What’s new with cybersecurity negotiations? UN Cyber OEWG Final Report analysis

The UN’s Open-ended Working Group (OEWG) on Developments in the Field of ICTs in the Context of International Security (UN Cyber OEWG) has established another landmark in the international negotiations about the ‘rules of the road’, and particularly the responsible behaviour of states, in cyberspace; by adopting its final report with consensus by 68 member states on 12 March 2021. Some would argue that this brings nothing new; others would commend the very fact that this is the new globally agreed report – first in almost six years, after the report of the UN GGE in 2015.

 

 

So what does the new report really mean?

In this blog, we focus on what the adopted document brings – and omits. Firstly, we dive into the substance of recommendations and discussions on emerging threats, applicability of international law, norms, confidence building measures, capacity building, and the future of institutional dialogue; we look at diversity of positions throughout the process, as well as what the final agreement brings (or takes) to the international community. After that, we take a look at the ‘procedural’ elements – the structure and foundations of the report – which already tell us much about the positions of states. Head to our previous blog to read our analysis on what the numbers about activity and contributions of different delegations tell us about the process and positions of delegations.

 

The Cyber OEWG Final Report: What does it recommend?

After reshuffling the order of the sections and after moving the discussions into the chairs’ summary- as we’ll go over in detail further down this article – the final report includes sections on:

• Existing and emerging threats
• Norms, rules and principles
• International law
• Confidence building measures
• Capacity building
• Regular institutional dialogue.

The changes to the wording between drafts, as well as changes made during the week of negotiations, provide some very interesting insights.

Existing and emerging threats

Increasingly frequent and sophisticated harmful ICT incidents, and their likeliness of creating conflicts in the future, were underscored by states in the final report. What is missing, according to comments by some non-government and business actors, is a more explicit language about threats stemming from state misuse of vulnerabilities.

The humanitarian consequences of malicious ICT activities on critical infrastructure (CI), critical information infrastructure (CII), as well as medical facilities, along with financial services, energy, water, transportation, and sanitation, are included as one of the CI that may be determined by the states within their prerogative. During the discussions, Australia has noted that the states would be remiss if they did not refer to medical facilities in times of a pandemic.

Additionally, the final report mentions the growing concern with regard to activities against CI and CII that undermine trust and confidence in political and electoral processes, public institutions, or that impact the general availability or integrity of the internet. Inclusion of these issues in the final report was specifically highlighted by the Netherlands in deliberations.

The final report (par. 19) specifically refers to state sovereignty, as one of the two instances in the whole report (other relates to capacity building principles), stating that ICT activity contrary to obligations under international law that intentionally damages critical infrastructure ICT constitutes threat not only to security, but also to state sovereignty.

Rules, norms, and principles for responsible state behaviour

Building on the 2015 GGE report, the final report states that voluntary, non-binding norms of responsible state behaviour contribute to the prevention of conflict and reflect the expectations and standards of the international community regarding the behaviour of states in ICT use. It was reaffirmed that binding obligations and rights of states under international law are not replaced by the norms. Norms are to provide additional guidance and specifications on what constitutes responsible state behaviour in the use of ICTs. Norms do not seek to limit or prohibit action that is otherwise consistent with international law.

The section on norms and principles further include the importance of protecting healthcare infrastructure including medical services and facilities (para. 26). It also calls for ensuring the general availability and integrity of the internet – which is a reference, though an indirect one, to the norm on protecting the public core of the internet proposed by the Global Commission for Stability of Cyberspace (GCSC). Importantly, it explicitly reiterates the norms of the GGE Report of 2015 about the need for the states to take reasonable steps to ensure the integrity of the ICT supply chain (as specifically mentioned by Egypt, India, EU, Italy, Norway, Singapore, among others), prevent proliferation of malicious tools and use of harmful hidden functions, and encourage responsible reporting of vulnerabilities (par. 28).

International Law

A highly debated paragraph of the final report featured the reaffirmation by the states that international law, and in particular the Charter of the UN, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment. Some states were content with the final wording (Pacific Island Forum, Non Aligned Movement, Greece), while others wanted international law and the UN Charter to be applicable ‘in its entirety’. The third opinion, voiced by the Netherlands, Liechtenstein, Czech Republic, Australia, and many other countries was to include specific mention that the international humanitarian law, human rights law, and customary international law applies. However, some states (China, Cuba, Belarus) voiced their opposition to the applicability of international humanitarian law, arguing that it would legitimise militarisation of cyberspace and the resort to conflict in any domain. The reference to the international humanitarian law is now included in the Chair’s Summary in par. 12 and 18.

The lack of mention of international humanitarian law in the text of the final report was mentioned by many in their final interventions as one of the reasons they are not fully satisfied with the final report. The issue of the applicability of the international humanitarian law is certainly not new and was a major reason for the GGE 2017 being unable to find consensus on the report. One of the arguments of why international humanitarian law would not apply in cyberspace are military objectives and efforts of states to scale up and test their cyber capabilities, as well to engage in hybrid warfare. Should the applicability of international humanitarian law be confirmed, it may limit or prevent development of new cyber capabilities as these may have unintended effects on civilian population and infrastructure and restrict the conduct of hybrid warfare.

Another line of discussion in this section was on including specific references to principles enshrined in the UN Charter, such as sovereignty, sovereign equality, non-intervention, right to invoke self-defence (Art. 51 of the UN Charter). Similarly, the polarisation was about excluding all UN Charter and international humanitarian law principles such as, humanity, distinction, proportionality, necessity, in the final report. The principles were agreed upon by the GGE in 2015, but were not reiterated in the resolution that established the Cyber OEWG. However, one principle of the UN Charter is specifically mentioned in the final report – settlement of disputes by peaceful means – in line with the wording of Art. 2 par. 3 and Art. 33 par. 1 of the UN Charter. The discussion on principles of UN Charter and of international humanitarian law is now in the Chair’s Summary par. 18.

States concluded that further common understandings need to be developed on how international law applies to state use of ICTs within the UN as the forum and through neutral and objective capacity building efforts in the area of international law, national legislation, and policy.

States have agreed to continue to inform the UN Secretary-General of their national views and assessments on how international law applies to their use of ICTs in the context of international security on a voluntary basis.

Confidence building measures

States were generally in agreement on the key role of confidence building measures (CBM) and their contribution to prevention of conflict, on voluntary cooperation among states and sharing best practices.

The final report states that the dialogue within the Cyber OEWG was in itself a CBM and underscores the crucial role of the UN in the development and supporting implementation of global CBMs.

States have agreed to voluntarily:

• Share relevant information and lessons learned on CBM implementation;
• Establish a national Point of Contact at the technical, policy, and diplomatic levels
• Continue to inform the Secretary-General on a voluntary basis of their views and assessments and information on lessons learned and good practices of relevant CBMs at the bilateral, regional, or multilateral level.

The proposal for states to publicly reaffirm their commitment to the GGE Report of 2015 as a CBM was removed from the first draft in the final stage of negotiations.

Capacity building

The report lays out the principles of capacity building (par. 56), which will likely be the cornerstone of future references to cyber capacity building within the UN. It refers to capacity building as:

• a sustainable process, based on mutual trust, driven by nationally identified needs and priorities,
• comprising specific activities with clear purposes,
• activities should respect human rights and fundamental freedoms, be gender sensitive and inclusive, be and non-discriminatory, and contribute to closing the digital divide,
• result focused, evidence based, politically neutral, transparent, accountable, and without conditions,
• undertaken with full respect for the principle of state sovereignty.

However, the report fails to clearly emphasise the multistakeholder aspect, and suggest building on existing international efforts such as the Global Forum on Cyber Expertise. In spite of numerous written and verbal contributions by non-government stakeholders since the beginning of the process this remained to be the case up to the finalisation of the report. It was a missed opportunity to shape the principles in a more comprehensive way.

The final report consensus is also that states, on a voluntary basis, use the model ‘National Survey of Implementation of UN General Assembly Resolution 70/237’ (to be made available online) to help them inform the Secretary-General on their views, lessons learned, and good practices on capacity building. It is notable that the ‘survey’ of national efforts is also used in recommendations about the progress with implementation of norms, as well as in discussions about the views on the applicability of international law, so it is possible that this model could find its broader use in future.

Regular institutional dialogue

As the final point on the agenda, states discussed how to proceed with deliberations in the future. The USA, the EU, Japan, the Netherlands, Sweden, Ukraine, Canada, and others have voiced their support to the Programme of Action (PoA), which aims to end the ‘dual track’ of the Group of Governmental Experts (GGE) and the OEWG, and establishing ‘a permanent UN forum to consider the use of ICTs by States in the context of international security’. The proposal suggests the PoA to be in a single, long-term, inclusive, and progress oriented format and is supported by 51 states.

Others, like Russia, China, South Africa, Indonesia, Cuba, and India, see the future discussions on ICTs within the new OEWG 2021-2025, established by Resolution 75/240.

The final report recommends the regular institutional dialogue to continue under the auspices of the UN, including the 2021-2025 OEWG, and underlines that equal state participation must be upheld. It then opens the door for the PoA by calling for further elaboration of other proposals, such as the PoA, including (but not limited to) within the next edition of the OEWG. As the PoA was the major discussion point in this part since it was proposed, it is certain that the PoA will remain one of the main options to confront (or work along) the Cyber OEWG in the future.

A major concern raised by a number of non-government and industry actors during the multistakeholder consultation on the final document was that the document hasn’t managed to ensure the inclusive manner of future deliberations – be it the OEWG, PoA, or other options.

It is also worth mentioning that, while the report emphasised that the institutional dialogue should not duplicate existing UN mandates, the explicit reference to mandates related to terrorism, crime, development, human rights, and internet governance were removed in the final report. This leaves a possibility for future dialogue to expand its scope to some of those areas.

Final observations

The last paragraph of the final report mentions new ideas and important proposals that were put forward within the OEWG negotiations, not necessarily agreed by all states. This includes the possibility of additional legally binding obligations. The wording was criticised for reference to additional legally binding obligations by Canada, Croatia, the EU, Italy, Israel, Japan, Switzerland, and others, as this wording does not accurately reflect the content of the discussions and is not a provision agreed by all states.

The structure and foundation of the final report

What is the Cyber OEWG report based on?

Opinions of states have been split on the question whether the outcomes of work of the GGE in 2010, 2013, 2015, confirmed by the UN General Assembly (UN GA) Res/70/237 are the basis for the work of the Cyber OEWG and the basis for its final report. Some states wanted the previous acquis reaffirmed (EU, US, Netherlands, Republic of Korea, Liechtenstein, and others), stating that the OEWG does not start from scratch. Others (Cuba, Iran, Russia, and others) were of the opinion that the work of the Cyber OEWG, including the report, is to be based on UN GA Res/73/27 and is separate from GGE.

In the core of this dispute was the adoption and reaffirmation of the 2015 GGE report and reaffirming UN GA Res/70/237 (adopted by consensus) in the Cyber OEWG consensual report by 193 UN member states, thus solidifying the previous GGE conclusions on existing and emerging threats, norms, rules and principles, CBMs, capacity building, and application of international law, in particular the UN Charter in cyberspace.

The final report confirmed that the outcomes of GGE in 2010, 2013, 2015 and the UN GA Res/70/237 (together informally referred to as ‘acquis’) are the base for the final report (par. 7, 8, 14). The final report took into consideration the demands of the states of differing opinion by noting the Res/73/27 in the text.

What should the structure of the report be?

Great deal of debate was dedicated to the structure of the report. Mainly, what parts should stay in the report as recommendations and conclusions, what parts should be in the discussions section, and the order of sections was highly debated too.

When comparing previous drafts, the main objection states (EU et al.) voiced was moving the section on principles of international law and UN Charter from the recommendations and conclusion section into the discussion section, as they preferred to include the principles of international law and UN Charter in the body of the final report.

The outcome of the Cyber OEWG is now split between the final report (substantive) and the chair’s summary, issued under the responsibility of the chair, holding the content of the discussions as a base for further deliberations on these matters. Number of non-government actors raised concerns over removing the discussion part from the final document, though they commended the effort of the chair to preserve it in the form of the chair’s summary at least. The debated paragraph on the principles of international law and UN Charter is in the Chair’s summary, except for reaffirming the principle of settlement of disputes by peaceful means included in par. 35 of the final report.

Debate on the order of sections in the report related to two sections. The first draft had an international law section preceding the section on rules, norms and principles. After request by China, the order of these sections was flipped in the final report, putting rules, norms, and principles first. While this debate seems benign at first, it goes into the heart of application of international law and rules, norms, and principles in cyberspace.

Again, the opinion was split. Those wanting the international law section first (Republic of Korea, EU member states, the USA), are of the opinion that the international law applies in cyberspace, is binding and has precedence over rules, norms, and principles, which only further define the state’s obligations within the framework of international law. These states also stated that there is no need for new legally binding instruments. The other group of states (China, Cuba, NAM) considers rules, norms, and principles to be binding and taking precedence over the international law, and requests that a new legally binding regulation be discussed and adopted in course of future negotiations. It is worth reminding that Res/73/27, which defines the mandate of the Cyber OEWG, doesn’t specify the particular order, though it firstly mentions rules, norms and principles, and later studying how international law applies to cyberspace.

The final report has kept the section on rules, norms, and principles before the section on international law. However, the wording in other parts of the Final Report (par. 19, 25, 31, and others), and specifically par. 25 states that ‘The states reaffirmed that norms do not replace or alter States’ obligations or rights under international law, which are binding, but rather provide additional specific guidance on what constitutes responsible State behaviour in the use of ICTs. Norms do not seek to limit or prohibit action that is otherwise consistent with international law’, making it clear that international law takes precedence over rules, norms, and principles.

Negotiation approach

States were discussing the final report and previous drafts as a whole, stating their preferred wording and objections to the different parts of the text, but not negotiating the wording paragraph by paragraph. This approach was not welcomed by all the states, specifically India and Singapore voiced objections to this approach, while Cuba has stated that they intend to resume paragraph by paragraph negotiations. Yet, time was short, stakes were high for everyone, and it was in a common interest to end this OEWG with a consensus report – factors which probably created space for such a decision by the chair.

Additional written statements by member states

Due to the changes in procedural rules at the UN headquarters due to COVID-19, the states had the opportunity to submit written statements to the Final report, which will be compiled and published as a compendium to the Final report. To support the inclusive approach, the Chair also invited other stakeholders to submit their written contributions throughout the process. These contributions are available at the OEWG site, but are not included in the compendium.

The verdict

So what is the verdict? A general feeling from all sides is that the report could have been stronger. At the same time, it reaffirms previous agreements and cements ‘the acquis’, while taking steps towards further negotiations by delineating the positions of states in particular, about the applicability of international humanitarian law. Importantly, it opens viable options for continuation of the institutional dialogue within the UN, which is currently more important than closing the existing ones. However, the inclusivity of these options remains a battle to be fought for.

Most importantly, it is a consensus document of 193 UN states, though as such it has likely made all parties ‘equally unhappy’. Being ‘new without bringing much new’, in the current geopolitical circumstances the report fulfills the conditions for becoming another landmark document which will certainly be referenced by all parties in years to come.

What’s next?

On the process side, we await the results of the more covert (if not fully untransparent) GGE process which should be completed by the end of May 2021. The establishment of the OEWG 2021-2025 is also underway with the organisational session already set for 1 June. The final report will be submitted to the 76th UN GA in September 2021. The final report of the current Cyber OEWG opens these doors widely, already setting a number of issues on its agenda. The PoA will certainly be among the first – but if dragged out for too long, its proponents may look for other options of establishing it. Good news is that lots of talks are ahead of us.

What do you think about the Cyber OEWG Final Report? Tell us on Textus!

As we aim to analyse and inform everyone who is interested in cyber-negotiations, we love to hear what you think! Head to Diplo’s hypertext tool Textus, to easily comment yourself and reflect on others’ comments in two simple steps:

1. Click on the ‘<’ button in the upper right corner, and a gray sidebar will appear. Go to the upper right corner of the sidebar and sign up.
2. Then simply log in and comment!