Blog 8, of the series ‘Possible impacts of the current pandemic on international negotiation processes’.
By Clara Cotroneo, Frank Lavadoux, Olivia Brown, and Mathias Delmeire
With the security, travel and social distancing restrictions introduced to manage the Covid-19 pandemic, negotiations have moved, wherever possible, online. We know that the physical realm counts in negotiations, with gestures, facial expressions and body language being part of the negotiator’s arsenal of tools. Research also shows that in online negotiations, it is more difficult to keep high levels of trust between participants, compared to face-to-face negotiations. Therefore, the online environment challenges negotiators to change their techniques and styles to achieve their goals. As if this were not enough, the online environment has its own set of threats and dangers. Negotiators have often used digital modes of communication, including text messages and emails. In this blog post, we focus on one particular instrument for online communications:
During the pandemic many companies, international organisations and governmental institutions have resorted to videoconferencing tools to continue – where possible – their work in times of travel restrictions. Breaches in virtual conferences have led to the intrusion of unwanted guests, eavesdropping or unlawful appropriation of sensitive data. During the crisis, online negotiations have become the new normal, while some incidents have made the headlines. To give only one example, in November 2020 an online confidential meeting between EU defence ministers had a brief visit from a Dutch journalist who politely stepped into the meeting, waved and smiled, before leaving. To Josep Borrell, who asked the intruder if he was aware that he had just joined a secret conference, the journalist responded with a smile.
How was it possible for a journalist to breach a highly secure conference between EU defence ministers? Who has the responsibility for preventing such breaches? The objective of this post is to provide a few tips for preventing such breaches and for creating a responsible working environment. This post is intended to create awareness for practitioners, including negotiators and secretariat staff, and does not include tips for IT-specialised personnel who should already run and manage security checks and policies, such as end-to-end encryption, among others.
Guidelines for safe videoconferencing 101
Before the meeting
Meeting login details must be secure: In the case mentioned in our introduction, the Dutch journalist had managed to guess the meeting password. No complicated hacking had been involved. When planning a meeting, make sure you use a unique and complex password. You can also help yourself with protected and certified password-generating software (with prior approval from your IT and cybersecurity response team).
Invite participants carefully: Share the login details only through secure channels, including your institutional calendar and email. Verify the email of the addressees before sending. You can also password-protect your email, for extra safety.
- Never use a personal device.
- Never use a public connection.
- If you are connecting to an online videoconference via your browser, make sure that the website you are joining is secure. You can do this by clicking on the left of the web address, which should always start with ‘https’, and verifying whether the connection is ‘secure’ or ‘dangerous’.
- If you are connecting via a videoconferencing app, make sure your app is updated. Always download applications from the manufacturer directly and run the newest version only.
During the meeting
Manage participants closely: Ask participants to wait in the virtual lobby and check their unique ID before letting them into the meeting. Regularly monitor the list of participants and block or remove anyone who is not supposed to be in the meeting, or anyone whose identity is not known.
Avoid document and data sharing: Never share any confidential or sensitive document/data through the chat function of the videoconferencing platform you are using.
Lock the virtual room: Once the meeting has started and all participants are there, lock the room. You can also inform participants before the session that no late arrivals will be accepted, for security reasons.
Lay out ground rules with regard to recordings of sessions: You can’t ever be 100% certain one of the meeting’s participants is not recording the meeting on another device and/or that a person is in fact alone in the room. However, explicitly stating that recordings or photos are not allowed during the discussion – even for networking or political communication purposes – remains an important step to take, to establish a true trusting atmosphere in which decisions can be taken.
Jumping back to our initial case, if someone had to identify a culprit – as part of an amelioration exercise – the finger would not point at individual speakers, negotiators, ministers or civil servants. Their job is to be present at the meeting, follow the agenda, participate meaningfully in the discussion, and that is it. But then, who has the responsibility for organising a secure meeting and for keeping the meeting secure? Is it maybe someone from the organisation’s secretariat, at the meeting set-up phase? We would think that the answer to this question is partially ‘yes’. Partially, in the sense that cybersecurity governance is not the responsibility of one person or one department only. It is instead an organisation-wide effort and a shared responsibility. As in every governance system, of course, there are different roles and different responsibilities; not everyone has the same. Nevertheless, every staff member of an organisation should receive and apply clear and understandable guidelines and access regular and relevant training. Every organisation should have a clear cyber governance structure, where roles and responsibilities are predefined and communicated to all employees. Without this structured and collective effort, an organisation increases its vulnerabilities to cyber breaches.
Besides the easy tips given above, which can be useful for individual employees, it is ultimately organisations that need to step up their efforts by ensuring secure connections, running training and simulations, and putting in place a clear and ad hoc cybersecurity governance structure. Speaking of which, EIPA does offer an introduction to cyber-protection classes and certificates, should your organisation be interested. We also provide tailor-made classes on a variety of topics to help you successfully understand the current EU challenges.
Next month, we’ll discuss how assertiveness and the way to reach a compromise work together in an online negotiation. See you next month!
The views expressed in this blog are those of the authors and not necessarily those of EIPA.