What’s new with cybersecurity negotiations? OEWG 2021-2025 fourth substantive session
Updated on 06 April 2023
Who should have a say – and of what sort – in global negotiations about cyber stability? The old song and dance about accrediting stakeholders without ECOSOC consultative status to participate in the OEWG’s work opened the session. While countries have agreed on the so-called modalities of stakeholder participation, the modalities were not followed in the veto process, as the vetoing countries didn’t identify themselves. Here’s who tried to make it in and who made it in.
The substantive discussions, once they started, were guided by the Annual Progress Report (APR) and the Chair’s guiding questions. Here’s what stood out this time around: two proposals to counter ransomware, high hopes for a future Points of Contact (PoC) directory, and in-depth discussions on the applicability of the UN Charter to cyberspace. Proposals also abounded – you can find those in the orange boxes dispersed throughout the text.
Existing and potential threats
Malicious activity in cyberspace is on the rise, member states agreed time and time again. Well, when has it not been the case? Yet, as the threat landscape is ever-evolving, member states were invited to identify the threats that should make it into the annual progress report.
The EU, Denmark, Finland, Iceland, Norway, Sweden, the Nordic countries, the Czech Republic, and Germany highlighted the spill-over effects of Russian cyberattacks on Ukraine. These attacks have led to significant risks associated with escalating cyberspace threats, particularly affecting European energy and IT infrastructure.
The over-reliance on digital infrastructure since the COVID-19 pandemic has increased the risks of supply chain disruption, a concern shared by many countries.
Countries like El Salvador, Germany, and the Czech Republic highlighted the impact of AI-powered cyber instruments on international peace, security, and stability. The accelerated use of ICTs and the lack of transparency of algorithms may cause lower levels of human control and oversight over ICTs, leading to risks in the security domain, these countries noted.
Another salient theme was the growing prevalence of ransomware and cybercrime. Ransomware had previously been the topic of discussion at the OEWG – it has been the most commonly mentioned cyber threat – but, surprisingly, it didn’t make it into the APR. El Salvador stated that ransomware continues to be one of the greatest threats to the security of information and data, a sentiment echoed by the USA, the EU, Kenya, Denmark, and Argentina.
Rules, norms, and principles
The discussions surrounding the rules, norms, and principles of responsible behaviour of states in cyberspace centred on how to effectively implement those behaviours.
Some countries, like Russia and Syria, argued that the existing voluntary and non-binding rules of state behaviour don’t effectively regulate the use of ICTs to prevent inter-state conflicts and promote the peaceful use of ICTs. They proposed a legally binding multilateral international treaty under the auspices of the UN. Egypt stressed that the development of new principles and norms to close existing gaps at the international level does not conflict with the normative framework of responsible behaviour in the use of ICT. Other countries, including Sri Lanka and Canada (among others in the second session), critiqued Russia’s proposal, stressing the importance of implementing the 11 norms of responsible behaviour before negotiating new legal frameworks.
Due diligence implementation was emphasised as one of the key aspects of the Framework for Responsible State Behavior. France, for instance, noted that due diligence norms 13(C) and 13(H) are based on the principle of state sovereignty, which means that states are responsible for taking adequate and reasonable measures to respond to malicious activities that originate on their territory.
Emphasising due diligence, many representatives also discussed the need to protect critical infrastructure. Singapore stressed the need to protect cross-border critical internet infrastructures (CIIs) as vital infrastructure to international trade, financial markets, global transport, communications, health, and humanitarian action. Disrupting or undermining the operations of these CIIs could impair the delivery of critical services to populations and have serious implications for international peace and security.
While the faultlines from the previous discussions remain, states have progressed in formulating and sharing their views, and delving deeper into international law issues.
The applicability of international law to cyberspace
The majority of states reaffirmed that international law, including the UN Charter in its entirety, applies to cyberspace. Most states also reaffirmed the applicability of human rights law and international humanitarian law (IHL) in cyberspace. Costa Rica also stated that international criminal law applies in cyberspace.
Thailand pointed out the need to ensure that there are no gaps in the implementation of international law. Israel noted the need for further study into understanding whether adjustments and clarifications of the traditional international law are necessary to apply it in the cyber domain.
Some states acknowledged the applicability of principles of international law enshrined in the UN Charter – sovereign equality of states, non-use of force and threat of force, settlement of international disputes by peaceful means, and non-interference into internal affairs of states – but consider the automatic applicability of international law premature (Cuba, India, Jordan, Nicaragua, Pakistan, Russia, Syria). For China, the primary focus of discussions on the application of international law is to affirm the application of the UN Charter to cyberspace, especially that of its principles.
The need for a new legally binding instrument
The rift remains in the opinions on whether there is a need for a new legally binding instrument. Cuba, Iran, Iraq, and Syria supported a new legally binding instrument. Iran would like a new legally binding treaty to define the terminology and principles of international law.
Other states (Australia, Austria, Belgium, Canada, the Czech Republic, Estonia, Ireland, Israel, the Netherlands, Malawi, the Republic of Korea, the UK, and New Zealand) do not support a new legally binding instrument.
The applicability of international humanitarian law (IHL)
A specific discussion on the applicability of international humanitarian law (IHL) in cyberspace, which dominated discussions at the last session, continued. The majority of the states confirmed the applicability of IHL and its principles of necessity, humanity, proportionality, and distinction in cyberspace.
The question, however, remains about what constitutes an attack and armed conflict for the purposes of IHL. The EU and Switzerland affirmed that IHL applies in situations of armed conflict. The EU wants to further study how the IHL principles apply to the use of ICTs by states. New Zealand stated that a cyber activity might constitute an attack for the purposes of IHL where it results in death, injury, or physical damage, including loss of functionality equivalent to that caused by a kinetic attack. South Africa sees IHL as applicable to cyber operations, as it does to all operations with a nexus to an armed conflict, such as an attack on civilian infrastructure.
Russia rejected the automatic application of IHL in cyberspace. It stated that since there is no consensus on what constitutes an armed attack, there are no grounds for assessing the applicability of IHL. Belarus denied the applicability of IHL, as it does not consider ICTs as weapons.
Principles of the UN Charter
This time, the discussions were more substantial on individual principles enshrined in the UN Charter: the principle of sovereignty and sovereign equality, the obligation of states to settle international disputes by peaceful means, the principle of non-intervention and the prohibition of the threat or use of force.
Many states highlighted the important role of regional organisations in operationalising regional CBMs. In particular, states have mentioned the value of the OSCE, the OAS and ASEAN in enhancing information sharing between states. Therefore, some delegations, e.g. the EU, have also called for more active participation of regional organisations to share their experiences in the OEWG.
Another prominent topic in states’ interventions was whether additional CBMs are needed. Some have suggested that states should implement what has already been agreed on, while others suggested that new CBMs could be considered. Russia suggested agreeing on the basic universal principles of CBMs (e.g. to ensure that CBMs are not used as a tool to interfere in the internal affairs of states). Iran proposed developing ICT-related terminology. Canada, Australia, and the Netherlands have stressed the importance of exercising transparency by sharing cybersecurity agency missions and functions, national views and practices on cybersecurity incidents and related threats, and, as suggested specifically by Canada, what sectors each country considers as critical infrastructure. The EU, Spain, Chile, Mauritius, South Korea, India, and Canada stressed that active exchange with the private sector, academia, and NGOs could contribute to strengthening CBMs. Finally, Chile, the Czech Republic, Switzerland, Malaysia, and the Netherlands have highlighted the importance of sharing vulnerability information and coordinated vulnerability disclosure (CVD) as other concrete areas where states can further advance operationalisation efforts.
A broad agreement exists to establish a Points of Contact (PoC) Directory. However, states have shared diverging views on nuances, e.g. who should be nominated as a PoC (agencies or particular persons), who would be considered ‘technical PoCs’ and which functions should be assigned to both technical and diplomatic PoCs, whether participation should be voluntary, and whether the development and use of standardised templates should be a part of the work.
Delegations have also separately commented on capacity building elements in the context of the PoC Directory (referring to the Chair’s revised non-paper). During the hybrid informal inter-sessional meeting on this topic (held on 2 March 2023), several delegations (e.g. Australia, Austria, Canada, and China) expressed their concerns about the proposed capacity building elements. Delegations mainly stressed that the proposed measures seem overambitious and that capacity building should not end with the PoC Directory.
The Chair shared his hope that by July, states will be able to agree on modalities and adopt them within the next APR. Under such a timeline, the implementation of the PoC Directory is likely to happen only in early 2024.
The next step regarding the PoC is that the Chair will convene an informal virtual meeting at the end of April where he plans to invite regional PoC Directories to share their experiences. After that, the Chair will prepare a second revision of the PoC elements non-paper.
El Salvador, Argentina, and Kenya highlighted the need to prioritise practical support for establishing capacity-building programs in developing countries to mitigate ICT risks, and to build capacity amongst states to effectively respond to cyberthreats by increasing international cooperation both inter-regionally and within regions.
The role of international organisations in capacity building
The UK, Canada, and the USA noted that the OEWG could advance a general understanding of what capabilities need to be built. Yet, capacity building would be in the PoA’s remit.
The EU, UK, Chile, Albania, Czech Republic, Estonia, and Greece highlighted that the PoA will be the primary future instrument to structure cybersecurity capacity building initiatives by coordinating donors’ efforts and mapping the needs of recipient countries.
Japan stated that the OEWG should focus on collaborating with existing regional and international capacity building efforts to avoid duplications rather than creating a new organisation under the UN to provide capacity building projects.
Iran reiterated the idea it brought up at the December session: ITU could be a permanent forum for dialogue, consultation, cooperation, and coordination among member states, including developing technical capacities. Cuba supported this idea.
Funding capacity building needs
As for the funding of capacity building needs, the Dominican Republic pointed to various existing international funding mechanisms that could be used for cyber capacity building. Several states mentioned the World Bank Cyber Security Multi-donor Trust Fund, launched in 2021, dedicated to providing knowledge, technical cooperation, and practical tools to support cyber and digital security capacity building. Japan, Germany, and Estonia had already contributed to that Fund.
Capacity building in developing countries
Member states shared various perspectives on how capacity building should be carried out in developing countries. Greece highlighted the importance of needs-based partnerships for capacity building. Algeria stressed the need to consider the varying degrees of cybersecurity in different countries. Nicaragua, Fiji, and Botswana emphasised establishing a mechanism for technical and financial assistance to developing countries as a means of capacity building. Ghana proposed funding this mechanism through international development assistance and multilateral development banks. Colombia drew attention to a project proposed by UNIDIR on Unpacking Cyber Capacity-Building Needs, based on the 11 cyber norms to identify the areas in which developing countries require actions to develop.
States also discussed the Indian proposal on the Global Cyber Security Cooperation Portal that would contain a document repository, a PoC directory, a mapping of the needs of states in capacity building, a calendar of conferences and workshops, and incident reporting. However, Singapore and the Netherlands cautioned that it is important to look at the existing cooperation portals, like the UNIDIR cyber portal and the GFCE cyber portal. India explained that the proposed portal would combine other relevant sub-portals for a broader understanding of the latest developments in cyberspace, which also helps smaller delegations access multiple platforms and track different portals that otherwise consume time.
Croatia and the Netherlands noted that recent proposals on repositories and portals could be explored in relation to their possible inclusion in PoA.
On regular institutional dialogue
As expected, states discussed the cyber Program of Action (PoA), the establishment of which was welcomed in resolution 77/37.
Supporters of the PoA emphasise the complementarity of the OEWG and the PoA. They also stress engaging with other stakeholders more constructively. Interestingly, during this substantive session, several states mentioned the possibility of discussing additional cyber norms under the PoA, if needed – the point of past contradictions between the ‘two camps’.
Brazil, El Salvador, South Africa, India, and Malaysia warned once again of the problem of parallel tracks of discussions that require more resources to participate in. Germany said that the work on the PoA should not conflict with the OEWG meetings, but that the PoA should be ready by the end of the OEWG’s mandate in 2025.
A few countries remain staunchly opposed to the PoA. China noted that states who supported the PoA resolution are undermining the status of the OEWG as a single and inclusive process under the UN auspices. Cuba claimed that the OEWG had proven its value and should be the central mechanism for regular institutional dialogue until 2025. Iran, Pakistan, and Syria stressed that any proposals on regular institutional dialogue should be discussed within the OEWG on an equal footing.
An inter-sessional meeting on international law and regular institutional dialogue will be held around the end of May. The Chair plans to prepare a zero-draft of the APR in early June. States will discuss the APR at the fifth substantive session on 24–28 July 2023. Additional informal consultations will follow. The OEWG will round off the year with one more substantive session.
In closing, the Chair called the states once again ‘to go beyond your comfort zone, beyond your region to understand what other people’s expectations are, what other people’s requirements are in order to reach convergence’. He expressed cautious optimism about having a substantive APR in July with an outcome on the PoC Directory.
By Andrijana Gavrilović, Stefania Grottola, Pavlina Ittelson, Anastasiya Kazakova, Salomé Petit-Siemens, Ilona Stadnik