// HIGHLIGHT //
OEWG wraps up its sixth substantive session
The sixth substantive session of the UN Open-Ended Working Group (OEWG) on security of and the use of information and communications technologies 2021–2025 was held last week. The OEWG is tasked with the study of existing and potential threats to information security, as well as possible confidence-building measures and capacity building. It should also further develop rules, norms, and principles of responsible behaviour of states, discuss ways of implementing them, and explore the possibility of establishing regular open-ended institutional dialogue under the auspices of the UN.
Here is a quick snapshot of the discussions. A more detailed follow-up will be published this week: Keep an eye out for it on our dedicated OEWG page.
Threats. The risks and challenges associated with emerging technologies, such as AI, quantum computing, and the internet of things (IoT), were highlighted by several countries. Numerous nations expressed concerns about the increasing frequency and impact of ransomware attacks on various entities, including critical infrastructure, local governments, health institutions, and democratic institutions. Many countries emphasised the importance of international cooperation and information sharing to effectively address cybersecurity challenges. The idea of a global repository of cyber threats, as advanced by Kenya, enjoys much support in this regard.
Rules, norms and principles. Many countries mentioned that they have already begun implementing norms at the national level and regional levels through their own national and regional strategies. At the same time, many of them have also signalled that clarifying the norms and providing implementation guidance is necessary. This includes norms implementation checklists, a concept that received widespread acknowledgement and support. There was also interest in delving deeper into discussions surrounding norms related to critical infrastructure (CI) and critical information infrastructure (CII). Yet again, delegations expressed different views on whether new norms are needed: While some states favoured this proposal, other states strongly opposed the creation of new norms and instead called delegates to focus on implementing existing ones.
International law. There is general agreement that the discussion on the application of international law must be deepened. There’s also a difference of view on whether the ICT domain is so unique as to warrant different treatment. The elephant in the room is the question of whether a new treaty and new binding norms are needed. Law about state responsibility, the principle of due diligence, international humanitarian law, and international human rights law are also areas without consensus.
Confidence-building measures (CBMs). There’s widespread support for the global Points of Contact (PoC) directory as a valuable CBM. The OEWG members will focus on the implementation and operationalisation of the directory. Many countries prefer an incremental approach to its operationalisation, considering the diversity of regional practices.
The next steps include: A notification from the Secretariat from UNODA, as the manager of the Global POC directory, will go out very early in the year to all member states, asking them to nominate a point of contact to be included in the PoC directory. An informal online information session on the PoC directory will likely be held sometime in February. The chair noted a need for a space to continue sharing national approaches and national strategies for implementing CBMs. The OEWG will also discuss potential new global CBMs that can be added to the list.
Capacity building. Consensus exists that capacity building is a cross-cutting and urgent issue, enabling countries to identify and address threats while implementing international law and norms for responsible behaviour in cyberspace. Foundational capacities were consistently highlighted as crucial elements in ensuring cybersecurity. This includes legal frameworks, the establishment of dedicated agencies, and mechanisms for incident response, with a special focus on computer emergency response teams (CERTs) and CERT cooperation. However, delegations also stressed the importance of national contexts and how there is no one-size-fits-all answer on building foundational capacities. Eefforts should be tailored to the specific needs, legal landscape and infrastructure of individual countries.
Delegations expressed support for the voluntary cybersecurity capacity-building checklist proposed by Singapore. The checklist aims to guide countries in enhancing their cyber capabilities, fostering international collaboration, and ensuring a comprehensive approach to cybersecurity. Multiple delegations expressed support for the Accra Call for Cyber Resilience Development set forth during the Global Conference on Cyber Capacity Building (GC3B), which seeks to strengthen cyber resilience as a vital enabler for sustainable development.
A mapping exercise in March 2024 will comprehensively survey global cybersecurity capacity building initiatives, aiming to identify gaps and avoid the duplication of efforts. It is anticipated that the results of the exercise will inform the global roundtable on capacity building scheduled for May 2024. The roundtable will serve as an opportunity to involve a range of non-state cybersecurity stakeholders to showcase ongoing initiatives, create partnerships, and facilitate a dynamic exchange of needs and solutions.
Regular institutional dialogue. The discussions on what the future regular institutional dialogue will look like can be summarised as Programme of Action (PoA) vs OEWG. There have been some novel approaches expressed, though.
Since the initial proposal of the PoA, there have been several changes. Supporters of the PoA suggest using the review mechanism to identify gaps in existing international law and recognise that such gaps can be filled with new norms. States underlined the action-oriented nature of the PoA, highlighting its capacity building focus. Regarding inclusivity, the PoA should allow multistakeholder participation, especially of the private sector. However, the PoA would be led by states, while stakeholders would be responsible for implementation. Another novelty includes other initiatives like a PoC directory and threat repository and an UNIDIR implementation survey within the future PoA architecture.
On the other hand, a group of countries submitted a working paper on a permanent OEWG, which they believe should be established right after the end of the current OEWG’s mandate. The permanent OEWG’s focus would be on the development of legally binding rules as elements of a future universal treaty on information security. The working paper suggests several principles, proposing that all decisions of the permanent OEWG should be made by consensus (a crucial difference from a PoA) and stricter rules for stakeholder participation.
The midway point. The OEWG’s mandate spans 2021-2025, with 11 substantive sessions planned during this period. However, the discussions on international security at the UN span 25 years, and some of the disagreements we are seeing today are just as old. Can the OEWG 2021-2025 agree on everything (or anything)? And should it, in order to be deemed successful? We leave you with a quote from the chair himself, Amb. Burhan Gafoor: ‘Because we are midway in this process we also have to think about what is success for the OEWG and for our work. If we define our success in a New York-centric way, then I think we will not have succeeded at all. Our success as a working group will depend on whether we are able to make a difference to the situation on the ground, in capitals in different countries, small countries, developing countries, countries that need help, to deal with the challenge of ICT security.’
// DIGITAL POLICY ROUNDUP (11–18 DECEMBER) //
// READING CORNER //
MIT’s group of leaders and scholars, representing various disciplines, has presented a set of policy briefs with the goal of assisting policymakers in effectively managing AI in society.
The OECD Digital Education Outlook for 2023 report assesses the current status of countries and potential future directions in leveraging digital transformation in education. It highlights opportunities, guidelines, and precautions for the effective and fair integration of AI in education. It includes data from a broad range of OECD countries and select partner nations.
