OEWG’s seventh substantive session: the highlights
The UN Open-Ended Working Group (OEWG) on security of and in the use of information and communications technologies 2021–2025 held its seventh substantive session in March 2024. The group discussed threats, norms, international law, confidence building measures, capacity building, and regular institutional dialogue.
The OEWG held its 7th substantive session on 4-8 March. With 18 months until the end of the group’s mandate, a sense of urgency can be felt in the discussions, particularly on the mechanism that will follow the OEWG.
Some of the main takeaways from this session are:
- AI is increasingly prevalent in the discussion on threats, with ransomware and election interference rounding out the top three threats.
- There is still no agreement on whether new norms are needed.
- Agreement is also elusive on whether and how international law and international humanitarian law apply to cyberspace.
- The operationalisation of the POC directory, the most important confidence building measure (CBM) to result from the OEWG, is in full swing ahead of its launch on 9 May.
- Capacity building efforts, and the funding for them, need to be bolstered.
- The mechanism for regular institutional dialogue on ICT security must be single-track and consensus-based. Whether it will take the shape of the Programme of Action (PoA) or another OEWG is still up in the air.
Threats: AI, elections and ransomware at the forefront
The widespread availability of AI tools for different purposes led delegations to focus on AI-enabled threats. AI tools may exacerbate malicious cyber activity, for example by speeding up the search for ICT vulnerabilities, developing malware, and boosting social engineering and phishing tactics.
France, the Netherlands, and Australia spoke about the security of AI itself, pointing to the vulnerability of algorithms and platforms and the risk of poisoning models.
2024 is a year of elections at different levels in many states. Large language models (LLMs) and generative AI accelerate the creation of fakes and the proliferation of disinformation and manipulation of public opinion, especially during significant political and social processes. Belgium, Italy, Germany, Canada, and Denmark expressed concern that cyber operations are used to interfere in democratic processes. Malicious use of cyber capabilities can influence political outcomes and threaten the process by targeting voters, politicians, political parties, and election infrastructure, thus undermining trust in democratic institutions.
Another prevalent threat highlighted by the delegations was ransomware. Cybercriminals target critical infrastructure and life-sustaining systems, but states noted that the sector suffering most is healthcare. Belgium stressed that such attacks eventually lead to human casualties because of the disruption in providing medical assistance. The USA and Greece highlighted the increase in ransomware attacks because some states allow criminal actors to operate from their territories with impunity. AI now also offers significant leverage to malicious threat actors, giving unsophisticated ransomware-as-a-service operators new possibilities and allowing rogue states to exploit the technology for offensive cyber activities.
Ransomware attacks go hand in hand with IP theft, data breaches, violations of privacy, and cryptocurrency theft. The Republic of Korea, Japan, the Czech Republic, Mexico, Australia and Kenya connected such heists with the proliferation of weapons of mass destruction (WMDs).
Delegations expressed concerns about the growing commercial market for cyber intrusion capabilities, 0-day vulnerabilities and hacking-as-a-service. The UK, Belgium, Australia, and Cuba considered this market capable of increasing instability in cyberspace. The Pall Mall Process, launched by France and the UK to address the proliferation of commercially available cyber intrusion tools, was supported by Switzerland and Germany.
Mauritius, India, and Kazakhstan noted that the growing IoT landscape expands the attack surface. Brazil added that quantum computing may break existing encryption methods, giving a strategic advantage to those who control the technology; it could also be used to develop armaments, other military equipment, and offensive operations.
Russia once again drew attention to the use of information space as an arena of geopolitical confrontation and militarisation of ICTs. Russia, China, and Iran have also highlighted certain states’ monopolisation of the ICT market and internet governance as threats to cyber stability. Syria and Iran pointed to practices of technological embargo and politicised ICT supply chain issues that weaken the cyber resilience of States and impose barriers to trade and tech development.
Norms: new norms vs. norms’ implementation
Reflections from several delegations highlighted the persisting binary question: are new norms needed or not?
Iran, China and Russia highlighted once again that new norms are needed. Russia also suggested four new norms: to strengthen the sovereignty, territorial integrity and independence of states; to establish the inadmissibility of unsubstantiated accusations against states; and to promote the settlement of interstate conflicts through negotiations, mediation, reconciliation or other peaceful means. Brazil noted that additional norms will become necessary as technology evolves and stressed that any efforts to develop new norms must occur within the UN OEWG. South Africa said it could support a new norm to protect against AI-powered cyber operations and attacks on AI systems. Vietnam strongly supported the development of technical standards for electronic evidence to facilitate the verification of the origins of cybersecurity incidents.
However, some delegations insist that implementing the existing norms comes before elaborating new ones. Bangladesh urged states to collaborate more to translate norms into concrete actions and to focus on providing guidance on their interpretation and implementation. The UK, in particular, suggested four steps to improve the implementation of the norms by addressing the growing commercial market for intrusive ICT capabilities. The delegate called on states to prevent commercially available cyber intrusion capabilities from being used irresponsibly, to ensure that governments take the appropriate regulatory steps within their domestic jurisdictions, to conduct procurement responsibly, and to use cyber capabilities responsibly and lawfully.
Several delegations mentioned accountability and due diligence issues in implementing the agreed norms. New Zealand, in particular, shared that the OEWG could usefully examine what to do when agreed norms are wilfully ignored. France mentioned that it continues its work on the due diligence norm C with other countries. Italy called for dedicated efforts to set up accountability mechanisms to ‘increase mutual responsibility among states’ and proposed national measures to detect, defend against, respond to and recover from ICT incidents, which may include establishing at the national level a centre or responsible agency that leads on ICT matters.
The Chair issued a draft of the norms implementation checklist before the start of the session. According to Egypt, this checklist must be simplified because it includes duplicate measures and detailed actions beyond states’ capabilities. The checklist, Egypt continued, should acknowledge technological gaps among states and their diverse national legal systems, thus respecting regional specifics. Many delegations strongly supported the checklist and made recommendations. For example, the Netherlands suggested that the checklist include the consensus notion that state practices, such as arbitrary or unlawful mass surveillance, may negatively impact human rights, particularly the right to privacy.
Some delegations addressed the Chair’s questions on implementing the norms related to critical infrastructure protection (CIP) and supply chain security. The EU recalled that it is necessary to look into existing cybersecurity best practices in this regard and gave the Geneva Manual as an example of a multistakeholder initiative to clarify the roles and responsibilities of non-state actors in implementing the norms. Italy encouraged the adoption of specific frameworks for assessing the supply chain security of ICT products based on guidelines, best practices, and international standards; in practice, this could include establishing national evaluation and security certification centres for cyber certification schemes. The Republic of Korea suggested building institutional and normative foundations to provide security guidelines starting from the development stage of software products, which can be used in the public sector to protect public services or critical infrastructure from being targeted by cyberattacks. Japan suggested adopting the Software Bill of Materials (SBOM) and discussing how ICT manufacturers can achieve security by design.
International law: applicability to use of ICTs in cyberspace
The member states held their previous positions on the applicability of international law. Most states confirmed the applicability of international law to cyberspace, including the UN Charter, international human rights law and international humanitarian law. However, Russia and Iran stated that existing international law does not apply to cyberspace, while Syria noted that how international law applies in cyberspace is unclear. At the same time, China and Russia pointed out that the principles of international law apply. These states, as well as Pakistan, Burkina Faso, and Belarus, support the development of a new legally binding treaty.
Of note was the contribution by Colombia on behalf of Australia, El Salvador, Estonia, and Uruguay that reflected on the continued engagement of a cross-regional group of 13 states based on a working paper from July 2023. The contribution highlighted the emerging convergence of views that:
- states must respect and protect human rights and fundamental freedoms, both online and offline, in accordance with their respective obligations;
- states must meet their international obligations regarding internationally wrongful acts attributable to them under international law, which includes reparation for the injury caused; and
- international humanitarian law applies to cyber activities in situations of armed conflict, including, where applicable, the established international legal principles of humanity, necessity, proportionality and distinction.
Many states echoed the Colombian statement, including Germany, Australia, Czechia, Switzerland, Italy, Canada, the USA, the UK, Spain and others.
The discussions also progressed on the applicability of international humanitarian law (IHL) to the use of ICTs in situations of armed conflict.
Senegal presented a working paper on the application of international humanitarian law on behalf of Brazil, Canada, Chile, Colombia, the Czech Republic, Estonia, Germany, the Netherlands, Mexico, the Republic of Korea, Sweden, and Switzerland. This working paper shows convergence on the applicability of IHL in situations of armed conflict. It delves deeper into the principles and rules of IHL governing the use of ICTs, notably military necessity, humanity, distinction, and proportionality. Other states welcomed the working paper, including Italy, Australia, South Africa, Austria, the United Kingdom, the USA, France, Spain, Uruguay and others.
On the other hand, Sri Lanka, Pakistan, and China called for additional efforts to develop an understanding of the applicability of IHL and of its gaps.
In its statement on IHL, the ICRC pointed out the differences between the definitions of armed attack under the UN Charter and under IHL, the need to discuss how IHL limits cyber operations, and the need to interpret the existing rules of IHL so as not to undermine the protective function of IHL in the ICT environment.
The discussion on international law greatly benefited from the recent submission to the OEWG by the Peace and Security Council of the African Union on the Application of international law in the use of ICTs in cyberspace (Common African Position). Reflecting the views of 55 states, it represents a significant contribution to the work of the OEWG and an example of valuable input by regional forums. This comprehensive position paper addresses issues of applicability of international law in cyberspace, including human rights and IHL, principles of sovereignty, due diligence, prohibition of intervention in the affairs of states in cyberspace, peaceful settlement of disputes, prohibition of the threat or use of force in cyberspace, rules of attribution, and capacity building and international cooperation. The majority of the delegations welcomed the Common African Position.
The Chair also pointed out that, to date, 23 states have shared their national positions on the applicability of international law in cyberspace, and many others are preparing theirs.
Most states supported scenario-based exercises to enhance the understanding between states on the applicability of international law. They would like to have the opportunity to conduct such exercises and have a more in-depth discussion on international law in the May intersessional meeting. China firmly opposes this.
Several states, such as Japan, Canada, Czechia, the EU, Ireland and others, would like to see future discussions on international law embedded in the Programme of Action (PoA). Read more about the talks on the PoA below.
CBMs: operationalising the POC directory
The official launch of the Points of Contact (POC) directory is scheduled for 9 May, so the discussion revolved around the operationalisation of the POC directory. At the time of the session, 25 countries had appointed their POCs. Most delegations reiterated their support for the directory and either confirmed their appointments or said that the process was ongoing. Some states nevertheless suggested adjustments to the POC directory. Ghana, Canada, and Colombia commented that communication protocols may be helpful, while Czechia and Switzerland recommended that the POCs should not be overburdened with such procedures yet. Argentina also brought up the potential participation of non-state actors in the POC directory.
To further facilitate communication, several states (Kazakhstan, Mauritius, Iran, Pakistan) advanced the usefulness of building a common terminology, while Brazil mentioned that Mercosur was already working on this kind of taxonomy.
While Czechia, Switzerland and Japan underlined the necessity to focus first on the implementation and consolidation of existing CBMs, many states were nevertheless in favour of additional CBMs: protection of critical infrastructure (Switzerland, Colombia, Malaysia, Pakistan, Fiji, Netherlands, Singapore and Czechia) as well as coordinated vulnerability disclosure (Singapore, Netherlands, Switzerland, Mauritius, Colombia, Malaysia and Czechia). The integration of multistakeholder input into the development of CBMs was also considered by some states and organisations (the EU, Chile, Albania, Argentina), while adding public-private partnerships as a CBM received broad support from Kazakhstan, Qatar, Switzerland, South Africa, Mauritius, Colombia, Malaysia, Pakistan, South Korea, Netherlands, and Singapore.
All states recalled and praised the significance of regional and subregional cooperation in implementing CBMs regionally and how it can contribute to the development of CBMs globally. In that respect, most states highlighted enriching initiatives at the cross-regional level, such as a recent side event at the German House. Work within the OAS, the OSCE, ASEAN, the Pacific region, and the African Union was underlined. Interventions were enriched by the sharing of national experiences, most notably Kazakhstan’s and France’s recent use of the OSCE community portal for POCs. Finally, states highlighted the link between CBMs and capacity building, with Ghana, Djibouti, and Fiji sharing their national experiences in closing the digital divide. In that vein, Argentina, Iran, Pakistan, Djibouti, Botswana, Fiji, Chile, Thailand, Ethiopia, Mauritius, and Colombia support creating a specific CBM on capacity building.
Capacity building: bolstering efforts and funding
Several noteworthy proposals were put forth by different countries, each aiming to bolster capacity building efforts. The Philippines introduced a comprehensive ‘Needs-Based Capacity Building Catalogue,’ designed to help member states identify their specific capacity needs, connect with relevant providers, and access application guidance for capacity building programmes.
Kuwait proposed an expansion of the Global Cybersecurity Cooperation Portal (GCSE), suggesting the addition of a module dedicated to housing both established and proposed norms, thus facilitating collaboration among member states and tracking the implementation progress of these norms. India’s CERT expressed willingness to develop an awareness booklet on ICT and best practices with the contribution of other delegations, intending to post it on the proposed GCSE for widespread dissemination.
The crucial issue of funding for capacity building received substantial attention during the discussions, with multiple delegations bringing to the fore the need for additional resources to sustainably support such efforts. Uganda advocated establishing a UN voluntary fund targeting the countries and regions most in need, while others stressed the imperative of exploring structured avenues within the UN framework for resource mobilisation and allocation.
On the foundational capacities of cybersecurity, an emphasis was placed on developing ICT policies and national strategies, enhancing societal awareness, and establishing national cybersecurity agencies or CERTs.
Furthermore, the importance of self-assessment tools for improving states’ participation in capacity building programmes was emphasised. Pakistan proposed implementing checklists and frameworks for evaluating cybersecurity readiness and identifying gaps. Rwanda advocated for reviews based on the cybersecurity capacity maturity model (CMM) to achieve varying levels of capacity maturity. The discussions also commended existing initiatives, such as the Secretariat’s mapping exercise and emphasised the need for a multistakeholder approach in capacity building efforts. Finally, Germany highlighted the significant contributions of organisations in creating gender-sensitive toolkits for cybersecurity programming, underscoring the importance of incorporating gender perspectives in implementing the UN framework on cybersecurity.
Regular institutional dialogue: the fight for a single-track process
States are still divided on the issue of regular institutional dialogue. What they agree on is that there must be a singular process, its establishment must be agreed upon by consensus, and decisions it makes must be by consensus.
France, one of the original co-sponsors of the PoA, delivered a presentation on the PoA’s future elements and organisation. Review conferences would be convened in the framework of the PoA every few years. The scope of these review conferences would include (i) assessing the evolving cyber threat landscape and the results of the initiatives and meetings of the mechanism, (ii) updating the framework as necessary, and (iii) providing strategic direction and a mandate or programme of work for the PoA’s activities. The periodicity would need to be defined so as not to burden delegations, especially those from small and developing countries. However, the PoA would need to keep up with the rapid evolution of technology and of the threat landscape.
The PoA would also include open-ended plenary discussions to (i) assess progress in the implementation of the framework, (ii) take forward any recommendations from these modalities, (iii) discuss ongoing and emerging threats, and (iv) provide guidance for open-ended technical meetings and practical initiatives. Intersessional meetings could also be convened if necessary.
Furthermore, four modalities would feed discussions on the implementation of the framework: capacity building, voluntary reporting by states, practical initiatives, and contributions from the multistakeholder community. The PoA could leverage existing and potential capacity building efforts in order to increase their visibility, improve their coordination, and support the mobilisation of resources. The review conferences and the discussions would then provide an opportunity to exchange on ongoing capacity building efforts and identify areas where additional action is needed. Voluntary reporting by states could be based either on a new reporting system or on the promotion of existing mechanisms. The PoA would contain, enable, and deepen practical initiatives, building on existing ones and developing new ones when necessary. The PoA would also enable engagement and collaboration with the multistakeholder community.
France also noted that a cross-regional paper to build on this proposal will be submitted at the next session.
Multiple delegations expressed support for the PoA, including the EU, the USA, the UK, Canada, Latvia, Switzerland, Cote d’Ivoire, Croatia, Belgium, Slovakia, Czechia, Israel, and Japan.
The Russian Federation, the country that originally suggested the OEWG, is the biggest proponent of its continuation. Russia cautioned against making decisions by majority in the General Assembly, noting that such an approach would not be met with understanding by member states, first and foremost developing countries, which long fought for the opportunity to partake directly in the negotiation process on the principles governing information security. Russia stated that after 2025, a permanent OEWG with a decision-making function should be established. Its core activity would be crafting legally binding rules, which would serve as elements of a future universal agreement on information security. The OEWG would also adapt international law to the ICT sphere, strengthen CBMs, launch mechanisms for cooperation, and establish funding programmes for capacity building. Belarus, Venezuela, and Iran are also in favour of another OEWG.
A number of countries did not express support for either the PoA or the OEWG but noted some of the elements the future mechanism should have.
Similarly to Russia, China noted that the future mechanism should implement the existing framework but also formulate new norms and facilitate the drafting of legal instruments. The Arab Group noted that the future mechanism should develop the existing normative framework to achieve new legally binding norms. Indonesia also noted the mechanism should create rules and norms for a secure and safe cyberspace.
Latvia and Switzerland noted that the mechanism must focus on the implementation of the existing framework. However, Switzerland and the Arab Group noted that the mechanism could identify gaps in the framework and could develop the framework further.
Many delegations, such as South Africa, Bangladesh, the Arab Group, Switzerland, Indonesia, and Kenya, noted that capacity building must be an integral part of the regular mechanism.
States also expressed opinions on which topics should be discussed under the permanent mechanism. Malaysia, South Africa, Korea, and Indonesia stated that the topics under the mechanism should be broadly similar to those of the OEWG. The UK, Latvia and Kenya stated it should discuss threats, while Bangladesh outlined the following emerging threats: countering disinformation campaigns, including deepfakes; quantum computing; AI-powered hacking; and addressing the use of ICTs for malicious purposes by non-state actors.
South Africa highlighted that discussion on voluntary commitments, such as norms or CBMs, should be developed without prejudice to the possibility of a future legally binding agreement. The UK noted that the mechanism should also discuss international law.
States also discussed the operational details of the future mechanism. For instance, Egypt suggested that the future mechanism hold biannual meetings every two years, convene review conferences every six years, and hold intersessional meetings or informal working groups as decided by consensus. The future mechanism should ensure the operationalisation and review of established cyber tools, including the POC directory and all other proposals to be adopted by the current OEWG. Sri Lanka noted that the sequence of submitting progress reports, be it annual or biennial, should correspond with the term of the Chair and its Bureau.
Brazil suggested a moratorium on First Committee resolutions until the end of the OEWG’s mandate to allow member states to focus on their efforts in the OEWG. This suggestion was supported by El Salvador, South Africa, Bangladesh, and India.
Dedicated stakeholders session
The dedicated stakeholder session allowed ten stakeholders to share their expertise within the substantive session.
The stakeholders addressed the topics of CII protection and AI (Centre of Excellence for National Security, RSIS), norms I and J, supply chain vulnerabilities and addressing the threat lifecycle (Hitachi), and the role of youth and the importance of the youth perspective as a possible area of thematic interest for the OEWG (Youth for Privacy). The topics of AI and supply chain management were echoed in SafePC Solutions’ statement. At the same time, the Centre for International Law (CIL) at the National University of Singapore focused on the intersection of international law and the use of AI.
Chatham House shared its research on, among other topics, the proliferation of commercial cyber intrusion tools and the Pall Mall Process launched by the UK and France. Access Now focused on intersectional harms caused by malicious cyber threats, issues of surveillance, and norms E and J. Building on the Chatham House and Access Now remarks, the Paris Peace Forum focused its intervention on the commercial proliferation of cyber-intrusive and disruptive cyber capabilities, and on possible helpful steps states could undertake in the short term.
DiploFoundation focused on the responsibility of non-state stakeholders in cyberspace and shared the Geneva Manual on responsible behaviour in cyberspace. The Nuclear Age Peace Foundation, in its statement, connected cybersecurity concerns with safeguarding weapons systems and the importance of secure software, while the National Association for International Information Security focused on the need to interpret the norms of state behaviour.
What’s next?
The OEWG’s schedule for 2024 is jam-packed: in mid-April, the Chair will revise the discussion papers circulated before the 7th session. On 9 May, the POC directory will be launched, followed by a global roundtable meeting on ICT security capacity building on 10 May 2024. A dedicated intersessional meeting will be held on 13-17 May 2024.
Looking ahead to the second half of 2024, the 8th and 9th substantive sessions are planned for 8-12 July and 2-6 December 2024. A simulation exercise for the POC directory is also on the schedule, along with the release of capacity building materials by the Secretariat, including e-learning modules.