What’s new with cybersecurity negotiations? OEWG 2021-2025 fourth substantive session
Updated on 06 April 2023
Who should have a say – and of what sort – in global negotiations about cyber stability? The old song and dance about accrediting stakeholders without ECOSOC consultative status to participate in the OEWG’s work opened the session. While countries have agreed on the so-called modalities of stakeholder participation, the modalities were not followed in the veto process, as the vetoing countries didn’t identify themselves. Here’s who tried to make it in and who made it in.
The substantive discussions, once they started, were guided by the Annual Progress Report (APR) and the Chair’s guiding questions. Here’s what stood out this time around: two proposals to counter ransomware, high hopes for a future Points of Contact (PoC) directory, and in-depth discussions on the applicability of the UN Charter to cyberspace. Proposals also abounded – you can find those in the orange boxes dispersed throughout the text.
Want to know more about UN OEWG? Visit our dedicated Digital Watch page.
Existing and potential threats
Malicious activity in cyberspace is on the rise, member states agreed time and time again. Well, when has it not been the case? Yet, as the threat landscape is ever-evolving, member states were invited to identify the threats that should make it into the annual progress report.
The EU, Denmark, Finland, Iceland, Norway, Sweden, the Nordic countries, the Czech Republic, and Germany highlighted the spill-over effects of Russian cyberattacks on Ukraine. These attacks have led to significant risks associated with escalating cyberspace threats, particularly affecting European energy and IT infrastructure.
The over-reliance on digital infrastructure since the COVID-19 pandemic has increased the risks of supply chain disruption, a concern shared by many countries.
Countries like El Salvador, Germany, and the Czech Republic highlighted the impact of AI-powered cyber instruments on international peace, security, and stability. The accelerated use of ICTs and the opacity of algorithms may cause lower levels of human control and oversight over ICTs, leading to risks in the security domain, these countries noted.
A new proposal! The OEWG to address responsible development of new tech by states
The Czech Republic proposed that the OEWG develop a more detailed discussion on responsible state behaviour in developing new technologies.
Another salient theme was the growing prevalence of ransomware and cybercrime. Ransomware had previously been the topic of discussion at the OEWG – it has been the most commonly mentioned cyber threat – but, surprisingly, it didn’t make it into the APR. El Salvador stated that ransomware continues to be one of the greatest threats to the security of information and data, a sentiment echoed by the USA, the EU, Kenya, Denmark, and Argentina.
New proposals! How to address ransomware and cybercrime
Kenya proposed establishing a repository of common threats, vectors, and actors under the auspices of the UN. Russia, Germany, Samoa, the Netherlands, Fiji, and others welcomed this idea and expressed willingness to explore it further during the OEWG work. The Philippines proposed a similar idea for a portal, which could be modelled after the Cybercrime Repository under the UN Office on Drugs and Crime and building on the existing Cyber Policy Portal of the UN Institute for Disarmament Research. The EU proposed taking stock of the work of the International Counter Ransomware Initiative and formulating a common position on issues such as ransomware.
Rules, norms, and principles
The discussions surrounding the rules, norms, and principles of responsible behaviour of states in cyberspace centred on how to effectively implement those behaviours.
Some countries, like Russia and Syria, argued that the existing voluntary and non-binding rules of state behaviour don’t effectively regulate the use of ICTs to prevent inter-state conflicts and promote the peaceful use of ICTs. They proposed a legally binding multilateral international treaty under the auspices of the UN. Egypt stressed that the development of new principles and norms to close existing gaps at the international level does not conflict with the normative framework of responsible behaviour in the use of ICT. Other countries, including Sri Lanka and Canada (among others in the second session), critiqued Russia’s proposal, stressing the importance of implementing the 11 norms of responsible behaviour before negotiating new legal frameworks.
Due diligence implementation was emphasised as one of the key aspects of the Framework for Responsible State Behavior. France, for instance, noted that due diligence norms 13(C) and 13(H) are based on the principle of state sovereignty, which means that states are responsible for taking adequate and reasonable measures to respond to malicious activities that originate on their territory.
A new proposal! A practical guide for due diligence
France proposed creating a practical guide that would help facilitate the implementation of norms 13C (states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs) and 13H (states should respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another state emanating from their territory, taking into account due regard for sovereignty).
Emphasising due diligence, many representatives also discussed the need to protect critical infrastructure. Singapore stressed the need to protect cross-border critical internet infrastructures (CIIs) as vital infrastructure to international trade, financial markets, global transport, communications, health, and humanitarian action. Disrupting or undermining the operations of these CIIs could impair the delivery of critical services to populations and have serious implications for international peace and security.
International law
While the faultlines from the previous discussions remain, states have progressed in formulating and sharing their views, and delving deeper into international law issues.
The applicability of international law to cyberspace
The majority of states reaffirmed that international law, including the UN Charter in its entirety, applies to cyberspace. Most states also reaffirmed the applicability of human rights law and international humanitarian law (IHL) in cyberspace. Costa Rica also stated that international criminal law applies in cyberspace.
Thailand pointed out the need to ensure that there are no gaps in the implementation of international law. Israel noted the need for further study into understanding whether adjustments and clarifications of the traditional international law are necessary to apply it in the cyber domain.
Some states acknowledged the applicability of principles of international law enshrined in the UN Charter – sovereign equality of states, non-use of force and threat of force, settlement of international disputes by peaceful means, and non-interference into internal affairs of states – but consider the automatic applicability of international law premature (Cuba, India, Jordan, Nicaragua, Pakistan, Russia, Syria). For China, the primary focus of discussions on the application of international law is to affirm the application of the UN Charter to cyberspace, especially that of its principles.
The need for a new legally binding instrument
The rift remains in the opinions on whether there is a need for a new legally binding instrument. Cuba, Iran, Iraq, and Syria supported a new legally binding instrument. Iran would like a new legally binding treaty to define the terminology and principles of international law.
Other states (Australia, Austria, Belgium, Canada, the Czech Republic, Estonia, Ireland, Israel, the Netherlands, Malawi, the Republic of Korea, the UK, and New Zealand) do not support a new legally binding instrument.
New proposals! A new convention, and clarification of the rules of international law
Russia, in line with its previous statements, sees the adoption of a new legally binding instrument as a priority and has submitted an updated concept (proposal) of the ‘Convention of the UN on Ensuring International Information Security’ with Belarus and Nicaragua as co-sponsors. Previously, in 2011 and 2021, the Russian delegation prepared similar concepts for such a convention. However, the current updated concept has been shortened: parts on cybercrime and terrorism with the use of ICTs have been removed (which are, at the same time, on the table for the AHC negotiation process on a cybercrime convention). According to this updated concept, the Convention has three purposes: to prevent and settle inter-state conflicts, to build trust and develop cooperation among the UN member states in the field of international information security, and to support the capacity building of states. For each of these purposes, the concept suggests several principles and proposals.
Vietnam stated that if the idea of the new legally binding document is premature, the OEWG could clarify the rules of international law through (a) a request for an advisory opinion to the International Court of Justice; (b) a mandate for a study by the UN International Law Commission; or (c) through submitting a topic for discussion at the UN Sixth Committee.
The applicability of international humanitarian law (IHL)
A specific discussion on the applicability of international humanitarian law (IHL) in cyberspace, which dominated discussions at the last session, continued. The majority of the states confirmed the applicability of IHL and its principles of necessity, humanity, proportionality, and distinction in cyberspace.
The question, however, remains about what constitutes an attack and armed conflict for the purposes of IHL. The EU and Switzerland affirmed that the IHL applies in situations of armed conflict. The EU wants to further study how the IHL principles apply to the use of ICTs by states. New Zealand stated that a cyber activity might constitute an attack for the purposes of IHL where it results in death, injury, or physical damage, including loss of functionality equivalent to that caused by a kinetic attack. South Africa sees IHL as applicable to cyber operations, as it does to all operations with a nexus to an armed conflict, such as an attack on civilian infrastructure.
Russia rejected the automatic application of IHL in cyberspace. It stated that since there is no consensus on what constitutes an armed attack, there are no grounds for assessing the applicability of IHL. Belarus denied the applicability of the IHL, as it does not consider ICTs as weapons.
Principles of the UN Charter
This time, the discussions were more substantial on individual principles enshrined in the UN Charter: the principle of sovereignty and sovereign equality, the obligation of states to settle international disputes by peaceful means, the principle of non-intervention and the prohibition of the threat or use of force.
Principle of sovereignty and sovereign equality (Art. 2.1. of UN Charter)
The majority of states (Austria, Canada, Croatia, and others) stated that the principle applies in cyberspace and shared opinions on what would constitute a breach of sovereignty in cyberspace. Sweden, on behalf of Nordic states, said that a breach of sovereignty in cyberspace might amount to an internationally wrongful act. It may also give rise to state responsibility if attributable to a state. The assessments should be made on a case-by-case basis. Singapore considers the state’s territorial sovereignty to extend over cyber infrastructure located in its territory and activities associated with such infrastructure. The Netherlands holds the view that states have exclusive authority over the physical, human, and immaterial (which includes logistical or software-related) aspects of cyberspace within their territory. Switzerland provided an example of state sovereignty in protecting ICT infrastructure on a state’s territory against unauthorised intrusion or material damage. Japan sees a possible violation of sovereignty through an act which causes physical damage or loss of functionality through cyber operations against critical infrastructure.
Estonia, France, and Switzerland pointed out the limits of state sovereignty, such as the responsibility not to breach the sovereignty of other states and to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states.
Australia, Chile, Estonia, the Netherlands, Vietnam, the Republic of Korea, South Africa, and Switzerland recognised the principle of due diligence in cyberspace.
The obligation of states to settle international disputes by peaceful means (Art. 2.3, Art. 33 of UN Charter)
Many states (Australia, Austria, Belgium, Canada, Estonia, the Netherlands, Singapore, Switzerland, Sweden on behalf of Nordic countries, and the UK) have reaffirmed the obligation of states to settle disputes by peaceful means by negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice.
Principle of non-intervention (Art. 2.7 of UN Charter)
The customary international law obligation not to intervene in the internal or external affairs of another state applies to cyberspace, just as it applies in the physical realm, according to Australia, Singapore, Estonia, and others. According to Singapore, a prohibited intervention in certain circumstances would be interference with the electoral processes of another state through cyber means. Estonia considers coercion a key factor in assessing whether a cyber operation constitutes an unlawful intervention in, for example, another nation’s democratic processes, such as elections, or its military security or critical infrastructure systems. Austria, citing the ICJ Nicaragua case and the definition of coercion, called for an in-depth discussion on how it translates to cyberspace.
Prohibition of the threat or use of force (Art. 2.4 of the UN Charter)
Canada, Singapore, South Africa, and Romania affirmed the obligation of all states to refrain from the threat or use of force against the territorial integrity or political independence of other states, which also applies in cyberspace. The states also discussed the conditions for invoking Art. 51 of the UN Charter (right to self-defence in case of armed attack). Austria pointed out that the right of self-defence does not legitimise the use of armed force by any means but serves as a safeguard against unlawful armed attacks and is subject to certain conditions, such as necessity and proportionality. According to New Zealand, a cyber activity that amounts to the use of force will also constitute an armed attack for the purposes of Art. 51 of the UN Charter if it results in effects of a scale and nature equivalent to those caused by a kinetic armed attack. South Africa confirmed that a cyberattack can be an armed attack and invoke the right of self-defence, while Cuba firmly opposes this opinion. Nicaragua pointed out that there is no current consensus in the international community on how to qualify the misuse of ICTs, such as armed attacks, in accordance with Art. 51 of the UN Charter.
On the related issue of attribution of cyberattacks to states, France believes that the decision about attribution is a sovereign decision that falls under its exclusive purview, even if international coordination might be undertaken to attribute an information-based attack collectively. According to France, international law does not compel states to disclose the elements of evidence they have that form the basis for publicly attributing such a cyberattack. Russia stated that the current level of organisation of the global internet does not allow facts underpinning the attribution to be confirmed. Thailand sees it as essential to ensure that the process of attribution is objective, transparent, and based on solid evidence to avoid failed accusations and unjustified action, which is hard for countries with limited resources.
New discussion alert! How to enforce the states’ obligations
The discussions expanded – for the first time, we believe – into the question of enforcement of the obligations of states, citing the International Court of Justice (Switzerland) and the work of Liechtenstein within the International Criminal Court (ICC) on the application of the Rome Statute of the ICC to cyberwarfare, and in particular the provisions regarding the crime of aggression, war crimes, crimes against humanity, and genocide (Belgium, Vietnam).
New proposals! What international law matters should the OEWG discuss next?
Most states supported the Canadian-Swiss proposal to include the topics of the UN Charter, peaceful settlement of disputes, IHL and state responsibility in the OEWG Programme of work for 2023.
India suggested discussing convergence and gaps in member states’ common understanding and interpretation of international law.
States favouring a new legally binding instrument (Russia, Iran, Cuba) call for negotiating such a treaty, while China believes that the topics of inter-sessional discussions must be balanced, not limited to a single topic.
Most of the states (Australia, Austria, Canada, Czechia, Estonia, the EU, Kenya, Netherlands, New Zealand, South Africa, Singapore, Sweden on behalf of Nordic countries, Switzerland, the UK, and others) would welcome a dedicated session on international law in May or June in the form of virtual or hybrid inter-sessional meeting, ahead of the fifth substantive session in July.
CBMs
Many states highlighted the important role of regional organisations in operationalising regional CBMs. In particular, states have mentioned the value of the OSCE, the OAS and ASEAN in enhancing information sharing between states. Therefore, some delegations, e.g. the EU, have also called for more active participation of regional organisations to share their experiences in the OEWG.
Another prominent topic in states’ interventions was whether additional CBMs are needed. Some have suggested that the states should implement what has been already agreed on, while others suggested that new CBMs could be considered. Russia suggested agreeing on the basic universal principles of CBMs (e.g. to ensure that CBMs are not used as a tool to interfere in the internal affairs of states). Iran proposed developing ICT-related terminology. Canada, Australia, and the Netherlands have stressed the importance of exercising transparency by sharing cybersecurity agency missions and functions, national views and practices on cybersecurity incidents and related threats, and, as suggested specifically by Canada, what sectors each country considers as critical infrastructure. The EU, Spain, Chile, Mauritius, South Korea, India, and Canada stressed that active exchange with the private sector, academia, and NGOs could contribute to strengthening CBMs. Finally, Chile, the Czech Republic, Switzerland, Malaysia, and the Netherlands have highlighted the importance of sharing vulnerability information and coordinated vulnerability disclosure (CVD) as other concrete areas where states can further advance operationalisation efforts.
A broad agreement exists to establish a Points of Contact (PoC) Directory. However, states have shared diverging views on nuances, e.g. who should be nominated as a PoC (agencies or particular persons), who would be considered as ‘technical PoCs’ and which functions should be assigned to both technical and diplomatic PoCs, whether participation should be voluntary, and whether the development and use of standardised templates should be a part of the work.
Delegations have also separately commented on capacity building elements in the context of the PoC Directory (referring to the Chair’s revised non-paper). During the hybrid informal inter-sessional meeting on this topic (held on 2 March 2023), several delegations (e.g. Australia, Austria, Canada, and China) expressed their concerns about the proposed capacity building elements. Delegations mainly stressed that the proposed measures seem overambitious and that capacity building should not end with the PoC Directory only.
New proposals!
As co-sponsors, Russia, Belarus, and Nicaragua have submitted a proposal for establishing a PoC directory. Its tasks would include: (a) defining and keeping updated a list of PoCs; (b) establishing practical interaction between authorised national organisations in the field of computer incident response; (c) reducing tensions and the threat of conflicts resulting from misunderstanding and misperception of computer incidents. States would designate PoCs at the diplomatic and technical levels.
Iran proposed seven principles, including but not limited to the principles of non-intervention in the internal affairs of other states, along with sovereign equality for the work of the PoC Directory; the principle allowing the PoCs and their resources not to be subject to restrictive and blocking measures, including unilateral coercive measures (UCMs).
Iran suggested that the UN Secretariat seek views from states on capacities required for effective participation of PoCs in the Directory and on suitable mechanisms and actions for building such capacities. As a result, the background paper could be produced by the end of June 2023 for consideration at the 5th session of the OEWG.
The Chair shared his hope that by July, states will be able to agree on modalities and adopt them within the next APR. Under such a timeline, the implementation of the PoC Directory is likely to happen only in early 2024.
The next step regarding the PoC is that the Chair will convene an informal virtual meeting at the end of April where he plans to invite regional PoC Directories to share their experiences. After that, the Chair will prepare a second revision of the PoC elements non-paper.
Capacity building
El Salvador, Argentina, and Kenya highlighted prioritising practical support for establishing capacity-building programs in developing countries to mitigate ICT risks and building capacity amongst states to effectively respond to cyberthreats by increasing international cooperation both inter-regionally and within regions.
States shared experiences about tailored programs for particular countries, such as the Cybersecurity Program of the OAS, ASEAN-Japan Cyber Security Policy Meeting, ASEAN-Singapore Cybersecurity Centre of Excellence, ASEAN Cyber Shield Project, Western Balkans Cyber Capacity ensured by EU CyberNet, the Gulf Cooperation Council, the ITU’s regional and national cyber drills for capacity development, the UNDP program for cyber development, and of course, the GFCE.
The role of international organisations in capacity building
The UK, Canada, and the USA noted that the OEWG could advance a general understanding of what capabilities need to be built. Yet, capacity building would be in the PoA’s remit.
The EU, UK, Chile, Albania, Czech Republic, Estonia, and Greece highlighted that the PoA will be the primary future instrument to structure cybersecurity capacity building initiatives by coordinating donors’ efforts and mapping the needs of recipient countries.
Japan stated that the OEWG should focus on collaborating with existing regional and international capacity building efforts to avoid duplications rather than creating a new organisation under the UN to provide capacity building projects.
Iran reiterated the idea it brought up at the December session: ITU could be a permanent forum for dialogue, consultation, cooperation, and coordination among member states, including developing technical capacities. Cuba supported this idea.
Funding capacity building needs
As for the funding of capacity building needs, the Dominican Republic pointed to various existing international funding mechanisms that could be used for cyber capacity building. Several states mentioned the World Bank Cyber Security Multi-donor Trust Fund, launched in 2021, dedicated to providing knowledge, technical cooperation, and practical tools to support cyber and digital security capacity building. Japan, Germany, and Estonia had already contributed to that Fund.
A new proposal! The OEWG to establish a fund for capacity building
Russia suggested that the OEWG consider establishing a specific assistance fund for capacity building needs.
Capacity building in developing countries
Member states shared various perspectives on how capacity building should be carried out in developing countries. Greece highlighted the importance of needs-based partnerships for capacity building. Algeria stressed the need to consider the varying degrees of cybersecurity in different countries. Nicaragua, Fiji, and Botswana emphasised establishing a mechanism for technical and financial assistance to developing countries as a means of capacity building. Ghana proposed funding this mechanism through international development assistance and multilateral development banks. Colombia drew attention to a project proposed by UNIDIR on Unpacking Cyber Capacity-Building Needs, based on the 11 cyber norms to identify the areas in which developing countries require actions to develop.
A new proposal! Cyber development goals
The International Chamber of Commerce proposed developing cyber development goals that the international community can align behind. These goals would define the scope, ambition, and required support, such as capacity building, to produce concrete yet country-specific frameworks. Read more about the cyber development goals in our IGF 2022 session report.
States also discussed the Indian proposal on the Global Cyber Security Cooperation Portal that would contain a document repository, a PoC directory, a mapping of the needs of states in capacity building, a calendar of conferences and workshops, and incident reporting. However, Singapore and the Netherlands cautioned that it is important to look at the existing cooperation portals, like UNIDIR cyber portal and the GFCE cyber portal. India explained that the proposed portal would combine other relevant sub-portals for a broader understanding of the latest developments in cyberspace, which also helps smaller delegations access multiple platforms and track different portals that otherwise consume time.
Croatia and the Netherlands noted that recent proposals on repositories and portals could be explored in relation to their possible inclusion in PoA.
Stakeholder comments on capacity building
Stakeholder comments on capacity building and public-private partnerships highlighted the interconnectedness of capacity building with development goals, human rights, and civil society participation. Youth education is vital for capacity building. Private sector partnerships were proven effective in educating the next generation of ICT professionals to address the growing threat of cyberattacks. However, it is also crucial for states to engage with youth activists and young professionals in ICTs. Gender considerations were also at the forefront of discussions. A gender-sensitive approach to capacity building should consider the gender impacts and implications of cyber threats and address the needs, priorities, and capacities of women and people of diverse sexualities, gender expressions, and identities. Such an approach should include principles such as participation, transparency, diversity, and accountability and ensure meaningful inclusion of women and LGBTQ+ people in projects, activities, approaches, and outcomes. Moreover, a call was made for states to recognise that a gender approach to cybersecurity is closely linked to other agendas and principles, such as human rights and development.
The role of the Global Forum on Cyber Expertise was praised by various delegations for being a platform helping to match cyber capacity needs to offers of support from the community and facilitate a multistakeholder exchange allowing for public-private partnerships.
On regular institutional dialogue
As expected, states discussed the cyber Program of Action (PoA), whose establishment was welcomed in resolution 77/37.
Supporters of the PoA emphasise the complementarity of the OEWG and the PoA. They also stress engaging with other stakeholders more constructively. Interestingly, during this substantive session, several states mentioned the possibility of discussing additional cyber norms under the PoA, if needed – the point of past contradictions between the ‘two camps’.
Brazil, El Salvador, South Africa, India, and Malaysia warned once again of the problem of parallel tracks of discussions that require more resources to participate in. Germany said that the work on the PoA should not conflict with the OEWG meetings, but that the PoA should be ready by the end of the OEWG’s mandate in 2025.
A new proposal! A dedicated session on the PoA
The Nordic countries, Egypt, Canada, the Netherlands, Portugal, Colombia, France, Switzerland, and Australia called for a dedicated session in 2023–2024 to provide all states with the opportunity to have comprehensive discussions on the structure, content and objectives of the PoA. Calls for this session could be reflected and answered in the OEWG annual progress report.
A few countries remain staunchly against the PoA. China noted that states who supported the PoA resolution are undermining the status of the OEWG as a single and inclusive process under the UN auspices. Cuba claimed that OEWG had proven its value and should be the central mechanism for regular institutional dialogue until 2025. Iran, Pakistan, and Syria stressed that any proposals on regular institutional dialogue should be discussed within the OEWG on an equal footing.
New proposal! A new UNGA body for regular institutional dialogue
Russia, Belarus, and Nicaragua suggested an alternative to the PoA initiative, which also proposes establishing a permanent body with review mechanisms. The mandate of the future body (under the UN General Assembly auspices as an open-ended working group/commission/committee/review conference) should include the entire spectrum of issues related to ICT security. It should be oriented towards the practical implementation of agreements reached in the OEWG. In particular, its mandate could include: (a) drafting a legally binding international instrument on international information security; (b) implementing the CBMs through developing mechanisms for practical cooperation among states; (c) establishing mechanisms to assist states in enhancing their capacities to protect national information resources.
The role of stakeholders should be strictly informal, while observers can only be from accredited organisations.
Next steps
An inter-sessional meeting on international law and regular institutional dialogue will be held around the end of May. The Chair plans to prepare a zero-draft of the APR in early June. States will discuss the APR at the fifth substantive session on 24–28 July 2023. Additional informal consultations will follow. The OEWG will round off the year with one more substantive session.
In closing, the Chair called the states once again ‘to go beyond your comfort zone, beyond your region to understand what other people’s expectations are, what other people’s requirements are in order to reach convergence’. He expressed cautious optimism about having a substantive APR in July with an outcome on the PoC Directory.
By Andrijana Gavrilović, Stefania Grottola, Pavlina Ittelson, Anastasiya Kazakova, Salomé Petit-Siemens, Ilona Stadnik