OEWG’s sixth substantive session: the highlights
The group continued to discuss the six issues under its mandate: existing and potential threats, rules, norms and principles, international law, confidence-building measures, capacity building, and future institutional dialogue.
The sixth substantive session of the UN Open-Ended Working Group (OEWG) on security of and the use of information and communications technologies 2021–2025 was held in December 2023, marking the midway point of the process.
Threats
The risks and challenges associated with emerging technologies, such as AI, quantum computing, and IoT, were highlighted by several countries. Numerous nations expressed concerns about ransomware attacks’ increasing frequency and impact on various entities, including critical infrastructure, local governments, health institutions, and democratic institutions.
The need for capacity building efforts to enhance cybersecurity capabilities globally was emphasised by multiple countries, recognising the importance of preparing for and responding to cyber threats.
The Russian Federation raised concerns about the potential for interstate conflicts arising from using information and communication technologies (ICTs). It proposed discussions on a global information security system under UN auspices. El Salvador discussed evolving threats in the ICT sector, particularly during peacetime, indicating that cybersecurity challenges are not limited to times of conflict.
Delegates discussed the impact of malicious cyber activities on international trust and development, particularly in the context of state-sponsored cyber threats and cybercrime.
Several countries, including the United Kingdom, Kenya, Finland, and Ireland, focused on the intersection of AI and cybersecurity, advocating for approaches considering AI systems’ security implications.
Some countries, including Iran and Syria, expressed concerns about threats to sovereignty in cyberspace, including issues related to internet governance and potential interference in internal affairs.
Many countries emphasised the importance of international cooperation and information sharing to address cybersecurity challenges effectively. Proposals for repositories of information on threats and incidents were discussed. The idea of a global repository of cyber threats, as advanced by Kenya, enjoys much support.
Rules, norms and principles
Many delegations shared how they have already begun implementing national and regional norms through policies, laws and strategies. At the same time, some delegations shared the existing gaps and ongoing processes to introduce new laws, in particular, to protect critical infrastructure (CI) and implement CI-related norms.
Clarifying the norms and providing implementation guidance
Delegations also signalled that clarifying the norms and providing implementation guidance is necessary. Singapore, for instance, supported the proposal to develop broader norm implementation guidance, such as a checklist. The Netherlands argued that such guidance should not only consider the direct impact of malicious cyber activities but also consider the cascading effects that such activities may have, including their impact on citizens. Canada stressed that a checklist would be a complementary tool, formulating voluntary and non-binding guidelines, while some delegations (e.g. China and Syria) called for translating norms as political commitments into legally binding elements.
Australia suggested first focusing on developing norms implementation guidance for the three CI norms (F, G, and H). China, in particular, among many other delegations, expressed the same need to develop guidelines for the protection of CI. Portugal proposed the focus on clarifying and implementing the due diligence, including by the private sector in protecting CI, and France supported it.
In response to the Chair’s query about the norms related to ICT supply chain security and vulnerability reporting, Switzerland presented the Geneva Manual on Responsible Behaviour in Cyberspace. This inaugural edition offers comprehensive guidance for non-state stakeholders, emphasising norms related to supply chain security and responsible vulnerability reporting. At the same time, the UK and France raised the issue of the use of commercially available intrusion capabilities. The UK expressed its concerns about the growing market of software intrusion capabilities. It stressed that all actors, including the private sector, are responsible for ensuring that the development, facilitation and use of commercially available ICT capabilities do not undermine stability in cyberspace. In addition, France highlighted the need to guarantee the integrity of the supply chain by ensuring users’ trust in the safety of digital products and, in this context, cited the European Cyber Resilience Act proposal, which aims to impose cybersecurity requirements for digital products. China also addressed these norms and argued that some states abuse them by developing their standards for supply chain security and undermining fair competition for businesses. China also said all states should explicitly commit themselves to not proliferating offensive cyber technologies and urged that the so-called term ‘peacetime’ had never been used in the context of 11 norms in earlier consensus documents.
New norms vs existing norms
Delegations had divergent views on whether new norms should be developed or not. Some countries supported the idea of creating new norms till 2025 (the end of the OEWG mandate), and, in particular, China called for new norms on data security issues. Other delegations (e.g. Canada, Colombia, France, Israel, the Netherlands, Switzerland, etc.) opposed the development of new norms and instead called for implementing ones.
South Africa emphasised the need to intensify implementation efforts to identify any gaps in the existing normative frameworks and if there is a need for additional norms to close that gap. Brazil stressed that the implementation of existing standards is not contradictory to discussing the possibility of adopting specifically legally binding norms and thus rejected the idea that ‘there is any dichotomy opposing both perspectives’. Brazil expressed its openness to considering the adoption of both additional voluntary norms and legally binding ones to promote peaceful cyberspace.
International law
The discussion on international law in the use of ICTs by states was guided by four questions: whether states see convergences in perspectives on how international law applies in the use of ICTs, whether there are possible unique features of cyber domain as compared to other domains that would require distinction in application of international law, whether there are gaps in applicability, and on capacity-building needs. While some delegations had statements prepared by legal departments or had legal counsel input, others, especially developing countries, needed support in formulating their interventions.
Convergences in perspectives on how international law applies in the use of ICTs
The overwhelming majority of delegations stated that convergence is in agreement that international law, in particular, the UN Charter, is applicable in cyberspace (Thailand, Denmark, Iceland, Norway, Sweden, Finland, Brazil, Estonia, El Salvador, Austria, Canada, the EU, Republic of Korea, Netherlands, Israel, Pakistan, UK, Bangladesh, India, France, Japan, Singapore, South Africa, Australia, Chile, Ukraine, and others). These states see the need to deepen a common understanding of how existing international law applies in cyberspace, alongside its possible implications and legal consequences. Most delegations also stated that cyberspace is not unique and would require a distinction in how international law applies. Kenya pointed out the role of regional organisations in clarifying how international law applies to cyberspace, the African Union in particular, and their contributions to this debate, which was supported by many.
India stated that, in their view, the dynamic nature of cyberspace creates ambiguity in the application of international law since a state, as a subject of international law, can exercise its rights and obligations through its organs or other natural and legal persons.
Another group of states (Cuba, Nicaragua, Vietnam, and the Syrian Arab Republic) thinks cyberspace is unique and can not be addressed by applying existing international law. They call for a legally binding instrument in the UN framework. Russia and Bangladesh see gaps in international law that require new legally binding regulations. According to China and the Syrian Arab Republic, the draft of the International Convention on International Information Security proposed by the Russian Federation would be a good starting point for such negotiations.
The delegations also discussed general international law principles enshrined in the UN Charter. There is an overarching agreement that the principles of sovereignty and sovereign equality, non-intervention, peaceful settlement of disputes, and prohibition of the use of force apply in cyberspace (Malaysia, Australia, Russian Federation, Italy, the USA, India, Canada, Switzerland, Czech Republic, Estonia, Ireland, others). The states concluded that the principles of due diligence, attribution, invoking the right of self-defence, and assessing whether an internationally wrongful act has been committed requires additional work to understand how they apply in cyberspace.
Many delegations (Australia, Canada, the EU, New Zealand, Germany, Switzerland, Estonia, El Salvador, the USA, Singapore, Ireland, and others) stated that the discussions need to clarify how international law addresses violations, what rights and obligations arise in such case, and how international law of state responsibility applies in cyberspace. Mexico, Italy and Bangladesh see value in the contributions of the UN International Law Commission to this debate.
The majority of delegations see convergence in understanding that international humanitarian law applies in cyberspace in cases of armed conflict and that the states must adhere to international legal principles of humanity, necessity, proportionality and distinction (Kiribati, UK, Germany, the USA, Netherlands, El Salvador, Ukraine, Denmark, Czech Republic, Australia, others). Deeper discussions on this matter are necessary. Cuba, in line with its previous statements, disagrees with the concept of applying international humanitarian law in cyberspace.
Addressing capacity building in international law, Uganda stated that it is extremely difficult for developing countries to be equal partners and effectively participate globally due to a lack of expertise and capacity. The majority of countries have supported continuous capacity building efforts in international law (Thailand, Mexico, Nordic countries; Estonia, Ireland, Kenya, the EU, Spain, Italy, Republic of Korea, Netherlands, Malaysia, Bangladesh, India, France, Japan, Singapore, Australia, Switzerland), with Canada mentioning two priority areas: national expertise to enable meaningful participation in substantive legal discussions in multilateral processes such as our OEWG and expertise to develop national or regional positions. Almost all delegations have found the recent UNIDIR workshop to be a valuable contribution to understanding international law’s applicability in cyberspace.
Several delegations have underscored the value of sharing national positions (Thailand, Brazil, Austria, the EU, Israel, the UK, India, Nigeria, Nordic countries, and Mexico) in capacity-building and confidence-building measures.
Going forward, most speakers (Estonia, the EU, Austria, Spain, Italy, El Salvador, the Republic of Korea, the UK, Malaysia, Japan, Chile, and others) have supported the proposal to hold a two-day inter-sessional meeting dedicated to international law.
CBMs
Operationalisation of the Global POC Directory
Many states supported the operationalisation of the agreements to establish a global POC Directory. Australia stressed that those states already positioned to nominate their diplomatic and technical POCs should do so promptly. Switzerland, however, reiterated that the POC Directory should not duplicate the work of CERT and CSIRT teams. The Netherlands stressed the need to regularly evaluate the performance of the POC Directory once it is established. Ghana supported this proposal to develop a feedback mechanism to collect input from states on the Directory’s functionality and user experience. At the end of this agenda item, the Chair also addressed the participation of stakeholders and shared that a dedicated intersessional meeting in May will be convened to discuss stakeholders’ role in the POC directory.
Role of regional organisations
Some delegations (e.g. the US, the EU, Singapore, etc.) highlighted the role of regional organisations in operationalising the POC directory and CBMs. However, several delegations expressed their concerns – e.g. Cuba stated that they are not in favour of ‘attempts to impose the recognition of specific organisations as regional interlocutors on the subject when they do not include the participation of all member states of the region and question’. The EU noted that not all states are members of regional organisations and added that the UN should develop global recommendation service practices on cyber CBMs and encourage regional dialogue and exchanges.
Additional CBMs
Delegations discussed potentially adding additional CBMs. Iran highlighted the need for universal terminology in ICT security to reduce the risk of misunderstanding between states. India reiterated the proposal for a global cybersecurity cooperation portal to address cooperation channels for incident response. India also called for differentiating between cyberterrorism and other cyber incidents in this context. India also suggested that the OEWG may focus on building mechanisms for states to cooperate in investigating cyber crimes and sharing digital forensic evidence. The Chair, at the end of this agenda item, highlighted that the OEWG must continue discussions on potentially adding new CBMs and the importance of identifying if there are any additional things to do.
Capacity building
The recent discussions on cybersecurity highlighted a consensus among participating nations regarding the urgency and cross-cutting nature of cyber threats. Delegations emphasised the importance of Cyber Capacity (CB) in enabling countries to identify and address these threats while adhering to international law and norms for responsible behaviour in cyberspace. Central to the dialogue was the pursuit of equity among nations in achieving cyber resilience, with a recurring emphasis on the ‘leave no country behind’ principle. The core notion of foundational capacities was at the centre of the debates. The development of legal frameworks, dedicated agencies, and incident response mechanisms, especially Computer Emergency Response Teams (CERTs) and CERT cooperation, were highlighted. However, delegations also stressed the importance of national contexts and the lack of one-size-fits-all answers to foundational capacities. Instead, efforts should be tailored to individual countries’ specific needs, legal landscape and infrastructure.
Other issues highlighted were the shortage of qualified cybersecurity personnel and the need to develop technical skills through sustainable and self-sufficient traineeship programs, such as train-the-trainer initiatives. Notable among these initiatives was the Western Balkans Cyber Capacity Centre (WB3C), a long-term project fostering information exchange, good practices, and training courses developed by Slovenia and France together with Montenegro
Concrete actions emerged as a response to past calls from delegations for concrete actions. Two critical planned exercises, the mapping exercise and the Global Roundtable on CB, were commended. The mapping exercise scheduled for March 2024 aims to survey global cybersecurity capacity-building initiatives comprehensively, enhancing operational awareness and coordination. The Global Roundtable, scheduled for May 2024, is considered a milestone in involving the UN, showcasing ongoing initiatives, creating partnerships, and facilitating a dynamic exchange of needs and solutions. These initiatives align with the broader themes of global cooperation, encompassing south-south, north-south, and triangular collaboration in science, technology, and innovation, emphasising needs-based approaches by matching initiatives with specific needs.
Additional points from the discussions included a presentation from India on the technical aspects of the Global Cyber Security Cooperation Portal, emphasising synergy with existing portals. Delegations also supported a voluntary checklist of mainstream cyber capacity-building principles proposed by Singapore. Furthermore, the outcomes of the Global Conference on Cyber Capacity Building, hosted by Ghana and jointly organised by the Cyber Peace Institute, the World Bank, and the World Economic Forum, garnered endorsement from many delegations. The ‘Accra call,’ as it is being termed, is a practical action framework to strengthen cyber resilience as a vital enabler for sustainable development. Switzerland announced its plan to host the follow-up conference in 2025 and urged all states to endorse the Accra Call for cyber-resilient development.
Regular institutional dialogue
The 6th substantive session of the current OEWG marks halfway to the end of the mandate, and the fate of the future dialogue on international ICT security remains open. The situation is exacerbated with a new plot twist: in addition to the Program of Action (PoA) that was proposed by France and Egypt back in 2019 and noted by GA resolutions lately (77/37 and 78/16), Russia tabled a new concept paper introducing a permanent OEWG as an alternative.
Delegations spent in total more than 3 hours discussing the RID issue. All supporters of the PoA stressed the amount of votes that resolution 78/16 got in GA: 161 states upheld the option to create a permanent inclusive and action-oriented mechanism under the UN auspices upon the conclusion of the current OEWG and no later than 2026, implying PoA. Notably, supporters of the resolution stressed that the final vision of the PoA would be defined at the OEWG in a consensus manner, considering the common elements expressed in the 2nd Annual progress report. Several states noted that no PoA discussions may be held outside the OEWG to maintain consistency.
There is no consolidated view of the details of the PoA architecture. Egypt and Switzerland provided some ideas about the number and frequency of meetings and review mechanisms. However, Slovakia, Germany, Switzerland, Japan, Ireland, Australia, Colombia, Netherlands and France suggested including into the PoA architecture already discussed initiatives like PoC, Cyber Portal, threat repository, national implementation survey and other future ideas. The PoA recognises the possibility of developing new norms (beyond the agreed framework). Through the future review mechanism, it may identify gaps in existing international law and consider new legally binding norms to fill them if necessary. As for the additional common element to the RID, some states pointed to inclusivity. PoA should allow multistakeholder participation during meetings, especially in the private sector, and allow them to submit positions. However, the final decision-making will remain with states only.
The Russian proposal of a permanent OEWG after 2025 was co-sponsored by 11 states. It offers several principles for the group’s future work, stressing the consensus nature of decisions and stricter rules for stakeholder participation. It also provides detailed procedural rules and modalities of work.
The consensus issue was crucial at this substantive session as many states, even supporters of PoA, stressed this in statements. The problem may lie in the 78/16 resolution that does not specify the consensus mode of work except that the mechanism should be ‘permanent, inclusive and action-oriented’.
Another divergence between the two formats is the main scope. According to the statements by PoA supporters, PoA should focus on implementing the existing framework of responsible state behaviour in cyberspace and concentrate efforts on capacity building to enable developing countries to cope with that. There may be a place for a dialogue on new threats and norms, but this is not a primary task. On the contrary, a permanent OEWG will concentrate on drafting legally binding norms and mechanisms of its implementation as elements of a new treaty or convention on ICT security. However, other aspects, such as CBMs and capacity building, will also remain in its scope.
For Russia, the struggle to push the permanent OEWG format may lie in substance and in preserving the image of the pioneer of cyber negotiations at the UN and agenda-setter. If OEWG as a format ends in 2025, it will end the tradition of Russian diplomacy, which has more than 20 years of history. Also, earlier this year, in the submission to the SecGen under resolution 77/37, Russia frankly expressed its negative attitude towards PoA, saying that it will be ‘used by Western countries, in line with the ‘rules-based order’ concept promoted by the United States, to impose non-binding rules and standards to their advantage, instead of international law’.
The Chair plans to convey intersessional meetings on regular institutional dialogue in 2024 to deliberate this issue carefully.