The United Nations Secretary-General has called these ‘dangerous times’, stressing the importance of building trust across actors and agendas, including where the use of information and communication technologies (ICTs) and cyberspace are concerned. The latter is particularly important given our dependency on ICTs, their vulnerability to exploitation, and growing evidence of their use by parties directly and indirectly involved in all kinds of conflicts.

Confidence-building measures (CBMs) are increasingly discussed as tools that can help mitigate the kinds of behaviours and effects that make these dangerous times. They were conceived during the Cold War to address military concerns and ease East-West tensions. While avoiding surprise attack and arms control were the aim of some of these earlier efforts, dialogue, transparency and cooperation around technical matters came to be viewed as key to building a basis of trust for broader political agreements, and for keeping channels of communication open.

In the post-Cold War years, CBMs became a popular tool in the conflict management toolbox, edging their way outside the narrow realm of arms control and inter-state relations. Multiple actors began using the frame of CBMs to build trust, lower the risks of misunderstanding and escalation between conflict parties in all kinds of contexts, including armed conflict, and to provide early warning indicators of potential conflict situations. Track 1.5, track two and track three dialogues have also served important confidence-building purposes, building bridges between actors across countries and regions and allowing for frank discussion below the threshold of formal politics and policy.

More recently, CBMs have become a core feature of international and regional security discussions on ICTs/cyberspace, including the work of the UN Groups of Governmental Experts and the Open-Ended Working Groups on ICTs and international security. The CBMs complement other recommendations and measures on international law, norms and capacity building agreed by UN member states that together constitute an emerging framework for responsible state behaviour where ICTs and cyberspace are concerned. One such CBM involves establishing single points of contact (PoC) to enhance information sharing on cyber-related threats and to enable more effective and timely management of ICT/cyber-related incidents. For instance, if the energy or health infrastructure of a given country is hit by a cyberattack and it is suspected that the attack emanated from a certain country, the PoC from the affected state can notify the PoC in the other state and request that it take the necessary measures to bring an end to such activity. PoCs can also request assistance from other states in such circumstances, including to re-establish the affected services. These cooperative measures reflect the spirit of one of the norms agreed at the UN, often referred to as the due diligence norm.

Regional organisations have agreed on similar CBMs. The Organization for Security and Co-operation in Europe (OSCE), for one, has agreed on 16 measures ranging from basic transparency measures (exchanges on policy, doctrine, etc) to the establishment of PoCs and secure and trusted platforms for crisis communications. While under significant strain in recent years, the OSCE informal working group on CBMs continues to use them to build capacity, raise awareness and facilitate exchanges between participating states. Other regional organisations have established similar processes, tailored to their respective contexts. Some states have applied CBMs such as communications ‘hotlines’ at bilateral level, while non-state actors use track two formats to address complex issues such as internet shutdowns, bulk collection and mass surveillance.

Experts are considering how cyber-related CBMs can be applied in non-inter-state contexts. This includes civil conflicts in which the parties rely significantly on cyber and other ICT capabilities to advance their aims, and where their continued use presents harms to the population and risks to a ceasefire arrangement or broader peace negotiations. Within a mediation process, the latter could include working with the parties to agree on a protocol or code of conduct outlining unacceptable social media behaviours (e.g. influence operations); to agree that critical information infrastructure (e.g., telecommunications towers, terrestrial and subsea cables, data centres) should not be targeted through physical or cyber means; and to agree on establishing single PoCs and related protocols to deal with any such incidents, should they emerge.