2021, the OSCE Representative on Freedom of the Media, Teresa Ribeiro, regretted the increase in disinformation campaigns on the Internet and reported a growing number of attacks on journalists of both online and offline media.
Multistakeholder Level
At the multistakeholder and non-state-level, the following major activities and events in the second quarter of 2021 are particularly worth mentioning:
- At the second round of the IGF-MAG Consultations in June 2021, the program for the 17th session of the IGF in the Polish city of Katowice in December 2021 was adopted;
- At a briefing on 15 June 2021, UNDESA informed that it was preparing the launch of a “Multistakeholder High Level Body” (MHLB). The MHLB was to build bridges within the framework of the IGF reform (IGF+) between the multistakeholder IGF discussions and the multilateral negotiations between governments on digital topics;
- At a meeting in New York in June 2021, the governments of the US and Finland declared that they intended to intensify their commitment to the Freedom Online Coalition (FOC) and to develop the FOC into a more effective instrument for promoting human rights in cyber space. On the occasion of the 10th anniversary of the FOC in December 2021, a ministerial conference is planned to be held in Helsinki;
- The Munich Security Conference (MSC) presented its annual “Munich Security Report” in June 2021. The report states digital disasters and cyber attacks to be one of the seven most severe threats the world will have to face in the coming years;
- At a consultative meeting on 16 June 2021, the Global Forum on Cyber Expertise (GFCE) decided to hold its annual conference at the end of November/start of December 2021.
- The Charter of Trust (COT) initiated by Siemens gathered for a second collaboration week in June 2021. The topic was defending against cyber attacks on global supply chains.
- The Tech Accord initiated by Microsoft presented its annual report on 5 May 2021. The number of members to the Tech Accord has risen from originally 34 to more than 150. The Tech Accord will take over the task of coordinating a working group on cyber security within the scope of the Paris Call for Trust and Security in Cyberspace;
- In June 2021, the tenth RightsCon took place. With more than 10,000 participants from 164 countries it was the largest RightsCon ever. In the margins of the conference, the ten UN Special Rapporteurs adopted a “Joint Statement” in which they advocate the protection of human rights in the times of the pandemic;
- The second anniversary of the adoption of the Christchurch Call was marked by a high-caliber conference, which reported about the progress made in fighting terrorism and extremism on the Internet;
- The Oversight Board appointed by Facebook continues to fight for international acceptance;
- More than 100 internationally acknowledged internal law experts published a statement on international law protections in cyber space (Oxford Statement) on 3 June 2021;
- The Global Partnership on Artificial Intelligence (GPAI) draw a half-year balance at a virtual meeting on 30 June 2021. The 2nd GAIP summit is scheduled for November 2021;
- The CyberPeace Institute in Geneva will participate in the Ransomware Taskforce (RTF). The RTF is going to develop strategies how to destroy the business model of criminal groups in cyber space and help companies affected by their activities;
- The Alliance for Affordable Internet (A4AI) launched a call on 26 April 2021 to bridge the digital divide and bring the remaining 3.5 billion people online by 2030.
Joe Biden, President of the United States of America, Press conference following the meeting with Russian President Vladimir Putin, Geneva, Hôtel du Parc des Eaux-Vives, 16 June 2021I made it clear that we will not tolerate attempts to violate our democratic sovereignty or destabilize our democratic elections, and we would respond. The bottom line is, I told President Putin that we need to have some basic rules of the road that we can all abide by. I also said there are areas where there’s a mutual interest for us to cooperate, for our people — Russian and American people — but also for the benefit of the world and the security of the world. One of those areas is strategic stability. You asked me many times what was I going to discuss with Putin. Before I came, I told you I only negotiate with the individual. And now I can tell you what I was intending to do all along, and that is to discuss and raise the issue of strategic stability and try to set up a mechanism whereby we dealt with it. We discussed in detail the next steps our countries need to take on arms control measures — the steps we need to take to reduce the risk of unintended conflict. And I’m pleased that he agreed today to launch a bilateral strategic stability dialogue — diplomatic speak for saying, get our military experts and our — our diplomats together to work on a mechanism that can lead to control of new and dangerous and sophisticated weapons that are coming on the scene now that reduce the times of response, that raise the prospects of accidental war. And we went into some detail of what those weapons systems were. Another area we spent a great deal of time on was cyber and cybersecurity. I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list, if I’m not mistaken — I don’t have it in front of me — 16 specific entities; 16 defined as critical infrastructure under U.S. policy, from the energy sector to our water systems. Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory. So we agreed to task experts in both our — both our countries to work on specific understandings about what’s off limits and to follow up on specific cases that originate in other countries — either of our countries.